Cisco PIX515E User Manual

Cisco PIX 515E Firewall

1 Check Items Included

2 Install the PIX 515E

3 Configure the PIX 515E

4 Example Configurations

5 Optional Maintenance and Upgrade Procedures

Quick Start Guide

About the Cisco PIX 515E Firewall

Hard

Sof

The Cisco PIX 515E delivers enterprise-class security
for small-to-medium business and enterprise networks,
in a modular, purpose-built appliance. Its versatile
one-rack unit (1RU) design supports up to 6 10/100

POWER

ACT

NETWORK

Fast Ethernet interfaces, making it an excellent choice
for businesses requiring a cost-effective, resilient security solution with demilitarized zone (DMZ)
support. It delivers up to 188 Mbps of firewall throughput with the ability to handle over
130,000 simultaneous sessions. Some PIX 515E models include award-winning high-availability
services as well as integrated hardware VPN acceleration, delivering up to 130 Mbps of 3DES and
256-bit AES VPN throughput.

PIX Firewall

S
E

R
IE

S

99550

ware Features

• 433-MHz Intel Celeron processor

• 32-MB RAM with the restricted (R) license;

64-MB RAM with the unrestricted (UR) and
failover (FO) licenses

• 16-MB Flash memory

• 128-KB level 2 cache memory at 433 MHz

• 32-bit, 33-MHz system bus

• Up to 6 10/100 Fast Ethernet interfaces

• Serial console port for administrative access

• Front panel LEDs for power, failover, and

network status

• Up to 188-Mbps firewall throughput

• Supports 56-bit DES, 168-bit 3DES, and

128- or 256-bit AES data encryption to
ensure data privacy

• Up to 60/130-Mbps VPN throughput

(VAC/VAC+)

tware Features

• Includes Cisco PIX Device Manager (PDM)

for intuitive, web-based administration of
PIX Firewalls

• Supports three licensing models with

additional host capacity and failover
capability

• Internal DHCP server supports up to

256 address leases per interface

• Supports up to 2000 remote access and

site-to-site VPN peers

• Supports up to 130,000 simultaneous

connections

• Supports up to eight 802.1Q VLAN-based

logical interfaces

• Intrusion protection from many different

types of popular network-based attacks
ranging from malformed packet attacks to
DoS attacks

• Delivers highly resilient network security
services via award-winning

on certain PIX 515E models

stateful failover

2

1 Check Items Included

PC terminal adapter

(74-0495-01)

DO NOT INSTALL INTERFACE
CARDS WITH POWER APPLIED

1
0

0
M

b

L

in

p

s

k

10/100 ETHERNET 1

PIX 515E

F

D

X

1

0

0

M

b

p

s

L

in

k

F

D

X

10/100 ETHERNET 0

CONSOLE

PIX-515E

F

A

IL

O

V

E

R

Blue console cable

(72-1259-01)

Yellow Ethernet cable

(72-1482-01)

Failover serial cable

(74-1213-01)

Power cable

Rubber feet

7 flathead screws

(69-0123-01)

Security Appliance

Cisco PIX

Product CD

Mounting brackets

(700-01170-02 AO SSI-3)

4 cap screws
(69-0124-01)

End User License and

Software Warranty

Getting Started

Safety and

Compliance

Guide

PIX 515E

Guide

Documentation

4 spacers

(69-0125-01)

97955

3

2 Install the PIX 515E

DMZ server

Laptop

computer

Printer

Follow these steps to install the PIX 515E:

Step 1 Install the rubber feet onto the five, round, recessed areas on the bottom of the chassis.

Note The chassis is also rack-mountable. For rack-mounting and failover instructions, refer to

the Cisco PIX Firewall Hardware Installation Guide.

Step 2 Use the yellow Ethernet cable (72-1482-01) provided to connect the outside 10/100 Ethernet

interface, Ethernet 0, to a DSL modem, cable modem, or switch.

Step 3 Use the other yellow Ethernet cable (72-1482-01) provided to connect the inside 10/100

Ethernet interface, Ethernet 1, to a switch or hub.

Step 4 Connect the power cable to the rear of the PIX 515E and a power outlet.

Step 5 Power up the PIX 515E. The power switch is located at the rear of the chassis.

Switch

Switch

Personal
computer

DMZ

Inside

PIX 515E

Outside

Router

Internet

Power

cable

97998

Note For additional hardware installation procedures, refer to the Cisco PIX Firewall Hardware

Installation Guide.

4

3 Configure the PIX 515E

The PIX 515E comes with a factory-default configuration that meets the needs of most small and
medium business networking environments. A default DHCP server address pool is included for hosts on
the inside interface. The factory-default configuration on the PIX 515E protects your inside network
from unsolicited traffic.

By default, the PIX 515E denies all inbound traffic through the outside interface. Based on your
network security policy, you should also consider configuring the PIX 515E to deny all ICMP traffic
to the outside interface, or any other interface you deem necessary, by entering the icmp command.
For more information about the icmp command, refer to the Cisco PIX Firewall Command Reference.

The PIX 515E contains an integrated web-based configuration
tool called the Cisco PIX Device Manager (PDM), that is
designed to help you set up the PIX Firewall. PDM is
preinstalled on the PIX 515E. To access PDM, make sure that
JavaScript and Java are enabled in your web browser. Refer to
the Cisco PIX Device Manager Installation Guide for more
information on the operating system and web browser
environments supported by PDM.

PDM includes a Startup Wizard for simplified initial
configuration of your PIX Firewall. With just a few steps, the
PDM Startup Wizard enables you to efficiently create a basic configuration that allows packets to flow
through the PIX Firewall from the inside network to the outside network securely. Follow these steps to
use the Startup Wizard:

Step 1 If you have not already done so, connect the inside Ethernet 1 interface of the PIX 515E to a

switch or hub using the Ethernet cable. To this same switch, connect a PC for configuring the
PIX 515E.

Step 2 Configure your PC to use DHCP (to receive an IP address automatically from the PIX 515E)

or assign a static IP address to your PC by selecting an address out of the 192.168.1.0
network. (Valid addresses are 192.168.1.2 through 192.168.1.254 with a mask of 255.255.255.0
and default route of 192.168.1.1.)

Note The inside interface of the PIX 515E is assigned 192.168.1.1 by default, so this

address is unavailable.

Step 3 Check the LINK LED on the PIX 515E Ethernet 1 interface. When connectivity occurs, the

LINK LED on the Ethernet 1 interface of the PIX Firewall and the corresponding LINK LED on
the switch or hub lights up solid green.

5

Step 4 To access the Startup Wizard, use the PC connected to the switch or hub and enter the URL

https://192.168.1.1/startup.html into your Internet browser.

Note Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL)

provides a secure connection between your browser and the PIX 515E.

Step 5 Leave both the username and password boxes empty. Press Enter.

Step 6 Select Yes to accept the certificates and follow the instructions in the Startup Wizard to set up

your PIX 515E. For online Help, click the Help button at the bottom of the Startup Wizard
window.

4 Example Configurations

The following section provides configuration examples for two common PIX 515E configuration
scenarios: hosting a web server on a DMZ network and establishing a site-to-site VPN connection with
other business partners or remote offices. Use these examples to set up your network. Substitute
network addresses and apply additional policies as needed.

DMZ Configuration

A demilitarized zone (DMZ) is a neutral zone between private (inside) and public (outside) networks.
A DMZ allows you to have a presence on the public Internet, while protecting private network
resources that are accessed by users on the public Internet; for example, mail servers or web servers.
The illustration below shows a sample network topology that is common to most DMZ
implementations using the PIX 515E, in which the web server is on the DMZ interface. HTTP clients
from the inside and the outside networks are able to access the web server securely.

In the illustration below, an HTTP client (10.10.10.10) on the inside network initiates HTTP
communications with the DMZ web server (30.30.30.30). HTTP access to the DMZ web server is
provided for all clients on the Internet; all other communications are denied. The network is
configured such that the range of available IP addresses on the DMZ interface are between

30.30.30.50–30.30.30.60. There are two publicly routable IP addresses available, one for the
PIX 515E outside interface (209.165.156.10) and one for the translated DMZ server
(209.165.156.11). Because the DMZ server is located on a private DMZ network, it is necessary to
translate its private IP address to a public (routable) IP address. This public address allows external
clients HTTP access to the DMZ server as though it was located on the Internet. Use PDM to quickly
configure your PIX 515E for secure communications between HTTP clients and web servers.

6

HTTP client

10.10.10.10

Inside

10.10.10.0

PIX 515E

DMZ

30.30.30.0

Outside

209.165.156.10

Internet

HTTP client

HTTP client

Web server

30.30.30.30

97999

Step 1 Manage IP Pools for Network Translations

For an inside HTTP client (10.10.10.10) to access the web server on the DMZ network (30.30.30.30),
it is necessary to define an IP pool (30.30.30.50–30.30.30.60) for the DMZ interface. Similarly, an IP
pool for the outside interface (209.165.156.10) is required for the inside HTTP client to communicate
with any device on the public network. Use PDM to manage IP pools efficiently and easily to facilitate
secure communications between protected network clients and devices on the Internet.

a. Launch PDM.

b. Click the Configuration button at the top of the PDM window.

7

c. Select the Translation Rules tab.

d. Click the Manage Pools button and a new window appears, allowing you to add or edit global

address pools.

Note For most configurations, global pools are added to the less secure, or public, interfaces.

In the Manage Global Address Pools window:

a. Select the dmz interface.

b. Click the Add button.

In the Add Global Pool Item window:

a. Select dmz from the Interface drop-down menu.

8

b. Click the Range radio button to enter the IP address range.

c. Because the range of IP addresses for the DMZ interface is 30.30.30.50– 30.30.30.60, enter

these values in the two fields.

d. Enter a unique Pool ID (in this case, enter 200).

e. Click the OK button to go back to the Manage Global Address Pools window.

Note You can also select PAT or PAT using the IP address of the interface if there are limited IP

addresses available for the DMZ interface.

Because there are only two public IP addresses available, with one reserved for the DMZ server, all
traffic initiated by the inside HTTP client exits the PIX 515E using the outside interface IP address.
This allows traffic from the inside client to be routed to and from the Internet.

In the Manage Global Address Pools window:

a. Select the outside interface.

b. Click the Add button.

9

When the new window comes up:

a. Select outside from the Interface drop-down menu.

b. Click the Port Address Translation (PAT) using the IP address of the interface radio button.

c. Assign the same Pool ID for this pool as in Step d above (200).

d. Click the OK button.

Once the pools are configured, confirm their values before applying the rules to the PIX 515E.

Confirm the configurations:

a. Click the OK

button.

b. Click the Apply button in the main window.

10

Step 2 Configure Address Translations on Private Networks

Network Address Translation (NAT) replaces the source IP addresses of network traffic traversing
between two PIX interfaces. This translation prevents the private address spaces from being exposed
on public networks and permits routing through the public networks. Port Address Translation (PAT)
is an extension of the NAT function that allows several hosts on the private networks to map into a
single IP address on the public network. PAT is essential for small and medium businesses that have
a limited number of public IP addresses available to them.

To configure NAT between the inside and the DMZ interfaces for the inside HTTP client, complete
the following steps starting from the main PDM page:

a. Select the Translation Rules tab. Ensure that the Translation Rules radio button is selected.

11

b. Right click in the gray area below the Manage Pools button and select Add.

c. In the new window, select the inside interface.

d. Enter the IP address of the client (10.10.10.10).

e. Select 255.255.255.255 from the Mask drop-down menu.

Note You can select the inside host by clicking on the Browse button.

f. Select the DMZ interface on which the translation is required.

g. Click the Dynamic radio button in the Translate Address to section.

h. Select 200 from the Address Pools drop-down menu for the appropriate Pool ID.

i. Click the OK

button.

12

Note Enter the entire network range (10.10.10.0) or select the network using the Browse

button and select the Pool ID if there are multiple HTTP clients.

13