Page 1
Cisco Reader Comment Card
General Information
1 Years of networking experience: Years of experience with Cisco products:
2 I have these network types: LAN Backbone WAN
Other:
3 I have these Cisco products: Switches Routers
Other (specify models):
4 I perform these types of tasks: H/W installation and/or maintenance S/W configuration
Network management Other:
5 I use these types of documentation: H/W installation H/W configuration S/W configuration
Command reference Quick reference Release notes Online help
Other:
6 I access this information through: Cisco.com (CCO) CD-ROM
7 I prefer this access method:
8 I use the following three product features the most:
Printed docs Other:
% %
% %
Document Information
Document Title: Cisco PIX Firewall Hardware Installation Guide
Part Number: 78-15170-01 S/W Release (if applicable): Version 6.3
On a scale of 1–5 (5 being the best), please let us know how we rate in the following areas:
The document is written at my technical
The information is accurate.
level of understanding.
The document is complete. The information I wanted was easy to find.
The information is well organized. The information I found was useful to my job.
Please comment on our lowest scores:
Mailing Information
Company Name Date
Contact Name Job Title
Mailing Address
City State/Province ZIP/Postal Code
Country Phone ( ) Extension
Fax ( ) E-mail
Can we contact you further concerning our documentation? Yes No
You can also send us your comments by e-mail to bug-doc@cisco.com, or by fax to 408-527-8089.
Page 2
BUSINESS REPLY MAIL
FIRST-CLASS MAIL PERMIT NO. 4631 SAN JOSE CA
POSTAGE WILL BE PAID BY ADDRESSEE
ATTN DOCUMENT RESOURCE CONNECTION
CISCO SYSTEMS INC
170 WEST TASMAN DRIVE
SAN JOSE CA 95134-9883
NO POSTAGE
NECESSARY
IF MAILED
IN THE
UNITED STATES
Page 3
Cisco PIX Firewall
Hardware Installation Guide
Version 6.3
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7813880=
Text Part Number: 78-15170-01
Page 4
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS M ANUAL ARE SUBJECT TO CHA NGE WITHOUT NO TICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSI BILITY FOR THEIR APPLICA TION OF ANY PRODUCT S.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORT H IN THE INFORMATION PACKET T HAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accor dance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required
to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency ener gy. If it is not
installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to
comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable
protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisc o’s writ ten author ization m ay resul t in the equi pment no lo nger comp lyi ng with FCC requi rements for Class A or Class B digital
devices. In that event, your right to use the equ ipment may be limit ed by FCC regul ations , and you may be requir ed to correct a ny interference to radio or television
communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interferen ce stops, it was probably caused by the Cis co equipm ent or one of its
peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the followi ng measures:
• Turn the television or radio antenna unt il the int erference st ops.
• Move the equipment to one side or the other of the televisio n or radi o.
• Move the equipment farther away from the te levision or radio.
• Plug the equipment into an outlet that is on a di fferent cir cuit from the televi sion o r radio. (That is, make certain th e equipment and the te levision or radio are on circuit s
controlled by different circuit breaker s or fuses.)
Modifications to this product no t author ized by Cis co Syst ems, Inc. coul d voi d the FCC appro val and ne gate your authorit y to op erate the pr odu ct.
The Cisco implementation of TCP head er compressi on is an adap tation of a program developed by the Universi ty of Ca lifornia, Berk eley (UCB) as part of UCB ’s public
domain version of the UNIX operatin g system. All rights reserved . Copyri ght © 1981 , Rege nts of the Uni versity of Calif ornia.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THE SE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAI M ALL WARRANTIE S, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NO NINFRINGEM ENT OR ARISING FROM A COURS E OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING ,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE S.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Breakthrough, iQ
FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing
the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST,
BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco
Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS,
IP/TV, iQ Expertise, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView
Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0301R)
Cisco PIX Firewall Hardware Installation Guide
Copyright © 2003 Cisco Systems, Inc. All rights reserved.
Page 5
About This Guide vii
Document Objectives vii
Audience vii
Document Organization vii
Document Conventions viii
Safety Warning ix
Obtaining Documentation x
Cisco.com x
Documentation CD-ROM xi
Ordering Documentation xi
Documentat ion Feedback xi
Obtaining Technical Assistance xii
Cisco.com xii
Technical Assistance Center xii
Obtaining Additional Publications and Information xiii
CONTENTS
CHAPTER
CHAPTER
1 Preparing for Installation 1-1
Installation Overview 1-1
Safety Recommendations 1-2
Maintaining Saf et y with Ele c tricity 1-2
Preventing Electrostatic Discharge Damage 1-3
General Site Requirements 1-4
Site Environment 1-4
Preventive Site Configuration 1-4
Power Supply Considerations 1-4
Configuring Equipment Racks 1-5
2 PIX 501 2-1
PIX 501 Product Overview 2-1
Installing the PIX 501 2-3
Connecting a Power Supply Module to the PIX 501 2-3
PIX 501 Cable Lock 2-4
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
iii
Page 6
Contents
CHAPTER
CHAPTER
3 PIX 506E 3-1
PIX 506E Product Ove rview 3-1
Installing the PIX 506E 3-3
Connecting a Power Supply Module to the PIX506E 3-3
4 PIX 515/515E 4-1
PIX 515/515E Product Overview 4-1
Installing the PIX 515/515E 4-3
Surface Mounting the PIX 515/515E 4-4
Rack Mounting t he P IX 51 5/515E 4-4
Vertical Mounting the PIX 515/515E 4-5
Installing the PIX 515/515E 4-5
PIX 515/515E Feature Licenses 4-7
PIX Firewall VPN Accel erator Card 4-8
PIX Firewall VPN Accelerator Card+ 4-8
Installing Failover 4-9
Installing LAN-Based Failover 4-11
CHAPTER
Removing and Replacing the PIX 515/515E Chassis Cover 4-12
Removing the Chassis Cover 4-12
Replacing the Chassis Cover 4-13
Replacing a Lith ium Battery 4-14
Installing a Memory Upgrade 4-14
Memory Instal la ti on Steps 4-15
Installing a Circuit Board in the PIX 515/515E 4-17
PIX Firewall VPN Accelerator Circuit Board 4-20
Installing the PI X 515/515E DC Model 4-20
5 PIX 520 5-1
PIX 520 Product Overview 5-1
Installing the PIX 520 5-4
PIX 520 Feature Licenses 5-6
Installing Failover 5-7
Installing LAN-Based Failover 5-8
Removing and Replacing the PIX 520 Chassis Cover 5-10
Removing the Chassis Cover 5-10
Replacing the Chassis Cover 5-11
iv
Replacing a Lith ium Battery 5-12
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 7
Installing a Memory Upgrade 5-12
Memory Installati on Ste p s 5-13
Installing a Circuit Board in the PIX 520 5-15
PIX Firewall 16 MB Fl as h C i rc u it Bo a r d 5-18
PIX Firewall VPN Accelerator Circuit Board 5-19
Gigabit Ethernet Circuit Board 5-20
Installing the PI X 520 DC Model 5-21
Contents
CHAPTER
6 PIX 525 6-1
PIX 525 Product Overview 6-1
Installing the PIX 525 6-3
PIX 525 Feature Licenses 6-5
PIX Firewall VPN Accel erator Card 6-6
PIX Firewall VPN Accelerator Card+ 6-6
Installing Failover 6-6
Installing LAN-Based Failover 6-8
Removing an d R ep la cing the PIX 525 Cha s sis Cover 6-9
Removing the Chassis Cover 6-9
Replacing the Chassis Cover 6-11
Replacing a Lith ium Battery 6-12
Installing a Memory Upgrade 6-12
Memory Installati on Ste p s 6-12
Installing a Circuit Board in the PIX 525 6-14
PIX Firewall VPN Accelerator Circuit Board 6-17
Gigabit Ethernet Circuit Board 6-18
CHAPTER
78-15170-01
Installing a DC Power Supply 6-19
Rerouting the Fan Wiring 6-24
7 PIX 535 7-1
PIX 535 Product Overview 7-1
PIX 535 Network Interface Description 7-4
Installing the PIX 535 7-5
Before Installing the PIX 535 7-5
Mounting t h e PIX 535 7-5
PIX 535 Network Interface Installation 7-5
PIX 535 Feature Licenses 7-6
PIX Firewall VPN Accel erator Card 7-7
PIX Firewall VPN Accelerator Card+ 7-7
Cisco PIX Firewall Hardware Installation Guide
v
Page 8
Contents
Installing Failover 7-7
Installing LAN-Based Failover 7-9
Replacing a Lith ium Battery 7-10
Installing a Memory Upgrade 7-10
Memory Instal la ti on Steps 7-11
Installing a Circuit Board in the PIX 535 7-13
PIX 535 Circuit Board Options 7-13
Circuit Board Slot Description 7-15
Installing a Circuit Board 7-16
PIX Firewall 16 MB Fl as h Circuit Board 7-17
PIX Firewall VPN Accelerator Circuit Board 7-19
Gigabit Ethernet Circuit Board 7-19
Installing the PI X 535 DC Model 7-20
APPENDIX
I
NDEX
A Cable Pinouts A-1
10BaseT and 100BaseT X Connectors A-1
Console Port (RJ-45) A-2
RJ-45 to DB-9 or DB-25 Serial Cable A-4
Failover Cable Pinouts A-4
vi
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 9
About This Guide
This preface includes the following sections:
• Document Objectives, page vii
• Audience, pag e vii
• Document Organization , page vii
• Document Conventions, page viii
• Safety War ning, page ix
• Obtaining D ocu me ntat ion , page x
• Obtaining Technical Assistance, page xii
• Obtaining Additional Publications and Information, page xiii
Document Objectives
This guide descri bes h ow to i nstall the Cisc o PIX Firewall ha rdware c om ponen t s.
Audience
This guide is for network administrators who perform any of the fo llowing tasks:
• Managing net work secur ity
• Installing and configuring firewalls
• Managing d efault and stat ic ro ute s, and T CP an d UD P se rvi ces
Document Organization
This guide includes the following chapter s:
• Chapter 1, “Preparing for Installation” describes the installation o vervie w , safety recommendations,
and general site requir ements .
• Chapter 2, “PIX 501” describes the PIX 501 product overvie w , and the installation and conf iguration
procedures.
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
vii
Page 10
Document Conventions
About This Guide
• Chapter 3, “PIX 506/506E” describes the PIX 506E produ ct overview, installation and
configuration, as well as how to connect the PIX 506E to a power suppl y.
• Chapter 4, “PIX 515/515E” describes the PIX 515/515 E product overview, installation and
configuration of the PIX 515/515E, as well as the procedure to remove and replace the chassis cover.
This chapter also includes installation procedures for the circuit board and installation of the DC
model.
• Chapter 5, “PIX 520” describes the PIX 520 product overview , installation, and configuration of the
PIX 520, as well as the procedure to remove and replace the chassis cover. This chapter also includes
the procedure for i nstal lati on of t he D C mode l.
• Chapter 6, “PIX 525” describes the PIX 525 product overview , installation, and configuration of the
PIX 525, as well as the procedure to remove and replace the chassis cover. This chapter also includes
installation procedur es for the circu it boar d and instal lation of the DC model.
• Chapter 7, “PIX 535” describes the PIX 535 product overview , installation, and configuration of the
PIX 535, as well as the installation procedure for the circuit board and installation of the DC model.
• Appendix A “Cable Pinout s” describes the cable pinout s.
Document Conventions
Command descriptions use these conventions:
• Braces ({ }) indica te a requir ed choice.
• Square brackets ([ ]) indicate optional elements.
• Vertical bars (|) separate alternative, mutually exclusive elements.
• Boldface indicates comma nds and keywords that ar e enter ed literal ly as shown.
• Italics indicate arguments for whic h you supply values.
Examples use th ese conventions:
• Examples depict screen displays and the command line in screen font.
• Informatio n you ne ed to ent er i n exampl es is sh own in b oldface screen font.
• Variables for which you must supply a value are shown in italic screen font.
Graphic user interface access uses these conventions:
• Boldface indicates buttons and menu item s.
• Selecting a menu item (or screen) is indicated by the following convention:
Click Start>Settings>Control Panel.
Note Means reader take note. Notes contain helpful suggestio ns or references to material not covered in the
manual.
viii
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 11
About This Guide
Safety Warning
Safety Warning
Warning
Waarschuwing
Varoitus
Attention
This warning symbol means danger. You are in a situation that could cause bodily injury . Before you
work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar
with standard practices for preventing accidents. To see transl ations of the warnings that appear
in this publication, refer to the Regulatory Compliance and Safety Information document that
accompanied this device.
Dit waarschuwingssymbool betekent gevaar. U verkeert in een situatie die lichamelijk letsel kan
veroorzaken. Voordat u aan enige apparatuur gaat werken, dient u zich bewust te zijn van de bij
elektrische schakelingen betrokken risico's en dient u op de hoogte te zijn van standaard
maatregelen om ongelukken te voorkomen. Voor vertal ingen van de waarschuwingen die in deze
publicatie verschijnen, kunt u het document Regulatory Compliance and Safety Information
(Informatie over naleving van veiligheids- en andere voorschriften) raadplegen dat bij dit toestel is
ingesloten.
Tämä varoitusmerkki merkitsee vaaraa. Olet tilanteessa, joka voi johtaa ruumiinvammaan. Ennen
kuin työskentelet minkään laitteiston parissa, ota selvää sähkökytkentöihin liittyvistä vaaroista ja
tavanomaisista onnettomuuksien ehkäisykeinoista. Tässä julkaisussa esiintyvien varoit usten
käännökset löydät laitteen mukana olevasta Regulatory Compliance and Safety Information
-kirjasesta (määräysten noudattaminen ja tietoa turvallisuudesta).
Ce symbole d'avertissement indique un danger. Vous vous trouvez dans une situation pouvant
causer des blessures ou des dommages corporels. Avant de travailler sur un équipement, soyez
conscient des dangers posés par les circuits électriques et familiarisez-vous avec les procédures
couramment utilisées pour éviter les accidents. Pour prendre connaissance des traductions
d’avertissements figurant dans cette publication, consultez le document Regulatory Compliance
and Safety Information (Conformité aux règlements et consignes de sécurité) qui accompagne cet
appareil.
Avvertenza
78-15170-01
Warnung
Dieses Warnsymbol bedeutet Gefahr. Sie befinden sich in einer Situation, die zu einer
Körperverletzung führen könnte. Bevor Sie mit der Arbeit an irgendeinem Gerät beginnen, seien Sie
sich der mit elektrischen Stromkreisen verbundenen Gefahren und der Standardpraktiken zur
Vermeidung von Unfällen bewußt. Übersetzungen der in dieser Veröffentlichung enthaltenen
Warnhinweise finden Sie im Dokument Regulatory Compliance and Safety Information
(Informationen zu behördlichen Vorschriften und Sicherheit), das zusammen mit diesem Gerät
geliefert wurde.
Questo simbolo di avvertenza indica un pericolo. La situazione potrebbe causare infortuni alle
persone. Prima di lavorare su qualsiasi apparecchiatura, occorre conoscere i pericoli relativi ai
circuiti elettrici ed essere al corrente delle pratiche standard per la prevenzione di incidenti. La
traduzione delle avvertenze riportate in questa pubblicazione s i trov a nel documento Regulatory
Compliance and Safety Information (Conformità alle norme e informazioni sulla sicurezza) che
accompagna questo dispositivo.
Cisco PIX Firewall Hardware Installation Guide
ix
Page 12
Obtaining Docume ntation
About This Guide
Advarsel
Aviso
¡Advertencia!
Varning!
Dette varselsymbolet betyr fare. Du befinner deg i en situasjon som kan føre til personskade. Før du
utfører arbeid på utstyr, må du vare oppmerksom på de faremomentene som elektriske kretser
innebærer, samt gjøre deg kjent med vanlig praksis når det gjelder å unngå ulykker. Hvis du vil se
oversettelser av de advarslene som finnes i denne publikasjonen, kan du se i dokumentet
Regulatory Compliance and Safety Information (Overholdelse av forskrifter og
sikkerhetsinformasjon) som ble levert med denne enheten.
Este símbolo de aviso indica perigo. Encontra-se numa situação que lhe poderá causar danos
físicos. Antes de começar a trabalhar com qualquer equipamento, familiarize-se com os perigos
relacionados com circuitos eléctricos, e com quaisquer práticas comuns que possam prevenir
possíveis acidentes. Para ver as traduções dos avisos que constam desta publicação, consulte o
documento Regulatory Compliance and Safety Information (Informação de Segurança e
Disposições Reguladoras) que acompanha este dispositivo.
Este símbolo de aviso significa peligro. Existe riesgo para su integridad física. Antes de manipular
cualquier equipo, considerar los riesgos que entraña la corriente eléctrica y familiarizarse con los
procedimientos estándar de prevención de accidentes. Para ver una traducción de las advertencias
que aparecen en esta publicación, consultar el documento titulado Regulatory Compliance and
Safety Information (Información sobre seguridad y conformidad con las disposiciones
reglamentarias) que se acompaña con este dispositivo.
Denna varningssymbol signalerar fara. Du befinner dig i en situation som kan leda till personskada.
Innan du utför arbete på någon utrustning måste du vara medveten om farorna med elkretsar och
känna till vanligt förfarande för att förebygga skador. Se förklaringar av de varningar som
förkommer i denna publikation i dokumentet Regulatory Compliance and Safety Information
(Efterrättelse av föreskrifter och säkerhetsinformation), vilket medföljer denna anordning.
Obtaining Documentation
Cisco provides several ways to obtain documentation, techn ical assistance , and other tec hnical
resources. These se ction s expl ain how to obt ai n tec hnic al infor mati on from Cisc o Sy stem s.
Cisco.com
You can acc ess t he m ost c ur rent C isc o doc um ent ation on the World Wide Web at this URL :
http://www.cisco.com/univercd/home/home.h tm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco web sites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Cisco PIX Firewall Hardware Installation Guide
x
78-15170-01
Page 13
About This Guide
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM
package, which may have shipped with your product. The Documentation CD-ROM is updated monthly
and may be more curre nt than printed do cumentati on. The CD-R OM pack age is av ailable as a single unit
or through an an nual su bscript ion.
Registered Cisco.com users can order the Documentation CD-ROM (product number
DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription
Ordering Documentation
You can find ins truc tio ns for or de ring do cu ment atio n a t t his U RL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco doc umen tation in th ese ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from
the Networking Produ cts Market Pla ce:
http://www.cisco.com/en/US/partner/ordering/index.shtml
Obtaining Documentation
• Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number
DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription
• Nonregistered Cisc o. com u s ers ca n o rd er doc umen tat ion t hrou gh a loc a l acco unt r ep resen tat ive by
calling Cisco Systems Corpo rate Headqu arter s (Califo rnia, U.S.A. ) at 408 526-7208 or, elsewhere
in North America, by calli ng 800 55 3-NE TS (6387).
Documentation Feedback
You can submit co mm ents el ec tronic all y on Cisc o.com . On the Cisco Doc ume nta tion h ome pag e, cl ick
Feedback at the top of the page.
You can e-ma il your co mmen ts to bug-doc@c isco.c om.
You can submit yo ur comm ents by mail by using the respon se card beh ind the fr ont cover of your
document or by wri ting t o the fo llowing a ddress:
Cisco Systems
Attn: Customer Docume nt Ordering
170 West Tasman Drive
San Jose, CA 95134- 988 3
We appre ciate yo ur co mmen ts.
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
xi
Page 14
Obtaining Technical As sistance
Obtaining Technical Assistanc e
Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a
starting point for all technical assistance. Customers and partners can obtain online documentation,
troubleshooting tips, and sample configurations from the Cisco T AC website. Cisco.com registered users
have complete access to the technical support resources on the Cisco TAC website, including TAC tools
and utilities.
Cisco.com
Cisco.com offers a suite of in tera ct ive, networked serv ices t hat le t y ou acc ess Ci sco in for mat ion,
networking solutions, services, pr ogram s, and re sources at any time, from anywhe re in the world.
Cisco.com provides a br oad r ange of fea tur es an d s er vice s to h elp you wi th th ese ta sks:
• Streamline business processes a nd improve productivity
• Resolve technical issues with onlin e support
• Download and t es t s o ftwar e pa ck ag es
• Order Cisco le arni ng m ate ria ls a nd merc handise
About This Guide
• Register for online skill assessment, tr aining, and certification programs
To obtain customized information and service, you can self-register on Cisco.com at this URL:
http://www.cisco.com
Technical Assistance Center
The Cisco TAC is available to all customers who need technical assistance with a Cisco product,
technology, or solution. Two levels of support are available: the Cisc o TAC w ebsite an d the Cisc o TAC
Escalation Center. The avenue of support that you choose depends on the priority of the problem and the
conditions stated in service contracts, when applicable.
We ca tegoriz e Cisco TAC inquiries according to urgency:
• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities,
product installation, or basi c product configuration.
• Priority level 3 (P3)—Your network perf ormance is degra ded. Ne twork functio nality i s noticeab ly
impaired, but most business operations continue.
• Priority level 2 (P2)—Your productio n network is severely degraded , affecting signi ficant aspect s
of business operations. No workar oun d is available.
• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations
will occur if se rvic e is n ot r esto red qui ckl y. No workaround i s available.
Cisco TAC Website
You can use the Cisco TA C website to resolve P3 and P4 issues yourself, saving both cost and time. The
site provides around-the-clo ck access to onlin e tools, knowledge ba ses, and soft ware. To access the
Cisco TAC website, go to this URL:
http://www.cisco.com/tac
Cisco PIX Firewall Hardware Installation Guide
xii
78-15170-01
Page 15
About This Guide
All customers, partners, and resellers who have a valid Cisco service contract have complete access to
the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website
require a Cisco.co m login ID and password. If you have a valid service contract but do not have a login
ID or password, go t o th is URL to register :
http://tools.cisco.com/RPF/register/register.do
If you are a Cisco.com registere d user, and you cannot resol ve your tech ni cal issues by using the Cisco
TAC website, you can open a case online at this URL:
http://www.cisco.com/en/US/support/index.html
If you have Internet access, we recommend that you open P3 and P4 cases th rough the Cisco TAC
website so that y ou ca n desc ribe the s ituati on in your own wor ds an d a ttac h any nece ssar y files.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These
classifications are assigned when severe network degradation significantly impacts business operations.
When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer
automatically opens a case.
Obtaining Additional Publications and Information
To o bt ain a dir ect or y of t oll- free C isco TAC telephone numbers for yo ur co unt ry, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC .shtml
Before calling, please check with your network operations center to determine the level of Cisco support
services to which your company is entitled: for example, SMARTnet, SMARTnet On site, or Network
Supported Account s (NSA ). W he n you c all t he ce nte r, please have available your serv ice agre eme nt
number and your product seri al number.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online
and printed sources.
• The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as
ordering and custome r support ser vices. Access the Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
• Cisco Press publishe s a wid e r ange of netwo rking pub lica tions. Cisco sugg ests t hese ti tles fo r new
and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking
Technology Hand boo k, In tern etwo rkin g Troubleshooting Guide, and the Inter netw ork ing De sign
Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest
information about t he field of net working. You can access Packet magazine at this URL:
78-15170-01
http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html
• iQ Magazine is the Cisco monthly periodical that provides business leade rs and decision ma kers
with the latest information about the networkin g industry. You can access iQ Magazine at this URL:
http://business.cisco. com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html
Cisco PIX Firewall Hardware Installation Guide
xiii
Page 16
Obtaining Additiona l Publications and Informatio n
• Internet Protocol Journal is a quarterly journal publis hed by Cisco Systems for engineering
professionals involved in the design, development, and operation of public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
• Training—Cisco offers world-class networking training, with current offerings in network training
listed at this URL:
http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html
About This Guide
xiv
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 17
CHAPTER
1
Preparing for Installation
This chapter describes how to install and add PIX Firewall hardware upgrades that accompany the unit.
The information in t his guide applies to the PIX 501, PIX 506E, PIX 515/515E, PIX 520, PIX 525, and
PIX 535. In this guide, the term “PIX Firewall” refers to all models unless specifically noted otherwise.
Caution Installing a PIX Firewall Version 6.0(1) or higher, such as a PIX Firewall “Classic,” PIX10000 , or
PIX 510 on an older unit, causes a continuous reboot until a version previous to 6.0(1) is reinstalled.
This chapter includes the following sections:
• Installation Overview, page 1-1
• Safety Recomm enda tio ns, pa ge 1 -2
• General Site Requirements, page 1 -4
Installation Overview
Complete these steps to prepare for the installation of a PIX Firewall:
Note If your PIX Firewall model supports a failover configuration, perform the steps that follow only on the
primary (active) unit. (Not appl icable to the PIX 501 or the PIX 506E.)
Step 1 Review th e safety precautions outlined in the Regulat ory Compliance and Safety Information for the
Cisco PIX Firewall document.
Step 2 Completely read the release notes for your respe ctive software version .
Step 3 Unpack the PIX Firew all. The PIX Fir e wal l consis ts of two ma in components, the PI X Fire wal l unit a nd
a separate accessory kit . The acc essory kit con tains doc ument ation, a power supp ly or cord, rack
mounting hardware (not appl icab le to the PIX 501 or t he PIX 506E) , and add itional soft ware you can
use with your PIX Firewall.
Step 4 Place the PIX Firewall on a stable work surface.
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
1-1
Page 18
Safety Recommendations
Safety Recommendations
Use the following gu idelines and the infor mation in the follo wing sections t o help ensure your safety and
protect the PIX Firewall eq uipm en t. T he l ist o f gui del ine s m ay no t addr ess all pote nti ally ha zard ous
situations in your worki ng environment, so be alert and exercise good ju dgement at all time s.
Note If you need to open the PIX Firewall case to install a hard ware compone nt such as addi tional memo ry
or an interface card, doing so does not affect your Cisco warranty. Upgrading the PIX Firewall does not
require any special t ools an d do es no t cre ate a ny ra dio fr eque ncy le ak s.
The safety gui delin es ar e as fo llows:
• Keep the chassis area clear and dust-f ree before, during and after installation.
• Keep tools away from walk areas wh ere you and ot hers could fal l over them.
• Do not wear loo se clo thing or jewelry, such as earrings, bracele ts, or chai ns, th at coul d get caug ht
in the chas si s.
• Wear safety glasses if you are working unde r any cond ition s tha t mi ght b e haz ardou s to yo ur eye s.
Chapter 1 Preparing for Installation
• Do not perform any action tha t crea tes a poten tial haza rd to pe ople or makes the e quip me nt unsa fe.
• Never attempt to lift an object that is too heavy for o ne person to handle.
This section includes the following topics:
• Maintaining Safety with Electricity, page 1-2
• Preventing Electro static Discharge Damage, page 1-3
Maintaining Safety with Electricity
Warning
Before working on a chassis or working near power supplies, unplug the power cord on AC units;
disconnect the power at the circuit breaker on DC units.
Follow these guidelines when working on equipment powered by electricity:
• Before beginnin g p roce dures t hat requ ire a ccess t o the inte rior of the PIX Firewall, lo ca te the
emergency power-off switch for the room in which you are working. Then, if an electrical accident
occurs, you ca n ac t q ui ckl y to t urn o ff the power.
• Do not work alo ne if pote nt iall y ha za rdous c ond ition s exist anywhe re i n your wor k sp ace .
• Never assume that power is disconnected from a circuit; always check the circuit.
• Look careful ly for possib le hazard s in your work area, such as moist floor s, ungrou nded power
extension cables, frayed power cords, and missi n g safe ty ground s.
1-2
• If an electrical accident occurs, proceed as follows:
–
Use caution; do not bec ome a vict im yourse lf.
–
Disconnect power from the system.
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 19
Chapter 1 Preparing for Inst allation
–
–
• Use the PIX Firewall within its marked electrical ratings and product usage instructions.
• Install the PIX Firewall in compliance with local and national electrical codes as listed in the
Regulatory Compliance and Safety Information for the Cisco PIX Firewall document.
• PIX Firewall models e quipp ed w ith AC-input power supp lie s a re shippe d with a 3-w ire el ect ric al
cord with a grounding-type plug that fits only a grounding-type power outlet. This is a safety feature
that you should not circumvent. Equi pmen t grounding sho uld com ply with loc al and natio nal
electrical c ode s.
• PIX Firewall models equipped with DC-input po we r supp lies must b e terminated with the DC input
wiring on a DC source ca pabl e of sup pl ying at lea st 15 am ps. A 15 -amp c irc uit bre aker is requi red
at the 48 VDC facil ity po we r sou rce. An eas ily acc essib le dis con nect de v ice s hould be in corpo rated
into the facility wir ing. Be sure to c onn ect t he gro und ing w ire co nduit to a so l id e art h gro und. We
recommend that you use a clos ed loop rin g to termin ate the ground cond ucto r at the gro und stud.
Other DC power guidelines are listed in the Regulatory Compliance and Safety Informa tion for the
Cisco PIX Firewall docu me nt.
Safety Recommendations
If possible, send another person to get medical aid. O therwise, assess the con dition of the victim
and then call for help.
Determine if the person needs rescue breathing or external cardiac compressions; then take
appropriate act ion.
Preventing Electrostatic Discharge Damage
Electrostatic discharge (ESD) can damage equipment and impair electrical circuitry. ESD damage occurs
when electronic components are impro pe rly han dled and can result in comple te o r inter mi tten t f a ilure s.
• Always follow ESD-prevention procedures when r emoving and replacing components. Ensure that
the chassis is electrically connected to earth ground. Wear an ESD-preventive wrist strap, ensuring
that it makes good skin contact . Connect th e groundi ng clip to an unp ainted sur face of the cha ssis
frame to safely ground ESD voltages. To properly guard against ESD damage and shocks, the wrist
strap and cord must operate e ffectively. If no wrist strap is available, ground yourself by touching
the metal part of the chassis.
• For safety, periodically check the resistance value of the antistatic strap, which should be between
1 and 10 megohms ( Mohms ).
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
1-3
Page 20
General Site Requirements
General Site Requirements
The topics in this section describe the requirements your site must meet for safe installation and
operation of your syste m. E nsur e t hat your si te i s pr oper ly pr e pare d b efore begin ning insta llat ion.
This section includes the following topics:
• Site Environment, page 1-4
• Preventive Site Configuration, page 1-4
• Power Supply Considerations, page 1-4
• Configuring Equipm ent Ra cks, pa ge 1 -5
Site Environment
The PIX Firewall can be plac ed o n a de sktop. E xce pt f or the PIX 501 and the PI X 506 E, al l oth er
PIX Firewall models can be mo unte d in a ra ck. The lo cat ion of the PIX Firewall and the l ayout of yo ur
equipment rack or wiring room are extremely important for proper system operation. Equipment placed
too close together, inadequa te ventilat ion, and i nacces sible pa nels can cause syste m malfun ction s and
shutdowns, and can make PIX Firewall maintenance difficult.
Chapter 1 Preparing for Installation
When planning your sit e l ayout and equipment locations, keep in mind the precautions described in the
next section “Preventive Site Conf iguration,” to help av oid equipmen t failures a nd reduce the possibi lity
of environmentally caused shutdowns. If you are currently experiencing shutdowns or unusually high
errors with your existing equi pmen t, these pre caution s may help you isolat e the cau se of failur es and
prevent futur e problems.
Preventive Site Configuration
The following precautions he lps you plan an accept able opera ting environment for you r PIX Firewall
and helps you avoid environmentally c ause d equ ipme nt failure s:
• Electrical equipment generates heat. Ambient air temperature might not be adequate to cool
equipment to acceptable opera ting temper atures with out adequate circul ation. Ensu re that the room
in which you o per ate y our sy stem ha s ad equa te air c ircu lat ion.
• Always follow the ESD-prevention procedures described previously to avoid damage to equipment.
Damage from static discharge can cause immediate or intermittent equipment failure.
• Ensure that the chassis top panel is secure. The chassis is designed to allow cooling air to flow
effectively within it. An open chassis allows air leaks, which may interrupt and redirect the flow of
cooling air f rom int e rn al com po ne nts .
Power Supply Considerations
1-4
The PIX 515/515E, PIX 520, PIX 52 5, PIX 535, a nd PIX1000 0, have AC power supplies. The
PIX 515/515E, PIX 520, PIX 525, and PIX 535 models can have either an AC or DC power supply. The
PIX 501 and the PIX 506E have an external power supply that converts AC to DC.
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 21
Chapter 1 Preparing for Inst allation
Observe the following considerations:
• Check the power at your site before installing the PIX Firewall to ensure that you are receiving
“clean” power (free of sp ikes and no i se) . I nsta ll a power co nditi one r if nece ssa ry, to ensure proper
voltages and power levels in the source voltage for the system.
• Install proper grounding fo r the site to avoid damage from lightni ng and power surges.
• In units eq uipp ed wi th AC-input p ower supplie s, use t he f oll owing guide line s:
–
–
–
–
–
General Site Requirements
The PIX Firewall and PIX10000 models automatically select operating ranges of a low range of
90 to 135 volts or a high range of 180 to 270 volts.
The PIX 510 and PIX 520 models operate with a source voltage ranging from 100 to 240 VAC;
the input power supply requires a 20 am p service mi nimum for North A meric a and 10 am p or
16 amp for the international area.
The PIX 515/PIX 515E, PIX 525, and PIX 535 do not have a selectable operating range. Refer
to the label on each model for the correct AC-input power requirement.
Several styles of AC-input power supply cords are available; make sure you have the correct
style for your site.
Install an uninterr upti ble p ower sourc e fo r your site , if p ossible .
–
Install proper site grounding facilities to guard against damage from lightning or power surges.
• In a unit equi pped w ith DC- i nput power supp lie s, use the fol lowing g u idel ine s:
–
Each DC-input power supply requires dedicated 15 amp service.
–
For DC power cables, we recommend that you use a minimum of 18 AWG wire cable.
Configuring Equi pment R ack s
The following tips help you plan an acceptable equipment rack configuration:
• PIX 515/515E, PIX 520, PIX 525, and PIX 535 units requi re you to first attac h rack mounti ng
brackets to the unit.
• Enclosed racks must have adeq uate v entilation. Ensu re that the ra ck is not ov erly cong ested because
each unit generates heat. An enclosed rack should have louvered sides and a fan to provide cooling
air.
• When mounting a chassis in an open rack, ensure that the rack frame does not block the intake or
exhaust ports. If the chassis is installed on slides, check the position of the chassis when it is seated
all the way into the rack.
• In an enclosed rack with a ventilation fan in the top, excessi v e heat generated b y equipment near the
bottom of the rack can be drawn upward and i nto the int ake ports of th e equipm ent above it in the
rack. Ensure that you provide adequ ate ventilation for equipment at the bottom of the rack.
• Baffles can help to isol ate exhaust air from intake air, which also helps to draw cooling air through
the chassis. The best placement of the baffles depends on the airflow patterns in the rack.
Experiment with different arrangements to position the baffles effectively.
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
1-5
Page 22
General Site Requirements
Chapter 1 Preparing for Installation
1-6
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 23
PIX 501
This chapter desc rib es how to insta ll a PIX 501, an d in cl udes t he f ollowing s ect ions:
• PIX 501 Produc t O verview, page 2-1
• Installing the PIX 501 , pag e 2-3
• Connecting a Power Supply Module to the PIX 501, page 2-3
PIX 501 Product Overview
This section desc ribe s the PIX 5 01 fr ont an d r ear pane ls a nd the p anel LE Ds .
Note The PIX 501 chassis cover should not be removed as it does not con tain user-servic eable com ponent s.
CHAPTER
2
Figure 2-1 shows the front view of the PIX 501.
Figure 2-1 PIX 501 Front Panel
CISCO
®
PIX
501
FIREWALL
POWER
VPN TUNNEL
1234
67848
LINK/ACT
100 MBPS
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
2-1
Page 24
PIX 501 Product Overview
Figure 2-2 shows the r ear vi ew of the PIX 5 01.
Figure 2-2 PIX 501 Rear Panel
POWER
4
3
2
1
0
CONSOLE
3.3V 4.5A
Figure 2-3 shows the PIX 50 1 fro nt p anel LE Ds.
Chapter 2 PIX 501
67849
POWER
VPN TUNNEL
12
3
LINK/ACT
100 MBPS
4
61926
Table 2-1 lists the state of the PIX 501 front panel LEDs.
Figure 2-3 PIX 501 Front Panel LEDs
.
Table 2-1 PIX 501 Front Panel LEDs
LED State Description
POWER Green The device is powered on.
Off The device is powered off.
LINK/ACT Flashing green Network activity, such as Internet access, is present.
Green The correct cable is in use, and the connected equipment has power
and is operationa l.
Off No link is established.
VPN TUNNEL Green One or more IKE/IPSec VPN tunnels are established.
Off One or more IKE/IPSec VPN tunnels are disabled. If the standard
configuration is not modified to support VPN tunnels, the LED does
not light up because it is disabled by default. Also, the LED does not
light up when PPTP/L2TP tunnels ar e establis hed.
100 MBPS Green The inter face is enabl ed at 100 Mbp s (autonegoti ated).
Off The in terface is enabled at 10 Mbps.
2-2
Tip If the LINK/ACT LED does not light up, you mi ght be using the wrong type of cable. Try replacing the
yellow, straight-through Ethernet cable with th e orange , crossover Ethern et cabl e.
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 25
Chapter 2 PIX 501
Installing the PIX 501
Place the PIX 501 on a fl at, stabl e sur face. T he PIX 501 i s not rack m oun table .
Complete these steps to install the PIX 501:
Step 1 Connect Port 0, the outsid e Ether net port, t o the public network.
• Use the ye ll ow Etherne t c ab le (72 -14 82-01) to c onn ect the d evice to a swi tch or hub.
• Use the orange Ethernet cable (72-3515- 01) to connect t h e device to a DSL modem, cable modem,
or router.
Step 2 Connect your PC or the othe r net work devices to o ne of the f ou r swit che d ins ide por ts ( num bere d 1
through 4).
Connecting a Power Supply Module to t he PIX501
Installing the PIX 501
This section desc ribe s how to conn ec t the p ower supply mo dule to a PIX 501 . Us e thi s inf orm ation i n
conjunction with the appropri ate version of t he Regulatory Compliance and Safety Information for the
Cisco PIX Firewall document.
Complete these steps to con nect the power supply module to the PIX 501:
Step 1 Connect the small, round connector of the power supply cable to the power connector on the rear panel.
(See Figure 2-4.)
Step 2 Connect the AC power connector of the power supply input cable to an electric al outle t.
Note The PIX 501 does not have a power switch. Completing Step 2 powers on the device.
Figure 2-4 Connecting the Power Supply Module to the PIX 501
POWER
43
2
1
0 CONSOLE
3.3V 4.5A
78-15170-01
Power supply
Cisco PIX Firewall Hardware Installation Guide
71534
2-3
Page 26
Connecting a Power Supply Modul e to the PIX 501
PIX 501 Cable Lock
The PIX 501 inc lude s a s lot tha t a cce pts st anda r d d eskto p cabl e l ocks t o prov ide physic al sec uri ty f or
small portable e quipm en t, s uc h as la ptop co mput ers. ( See Figu re 2 -5.)
Chapter 2 PIX 501
POWER
43
2
1
0 CONSOLE
3.3V 4.5A
Lock slot
61929
Cable lock
(not included)
Complete these steps to install a security cable lock:
Figure 2-5 PIX 501 Security Cable Lock
Step 1 Attach the cable lock to the lock slot on the back panel of the PIX 501.
Step 2 Follow the directions from the manufac turer fo r attac hing the other en d of the device for sec uring the
PIX 501.
2-4
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 27
PIX 506/506E
This chapter descri bes how to insta ll a PIX 506 / 506E, and inc lude s the f ollowing sec tions:
• PIX 506/506E Produ ct O vervi ew, page 3-1
• Installing the PIX 506/ 506E , page 3-4
• Connecting a Power Supp ly M od ule t o th e PIX 5 06/50 6E , page 3-5
The PIX 506 and the PIX 506/506E are the same except the PIX 506/506E has a faster pro cessor and
a different power supply.
PIX 506/506E Product Overview
This section desc ribe s th e PIX 5 06/5 06E fr ont and r ear pane ls a nd the pane l L EDs.
CHAPTER
3
Note The PIX 506/506E chassis cover should not be removed as it does not cont ain user-serv iceabl e
components.
Figure 3-1
Figure 3-1 PIX 506 Front Panel
POWER
shows the front view of the PIX 506.
CISCO SECURE PIX 506
FIR
EW
ACT
NETWORK
A
67944
LL
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
3-1
Page 28
PIX 506/506E Produc t Ove r view
Figure 3-2 shows the front view of the PIX 506/506E .
Figure 3-2 PIX 506/506E Front Panel
POWER
Figure 3-3 shows the re ar vi ew of the PIX 5 06.
Figure 3-3 PIX 506 Rear Panel
Chapter 3 PIX 506/506E
67945
CISCO PIX 506E
FIREW
ACT
NETWORK
ALL
D
C
P
O
W
E
R
I
N
P
U
A
C
T
ETHERNET 1
L
I
N
K
A
C
T
L
I
N
K
ETHERNET 0
USB
CONSOLE
T
Figure 3-4 shows the re ar vi ew of the PIX 5 06/50 6E .
Figure 3-4 PIX 506/506E Rear Panel
D
C
P
O
W
E
R
I
N
P
U
A
C
T
ETHERNET 1
L
I
N
K
A
C
T
L
I
N
K
ETHERNET 0
USB
CONSOLE
T
67946
67947
3-2
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 29
Chapter3 PIX 506/506E
PIX 506/506E Product Overview
Figure 3-5 shows the PIX 50 6/50 6E fro nt pa nel LEDs.
Figure 3-5 PIX 506/506E Front Panel LEDs
POWER ACT NETWORK
25735
Table 3-1 lists the state of t he PI X 506/ 506 E fron t pa ne l L EDs.
Table 3-1 PIX 506/506E Front Panel LEDs
LED State Description
POWER On The unit has power.
ACT Flashing green Active indicator—On when the software image has been loaded on
the PIX 506/506E uni t.
NETWORK Flashing green On when at least one network interface is passing traffic.
Figure 3-6 shows the PIX 50 6 rear pa nel LE Ds.
Figure 3-6 PIX 506 Rear Panel LEDs
ACT(ivity)
LED
ACT
E
T
H
10BaseT
(RJ-45)
E
ACT(ivity)
LED
LINK
LED
LINK
R
N
E
T
1
ACT
E
T
H
E
R
N
E
10BaseT
(RJ-45)
LINK
LED
LINK
T
0
USB
port
U
S
B
C
O
N
S
O
LE
Console
port (RJ-45)
Power switch
DC
POWER
INPUT
38852
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
3-3
Page 30
Installing the PIX 506/506E
Table 3-2 lists the state of the PIX 50 6/506 E rea r pa ne l L EDs.
Table 3-2 PIX 506/506E Rear Panel LEDs
LED State Description
ACT On Shows network activity.
LINK On Shows that data is passing on the ne twork t o whic h th e co nnec tor is
attached.
The USB port at the left of the Console port is not used.
Installing the PIX 506/506E
Place the PIX 506/ 506E on a fl at, stabl e sur face. T he PIX 506 /506 E i s n ot r ack mo unta ble.
Complete these steps to install the PIX 506/506E :
Chapter 3 PIX 506/506E
Step 1 Connect the cable so that you have either a DB-9 or DB-25 connector on one end as required by the serial
port for your co mpu ter, and the oth er e nd is t he RJ-4 5 con ne ctor.
Note Use the RJ-45 Console port to connect a computer to enter configuration commands. Locate the
serial cable from the ac cessory ki t. The ser ial cabl e assembly consists of a null mo dem cabl e
with RJ-45 connec tors, a nd on e D B-9 c onnec tor a nd one D B- 25 conn ec tor.
Step 2 Connect the RJ-45 connector to the PIX 506/506E and connect the other end to the serial port connector
on your computer.
Figure 3-7 PIX 506 Serial Console Cable
DC
POWER
ACT
LINK
ACT
E
T
H
E
R
N
E
T
1
LINK
E
T
H
E
R
N
E
T
0
U
S
B
C
O
N
S
O
L
E
Console
port (RJ-45)
RJ-45 to
DB-9 or DB-25
serial cable
(null-modem)
INPUT
Computer serial port
DB-9 or DB-25
38853
3-4
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 31
Chapter3 PIX 506/506E
Connecting a Power Supply Module to the PIX 506/506E
Step 3 Connect the inside network cable to the interface connector marked ETHERNET 0 or ETHERNET 1.
Note The inside or outside network connections can be made to either interface port on the
PIX 506/506E.
Step 4 Connect the outside network c able to the rem aining Et hernet port.
Connecting a Power Supply Module to t he PIX 506/506E
This section desc ribes how to c onn ect t he p ower suppl y mo dul e to t he PI X 506 /506 E. Us e thi s
information in conjunction with the appropriate version of the Regulatory Com plian ce and Safet y
Information for the Cisco PIX Firewall document, that shi pped with your unit.
The PIX 506/506E uses an external AC to DC power supply. Power is supplied to the PIX 506/506E by
connecting the power supply to the back of the PIX 506/506E and connecting a separate AC power cord
to the power supply.
Figure 3-9 displays the cable conn ection from the power suppl y to the PIX 506, a nd displays th e AC
power cord connect or (a t t he oppo site e nd o f t h e power supp ly).
Figure 3-8 Connecting the Power Supply Module to the PIX 506 6- Pin Connector
DC
POWER
ACT
LINK
ACT
E
T
H
E
R
N
E
T
1
LINK
E
T
H
E
R
N
E
T
0
U
S
B
C
O
N
S
O
L
E
Power supply
INPUT
38854
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
3-5
Page 32
Connecting a Power Supply Modul e to the PIX 506/506E
Figure 3-9 displays the cable connect ion from the power supply to the PIX 506/506E , and displays the
AC power cord connector (at the opposite end of th e power supply)
Figure 3-9 Connecting the Power Supply Module to the PIX 506/506E 8 - Pin Connector
Chapter 3 PIX 506/506E
DC
POWER
ACT
LINK
ACT
E
T
H
E
R
N
E
T
1
LINK
E
T
H
E
R
N
E
T
0
U
S
B
C
O
N
S
O
L
E
INPUT
67847
Power supply
Complete these steps to connect the power supply module:
Step 1 Place the PIX 506/ 506 E on a fl at, sta ble sur face. The PIX 506 /506 E is n ot r ack mo unta ble .
Step 2 Connect the power supply to the back of the PIX 506/506E . See Figur e 3-8 f or t he PIX 506 a nd
Figure 3-9 for the PIX 506E .
Step 3 When you are ready to start the PIX 506/506E, power on the unit from the switch at the rear of the unit.
3-6
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 33
CHAPTER
PIX 515/515E
This chapter describes how to install the PIX 515/515E, and inclu des the following sections:
• PIX 515/515E Produ ct O vervi ew, page 4-1
• Installing the PIX 515/ 515E , page 4-3
• PIX 515/515E Feat u re L ice nses, pa ge 4 -7
• Installing Failover, page 4-9
• Installing LAN-Ba sed Failover, page 4-11
• Removing and Repla cin g th e PIX 515/51 5E Chassi s Cover, page 4-12
• Replac i ng a L i th iu m B a tt er y, page 4 -1 4
• Installing a Mem ory Upg rade , page 4-14
• Installing a Circui t Board in the PIX 5 15/515E , pag e 4-17
• Installing the PIX 515/ 515E DC M odel, page 4-20
The PIX 515 and the PIX 515E ar e the same excep t the PIX 515E has a faster proces sor.
4
PIX 515/515E Product Overview
This section describes th e PIX 515/5 15E front a nd rear pan els and the pa nel LEDs .
Figure 4-1 shows the front view of the PIX 515/515E.
Figure 4-1 PIX 515/515E Front Panel
P
O
W
E
R
A
C
T
N
E
T
W
O
R
K
78-15170-01
PIX Firewall
SERIES
67851
Cisco PIX Firewall Hardware Installation Guide
4-1
Page 34
PIX 515/515E Produc t Ove r view
Figure 4-2 shows the re ar vi ew of the PIX 5 15/51 5E .
Figure 4-2 PIX 515/515E Rear Panel
Figure 4-3 shows the PIX 51 5/51 5E fr ont pane l LE Ds.
Figure 4-3 PIX 515/515E Front Panel LEDs
POWER ACT NETWORK
Chapter 4 PIX 515/515E
D
O
N
O
T
I
N
S
T
A
L
L
I
N
T
E
R
F
A
C
E
C
A
R
D
S
W
I
T
H
P
O
W
E
R
A
P
P
L
I
E
D
1
0
0
M
L
b
in
p
s
k
F
D
X
1
0
0
M
b
p
s
L
in
k
1
0
/
1
0
0
E
T
H
E
F
R
N
E
T
0
/0
1
0
/
1
0
0
E
T
H
E
R
N
E
T
0
PIX-515
F
A
I
L
O
V
E
R
D
X
/
0
C
O
N
S
O
L
E
67850
25735
Table 4-1 lists the state of the PIX 51 5/515 E fr ont panel LE D s.
Table 4-1 PIX 515/515E Front Panel LEDs
LED State Description
POWER On On when th e un it h as p ower.
ACT On On when the unit is the active failov er unit. If failov er is present, the
light is on when the unit is the active unit.
Off Off when the unit is in standby mode. If failover is not enabled, this
light is off.
NETWORK On On when at least one network interface is passing traffic.
4-2
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 35
Chapter4 PIX 515/515E
Installing the PIX 515/515E
Figure 4-4 shows the PIX 51 5/51 5E rea r p anel LE Ds.
Figure 4-4 PIX 515/515E Rear Panel
0 E
T
H
ER
100 Mbps
LED
FDX
LED
FDX
100 Mbps
N
E
T
1
LINK
LED
FDX
LED
Link
1
0/1
FDX
00
E
T
H
E
R
N
E
T
0
10/100BaseTX
ETHERNET 0
(RJ-45)
FAILOVER
C
O
N
S
O
LE
Console
port (RJ-45)
PIX-515
24298
Power switch
100 Mbps
LED
LINK
LED
DO NOT INSTALL INTERFACE
CARDS WITH POWER APPLIED
100 Mbps
Link
10
/10
10/100BaseTX
ETHERNET 1
(RJ-45)
Table 4-2 lists the state of the PIX 515/515E rear panel LEDs.
Table 4-2 PIX 515/515E Rear Panel LEDs
LED Status Description
100 Mbps Light On 100 megab its per seco nd 100B aseTX co mmunic ation. If the
light is off, that por t is u sin g 10 megabi ts pe r s econd d ata
exchange.
LINK Light On Shows that data is passi ng on t he ne twork t o whic h th e
connector is attached.
FDX Light On Shows that th e connec tion uses fu ll duplex data exchang e
where data is transmitted and received simultaneously.
Light Off If this light is off, half-duplex is in effect.
The inside or outside network connections can be made to any available interface port on the
PIX 515/515E. If yo u are only using the ETHE RNET 0 and ETHERNET 1 po rts, conne ct the insid e
network cable to the interface connecto r marked ETHERNET 0 or ETHERNET 1. Connect the outsid e
network cable to the remain ing Ethern et por t.
The USB port to the left o f the Console port is not used. The detachable plate above the ETHERNET 1
connector is also not used.
Installing the PIX 515/515E
This section contains the following topics:
• Surface Mounti ng the PIX 515 /515 E, pa ge 4 -4
• Rack Mounting the PIX 515/5 15E, page 4-4
• Verti cal Mo unti ng the PI X 51 5/515 E, p age 4-5
• Installing a Circui t Board in the PIX 5 15/515E , pag e 4-17
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
4-3
Page 36
Installing the PIX 515/515E
Surface Mounting the PIX 515/515E
If you do not want to rack mount the un it, attac h the rubb er feet to the bottom of the unit as s hown in
Figure 4-5.
Figure 4-5 Attaching the Rubber Feet to the PIX 515/515E
Fan
Chapter 4 PIX 515/515E
Rack Mounting the PIX 515/515E
Observe the following before installing the PIX 515/515E into an equipment rack:
• To install optional circuit boards or memory, install the brackets on the unit for rack mounting, but
do not put the PIX 515 /515E in the equipment rack before installin g the new boards. The chas sis
cover of the PIX 515/515E must be rem oved to prope rly in stall or remove a ci rcui t boa rd . Ref er t o
“Removing and Replacing the PIX 515/515E Chassis Cover” for information on how to remove and
replace the chas sis cover.
–
If you need information on installing a circuit board, r efer to “Installing a Circuit Board in the
PIX 515/515E”.
–
If you need to install additional memory, refer to “Installing a Memory Upgrade”.
Complete the following to install the PIX 515/515E in a rack:
Step 1 Attach the bracket to the unit using th e supplied scre ws. You can attach the brack ets to the holes near the
front of the unit.
Step 2 Attach the unit to the equipment rack.
24301
Unused
4-4
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 37
Chapter4 PIX 515/515E
Vertical Mounting the PIX 515/515E
To mount the PIX 515/515E vertically, attach the brackets to the side of the unit and mount the unit
vertically as shown in Figure 4-6.
Figure 4-6 Installing the PIX 515/515E Vertically
PIX-515
R
E
V
O
L
I
A
F
E
L
O
S
N
O
C
0
X
/
D
0
F
T
E
N
R
E
H
T
E
0
0
1
k
/
n
0
i
L
1
s
p
b
M
0
0
1
X
0
D
/
F
0
T
E
N
R
E
H
T
D
E
E
E
I
C
L
0
A
P
0
F
k
P
1
R
/
in
E
A
0
L
T
R
1
s
E
p
IN
b
W
L
L
M
O
A
0
P
T
0
1
H
S
IT
IN
T
W
O
S
D
N
R
O
A
D
C
Installing the PIX 515/515E
Installing the PIX 515/515E
Complete the following to install the PIX 515/515E:
Step 1 Connect the ca bl e as s hown in Figure 4-7 so that you have either a DB-9 or DB-25 connector on one end
as required by the s er ial p ort for y our co mput er, and th e othe r end i s the RJ- 45 conne ct or.
Note Use the Console port to conn ect to a computer to enter configuration commands. Locate the
serial cable from the ac cessory ki t. The ser ial cabl e assembly consists of a null mo dem cabl e
with RJ-45 connectors, and one DB-9 connec tor and a D B-25 con nector.
Step 2 Connect the RJ-4 5 con ne ctor to the PIX 515 /5 15E C onso le p ort an d c on nect th e ot her en d to t he se ria l
port connector on yo ur c omp uter.
24303
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
4-5
Page 38
Installing the PIX 515/515E
Figure 4-7 PIX 515/515E Serial Console Cable
PIX-515
100 Mbps
Link
1
0
FDX
/1
00
E
T
H
E
R
N
E
T
0
FAILOVER
C
O
N
S
O
L
E
Chapter 4 PIX 515/515E
Console
port (RJ-45)
Computer serial port
DB-9 or DB-25
RJ-45 to
DB-9 or DB-25
serial cable
(null-modem)
29226
Note If your unit has a four-port Etherne t circu it board al ready in stalled , refer to Figure 4 -8. (The
four-port Ethernet circuit board requires the PIX-515/515E-UR license to be accessed.) If it has
one or two single-por t E ther ne t ci rcui t bo ar ds, re f er to Figure 4-9. If you need to install an
optional circuit board, refer to “Removing and Replacing the PIX 515/515E Chassis Cover” for
information about how to remove and replace th e chassis cover insta ll circui t boards.
Figure 4-8 Four-Port Ethernet Connectors in the PIX 515/515E
Ethernet 5
Ethernet 3
D
O
N
O
T
I
N
S
T
A
L
L
I
N
T
E
R
F
A
C
E
C
A
R
D
S
W
I
T
H
P
O
W
E
R
A
P
P
L
I
E
Ethernet 2
Ethernet 4
D
1
0
0
M
L
b
in
p
s
k
F
D
X
1
1
0
/
1
0
0
E
T
H
E
R
N
E
T
1
Ethernet 1
Ethernet 0
PIX-515
F
A
IL
0
0
M
b
p
s
L
in
k
1
0
/
1
0
0
E
T
H
O
V
E
R
F
D
X
E
R
N
E
T
0
C
O
N
S
O
L
E
25733
4-6
Step 3 Connect the inside, outside, o r p er imeter ne tw o rk cab les to t he in te rface ports. Starting from the top left
the connectors are Ethernet 2, Ethernet 3, Ethernet 4, and Ethernet 5. The maximum number of allowed
interfaces is 6.
Note Do not add a sing le- port circu it bo ard i n t he ext ra sl ot bel ow the four-por t c ircui t boa rd.
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 39
Chapter4 PIX 515/515E
Figure 4-9 Two Single-Port Ethernet Connectors in the PIX 515/515E
Ethernet 2
D
O
N
O
T
I
N
S
T
A
L
L
I
N
T
E
R
F
A
C
E
C
A
R
D
S
W
I
T
H
P
O
W
E
R
A
P
P
L
I
E
D
1
0
0
M
L
b
in
p
s
k
F
D
X
1
0
0
M
b
p
s
L
i
n
k
1
0
/1
0
0
E
T
H
E
R
N
E
T
1
1
0
/
1
0
0
E
T
H
E
R
N
E
PIX-515
F
A
I
L
O
V
E
R
F
D
X
T
0
C
O
N
S
O
L
E
PIX 515/515E Feature Licenses
25734
Ethernet 3
Ethernet 1
Ethernet 0
Note As shown in Figure 4-9, if your unit has one or two single-port Ethernet circuit boards installed
in the auxiliary assembly on the left of the unit at the rear, the circuit boards are numbered top
to bottom so that the top circuit board is Ethernet 2 and the bottom circuit board is Ethernet 3.
(Additional Ethern et ci rcui t bo ards r e quire the PIX -51 5/PIX 515E -U R lic en se to be ac cesse d.)
If you have a second PIX Firewall to use as a failover unit, install the failover feature and cable as
described in “Installing Failover”.
Note Do not power on the failover units until the active unit ha s been configured.
Step 4 Power on the unit from the switch at the rear to start the PIX 515/515E.
PIX 515/515E Feature Licenses
If you have the PIX-515/ 515E-U R un rest ricte d feat u re l icense , t he f ol lowing opt ions a re available:
78-15170-01
• If you have a second PIX 515/515E to use as a failover unit, install the failover feature and cable as
described in “Installing Failover”.
• If needed, install the PIX Firewall Syslog Server as described in the logging command page in th e
Cisco PIX Firewall Command Reference.
• Refer to “Removing and Replacing the PIX 515/515E Chassis Cover”, for information about ho w to
remove and replace the chassis cover if you need to install optional circuit boards.
Note It is very important to remove the chassis cover before in stalling ci rcuit boa rds in the PIX 515 /515E.
Even though it may appe ar po ssi ble to ad d or remove ci rcui t boa rd s from th e b ack p anel , re movin g the
chassis cover greatly simplifies the process.
• If you need to install additional memory, refer to “Installing a Memory Upgrade”.
Note If, for any reason, yo u m ay c hoose to downgra de to a ny softwa re version , note tha t y ou must use t h e
clear flashfs command before doing so . A new sect ion is ad de d to Flash m em ory t hat must be c leare d
before downgrading.
Cisco PIX Firewall Hardware Installation Guide
4-7
Page 40
PIX 515/515E Feature Licenses
For information on upgrading feature licenses or downloading t he latest soft ware versions, re fer to the
following website:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/p ix/pix_sw/v_63/config/upgrade.htm
This section includes the following topics:
• PIX Firewall VPN Accelerator Card, page 4-8
• PIX Firewall VPN Accelerator Card+, page 4-8
PIX Firewall VPN Accelerator Card
The VPN Accelerator Card (VAC) fo r the Cisco PIX Firewall s eries is a card that provid es high-performance,
tunneling and encryption services suitable for site-to-site and remote access applications. The VAC is
integrated with PIX 515 unrestricted (UR) and failover (FO) bundles. You can also purchase the VAC as a
spare for use with PIX 515 units that have a restricted (R) license.
PIX Firewall VPN Accelerator Card+
Chapter 4 PIX 515/515E
PIX Firewall Version 6.3 adds support for the VPN Acc eler ator Car d+ (VAC+). The VAC+ is a
64-bit/66 MHz PCI card, that provides faster tunneling and encryption services for Virtual Private
Network (VPN) remote acce ss, site -t o-site int ra net an d e x tr an et a pplic ation s than the VAC. Each VAC+
card occupies a single PCI slot in the system. The VAC+ is supported on any cha ssis that run s Version
6.3 software, has an appropriate license to run VPN software, and at least one PCI slot available. While
the VAC continues to be supported in Version 6.3, if bot h types of card s, the VAC and the VAC+, are
installed in a sy stem runn in g Version 6.3, the VAC card is ignored. T he VAC+ is a 64 -bit /66 MHz PCI
card, that runs in bo th 32-bit/33 MHz, as well as 64-bit/66 MHz, and does not slow down the bus when
other 66 MHz cards are installed. It is strongly recommended that the VAC+ be installed in a 64bit/66 MHz
slot. Performance is degraded if this recommendation is not followed.
The 6.3 VAC+ driver supports the following:
• 3DES, DES, AES, SHA1, MD5 for (IPSec) ESP pro tocol (For AES, only the CBC mode and key
sizes of 128, 192, and 256 bits are supporte d).
• SHA1, MD5 for the (I PSec) AH pr otocol.
• Load sharin g E SP and AH a ctivity be twee n up to thr e e VAC+ cards.
• Diffie Hellman public key and sha red s ec ret gene rat ion.
• Any other crypto-related activity uses a software implementation.
4-8
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 41
Chapter4 PIX 515/515E
Installing Failover
Complete the following steps to install a failover connection :
Step 1 Power off both the primary and seco nda ry un i ts.
Note Both PIX Firew all uni ts h as to b e the same model number, have at le ast as much RAM, have the
same Flash memory size , an d b e ru nning t he sa me sof tware ver sion.
Step 2 Locate the failo v er cab le (sh o wn in Figure 4-10). This cable is shipped separately from the PIX Firewall
unit. The cable is labeled Prima ry on one end an d Second ary on the other.
Install the cable fo r the PIX 515/ 515E a s s hown in Figu re 4 -10 .
Figure 4-10 PIX 515/515E Failover Cable Connection
Installing Failover
FAILOVER
Primary end
Y
R
A
M
I
R
P
FAILOVER
Secondary end
24297
Y
R
A
D
N
O
C
E
S
Note You can conn ec t th e PIX 515 unit to the PIX 5 15 u nit but you cann ot conn ec t the PIX 515 unit
to the PIX 515E u nit or v ice versa. Bo th un its mu st be id en tica l.
Step 3 Connect the Primary end of the failover cable to the first PIX Firewall unit, that is, the one you have
already configured.
Step 4 Connect the Secondary end of the failover cable to the standby unit.
78-15170-01
Step 5 Connect a power cord to the power con necto r on the rear panel of each uni t, and th e other en d of eac h
power cord to (preferably separate) power outlets.
Cisco PIX Firewall Hardware Installation Guide
4-9
Page 42
Installing Failover
Step 6 If you are using Statef ul Failover, use one of the fol lowing type s of co nne ction s , tha t is approp ri ate fo r
your system, between the dedi cated in terfaces on the PIX Firewall units:
• Cat 5 crossover cable direct ly conne cting th e primar y unit to the secondary unit.
• 100BaseTX hal f-dup lex hub usin g str aigh t Ca t 5 cab les.
• 100BaseTX f ull du pl ex on a dedic a ted sw itch or dedi cate d VLAN of a s witc h.
Figure 4-11 shows an example of a minimally config ured PIX 515/51 5E with only the tw o interf aces on
the motherboard used for network traffic.
Figure 4-11 Failover Connections
Chapter 4 PIX 515/515E
Stateful Failover
dedicated interface
cable
Outside switch
Internet
Note All enabled interfac es must be connected between the acti ve an d standby units. Only conf igure the acti ve
Power
D
O
N
O
T
I
N
S
T
A
L
L
I
N
T
E
R
F
A
C
E
C
A
R
D
S
W
I
T
H
P
O
W
E
R
A
P
P
L
I
E
D
1
0
0
M
b
L
p
i
n
s
k
1
0
/
1
0
0
E
T
H
E
R
PIX 515
Primary unit
F
D
X
1
0
0
M
b
p
s
L
in
k
F
D
X
N
E
T
1
1
0
/
1
0
0
E
T
H
E
R
N
E
T
0
C
O
N
S
O
L
PIX 515
Standby unit
D
O
N
O
T
I
N
S
T
A
L
L
I
N
T
E
R
F
A
C
PIX-515
F
A
I
L
O
V
E
R
E
E
C
A
R
D
S
W
I
T
H
P
O
W
E
R
A
P
P
L
I
E
D
1
0
0
M
L
b
in
p
s
k
F
D
X
1
0
0
M
1
0
/
1
0
0
E
T
H
E
R
N
E
T
1
PIX-515
F
A
I
L
O
V
E
R
b
p
s
L
in
k
F
D
X
1
0
/
1
0
0
E
T
H
E
R
N
E
T
0
C
O
N
S
O
L
E
UPS
(not supplied)
Failover
serial cable
Inside switch
Inside
network
unit. On the PIX 515/515E, the active unit is indicated by the ACT LED on the front of the unit.
27883
4-10
Caution Do not turn the power on until the units are conne cted a nd the prim ary unit is configured complete ly.
Step 7 Use the power switc h at the back of the units to powe r on the pri mary unit and then po wer on the st andby
unit.
Within a few seconds, the active unit autom ati call y downloads its c onfigura tio n to the sta ndby uni t.
If the primary unit fails, the secondary unit automatically becomes active.
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 43
Chapter4 PIX 515/515E
Installing LAN-Based Failover
LAN-based failover supports fai lover between two units connected over a dedicated Ethernet interface.
LAN-based failover eliminates the need for a special failover cable and over comes the distance
limitations imposed by the failover cable.
Note Both PIX Firewall units must be the same model number, have the same amount of RAM, Flash memory,
number and type of interfac es, an d be runnin g the same sof tware version.
Complete the following to set up a LAN-based failover co nnection:
Step 1 Disconnect both the PIX Firewall units, so that there is no traffic flow between them. If the Fa il ov er ca b le
is connected to the PIX Firewall, disconnect it.
Step 2 Configure the PIX Firewall units. For information on configuring the PIX Firewall, refer to “Configuring
LAN-Based Failov er ,” section in Chapter 10 “Using PIX Fire wall F ailover ” in the Cisco PIX Fir ewall and
VPN Configuration Guide.
Step 3 Power off both the units.
Installing LAN-Based Failover
Step 4 Connect the LAN Failover interfaces to the dedicated switch/hub, as shown in Figure 4-12.
Note A dedicated LAN interface and a dedicated switch (or VLAN) is required to implement
LAN-based failover. You cannot use a crossover Ethernet cable to connect the two PIX Firewall
units.
Figure 4-12 LAN- Based Failover Connections
Dedicated Ethernet
interface
PIX 515
D
O
N
O
T
I
N
S
T
A
L
L
I
N
T
E
R
F
A
C
E
C
A
R
D
S
W
I
T
H
P
O
W
E
R
A
P
P
L
I
E
D
1
0
0
M
b
L
p
in
s
k
F
D
X
1
0
0
1
0
/
1
0
0
E
T
H
E
R
N
E
T
1
PIX-515
F
A
IL
O
V
E
M
R
b
p
s
L
i
n
k
F
D
X
1
0
/
1
0
0
E
T
H
E
R
N
E
T
0
C
O
N
S
O
L
E
D
O
N
O
T
C
A
R
D
S
Dedicated Ethernet
interface
PIX 515
I
N
S
T
A
L
L
I
N
T
E
R
F
A
C
E
W
I
T
H
P
O
W
E
R
A
P
P
L
I
E
D
1
0
0
M
L
b
in
p
s
k
F
D
X
1
0
0
1
0
/
1
0
0
E
T
H
E
R
N
E
T
1
PIX-515
F
A
IL
O
V
M
E
R
b
p
s
L
in
k
F
D
X
1
0
/
1
0
0
E
T
H
E
R
N
E
T
0
C
O
N
S
O
L
E
Hub/switch
Step 5
If you are using Statef ul Failover, use one of the fol lowing types of co nne ction s, t hat is app rop ria te fo r
your system, between the de dicated in terfaces on the PIX Firewall units:
87313
78-15170-01
• Cat 5 crossover cable direct ly conne cting th e primar y unit to the secondary unit.
• 100BaseTX f ull du pl ex on a dedic a ted sw itch or dedi cate d VLAN of a s witc h.
• 1000BaseTX full duplex on a dedicated switch or dedicated VLAN of a switch.
Caution Do not turn the power on until the units are conne cted a nd the prim ary unit is configured complete ly.
Cisco PIX Firewall Hardware Installation Guide
4-11
Page 44
Chapter 4 PIX 515/515E
Removing and Replacing the PIX 515/515E Chassi s Co ver
Step 6 Power the primary unit on first, then power on the secondary unit. Within a few seconds, the ac tive unit
automatically downloads its configuration to the standby unit.
If the primary unit fails, the secondary unit automatically becomes active.
Removing and Replacing the PIX 515/515E Chassis Cover
This section describes how to remove and replace the chassis cover from the PIX 515/515E. This section
includes the following topics:
• Removing the Chassis Cover, page 4-12
• Replacing t he C has sis Cover, page 4-13
Removing the Chassis Cover
Complete the f oll owing to rem ove the ch ass is c over:
Note Removing the PIX Firewall case does not affect your Cisco warranty. Upgrading the PIX Firewall does
not require any special tools and does not create any radio fr equency leaks .
Step 1 Read the Regulatory Compliance and Safety Information for the Cisco PIX Firewall document.
Step 2 Unplug the power cor d f rom th e power outl et. E nsu re tha t th e PIX 51 5/51 5E is p owered off. O nce th e
upgrade is complete, you can saf ely reconn ect the power cord.
Warning
Step 3 Remove the screws from the fr ont of t he c ha ssis o n th e PIX 5 15/ 515E ( Figure 4-13).
Before working on a system that has an On/Off switch, turn OFF the power and unplug the power cord.
Figure 4-13 Removing PIX 515/515E Top Panel Screws
Top panel screws (4)
D
O
N
O
T
I
N
S
T
A
L
L
I
N
T
E
R
F
A
C
E
C
A
R
D
S
W
I
T
H
P
O
W
E
R
A
P
P
L
I
E
D
1
0
0
M
L
b
in
p
s
k
F
D
X
1
0
0
M
b
p
s
L
in
k
1
0
/1
0
0
E
T
H
E
F
R
N
E
T
0
/
0
1
0
/1
0
0
E
T
H
E
R
N
E
T
0
PIX-515
F
A
I
L
O
V
E
R
D
X
/0
C
O
N
S
O
L
E
24305
4-12
Step 4 With the front of the unit facing you, push the top panel back by about one inch as shown in Figure 4-14.
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 45
Chapter4 PIX 515/515E
Step 5
Removing and Replacing the P IX 515/515E Chassis Cover
Figure 4-14 Pushing Back the Top Panel
PIX Firewall
SERIES
P
O
W
ACT NETWORK
E
R
Pull the top panel up as shown in Figure 4-15. Put the top panel in a safe place.
Figure 4-15 Pull the Top Panel up to Remove
24285
P
O
W
ACT NETWORK
E
R
Replacing the Chassis Cover
Caution Do not o perate PIX Firewall units without the top panel installed. The top panel protects the internal
components, prevents ele ctr ica l sho rts, a nd provi des p rop er ai r-flow for cool ing t he e lec tro ni c
components.
Complete the following to replace the chassis cover:
Step 1 Place the chassis on a secure surface with the front panel facing you.
Step 2 Hold the top panel so the tabs at th e rear of the top pane l are aligne d with the c hassis bo ttom.
Step 3 Lower the front of the top panel onto the chassis, making sure that the top panel side tabs fit under the
chassis side pan els.
Step 4 Slide the top panel toward th e front, making sure that the top panel tab s f it under the ch assis back panel,
and the back p anel t abs fit und er th e t o p pan el.
PIX Firewall
SERIES
24286
78-15170-01
Step 5 Fasten the top panel with the screws you set asid e earlier.
Step 6 Reinstall the chassis on a rack, wall, desktop, or table.
Cisco PIX Firewall Hardware Installation Guide
4-13
Page 46
Replacing a Lithium Ba tt ery
Step 7 Reinstall network interface cables.
Replacing a Lithium Battery
The PIX Firewall has a lithium battery on its main circuit board. This battery has an operating life of
about 10 years. When the battery loses its charge, the PIX Firewall cannot function. The lithium battery
is no t a field replacable unit (FRU). Co n t act C isco TAC to repla c e t he batte r y.
Note Do not attempt to re pla ce thi s bat ter y yourse lf.
Chapter 4 PIX 515/515E
Warning
Danger of explosion exists if the lithium battery is in correctly replaced. Replace only with the s ame
or equivalent type recommended by the manufacturer. Dispose of used batteries according to the
manufacturer's instructions.
Installing a Memory Upgrade
Observe the following warnings, cautions, and notes when installing additional PIX Firewall system
memory.
The following statement applies to DC models:
Warning
Warning
Before performing any of the following procedures, ensure that power is removed from the DC circuit.
To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC
circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit
breaker in the OFF position.
The following statement ap plies to both AC and DC models :
Before working on a system that has an On/Off switch, turn OFF the power and unplug the power cord.
4-14
Caution Always remove old memory before insta lling new memory.
Note After installing additional memory in a PIX 515/515E, do not remove the memory strips and power on
the unit, or the PIX Firewall unit becomes inoperable.
Caution If you remove the PIX Firewall chassis top panel, always reinstall the top panel. Running the PIX Firewall
without the top panel may cause overheating and damage to electrical components.
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 47
Chapter4 PIX 515/515E
Memory Installation Steps
Complete the following to install additional system memory:
Step 1 Remove networ k wires and any cords connecting to the PIX Firewall unit if the unit is rack-mounted.
The PIX 515/515E should be removed from the rack and placed on a stable working surface. Ensure that
the unit is unplug ge d f rom i ts power s ource .
Step 2 Unpack the items in the memory upgrade kit.
Remove the top panel from the PIX Firewall unit. Remove all screws holding the assembly in place.
Refer to “Removing and Replacing the PIX 515/515E Chassis Cover” for information on how to remove
and replace th e t o p pan el.
Step 3 Determine the location of your system memory sockets (See Figure 4-16).
Step 4 Use the markings on the motherboar d to de ter mine the soc ket numbers. Always install the first memory
board into the l owest socket num be r. Progressively add memory boa rd s into hi gher nu mb er ed soc kets.
Figure 4-16 PIX 515 System Memory Location
Installing a Memory Upgrade
78-15170-01
24302
Front
Note Do not install a 64 MB DIMM in the PIX 515. You will not be able to properly replace the top
panel because of t he height of a 64 MB DIMM. Operating the PIX Firewall chassis without a top
panel installed may cause dam age to the unit.
Cisco PIX Firewall Hardware Installation Guide
4-15
Page 48
Installing a Memory Upgrade
The standard memory configuration for the PIX 515 is a 32 MB DIMM memory strip i nstalled into one
of two slots. If you are upgrading a 32 MB system , add a sec ond 32 MB DIMM mem ory strip into the
empty slot.
Step 5 Locate the wrist grounding strap in the accessory kit and connect one end to the unit as shown in
Figure 4-17, or to the PIX Firewall chassis, a nd securely attach the other to your wrist so it contacts y our
bare skin.
Figure 4-17 Attaching the Wrist Strap to the PIX 515/515E
Chapter 4 PIX 515/515E
Copper foil
D
O
N
O
T
I
N
S
T
A
L
L
I
N
T
E
R
F
A
C
E
C
A
R
D
S
W
IT
H
P
O
W
E
R
A
P
P
L
I
E
D
10
0 M
L
b
in
ps
k
F
D
X
1
00 M
bps
Lin
k
F
D
1
0
/1
0
0
E
T
H
E
R
N
E
T
0
X
/0
1
0
/1
0
0
E
T
H
E
R
N
E
T
0
/0
PIX-515
FA
IL
O
V
E
R
C
O
N
S
O
L
E
24304
Step 6
With the wrist st rap on y our wrist, car eful ly gra s p the memor y str ip from ei th er end . Note th at a DI MM
strip has notches.
Step 7 To install a DIMM strip:
–
Remove the old memory strip by openi ng the t wo pl astic wing c onnec tors, and pu lling the old
strip up. Discard the old strip.
–
The standard memory configuration for th e PIX 515 is a 32 MB DIMM mem ory strip i nstall ed into
one of two slots. If you are upgrading a 32 MB system, add a second 32 MB DIMM memory strip
into the empty slot. Refer to Figure 4-16, Figure 4-18, and Figure 4-19 for more information.
Note You cannot inst all a 64 MB DIMM in the PIX 515 due to height restr aints. You will not be able
to properly replace the top panel if you use a 64 MB DIMM. Operating the PIX Firewall chassis
without a top panel may cause dama ge to the un it.
4-16
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 49
Chapter4 PIX 515/515E
Installing a Circuit Board in the PIX 515/515E
Figure 4-18 Inserting a DIMM Memory Strip in the PIX 515/515E
DIMM
24299
Figure 4-19 Securing a DIMM Memory Strip in the PIX 515/515E
24300
When you finish inserting new RAM m emor y, replace the top p anel o n the PIX Fir ewall chassis.
Reattach the scre ws. If desir ed, rack mou nt the PIX Fire wall an d attach all cables and cor ds as discu ssed
in previous sections. After the PIX Firewall is installed, you can vi ew the amount of RAM me mory in
the system startup messages or with the s how ve rs io n command.
Installing a Circuit Board in the PIX 515/515E
The informati on i n this sect ion r efer s to bot h the AC and DC mo dels of the PI X 51 5/515 E.
Complete the follow ing to install a circuit board in the PIX 515/515E:
Step 1 Locate the gr ou nding stra p from t he a cce ssory k i t. Fasten the g rou nding stra p to your wr ist so that it
contacts your bare skin. Attach the other end to bare metal inside the PIX 515/515E chassis as shown in
Figure 4-20.
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
4-17
Page 50
Installing a Circuit Board in the PIX 515/515E
Figure 4-20 Attaching the PIX 515/515E Grounding Strap
Chapter 4 PIX 515/515E
Copper foil
D
O
N
O
T
I
N
S
T
A
L
L
I
N
T
E
R
F
A
C
E
C
A
R
D
S
W
I
T
H
P
O
W
E
R
A
P
P
L
I
E
D
1
0
0
M
L
bp
in
s
k
F
D
X
10
0
M
b
p
s
Lin
k
F
D
1
0
/1
0
0
E
T
H
E
R
N
E
T
0
X
/0
1
0
/1
0
0
E
T
H
E
R
N
E
T
0
/0
PIX-515
FA
IL
O
V
E
R
C
O
N
S
O
L
E
24304
Step 2
Remove the screws from the rear assembly on the left and put the assembly aside.
Step 3 Insert a circuit bo ard t h rough t he c age openi ng a nd int o t he sl ot as shown in Figure 4-21.
Figure 4-21 Inserting a Circuit Board into the PIX 515/515E
61904
4-18
Note When you insert a four-port Ethe rnet circuit boa rd in the sl ot, the end of the circuit board’s
connector extends past the end of the slot. This does not affect the use or operation of the circuit
board.
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 51
Chapter4 PIX 515/515E
Step 4 Attach the back co v er plat e mak ing su re th at the conne cting flan ge o n the cir cuit b oar d goes thro ugh the
Installing a Circuit Board in the PIX 515/515E
slot on the ba ck cover p lat e a s s h own in Figu re 4-22.
Figure 4-22 Attaching PIX 515/515E Back Cover Plate
61905
Step 5 Attach the screw to hold the circuit board’s connecting flange to the cover plate, and install the screws
to attach the cover plate to the PIX 515/515E unit.
Step 6 Reattach the top panel.
Figure 4-23 4-Port Circuit Board Overlap
Overlap
78-15170-01
27884
Cisco PIX Firewall Hardware Installation Guide
4-19
Page 52
Installing the PIX 515/515E DC Model
Note If you are installing a 4-port circuit board, note that the circu it board will overlap the slot
connector on the motherbo ard. This does not affect the use or operation of the circuit board.
Figure 4-23 illustrates how this appears.
PIX Firewall VPN Accelerator Circuit Board
The VPN Accelerator (PIX-VPN-ACCEL) is an encryption and accelerator circuit board. The VPN
Accelerator uses a PCI interf ac e an d th er efo re can on ly be insta lled in PIX Firewall platfo r ms with PCI
slots. The VPN Accelerator begins to function immediately after installation without the need of special
installation configurations.
Note The new VPN Accelerator cannot be used with the former PIX Firewall IPSec accelerator in the same
chassis. The P I X F irewall IP Se c acc ele ra to r was also known as t he Pr ivate Link ca rd .
Chapter 4 PIX 515/515E
Installing the PIX 515/515E DC Model
Warning
Step 1 Read the Regulatory Compliance and Safety Information for the Cisco PIX Firewall document.
Step 2 Terminate the DC input wiring on a DC source capable of supplying at least 15 amps. A 15-amp circuit
Step 3 Power off the PIX 515/515E by checking the power swit ch a t the rea r of the uni t.
Step 4 As shown in Figure 4-24, the PIX 515/515E is equipped with two grounding holes at the back of the unit,
Before performing any of the following procedures, ensure that power is removed from the DC circuit.
To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC
circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit
breaker in the OFF position.
Complete the following to install the PIX 515/515E DC power model:
breaker is required at the 48 VDC facility power source. An easily accessible disconn ect device should
be incorporated into the facility wir ing.
which you can use to connect a two-hole grounding lug to the PIX 515/515E. Use 8-32 screws to connect
a copper standard barrel grounding lug to the holes. The PIX 515/515E requires a lug where the distance
between the center of e ach hole is 0.5 6 inch es. A lug is not sup plied wi th the PIX 515/515E.
4-20
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 53
Chapter4 PIX 515/515E
Figure 4-24 Attaching a Grounding Lug to the PIX Firewall
Installing the PIX 515/515E DC Model
wire
Ground wire wire
To rack
ground
8-32 screws
Grounding holes on
PIX Firewall DC model
2-hole copper
standard barrel
grounding lug
100 Mbps
Link
10/100 ETHERNET 1
FDX
27885
Step 5 Power off the u nit. Ensure that power is removed from the DC circuit. To ensure that all power is OFF,
locate the circuit breaker on the panel board that services the DC circuit, switch the circuit breaker to
the OFF position, and tap e the switch handle of the circuit breaker in the OFF position.
Step 6 Strip the ends of the wi res f or insert ion int o t he power c onne ct l ug s on the PI X 515/ 51 5E.
Step 7 Insert the ground wire i nto the co nnect or for the eart h groun d and tighte n the screw on the con nector.
Refer to Figure 4-24 a nd using the sa me met hod as f or the gr oun d wir e, conn ec t the negative wire an d
then the positive wire.
Step 8 After wiring the DC power supply, remove the tape from the circuit brea ke r switc h han dle and reinst ate
power by moving the handle of the circuit breaker to the ON position.
Step 9 Install any remaining interface boards as described in “Installing a Circuit Board in the PIX 515/515E”.
Step 10 Power on the unit from the switch at the rear of the unit.
78-15170-01
Note If you need to power cycle the DC PIX 515/515E, wait at least 5 seconds between powering off the unit
and powering it back on.
Cisco PIX Firewall Hardware Installation Guide
4-21
Page 54
Installing the PIX 515/515E DC Model
Chapter 4 PIX 515/515E
4-22
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 55
CHAPTER
5
PIX 520
This chapter guide s y ou thro ugh the insta ll ation of t he PI X 520, a nd i nclu des t he f oll owing sect ions:
• PIX 520 Produc t O verview, page 5-1
• Installing the PIX 520 , pag e 5-4
• PIX 520 Feature Lic enses, page 5- 6
• Installing Failover, page 5-7
• Installing LAN-Ba sed Failover, page 5-8
• Removing and Replacing th e PIX 520 Chassis Cover, page 5-10
• Replac i ng a L i th iu m B a tt er y, page 5 -1 2
• Installing a Mem ory Upg rade , page 5-12
• Installing a Circ uit Boar d in the PIX 520, page 5-15
• Installing the PIX 520 DC Model , page 5-2 1
PIX 520 Product Overview
This section desc ribe s the PIX 5 20 fr ont an d r ear pane ls a nd the p anel LE Ds .
Figure 5-1 shows the front view of the PIX 520.
Figure 5-1 PIX 520 Front Panel
PIX Firewall
R
ESE
T
78-15170-01
S
E
R
IE
S
67852
Cisco PIX Firewall Hardware Installation Guide
5-1
Page 56
PIX 520 Product Overview
Note Use of the four-port Ethernet ci rcuit boa rd change s the positi on of the outsi de and inside interfaces
Chapter 5 PIX 520
Figure 5-2 shows the re ar vi ew of the PIX 5 20.
Figure 5-2 PIX 520 Rear Panel
Auto-Range Selection
L:90-135V H:180-270V
RE
SET
PIX Firewall
S
E
R
IE
S
67853
depending on the slot in which the circuit board is installed. Four-port Ethernet connectors are numbered
from the top connector down sequentially. On horizontally mounted cards, the slots are numbered left to
right.
The PIX 520 c an be u sed w ith Et hern et circ uit bo ards .
The four-port Etherne t c irc uit b oa rd provide s four 10 /100 Eth er net conn ect ions an d h as a utose nse
capability. Connectors on the four-port Ethernet circuit board are numbered top to bottom sequentially;
however, th e actua l device number depe nds on the slo t in which the four-port Ethe rnet ci rcuit boa rd is
installed.
Table 5-1 shows how the top connector is numbered.
Table 5-1 Numbering Devices with a Four-Port Connector
Four-Port Top
Slot 0 Contain s Slot 1 Contains Slot 2 Cont a i ns
Connector
4-port Any Any ethernet0
Ethernet 4-port Any ethernet1
Ethernet Ethernet 4-port ethernet2
To ken Ring 4-port Any ethernet0
To ken Ring Token Ring 4- port ethernet0
To ken Ring Ethernet 4-por t ethernet1
Ethernet Token Ring 4- por t ethernet1
With the four-port Ethernet circuit board, having a circuit board in slot 3 makes the number of interfaces
greater than six; while the circuit boa rd in slot 3 cann ot be acc essed, its pre sence does not cause
problems with the PIX Firewall.
5-2
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 57
Chapter 5 PIX 520
PIX 520 Product Overview
Figure 5-3 shows the location of the interfaces if you install a four-port Ethernet circuit board in slot 0.
Figure 5-3 Four-Port Ethernet Circuit Board Installed in Slot 0
Interface 0
Interface 1
Interface 2
Interface 3
44306
Interface 5
Interface 4
Figure 5-4 shows how the slots are numbered if a single-port Ethernet circuit board is inserted in
slot 0, and a four-port Ethernet circui t board is inse rted in slot 1.
Figure 5-4 Single-Port Ether net Cir cuit Boar d In stalled i n Slot 0 and Fo ur-Port Ethe r net Circuit Board
Installed in Slot 1
Interface 1
Interface 2
Interface 3
Interface 4
44307
Interface 0
Figure 5-5 shows how the slots are numbered if single-port Ethernet circuit boards are installed in slot 0
and in slot 1, and a four-port Ethernet circuit b oard is inserte d in slot 2.
Figure 5-5 Single-Port Ether net Circuit Board Installed in Slot 0 and 1 and Four-Port Ethe rnet Circuit
Board Installed in Slot 2
Interface 2
Interface 3
Interface 4
Interface 5
44308
Interface 0
Interface 1
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
5-3
Page 58
Installing the PIX 520
Installing the PIX 520
Complete these steps to install the PIX 520:
Step 1 Refer to Figure 5-6 for information on the features of the PIX 520 unit.
Figure 5-6 PIX 520 Front, Rear, and Side Panels.
Front Rear
R
E
S
E
T
PIX Firewall
SERIES
Power connector
Power switch
Chapter 5 PIX 520
n
o
i
t
c
e
l
e
S
e
g
n
a
R
-
o
t
u
A
V
0
7
2
-
0
8
1
:
H
V
5
3
1
-
0
9
:
L
AC
Reset
button
Power
light
Diskette
compartment
1
To access,
loosen screws
counterclockwise
3
Insert
PIX Firewall
diskette
Slots for
network
interfaces
Failover
connector
2
Set plate
on surface
4
To remove
diskette,
push button
Console
connector
–
+
DC power connector
Fan duct
rackmount slide rails
(must be purchased
Rackmount
holes
Power switch
–
+
Left side
Holes to connect
separately from
outside vendor)
DC
Ground lugs
Holes to connect
rackmount brackets
(if rackmounting
is desired)
5-4
Step 2
Connect network cables to each of the PIX Firewall’s networ k interfaces. On the PIX 520 , connect the
cables at th e fro nt o f th e unit .
Cisco PIX Firewall Hardware Installation Guide
10656
Right side
78-15170-01
Page 59
Chapter 5 PIX 520
Installing the PIX 520
If you are not in stall ing a fo ur-port E the rnet circ uit b oa rd, add th e c abl es a s sh own in Fi gure 5-7.
Figure 5-7 Up to Four Single-Port Interfaces in the PIX Firewall
44305
Interface 3
Interface 2
Interface 1
Interface 0
Installing Interface Cables to the PIX 520
Complete these steps to install interface ca bles to the PIX 520:
Step 1 Locate the serial cable. The seri al cable assemb ly consis ts of a null modem cable with RJ-45 connec tors,
two separate DB-9 con ne ctor s, an d a sep arat e D B- 25 conne c tor as shown in Fi gure 5-8.
Step 2 Install the serial cable between the PIX Firewall and your console computer.
Figure 5-8 PIX Firewall Serial Cable Assembly
PIX Firewall
console connector
DB-9-to-DB-25
serial cable
(null-modem)
C
O
N
S
O
L
E
Console
port (DB-9)
Computer serial port
DB-25 or DB-9
12275
78-15170-01
Step 3 Connect one of the DB-9 serial connectors to the console connector on the front panel of the
PIX Firewall.
Step 4 Connect one end of the RJ-45 null modem cable to the DB-9 connector.
Step 5 If you are installing an A C voltag e PIX Firewall, co nnect the PIX Firewall unit’s power cord to the po wer
connector on the rear pa nel of the uni t, and to a power outlet .
Cisco PIX Firewall Hardware Installation Guide
5-5
Page 60
PIX 520 Feature Licenses
Step 6 The following optio ns ar e available:
Step 7 If you are ready to start conf iguring th e PIX Fire wall, p ower on the unit. Ref er to the Cisco PIX Firewall
Chapter 5 PIX 520
If you are installing a DC voltage PI X Firewall, refe r to “PI X Firewall 16 MB Flash Circuit Board”.
a. If you have a second PIX Firewall to use as a failover unit, install the failover feature and cable as
described in “Installing Failover”.
Note Do not power on the failover units until the primary unit is configured.
b. If needed, install the PIX Firewall Syslog Server as described in the logging co mm an d p age i n the
Cisco PIX Firewall Command Referen ce.
c. If you need to install an optional circuit board such as a single-port Ethernet board, or the four-port
Ethernet bo ar d, refer to “Installing LAN-Based Failover” for information about how to remove and
replace the chassis cover to install circuit boards.
d. If you need to install additional memory, refer to “Installing a Memory Upgrade”.
and VPN Configuration Guid e for configuration information.
Always check the release notes first before configuring the PIX Firewall for the latest release details.
This document is al so in you r acce sso ry kit.
PIX 520 Feature Licenses
If you have a PIX 520-UR unrestricted featur e license , the following options are available:
• If you have a second PIX 520 to use as a failover unit, install the failover feature and cable as
described in “Installing Failover”.
• If needed, install the PIX Firewall Syslog Server as described in the logging command page in t he
Cisco PIX Firewall Command Referen ce.
• Refer to “In stalling LAN -Based Failover”, for information about how to remove and replace the
chassis cover if you nee d to in stal l op tio nal circ uit bo ards.
Note It is very important to remove the chassis cover before installing circuit boards in the PIX 520. Even
though it may appear possible to add or remove circuit boards from the back panel, removing the chassis
cover greatly simpli fies the pr oces s.
• If you need to install additional memory, refer to “Installing a Memory Upgrade”.
5-6
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 61
Chapter 5 PIX 520
Installing Failover
Complete these steps to install a failover connection:
Note This section only applies to PIX Firewall units with a “UR” (unrestricted) license.
Step 1 Power off both the primary and seco nda ry un i ts.
Note Both PIX Firew all uni ts h as to b e the same model number, have at le ast as much RAM, have the
same Flash memory size , an d b e ru nning t he sa me sof tware ver sion.
Step 2 Locate the failover cable (shown in Figure 5-9). This cable is shipped separately from the PIX Firewall
unit. The cable is labeled Pri mary on one end and Second ary on the other. Install the cable for the PIX
520 as shown in Figure 5 -9.
Figure 5-9 PIX 520 Failover Cable Connection
Installing Failover
F
A
I
L
O
V
E
R
Y
R
A
M
I
R
P
Primary end
F
A
I
L
O
V
E
R
Y
R
A
D
N
O
C
E
S
12395
Secondary end
Step 3 Connect the Primary end of the failover cable to the first PIX Firewall unit, that is, the one you have
already configured.
Step 4 Connect the Secondary end of the failover cable to the standby unit.
Step 5 Connect a power cord to the power con necto r on the rear panel of each uni t, and th e other en d of eac h
power cord to (preferably separate) power outlets.
Step 6 If you are using Statef ul Failover, use one of the fol lowing type s of co nne ction s , tha t is approp ri ate fo r
your system, between the de dicated in terfaces on the PIX Firewall units:
• Cat 5 crossover cable direct ly conne cting th e primar y unit to the secondary unit.
78-15170-01
• 100BaseTX hal f-dup lex hub us ing st raig ht Ca t 5 c ables.
• 100BaseTX f ull du pl ex on a dedic a ted sw itch or dedi cate d VLAN of a s witc h.
Note All enabled interfac es must be co nne cte d bet wee n the a ctive and standby units. Only c onfigure
the active un it. On the PIX 520, you can access the console and determine which unit is active
with the show failover command.
Cisco PIX Firewall Hardware Installation Guide
5-7
Page 62
Installing LAN- Ba sed Failover
Caution Do not turn the power on until the units are conne cted a nd the prim ary unit is configured complete ly.
Step 7 Use the power switch at the back of the units to power the primary unit on and then power the standby
unit on.
Within a few seconds, the active unit autom ati call y downloads its c onfigura tio n to the sta ndby uni t.
If the primary unit fails, the secondary unit automatically becomes active.
Installing LAN-Based Failover
LAN-based failover supports failover between two units connected over a dedicated Ethernet interface.
LAN-based failover eliminates the need for a special failover cable and over comes the distance
limitations imposed by the failover cable.
For information on configuring a LAN -based failover, refer to the Cisco PIX Firewall and VPN
Configuration Guide.
Chapter 5 PIX 520
Note Both PIX Firewall units must be the same model number, have the same amount of RAM, Flash memory,
number and type of interfac es, an d be running the same sof tware version.
Complete these steps to set up a LAN-based failover connection:
Step 1 Disconnect both the PIX Firewall units, so that there is no traffic flow between them. If the Fa il ov er ca b le
is connected to the PIX Firewall, disconnect it.
Step 2 Configure the PIX Firewall units. For information on configuring the PIX Firewall, refer to “ Configuring
the LAN-Based Failover,” section in Chapter 10 “Using PIX Firewall Failover” in the Cisco PIX Firewall
and VPN Configuration Guide.
Step 3 Power off both the units.
Step 4 Connect the LAN failover interfaces to the dedicated switch/hub, as shown in Figure 5-10.
Note A dedicated LAN interface and a dedicated switch (or VLAN) is required to implement
LAN-based failover. You cannot use a crossover Ethernet cable to connect the two PIX
Firewalls.
5-8
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 63
Chapter 5 PIX 520
Installing LAN-Based Failover
Figure 5-10 LAN- Based Failover Connections
P
IX
F
R
irew
E
S
E
T
all
S
E
R
I
E
S
Dedicated Ethernet
interface
PIX 520
P
IX
F
irew
R
E
S
E
T
all
S
E
R
I
E
S
Dedicated Ethernet
interface
PIX 520
87366
Hub/switch
Step 5 If you are using Statef ul Failover, use one of the fol lowing type s of co nne ction s , tha t is approp ri ate fo r
your system, between the de dicated in terfaces on the PIX Firewall units:
• Cat 5 crossover cable direct ly conne cting th e primar y unit to the secondary unit.
• 100BaseTX f ull du pl ex on a dedic a ted sw itch or dedi cate d VLAN of a s witc h.
• 1000BaseTX full duplex on a dedicated switch or dedicated VLAN of a switch.
Note For Stateful Failover on the PIX 520, if you have Gigabit Ethernet (GE) interfaces,
then the failover link must be GE.
Caution Do not turn the power on until the units are conne cted a nd the prim ary unit is configured complete ly.
Step 6 Power the primary unit on first, then power on the secondary unit. Within a few seconds, the ac tive unit
automatically downloads its configuration to the standby unit.
If the primary unit fails, the secondary unit automatically becomes active.
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
5-9
Page 64
Removing and Replacing the PIX 520 Chassis Cover
Removing and Replacing the PIX 520 Cha ssis Cover
This section describes how to remove and replace the chassis cover from the PIX 520. This section
includes the following topics:
• Removing the Chassis Cover, page 5-10
• Replacing t he C has sis Cover, page 5-11
Removing the Chassis Cover
Complete these steps to remove the chassis cove r:
Note Removing the PIX Firewall case does not affect your Cisco warranty. Upgrading the PIX Firewall does
not require any special tools and does not create any radio fr equency leaks .
Step 1 Read the Regulatory Compliance and Safety Information for the Cisco PIX Firewall document.
Chapter 5 PIX 520
Step 2 Ensure that the PIX Firewall is powered off. Unplug the power cord from the power outlet. Once the
upgrade is complete, you can saf ely reconn ect the power cord.
Warning
Step 3 Remove the three screws holding the top pane l in place , as shown in Figure 5-11.
Before working on a system that has an On/Off switch, turn OFF the power and unplug the power cord.
Figure 5-11 Removing the Top Panel Screws
Top panel screws (3)
10370
PIX Firewall
R
ESET
S
E
R
IE
S
5-10
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 65
Chapter 5 PIX 520
Step 4 Remove the top panel as shown in Figure 5-12.
Figure 5-12 Removing the Top Panel
1 in.
PIX Firewall
RES
ET
S
E
R
IE
S
Removing and Replacing the PIX 520 Chassis C over
Pull lid 1 in. (50 mm)
back and then lift up
10371
Replacing the Chassis Cover
Caution Do not o perate PIX Firewall units without the top panel installed. The top panel protects the internal
components, prevents ele ctr ica l sho rts, a nd provi des p rop er ai r-flow for cool ing t he e lec tro ni c
components.
Complete these steps to replace the chassis cover:
Step 1 Replace the top panel, as shown in Figure 5-13.
Step 2 Secure the three screws.
Step 3 Reinstall all interface cables.
Figure 5-13 Replacing the Top Panel
78-15170-01
10380
PIX Firewall
RE
SET
S
E
R
IE
S
Cisco PIX Firewall Hardware Installation Guide
5-11
Page 66
Replacing a Lithium Ba tt ery
Replacing a Lithium Battery
The PIX Firewall has a lithium battery on its main circuit board. This battery has an operating life of
about 10 years. When the battery loses its charge, the PIX Firewall cannot function. The lithium battery
is no t a field replacable unit (FRU). Co n t act C isco TAC to repla c e t he batte r y.
Note Do not attempt to re place this ba tt ery your self.
Chapter 5 PIX 520
Warning
Danger of explosion exists if the lithium battery is in correctly replaced. Replace only with the s ame
or equivalent type recommended by the manufacturer. Dispose of used batteries according to the
manufacturer's instructions.
Installing a Memory Upgrade
Observe the following warnings, cautions, and notes when installing additional PIX Firewall system
memory.
The following statement applies to DC models:
Warning
Warning
Before performing any of the following procedures, ensure that power is removed from the DC circuit.
To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC
circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit
breaker in the OFF position.
The following statement ap plies to both AC and DC models :
Before working on a system that has an On/Off switch, turn OFF the power and unplug the power cord.
5-12
Caution Always remove old memory before insta lling new memory.
Note After installing ad ditiona l memory in the PIX 520, do not remove the memor y strips an d power on the
unit, or the PIX Firewall unit will become inoperable.
Caution If you remove the PIX Firewall chassis top panel, always reinstall the top panel. Running the PIX Firewall
without the top panel may cause overheating and damage to electrical components.
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 67
Chapter 5 PIX 520
Memory Installation Steps
Complete these steps to install additional system memory:
Step 1 If the unit is rack-mounted, remove network wires and any cords connecting to the PIX Firewall unit.
The PIX 520 should be removed from the rack and pl aced on a st able work ing surface . Ensure th at the
unit is unplugged fr om its p ower source .
Step 2 Unpack the items in the memory upgrade kit.
Remove the top panel from the PIX Firewall unit. Remove all screws holding the assembly in place.
Refer to “Installi ng LAN -Base d Failover” for information on how to remove and replace the top panel.
Step 3 Determine the location of your system memory sockets (see Figure 5- 14).
Step 4 Use the markings on the motherboar d to de ter mine the soc ket numbers. Always install the first memory
board into the l owest socket num be r. Progressively add memory boa rd s into hi gher nu mb er ed soc kets.
Figure 5-14 PIX 520 System Memory Location
Installing a Memory Upgrade
Bank 0
Bank 1
Bank 2
17996
Front
Step 5
Step 6 With the wrist stra p on your wrist, caref ul ly gra sp the me mor y strip f rom ei th er end . Note th at a DI MM
Step 7 To install a DIMM strip:
Locate the wrist grounding strap in the accessory kit and connect one end to the unit as shown in
Figure 5-17, or to the PIX Firewall chassis, a nd securely attach the other to your wrist so it contacts y our
bare skin.
strip has notches.
• Remove the old memory strip by opening the two plastic wing connectors, and pulling the old strip
up. Discard the old strip.
78-15170-01
• When installing the memory strip in the PIX 520, install the new strip in Bank 0 as shown in
Figure 5-15 and Figure 5-16, by opening the two plastic wi ng connec tors , inserti ng the strip, and
closing the w ing co nnect ors.
Cisco PIX Firewall Hardware Installation Guide
5-13
Page 68
Installing a Memory Upgrade
Figure 5-15 Inserting a DIMM Memory Strip in the PIX 520
Bank 2
Bank 1
Chapter 5 PIX 520
DIMM
17997
Bank 0
Figure 5-16 Securing a DIMM Memory Strip in the PIX 520
17998
Bank 2
Bank 1
Bank 0
When you finish inserting new RAM memory, replace the top panel on the PIX Firewall chassis.
Reattach the scre ws. If desired , rack mou nt the PIX Fire wall an d attach all cab les and cords as discusse d
in previous sections. After the PIX Firewall is inst alle d, y ou can vi ew the amou nt of RA M me mo ry in
the system startup messages or with the s how ve rs io n command.
5-14
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 69
Chapter 5 PIX 520
Installing a Circuit Board in the PIX 520
The information in this section refers to the installation of a circuit board in the PIX 520. This section
includes the following topics:
• PIX Firewall 16 MB Flas h Ci rcui t B oard, p age 5-18
• PIX Firewall VPN Acce ler ator C ircu it Board , pa ge 5-19
• Gigabit Etherne t C ir cuit Boar d, page 5 -20
• Installing the PIX 520 DC Model , page 5-2 1
Complete these steps to in stall a circuit board in the PIX 520:
Step 1 Locate the grou ndi ng st rap fr om the acc essor y k it. Fast en the grou ndi ng st rap t o your w rist so th at it
contacts your bar e ski n. A tt ach the othe r en d t o ba re me tal i ns ide the PIX Firewall chassi s as sh own in
Figure 5-17.
Figure 5-17 Attaching Grounding Strap to Your Wrist and to the PIX Firewall
Installing a Circuit Board in the PIX 520
Copper foil
18352
LNK
LNK
LNK
ACT
100
TX
DATA
RESET
PO
PIX
W
ER
Firewall
S
E
R
IE
S
LNK
ACT
ACT
ACT
100
100
100
TX
TX
TX
E
E
E
T
H
E
R
N
E
T
0
E
T
T
T
H
H
DATA
H
E
DATA
E
DATA
E
R
R
R
N
N
N
E
E
E
T
T
T
0
0
0
Step 2 Insert the new circuit board, as shown in Figu re 5 -18 , and secure it using the screw provided with the
circuit board.
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
5-15
Page 70
Installing a Circuit Board in the PIX 520
Figure 5-18 Installing the New Circuit Board
Step 3 Figure 5-19 displa ys h ow the circ uit b oards a re n umb er ed acc or ding to th eir po sitio n. If yo u have
Version 4.4 a nd a fo ur-port E t herne t c irc uit b oa rd, ref er t o “PIX 520 Product Overview”.
Chapter 5 PIX 520
12273
Note When adding a network interface or encryption circuit board, install the new circuit board in the
first empty slot to the right of the existing netwo rk interface circuit board.
Figure 5-19 PIX Firewall Network Circuit Boards
44305
Interface 3
Interface 2
Interface 1
Interface 0
Step 4 If you are installin g a 4-p ort c ircu it bo ar d, no te tha t the circ uit board wil l overlap the sl ot co nne cto r on
the motherboard. This does not affect the use or operation of the circuit board. Figure 5-20 illustrates
how this appears.
5-16
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 71
Chapter 5 PIX 520
Installing a Circuit Board in the PIX 520
Figure 5-20 4-Port Circuit Board Overlap
Overlap
27884
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
5-17
Page 72
Installing a Circuit Board in the PIX 520
PIX Firewall 16 MB Flash C irc uit Boar d
Along with upgradin g y our Fla sh me mor y to 16 MB, the PIX Firewall 16 MB Fla sh ci rcuit b oard
includes pre-installed PIX Fi re wall softw are and a UR (unrest ricted) 56-b it DES encr yption license. The
16 MB Flash circuit board installs into the PIX Firewall ISA slot.
An illustration of the 16 MB Flash circuit board is shown in Figure 5-2 1.
Figure 5-21 PIX Firewall 16 MB Flash Circuit Board
Chapter 5 PIX 520
5-18
33011
Use the following information to install a 16 MB Flash circuit board:
• The PIX Firewall must have a minimum of 32 MB of RAM mem ory.
• You must obt ain a new activation key if you will be using 3DES.
• The PIX Firewall should not be downgraded t o a software revision lower than 5.0( 3) after th e new
software from the 16 MB circuit board is installed.
• If you downgrade from software Version 5.3 to 5.2 or lower, you will lose private data (keys,
certifications, and CRLs) that are stored in Flash memory. You need to use the clear flashfs
command, downgrade 5.0 | 5.1 | 5.2 options if your PIX Firewall has 16 MB Flash memory, priv ate
data stored in the Flash memory, and you used the ca save all command to save these items in Flash
memory.
Complete the following steps to install the 16 MB Flash circuit board:
Step 1 Record the present PIX Fir ewall unit serial numbe r.
Step 2 Record the new seria l nu mb er fr om the 1 6 MB Fl ash ci rcui t b oar d.
After installation, the serial number of the PIX Firewall will be the serial number supplied with the
16 MB Flash circuit board.
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 73
Chapter 5 PIX 520
Step 3 Create a backup of your pr esent co nfiguration (t o use later to re configure you r system).
Step 4 Obtain a new Activation key (if using 3D ES ).
Step 5 Remove any previously installed Flash memory circuit board s from the unit .
Step 6 The jumper on the PIX Firewall 16 MB Flash cir cuit boa rd must not be removed or reposition ed. Th e
PIX Firewall system will not work if this jumper is moved.
Step 7 Install the 16 MB Flash circuit board into an available ISA slot in the PIX Firewall chassis.
PIX Firewall VPN Accelerator Circuit Board
The VPN Accelerator (PIX-VPN-ACCEL) is an encryption and accelerator circuit board. The VPN
Accelerator uses a PCI interf ac e an d th er efo re can on ly be insta lled in PIX Firewall platfo r ms with PCI
slots. The VPN Accelerator begins to function immediately after installation without the need of special
installation configurations.
Installing a Circuit Board in the PIX 520
Note The new VPN Accelerator cannot be used with the former PIX Firewall IPSec accelerator in the same
chassis. The P I X F irewall IP Se c acc ele ra to r was also known as t he Pr ivate Link ca rd .
An illustration of the VPN Accelerator is shown in Figure 5-22.
Figure 5-22 PIX Firewall VPN Accelerator Circuit Board
61921
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
5-19
Page 74
Installing a Circuit Board in the PIX 520
Gigabit Ethernet Circuit Board
PIX Firewall supports 1000 Mbps (Gi gab it) E ther net . The Giga bit E the rnet ci rcui t bo ar d use s the
gb-ethernet device na me a nd on ly h as on e ha rdware spe ed a nd the fol lowing dupl ex opt ions:
• 1000SXfull—Forces full-duplex op er at ion
• 1000BaseSX—Forces half-duplex oper ation
• 1000auto—Auto negotiates full or half duplex
The Gigabit Et herne t c irc uit b oard an d the fiber op tic ca ble conn ec ti on a re shown in Fi gure 5-23.
Figure 5-23 Gigabit Ethernet Circuit Board
Chapter 5 PIX 520
T
X
R
X
LIN
K
The Gigabit Ethe rne t c irc uit boa rd has t hr ee LE Ds :
• TX—Transmitting data
• RX—Rece iving data
• LINK—T he Gigab it Eth ernet circu it boar d has establ ished a ne twork connec tion
33010
5-20
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 75
Chapter 5 PIX 520
Installing the PIX 520 DC Model
Installing the PIX 520 DC Model
Warning
Before performing any of the following procedures, ensure that power is removed from the DC circuit.
To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC
circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit
breaker in the OFF position.
Complete these steps to install the PIX 520 DC power model:
Step 1 Read the Regulatory Compliance and Safety Information for the Cisco PIX Firewall docum ent.
Step 2 Terminate the DC input wiring on a DC source capable of supplyin g at least 15 amps. A 15-amp circuit
breaker is required at the 48 VDC facility power source. An easily accessible disconn ect device should
be incorporated into the facility wir ing.
Step 3 Be sure the PIX 520 power is off by checking the power switch at the rear of the unit.
Step 4 As shown in Figure 5-24, the PIX 520 is equipped with two grounding studs at the back of the unit, which
you can use to con ne ct a two-h ole ground i ng l ug to t he PIX 520. U se t he 10-3 2 nut s provid ed wi th t h e
PIX 520 to connect a copper standard barrel grounding lug to the studs. The PIX 520 requires a lug where
the distance between the center of each hole is 0.56 inches. A lug is not supplied with the PIX 520.
Figure 5-24 Attaching a Grounding Lug to the PIX Firewall
Rear of
PIX Firewall
–
+
11827
Step 5
To r a ck
ground
Ensure that power is removed from the DC circu it. To ensure that all power is OFF, locate the circuit
10-32 nuts
2-hole copper
standard barrel
grounding lug
Grounding studs on
PIX Firewall DC model
breaker on the panel board that services the DC circuit, switch the circuit breaker to the OFF position,
and tape the switch handle of the circuit breaker in the OFF position.
Step 6 Strip the ends of the wi res f or i nsert ion into t he power c onnec t l ugs on t he PI X 52 0.
Step 7 Insert the ground wire into the con nector for the earth gr ound and tighten the sc rew on the c onnector (see
Figure 5-25). Using the same method as for the ground wire, connect the negative wire and then the
positive wire.
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
5-21
Page 76
Installing the PIX 520 DC Model
Figure 5-25 Attaching DC power cables
Chapter 5 PIX 520
–
+
11779
Step 8
Reconnect power to the PIX 5 20. Aft er wir ing the D C p ower suppl y, remove the tape from the ci rcui t
breaker switch handle and reinstate power by moving the handle of the circuit breaker to the ON position.
Step 9 Insert the PIX 520 system diskette in the drive at the front of the unit.
Step 10 If needed, install the interface boards as described in “Installing a Circuit Board in the PIX 520”.
Step 11 Power on the unit from the switch at the rear of the unit.
Note If you need to power cycle the DC PIX Firewall, wait at least 5 sec onds betw een powering off the unit
and powering it back on.
5-22
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 77
CHAPTER
6
PIX 525
This chapter gui des y ou thro ugh the inst all ation of the PIX 525, and inc lude s the fol lowing sec tions:
• PIX 525 Produc t O verview, page 6-1
• Installing the PIX 525 , pag e 6-3
• PIX 525 Feature Lic enses, page 6- 5
• Installing Failover, page 6-6
• Installing LAN-Ba sed Failover, page 6-8
• Removing and Repla cin g th e PIX 5 25 Chassis C over, page 6-9
• Replac i ng a L i th iu m B a tt er y, page 6 -1 2
• Installing a Mem ory Upg rade , page 6-12
• Installing a Circ uit Boar d in the PIX 525, page 6-14
• Installing a DC Power Supply, page 6-19
PIX 525 Product Overview
Figure 6-1 show the fro nt vi ew of the PIX 5 25.
78-15170-01
Figure 6-1 PIX 525 Front Panel
P
O
W
E
R
A
C
T
I
V
E
CISCO SECURITY PIX 525
F
IR
E
W
A
S
E
R
IE
S
L
L
Cisco PIX Firewall Hardware Installation Guide
61906
6-1
Page 78
PIX 525 Product Overview
Figure 6-2 shows the re ar vi ew of the PIX 5 25.
Figure 6-2 PIX 525 Rear Panel
F
A
I
L
O
V
E
1
0
0
M
b
p
s
A
C
T
L
I
N
K
1
0
0
M
b
p
s
10/100 ETHERNET 1
R
A
C
T
10/100 E
P
I
X
5
2
5
L
I
N
K
THE
RN
ET 0
USB
C
ON
SO
LE
There are two LE Ds on t he fro n t p anel o f th e PIX 525 (se e Figure 6-3).
Figure 6-3 PIX 525 Front Panel LEDs
Chapter 6 PIX 525
61907
61913
Table 6-1 lists the state of the PIX 525 front panel LEDs.
Table 6-1 PIX 525 Front Panel LEDs
LED Status Description
POWER On On when the unit has power.
ACT On On wh en the unit is th e acti v e f ailo ve r unit. I f failo v er is prese nt, the ligh t is on
when the unit is the active unit.
Off off when the unit is in standby mode.
There are three LEDs for the each RJ-45 interface port and three types of fixed interface connectors on
the back of the PIX 525.
6-2
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 79
Chapter 6 PIX 525
F
A
I
L
O
V
E
R
100M
bps ACT
100M
bps A
CT
LIN
K
LIN
K
P
IX
-525
10/100 ETHERNET 1
10/100 ETHERNET 0
USB
CONSOLE
Installing the PIX 525
Figure 6-4 shows the PIX 52 5 rear pa nel LE Ds.
Figure 6-4 PIX 525 Rear Panel LEDs
ACT(ivity)
LED
100Mbps
LED
10/100 BaseTX
Ethernet 1
ACT(ivity)
LINK
LED
LED
LINK
LED
Failover
connector
USB
port
(RJ-45)
10/100 BaseTX
Ethernet 0
Console
port (RJ-45)
(RJ-45)
Table 6-2 lists the state of the PIX 525 rear panel LEDs.
Table 6-2 PIX 525 Rear Panel LEDs
61912
LED Status Description
100 Mbps On Port 100 megabits per se cond 10 0Bas eTX com mu nicat ion.
Off Port is using 10 megabits per secon d data exchange .
ACT On Shows network activity.
LINK On Shows that data is passing through that interface.
The PIX 525 has RJ-45, network a nd console connector s, as well as a DB-15 failover cab le conne ctor.
The USB port is not used at the pr ese nt tim e.
Installing the PIX 525
Complete these steps to install the PIX 525:
Step 1 The PIX 525 provides one set of bra ckets for in stalling th e unit in an eq uipmen t rack. Com ple te these
steps if the unit is going to be installed into an equipment rack:
a. Attach the brackets to the holes near the front of the unit on each side of the PIX 525 using the
supplied screws.
b. Attach the unit to the equipment rack.
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
6-3
Page 80
Installing the PIX 525
F
A
I
L
O
V
E
R
100M
bps AC
T
100M
bps AC
T
LIN
K
LIN
K
PIX
-525
10/100 ETHERNET 1
10/100 ETHERNET 0
USB
CONSOLE
Step 2 Connect the cable so that you have either a DB-9 or DB-25 connector on one end as required by the serial
Step 3 Connect the RJ-45 serial cable connector to the PIX 525 console connector and connect the other end to
Chapter 6 PIX 525
port for your co mpu ter, and the oth er e nd is t he RJ-4 5 con ne ctor as sh own in Figure 6-5.
Note Use the Console port to con nect a co mp u ter to en ter co nfiguration commands. Locate the serial
cable from the accesso ry kit. The se rial ca ble assemb ly consist s of a null mo dem cable with
RJ-45 connectors, and one DB-9 conne ctor an d a DB-25 connect or.
the serial port connector on your computer.
Figure 6-5 PIX 525 Rear Panel
Console
port (RJ-45)
Computer serial port
DB-9 or DB-25
RJ-45 to
DB-9 or DB-25
serial cable
(null-modem)
61914
Step 4 Connect the outside network cable to the re maini ng Ether n et port. Refer to “PIX 525 Feature Licenses”
for information on how to configu re t he p orts.
Note The inside or outside network connections ca n be made to any av ailable interface port on the PIX
525. If you are only usi ng the E T HERN ET 0 and ETHERN ET 1 ports, connec t t he i ns ide
network cable to the interface connector marked ETHERNET 0 or ETH ERNET 1.
Step 5 If you need to install an optional circuit board, refer to “Installing a Circuit Board in the PIX 525”. If
you need to install memory, refer to “I nsta lling a M e mory U pgrad e” for more inf orm a tio n.
Note It is not necessa ry to remove th e chassi s cover of the P IX 525 to access the cir cuit boards or
memory.
6-4
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 81
Chapter 6 PIX 525
Step 6 Connect the network cables to the expansion interface ports. (The inside, outside, or perimeter network
connections can be made to any available interface port o n the PIX 525. ) The first expansion port
number, at the top left, i s int erfac e 2. St arti ng from t hat po rt a nd g oi ng from l eft t o right an d top t o
bottom, the next port is interface 3, the next is in terface 4, and so on. Refer to “PIX 525 Featur e
Licenses” for information on how to configure the ports.
Step 7 If you have a second PIX Firewall to use as a failover unit, install the failover feature and cable as
described in “Installing Failover”.
Note Do not power on the standby failover unit until the primary unit is configured.
Step 8 When you are ready to start the PIX 525, power on the unit from the switch at the rear of the unit.
PIX 525 Feature Licenses
If you have the PIX-525-UR unrestricte d feature l icense, t he following opti ons are available:
PIX 525 Feature Licenses
• If you have a second PIX 525 to use as a fa ilover unit, insta ll the failover fea ture and c able as
described in “Installing Failover”.
• If needed, install the PIX Firewall Syslog Server as described on t he logging command page in the
Cisco PIX Firewall Command Reference.
• If you need to i nstal l a n op tio na l ci rcui t bo ar d, refe r to “Installing a Circuit Board in the PIX 525”.
• If you need to install additional memory, refer to “Installing a Memory Upgrade”.
Note If, for any reason, yo u m ay c hoose to downgra de to a ny softwa re version , note tha t y ou must use t h e
clear flashfs command before doing so . A new sect ion is ad de d to Flash m em ory t hat must be c leare d
before downgrading.
For information on upgrading feature license s or downloading the latest software versions, go to the
following website:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/p ix/pix_sw/v_63/config/upgrade.htm
This section includes the following topics:
• PIX Firewall VPN Accelerator Card, page 6-6
• PIX Firewall VPN Accelerator Card+, page 6-6
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
6-5
Page 82
Installing Failover
PIX Firewall VPN Accelerator Card
The VPN Accelerator Card (VAC) fo r the Cisco PIX Firewall s eries is a card that provid es high-performance,
tunneling and encryption services suitable for site-to-site and remote access applications. The VAC is
integrated with PIX 525 unrestricted (UR) and failover (FO) bundles. You can also purchase the VAC as a
spare for use with PIX 525 units that have a restricted (R) license.
PIX Firewall VPN Accelerator Card+
PIX Firewall Versio n 6.3 a dds sup por t fo r the V PN A cce ler at or Ca r d+ (VAC+) . T he VAC+ is a
64-bit/66 MHz PCI card, that provides faster tunneling and encryption services for Virtual Private
Network (VPN) remote acce ss, site -t o-site int ra net an d e x tr an et a pplic ation s than the VAC. Each VAC+
card occupies a single PCI slot in the system. The VAC+ is supported on any cha ssis that run s Version
6.3 software, has an appropriate license to run VPN software, and at least one PCI slot available. While
the VAC continues to be supported in Version 6.3, if bot h types of card s, the VAC and the VAC+, are
installed in a sy stem runn in g Version 6.3, the VAC card is ignored. T he VAC+ is a 64 -bit /66 MHz PCI
card, that runs at bo th 32- bi t/33 MHz , as well as 64- bit/6 6 MH z, a nd does no t slow down the bus when
other 66 MHz cards are installed. It is strongly recommended that the VAC+ be installed in a 64bit/66 MHz
slot. Performance will be degraded if this recommendation is not followed.
Chapter 6 PIX 525
The 6.3 VAC+ driver supports the following:
• 3DES, DES, AES, SHA1, MD5 for (IPSec) ESP pro tocol (For AES, only the CBC mode and key
sizes of 128, 192, and 256 bits are supporte d).
• SHA1, MD5 for the (I PSec) AH pr otocol.
• Load sharin g E SP and AH a ctivity be twee n up to thr e e VAC+ cards.
• Diffie Hellman public key and sha red s ec ret gene rat ion.
• Any other crypto-related activity uses a software implementation.
Installing Failover
Complete these steps to install a failover connection:
Step 1 Power off both the primary and seco nda ry un i ts.
Note Both PIX Firew all uni ts h as to b e the same model number, have at le ast as much RAM, have the
same Flash memory size , an d b e ru nning t he sa me sof tware ver sion.
Step 2 Locate the failover cable (shown in Figure 6-6). This cable is shipped separately from the PIX Firewall
unit. The cable is labeled Prima ry on one end an d Second ary on the other.
6-6
Install the cable fo r th e PIX 525 as shown in Figur e 6- 6.
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 83
Chapter 6 PIX 525
Step 3 Connect the Primary end of the failover cable to the first PIX Firewall unit, that is, the one you have
Figure 6-6 PIX 525 Failover Cable Connection
F
A
I
L
O
V
E
R
Y
R
A
M
I
R
P
Primary end
Y
R
A
D
N
O
C
E
S
Secondary end
already configured.
F
A
I
L
O
V
E
R
Installing Failover
12395
Note We highly recommend that you use a GE failover lin k when con ne cting the PIX 525 wi th G E inter f a ces.
Step 4 Connect the Secondary end of the failover cable to the standby unit.
Step 5 Connect a power cord to the power con necto r on the rear panel of each uni t, and th e other en d of eac h
power cord to (preferably separate) power outlets.
Step 6 If you are using Statef ul Failover, use one of the fol lowing type s of co nne ction s , tha t is approp ri ate fo r
your system, between the de dicated in terfaces on the PIX Firewall units:
• Category 5 crossover cable directly connecting the primary unit to the secondary unit.
• 100BaseTX hal f-dup lex hub us ing st raig ht Ca t 5 c ables.
• 100BaseTX f ull du pl ex on a dedic a ted sw itch or dedi cate d VLAN of a s witc h.
Note All enabled interfac es must be connected between the acti ve an d standby units. Only conf igure the acti ve
unit. On the PIX 525, the active unit is indicated by the ACT LED on the front of the unit.
Caution Do not turn the power on until the units are conne cted a nd the prim ary unit is configured complete ly.
Step 7 Power on the primary unit fir st, then power on the secondary unit. Within a few seconds, the active unit
automatically downloads its configuration to the standby unit.
If the primary unit fails, the secondary unit automatically becomes active.
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
6-7
Page 84
Installing LAN- Ba sed Failover
Installing LAN-Based Failover
LAN-based failover supports failover between two units connected over a dedicated Ethernet interface.
LAN-based failover eliminates the need for a special failover cable and over comes the distance
limitations imposed by the failover cable.
Note Both PIX Firewall units must be the same model number, have the same amount of RAM, Flash memory,
number and type of interfac es, an d be running the same sof tware version.
Complete these steps to set up a LAN-based failover connection:
Step 1 Disconnect both the PIX Firewall units, so that there is no traffic flow between them. If the Fa il ov er ca b le
is connected to the PIX Firewall, disconnect it.
Step 2 Configure the PIX Firewall units. For information on configuring the PIX Firewall, refer to “ Configuring
the LAN-Based Failover,” section in Chapter 10 “Using PIX Firewall Failover” in the Cisco PIX Firewall
and VPN Configuration Guide.
Step 3 Power off both the units.
Chapter 6 PIX 525
Step 4 Connect the LAN failover interfaces to the dedicated switch/hub, as shown in Figure 6-7.
Note A dedicated LAN interface and a dedicated switch (or VLAN) is required to implement
LAN-based failover. You cannot use a crossover Ethernet cable to connect the two PIX Firewall
units.
Figure 6-7 LAN- Based Failove r Connections
Dedicated Ethernet
interface
1
0
0
M
b
p
s
A
C
T
L
I
N
K
1
0
0
M
b
p
s
A
C
T
1
0
/
1
0
0
E
T
H
E
R
N
E
T
1
1
0
/
1
0
0
E
T
H
Hub/switch
PIX 525
F
A
I
L
O
V
E
R
P
I
X
5
2
5
L
I
N
K
E
R
N
E
T
0
U
S
B
C
O
N
S
O
L
E
1
0
0
F
A
I
L
O
V
E
R
M
b
p
s
A
C
T
L
I
N
K
1
0
0
M
b
p
s
A
C
T
L
I
N
K
1
0
/
1
0
0
E
T
H
E
R
N
E
T
1
1
0
/
1
0
0
E
T
H
E
R
N
E
T
0
U
S
B
C
O
N
Dedicated Ethernet
interface
PIX 525
P
I
X
5
2
5
S
O
L
E
87366
87367
6-8
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 85
Chapter 6 PIX 525
Removing and Replacing the PIX 525 Chassis C over
Step 5 If you are using Statef ul Failover, use one of the fol lowing type s of co nne ction s , tha t is approp ri ate fo r
your system, between the de dicated in terfaces on the PIX Firewall units:
• Cat 5 crossover cable direct ly conne cting th e primar y unit to the secondary unit.
• 100BaseTX f ull du pl ex on a dedic a ted sw itch or dedi cate d VLAN of a s witc h.
• 1000BaseTX full duplex on a dedicated switch or dedicated VLAN of a switch.
Caution Do not turn the power on until the units are conne cted a nd the prim ary unit is configured complete ly.
Step 6 Power the primary unit on first, then power on the secondary unit. Within a few seconds, the ac tive unit
automatically downloads its configuration to the standby unit.
If the primary unit fails, the secondary unit automatically becomes active.
Removing and Replacing the PIX 525 Cha ssis Cover
This section describes how to remove and replace the chassis cover from PIX 525. This section includes
the following topics:
• Removing the Chassis Cover, page 6-9
• Replacing t he C has sis Cover, page 6-11
Removing the Chassis Cover
This section describes how to remove the PIX 525 c hassis cover.
Note Removing the PIX Firewall case does not affect your Cisco warranty. Upgrading the PIX Firewall does
not require any special tools and does not create any radio fr equency leak.
Complete these steps to remove the chassis cover:
Step 1 Power off the PIX 525 and disconn ect site p ower.
Note Note that the p ower switch is p ar t of the power supply.
Step 2 Place the PIX 525 so t hat the f ron t pa nel is fac ing you . If you pla ce the PIX 52 5 on a ta ble, ensur e tha t
you have clear access to all sides.
78-15170-01
Step 3 Remove the four screws on the chassis cover. (See Figure 6-8.)
Cisco PIX Firewall Hardware Installation Guide
6-9
Page 86
Removing and Replacing the PIX 525 Chassis Cover
Figure 6-8 Removing the Chassis Cover Screws
P
O
W
E
R
A
C
T
I
V
E
Chapter 6 PIX 525
55324
C
I
S
C
O
S
E
C
U
R
I
F
T
Y
IR
P
I
E
X
5
W
2
A
5
S
L
E
R
L
I
E
S
Step 4 Lift the chassis cover upward and pull it aw ay fr om th e tabs on th e r ear of th e ch ass is . (Se e Figure 6-9.)
Figure 6-9 Removing the Chassis Cover
Chassis cover
P
O
W
E
R
A
C
T
I
V
E
55325
C
I
S
C
O
S
E
C
U
R
I
F
T
Y
IR
P
I
E
X
W
5
2
A
5
S
L
E
R
L
I
E
Front panel
S
Chassis bottom
6-10
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 87
Chapter 6 PIX 525
Replacing the Chassis Cover
This section descri bes re plac ing the cha ssis c over on t he PIX 525 .
Complete these steps to re move t he chass is co ver:
Step 1 Place the chassis bottom so that the front panel is facing you.
Step 2 Hold the chassis cover over the chassis bottom, and align each of the cover tabs with the chassis tabs at
the top rear of the chassis. (See Figure 6-10.)
Step 3 Lower the front of the top cover to close the chassis, and ensure the following:
• The chassis cover tabs fit under the edge of the chassis rear panel so that they are not expo sed.
• The chass is tab s fit under th e chas sis cover so tha t they are not expose d.
• The chassis cover side tabs on both sides fit inside the chassis side panels so that they are not
exposed.
When the chassis cover is properly assembled, no tab s are visible.
Step 4 Secure the chassis cover with four screws.
Step 5 Reinstall all interface cables.
Removing and Replacing the PIX 525 Chassis C over
Figure 6-10 Replacing the Chassis Cover
Chassis cover
P
O
W
E
R
A
C
T
I
V
E
C
I
S
C
O
S
E
C
U
R
I
F
T
Y
IR
P
I
E
X
W
5
2
A
5
S
L
E
R
L
I
E
Front panel
Chassis
tabs
55330
S
Chassis bottom
78-15170-01
Step 6
Connect the power to the site power and power on the PIX 525. The internal power supply fan should go
on.
Cisco PIX Firewall Hardware Installation Guide
6-11
Page 88
Replacing a Lithium Ba tt ery
Replacing a Lithium Battery
The PIX Firewall has a lithium battery on its main circuit board. This battery has an operating life of
about 10 years. When the battery loses its charge, the PIX Firewall cannot function. The lithium battery
is no t a field replacable unit (FRU). Co n t act C isco TAC to repla c e t he batte r y.
Note Do not attempt to re place this ba tt ery your self.
Chapter 6 PIX 525
Warning
Danger of explosion exists if the lithium battery is in correctly replaced. Replace only with the s ame
or equivalent type recommended by the manufacturer. Dispose of used batteries according to the
manufacturer's instructions.
Installing a Memory Upgrade
Observe the following warnings, cautions, and notes when installing additional PIX Firewall system
memory.
The following statement applies to DC models:
Warning
Warning
Before performing any of the following procedures, ensure that power is removed from the DC circuit.
To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC
circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit
breaker in the OFF position.
The following statement ap plies to both AC and DC models :
Before working on a system that has an On/Off switch, turn OFF the power and unplug the power cord.
Caution Always remove old memory before insta lling new memory.
Caution If you remove the PIX Firewall chassis top panel, always reinstall the top panel. Running the PIX Firewall
without the top panel may cause overheating and damage to electrical components.
Memory Installation Steps
Complete these steps to install additional system memory:
Step 1 If the unit is rack-mounted, remove network wires and any cords connecting to the PIX Firewall unit.
Ensure that th e un it i s un plugg ed f rom i ts power so urce .
Step 2 Unpack the items in the memory upgrade kit.
Cisco PIX Firewall Hardware Installation Guide
6-12
78-15170-01
Page 89
Chapter 6 PIX 525
Step 3 Use the markings on the motherboar d to de ter mine the soc ket numbers. Always install the first memory
Installing a Memory Upgrade
Remove the component tray and all the screws holding the assembly in place. Refer to “Removing and
Replacing the PIX 52 5 Cha ssis Cover” for information on how to remove and replace the top panel.
Determine the location of your system memory sockets (see Figure 6-11).
board into the l owest socket num be r. Progressively add memory boa rd s into hi gher nu mb er ed soc kets.
Figure 6-11 System Memory Location on the PIX 525 Component Tray
61910
Step 4
Locate the wrist grounding strap in the accessory kit and connect one end to the unit or to the
PIX Firewall chassis, and securely attach the other to your wrist so it contacts your bare skin.
Step 5 With the wrist stra p on your wrist, caref ul ly gra sp the me mor y strip f rom ei th er end . Note th at a DI MM
strip has notches.
Step 6 To install a DIMM strip:
• Remove the old memory strip by opening the two plastic wing connectors, and pulling the old strip
up. Discard the old strip.
• When installing the memory strip in a PIX 525, install the new strip in Bank 0 as shown in
Figure 6-12 and Figure 6-13, by opening the two plastic wi ng connec tors , inserti ng the strip, and
closing the w ing co nnect ors.
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
6-13
Page 90
Installing a Circuit Board in the PIX 525
Figure 6-12 Inserting a DIMM Memory Strip in the PIX 525
Bank 2
Bank 1
Bank 0
Chapter 6 PIX 525
DIMM
17997
Figure 6-13 Securing a DIMM Memory Strip in the PIX 525
Bank 2
Bank 1
Bank 0
When you finish inserting new RAM mem ory, reinstall the tray on the PIX 525. Reattach the screws. If
desired, rack mount the PIX Firewall and attach all cables and cords as discussed in previous sections.
After the PIX Firewall is installed, you can view the amount of RA M memory in the system star tup
messages or with the sh ow ver s io n command.
Installing a Circuit Board in the PIX 525
17998
6-14
The information in this section refers to all PIX 525 models. Table 6-3 lists the op tio nal cir cuit boa rd
combinations that are available for the PIX 525. This section includes the following topics:
• PIX Firewall VPN Acce ler ator C ircu it Board , pa ge 6-17
• Gigabit Etherne t C ir cuit Boar d, page 6 -18
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 91
Chapter 6 PIX 525
Note The PIX 525 Restrict ed In ter f a ce Op tio n s can h ave a maximum of 6 interfaces, an d f or th e Un re s tricted
Installing a Circuit Board in the PIX 525
Interface Options, a maximum of 8 interfaces.
Table 6-3 lists the possible options/examples of con figuration choices available for the PIX 525
restricted and unrestr icted interfa ce opti ons.
Table 6-3 PIX 525 Interface Options
Restricted Interface Options Unrestricted Interface Options
3 FE 3 FE
2 FE + 1 VPN Accelerator 2 FE + 1 VPN Accelerator
3 GE 3 GE
2 GE + 1 VPN Accelerator 2 GE + 1 VPN Accelerator
1 GE + 1 FE 1 GE + 2 FE
1 GE + 1 FE + 1 VPN Accelerator 1 GE + 1 FE + 1 VPN Accelerator
1 4-Port FE 1 4-port FE
1 4-Port FE + 1 VPN Acce ler ator 1 4-port FE + 2 FE
1 4-port FE + 2 GE
2 4-port Fast Ethernet 2 4-port Fast Ethernet
1 4-port FE + 1 V PN Ac cel era tor
1 4-port FE + 1 V PN A cce le ra tor + 1 FE
1 4-port FE + 1 V PN Ac cel era tor + 1 GE
Complete these steps to in stall a circuit board in the PIX 525:
Step 1 Locate the grou ndi ng st rap fr om the acc essor y k it. Fast en the grou ndi ng st rap t o your w rist so th at it
contacts your bar e skin. A ttach t he oth er end to bar e me ta l on the PIX 52 5 cha ssis.
Step 2 Remove the screws from the rear panel of the component tray and slide the tray out (see Figure 6-14).
Figure 6-14 The Component Tray at the Back of the PIX 525
F
A
I
L
O
V
E
10/100 ETHERNET 0
R
PIX-525
LINK
USB
CONSOLE
100Mbps ACT
LINK
100Mbps ACT
10/100 ETHERNET 1
Step 3 Remove the screw and cover plate from th e cir cuit boa rd slot .
Step 4 Use Figure 6-15 as a guide to install a circuit b oard into a PCI slot on the component tray.
61908
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
6-15
Page 92
Installing a Circuit Board in the PIX 525
Step 5 Attach the screw to hold the circuit board’s connecting flange to the rear cover plate on the component
tray.
Figure 6-15 Inserting an Expansion Board into a PCI Slot on the PIX 525 Component Tray
Step 6 Figure 6-16 shows circuit boards in PCI slots on th e component tray.
Figure 6-16 Expansion Boards in PCI Slots on the PIX 525 Component Tray
Chapter 6 PIX 525
61911
Step 7
61909
Reinstall the component tray into the PIX 525 chassis.
6-16
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 93
Chapter 6 PIX 525
Installing a Circuit Board in the PIX 525
Figure 6-17 4-Port Circuit Board Overlap
Overlap
Note If you are installing a 4-port circuit board, note that the circu it board will overlap the slot
connector on the motherbo ard. This does not affect the use or operation of the circuit board.
illustrates how this appears
PIX Firewall VPN Accelerator Circuit Board
The VPN Accelerator (PIX-VPN-ACCEL) is an encryption and accelerator circuit board. The VPN
Accelerator uses a PCI interf ac e an d th er efo re can on ly be insta lled in PIX Firewall platfo r ms with PCI
slots. The VPN Accelerator begins to function immediately after installation without the need of special
installation configurations.
Note The new VPN Accelerator cannot be used with the former PIX Firewall IPSec accelerator in the same
chassis. The P I X F irewall IP Se c acc ele ra to r was also known as t he Pr ivate Link ca rd .
27884
78-15170-01
An illustration of the VPN Accelerator is shown in Figure 6-18.
Cisco PIX Firewall Hardware Installation Guide
6-17
Page 94
Installing a Circuit Board in the PIX 525
Figure 6-18 PIX Firewall VPN Accelerator Circuit Board
Chapter 6 PIX 525
61921
Gigabit Ethernet Circuit Board
PIX Firewall supports 1000 Mbps (Gi gab it) E ther net . The Giga bit E the rnet ci rcui t bo ar d use s the
gb-ethernet device na me a nd on ly h as on e ha rdware spe ed a nd the fol lowing dupl ex opt ions:
• 1000SXfull—Forces full-duplex op er at ion
• 1000BaseSX—Forces half-duplex oper ation
• 1000auto—Auto negotiates full or half duplex
Note We highly recommend that you use a GE failover lin k when con ne cting the PIX 525 wi th GE inter f a ces.
6-18
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 95
Chapter 6 PIX 525
Installing a DC Power Supply
The Gigabit Et herne t c irc uit b oa rd an d th e fiber o pti c ca ble c on nect ion a re shown i n Figur e 6- 19.
Figure 6-19 Gigabit Ethernet Circuit Board
33010
T
X
R
X
LIN
K
The Gigabit Ethe rne t c irc uit boa rd has t hr ee LE Ds :
• TX—Transmitting data
• RX—Rece iving data
• LINK—T he Gigab it Eth ernet cir cuit bo ard has esta blished a ne twork con necti on
Installing a DC Power Supply
Warning
Step 1 Place the power supp ly as sho wn in Figure 6-20, and then slide it toward the rear panel. You will b e able
Step 2 Reinstall the three screws that secure the power supply on the back panel of the chassis.
Before performing any of the following procedures, ensure that power is removed from the DC circuit.
To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC
circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit
breaker in the OFF position.
Complete these steps to install the DC power supply:
to feel the chassis hook engage with the slot on the bottom of the power supply.
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
6-19
Page 96
Installing a DC Power Supply
Figure 6-20 Inserting the Power Supply in the Chassis
Chapter 6 PIX 525
Chassis hook
Power
Power
supply
supply
slot
55329
Chassis bottom
Step 3
Connect the six-pin connector to the motherboard.
Step 4 Route the fan cables on top of fans exactly as shown in Figu re 6-21. Note that the two l onges t cabl es ar e
connected to the two installed fans on the right. The connectors to these two fans will fit into the space
between the second and third fans.
Step 5 Reconnect the power conn ec tor.
6-20
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 97
Chapter 6 PIX 525
Installing a DC Power Supply
Figure 6-21 Routing the Fan Cables
31109
Sheet metal tabs
Step 6
Base tabs
Front panel
Insert the second fan as shown in Figure 6-21, making sure that the fan cable feeds to your left. Po sition
the cables to the two installed fans so that they will fit over the first and second fans. Press the fan into
place between the four sheet metal tabs.
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
6-21
Page 98
Installing a DC Power Supply
Step 7 Reconnect the t wo-pi n fan ca ble s to t he re m ainin g fa n, as shown in Figur e 6- 22.
Figure 6-22 Reconnecting the Fan Cables
Chapter 6 PIX 525
Fan
Fan connector
Front panel
31910
6-22
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Page 99
Chapter 6 PIX 525
Step 8 Reinstall the remaining fan. Make sure you orient the fan so that the cabl es fe ed to the r ight ( toward the
Step 9 Starting wit h the fan far thest away from th e power suppl y, bend the cable clamps over wires an d into
Installing a DC Power Supply
second fan). Route the cable over the fan before you reconnect it. When correctly assembled, the cables
appear as s hown in Fi gure 6-23.
the gap between chassi s and fan ho using.
31109
Sheet metal tabs
Base tabs
Front panel
Figure 6-23 Correct Fan Cable Routing
78-15170-01
Cisco PIX Firewall Hardware Installation Guide
6-23
Page 100
Installing a DC Power Supply
Step 10 Replace the air sepa ra tor as shown in Figure 6-24, holding all cables to the right of the separator as you
slip it into the chassis.
Figure 6-24 Replacing the Air Separator
Chapter 6 PIX 525
Air separator
Step 11 Replace the chassis cover as described in “Replacing the Chassis Cover.”
Rerouting the Fan Wiri ng
If the fan wiring in your router is not routed on top of the fans, you need to reroute the fan wiring. Thi s
will make future power supply replacement easier.
Complete these steps to reroute the fan wiring:
Step 1 Pull the fan closest to the power supply away fro m the sheet metal tabs. (See Figure 6-2 5.)
Note To help with reconnecting the cables, write down which colored cable connects to which fan.
See Table 6-4 for a list of the wire colors. Th ere are three dif ferent leng ths of two-wire ± 1 2 VDC
power cables. T he two shortest cable s go to the tw o f ans that you will r emo ve in Step 9. The tw o
longer cables go to the two rem aining fans you will remove in Step 10 and Step 11. The
remaining cable goes to the power conn ector on the backplane. These cables are color-coded.
Front panel
52021
6-24
Cisco PIX Firewall Hardware Installation Guide
78-15170-01
Loading...