Cisco PIX 515E Security Appliance Quick Start Guide
1 Verifying the Package Contents
2 Installing the PIX 515E Security Appliance
3 Configuring the Security Appliance
4 Common Configuration Scenarios
5 Optional Maintenance and Upgrade Procedures
About the Cisco PIX 515E Security Appliance
The Cisco PIX 515E security appliance delivers enterprise-class security for small-to-medium businesses and enterprise networks in a modular, purpose-built security appliance. Ranging from compact, “plug-and-play” desktop appliances for small and home offices to carrier-class gigabit appliances for the most demanding enterprise and service-provider environments, Cisco PIX security appliances provide robust security, performance, and reliability for network environments of all sizes.
Part of the market-leading Cisco PIX 500 series, the Cisco PIX 515E security appliance provides a wide range of integrated security services, hardware VPN acceleration, award-winning high-availability and powerful remote management capabilities in an easy-to-deploy, high-performance solution.
About this document
This document describes how to install and configure the security appliance for use in a VPN or DMZ deployment. When you have completed the procedures outlined in this document, the security appliance will be running a basic VPN or DMZ configuration. The document provides only enough information to get the security appliance up and running with a basic configuration.
For more information, refer to the following documentation:
Cisco PIX Security Appliance Release Notes
Cisco PIX Security Appliance Hardware Installation Guide
Cisco Security Appliance Command Line Configuration Guide
Cisco Security Appliance Command Reference
Cisco Security Appliance System Log Messages
You can find these documents online at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/index.htm
1 Verifying the Package Contents
Verify the contents of the packing box to ensure that you have received all items necessary to install and configure your PIX 515E security appliance.
The package contains the following items:
PIX 515E security appliance
Documentation: End User License and Software Warranty, PIX 515E Getting Started Guide, Safety and Compliance Guide, and the Cisco PIX Security Appliance Product CD
PC terminal adapter (74-0495-01)
Blue console cable (72-1259-01)
Yellow Ethernet cable (72-1482-01)
Failover serial cable (74-1213-01)
Mounting brackets (700-01170-02 AO SSI-3)
7 flathead screws (69-0123-01)
4 cap screws (69-0124-01)
4 spacers (69-0125-01)
Rubber feet
Power cable
(The accompanying figure shows the PIX 515E rear panel with the CONSOLE and FAILOVER ports and the 10/100 ETHERNET 0 and 10/100 ETHERNET 1 ports, each with Link, FDX, and 100 Mbps LEDs. The panel carries the warning DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED.)
2 Installing the PIX 515E Security Appliance
This section describes how to install your PIX 515E security appliance into your own network, which might resemble the model in Figure 1.
Figure 1 Sample Network Layout
To install the PIX 515E security appliance, complete these steps:
Step 1 Mount the chassis in a rack by performing the following steps:
a. Attach the brackets to the chassis with the supplied screws. The brackets attach to the holes near the front of the chassis.
b. Attach the chassis to the equipment rack.
Step 2 Use one of the provided yellow Ethernet cables (72-1482-01) to connect the outside 10/100 Ethernet interface, Ethernet 0, to a DSL modem, cable modem, router, or switch.
Step 3 Use the other provided yellow Ethernet cable (72-1482-01) to connect the inside 10/100 Ethernet interface, Ethernet 1, to a switch or hub.
Step 4 Connect one end of the power cable to the rear of the PIX 515E security appliance and the other end to a power outlet.
Step 5 Power up the PIX 515E security appliance. The power switch is located at the rear of the chassis.
(Figure 1 shows the Internet connected through a router to the outside interface of the PIX 515E; a switch on the inside interface serving a laptop computer, a personal computer, and a printer; and a second switch on the DMZ interface serving a DMZ server.)
3 Configuring the Security Appliance
This section describes the initial security appliance configuration. You can perform the setup steps using either the browser-based Adaptive Security Device Manager (ASDM) or the command-line interface (CLI).
Note To run ASDM, you must have a DES license or a 3DES-AES license.
About the Factory Default Configuration
Cisco security appliances are shipped with a factory-default configuration that enables quick startup. This configuration meets the needs of most small and medium business networking environments. By default, the security appliance is configured as follows:
The inside interface is configured with a default DHCP address pool. This configuration enables a client on the inside network to obtain a DHCP address from the security appliance in order to connect to the appliance. Administrators can then configure and manage the security appliance using ASDM.
The outside interface is configured to deny all inbound traffic. This configuration protects your inside network from unsolicited traffic.
Based on your network security policy, you should also consider configuring the security appliance to deny ICMP traffic addressed to the outside interface, or to any other interface where it is not needed. You can configure this access control policy using the icmp command, which governs ICMP that terminates on an interface (ICMP passing through the appliance is controlled by access lists). For more information about the icmp command, refer to the Cisco Security Appliance Command Reference.
About the Adaptive Security Device Manager
The Adaptive Security Device Manager (ASDM) is a feature-rich graphical interface that enables you to manage and monitor the security appliance. Its web-based design lets you connect to and manage the security appliance over HTTPS from any location that is permitted to reach the management interface, using only a web browser.
In addition to complete configuration and management capability, ASDM features intelligent wizards to simplify and accelerate security appliance deployment.
To run ASDM, you must have a DES license or a 3DES-AES license. Additionally, Java and JavaScript must be enabled in your web browser.
About Configuration from the Command-Line Interface
In addition to the ASDM web configuration tool, you can configure the security appliance by using the command-line interface. For more information, refer to the Cisco Security Appliance Command Line Configuration Guide and the Cisco Security Appliance Command Reference.
Using the Startup Wizard
ASDM includes a Startup Wizard to simplify the initial configuration of your security appliance. With a few steps, the Startup Wizard enables you to configure the security appliance so that it allows packets to flow securely between the inside network and the outside network.
Before you launch the Startup Wizard, have the following information available:
A unique hostname to identify the security appliance on your network.
The IP addresses of your outside interface, inside interface, and other interfaces.
The IP addresses to use for NAT or PAT configuration.
The IP address range for the DHCP server.
To use the Startup Wizard to set up a simplified basic configuration on the security appliance, follow these steps:
Step 1 If you have not already done so, connect the inside Ethernet 1 interface of the security appliance to a switch or hub by using the Ethernet cable. To this same switch, connect a PC for configuring the security appliance.
Step 2 Configure your PC to use DHCP (to receive an IP address automatically from the security appliance), or assign a static IP address to your PC by selecting an address out of the 192.168.1.0 network. (Valid addresses are 192.168.1.2 through 192.168.1.254, with a mask of 255.255.255.0 and a default route of 192.168.1.1.)
Note The inside interface of the security appliance is assigned 192.168.1.1 by default, so this address is unavailable.
Step 3 Check the LINK LED on the Ethernet 1 interface. When a connection is established, the LINK LED on the Ethernet 1 interface of the security appliance and the corresponding LINK LED on the switch or hub will become solid green.
Step 4 Launch the Startup Wizard.
a. On the PC connected to the switch or hub, launch an Internet browser.
b. In the address field of the browser, enter this URL: https://192.168.1.1/.
Note The security appliance ships with a default IP address of 192.168.1.1. Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the security appliance.
Step 5 In the popup window that requires a username and password, leave both fields empty. Press Enter.
Note The factory default configuration has no enable password and no administrative user. Set both during the initial configuration, and keep management access limited to the inside network, before the outside interface is connected to an untrusted network.
Step 6 Click Yes to accept certificates. Click Yes for any subsequent certificates or authentication requests.
Note The certificate presented at first login is self-signed by the appliance, so the browser cannot verify it. Accept it only while the PC is on the directly connected inside network.
Step 7 After ASDM starts, choose the Wizards menu, then choose Startup Wizard.
Step 8 Follow the instructions in the Startup Wizard to set up your security appliance.
For information about any field in the Startup Wizard, click the Help button at the bottom of the window.
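The same starting configuration entered from the console instead of the Startup Wizard, together with the hardening that the wizard leaves to you (passwords, management access restricted to the inside network, SSH instead of Telnet, ICMP to the outside interface denied). This is an added example in PIX 7.0 syntax and is not taken from the guide. The hostname, domain name, the outside address mask (/24), the default gateway 209.165.156.1, the admin username, and the DHCP pool range are assumptions; the values in angle brackets are placeholders to replace with your own secrets.

```cisco
! Added example (PIX 7.0 syntax), not from the guide. Assumed: hostname,
! domain, /24 masks, gateway 209.165.156.1, username admin, DHCP pool range.
hostname pix515e
domain-name example.com                        ! assumed; required before generating the RSA key
enable password <strong-enable-secret>         ! factory default has no enable password
passwd <strong-login-secret>                   ! login password for SSH sessions

interface Ethernet0
 nameif outside
 security-level 0
 ip address 209.165.156.10 255.255.255.0       ! outside address from the DMZ scenario; mask assumed
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0          ! factory default inside address
 no shutdown

route outside 0.0.0.0 0.0.0.0 209.165.156.1    ! assumed upstream router

! DHCP for inside clients, as the factory default already provides
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside

! Management: HTTPS (ASDM) and SSH only, and only from the inside network.
! Nothing here permits management from the outside interface.
http server enable
http 192.168.1.0 255.255.255.0 inside
crypto key generate rsa modulus 1024           ! SSH does not start without a key pair
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
username admin password <strong-admin-secret> privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL          ! ends the empty-username ASDM login

! Drop ICMP aimed at the outside interface itself (through-traffic is
! governed by access lists, not by the icmp command)
icmp deny any outside

! Keep a local record of what the appliance blocks and accepts
logging enable
logging timestamp
logging buffered warnings

write memory
```

After this is applied, ASDM at https://192.168.1.1/ and SSH to 192.168.1.1 both prompt for the admin username and password, and connections to either service from the outside interface are refused because no http or ssh statement names that interface.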
4 Common Configuration Scenarios
This section provides configuration examples for two common security appliance configuration scenarios:
Hosting a web server on a DMZ network
Establishing a site-to-site VPN connection with other business partners or remote offices
Use these scenarios as a guide when you set up your network. Substitute your own network addresses and apply additional policies as needed.
Scenario 1: DMZ Configuration
A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside) network and a public (outside) network. This scenario is a sample network topology that is common to most DMZ implementations that use the security appliance. The web server is on the DMZ interface, and HTTP clients from both the inside and outside networks are able to access the web server securely.
In Figure 2, an HTTP client (10.10.10.10) on the inside network initiates HTTP communications with the DMZ web server (30.30.30.30). HTTP access to the DMZ web server is provided for all clients on the Internet; all other communications are denied. The network is configured to use an IP pool of addresses between 30.30.30.50 and 30.30.30.60. (The IP pool is the range of IP addresses available to the DMZ interface.)
Figure 2 Network Layout for DMZ Configuration Scenario
(Figure 2 shows the PIX 515E with its outside interface, 209.165.156.10, facing the Internet and its HTTP clients; the inside network 10.10.10.0 with an HTTP client at 10.10.10.10; and the DMZ network 30.30.30.0 with the web server at 30.30.30.30.)
Because the DMZ web server is located on a private DMZ network, it is necessary to translate its private IP address to a public (routable) IP address. This public address allows external clients to have HTTP access to the DMZ web server in the same way the clients would access any server on the Internet.
This DMZ configuration scenario, shown in Figure 2, provides two routable IP addresses that are publicly available: one for the outside interface (209.165.156.10) and one for the translated DMZ web server (209.165.156.11). The following procedure describes how to use ASDM to configure the security appliance for secure communications between HTTP clients and the web server.
In this DMZ scenario, the security appliance already has a third interface configured for the DMZ, named dmz, in addition to the outside and inside interfaces. Set up the DMZ interface by using the Startup Wizard. Its security level must lie between that of the outside interface (0) and the inside interface (100); a common choice is 50. With that ordering, inside hosts can initiate connections to the DMZ, but a compromised DMZ host cannot initiate connections to the inside network without an explicit access rule.
Information to Have Available
Internal IP addresses of the servers inside the DMZ that you want to make available to clients on the public network (in this scenario, a web server).
External IP addresses to be used for servers inside the DMZ. (Clients on the public network will use the external IP address to access the server inside the DMZ.)
Client IP address to substitute for internal IP addresses in outgoing traffic. (Outgoing client traffic will appear to come from this address so that the internal IP address is not exposed.)
Step 1: Configure IP Pools for Network Translations
For an inside HTTP client (10.10.10.10) to access the web server on the DMZ network (30.30.30.30), it is necessary to define a pool of IP addresses (30.30.30.50–30.30.30.60) for the DMZ interface. Similarly, an IP pool for the outside interface (209.165.156.10) is required for the inside HTTP client to communicate with any device on the public network. Use ASDM to manage IP pools efficiently and to facilitate secure communications between protected network clients and devices on the Internet.
1. Launch ASDM by entering this factory default IP address in the address field of a web browser: https://192.168.1.1.
2. Click the Configuration button at the top of the ASDM window.
3. Choose the NAT feature on the left side of the ASDM window.
4. Click the Manage Pools button at the bottom of the ASDM window. The Manage Global Address Pools window appears, allowing you to add or edit global address pools.
Note For most configurations, global pools are added to the less secure, or public, interfaces.
5. In the Manage Global Address Pools window:
a. Choose the dmz interface.
b. Click the Add button.
The Add Global Pool Item window appears.
6. In the Add Global Pool Item window:
a. Choose dmz from the Interface drop-down menu.
b. Click the Range radio button to enter the IP address range.
c. Enter the range of IP addresses for the DMZ interface. In this scenario, the range is 30.30.30.50 to 30.30.30.60.
d. Enter a unique Pool ID. (For this scenario, the Pool ID is 200.)
e. Click the OK button to go back to the Manage Global Address Pools window.
Note If only a few IP addresses are available on the DMZ interface, you can instead choose Port Address Translation (PAT) with a single address, or PAT using the IP address of the interface itself.
7. In the Manage Global Address Pools window:
a. Choose the outside interface.
b. Click the Add button.
The Add Global Pool Item window appears.
8. When the Add Global Pool Item window appears:
a. Choose outside from the Interface drop-down menu.
b. Click the Port Address Translation (PAT) using the IP address of the interface radio button.
c. Assign the same Pool ID for this pool as you did in Step 6d above. (For this scenario, the Pool ID is 200.)
d. Click the OK button.
9. Confirm that the configuration values are correct, then:
a. Click the OK button.
b. Click the Apply button in the main window.
Note Because there are only two public IP addresses available, with one reserved for the DMZ server, all traffic initiated by the inside HTTP client exits the security appliance using the outside interface IP address. This configuration allows traffic from the inside client to be routed to and from the Internet.
Step 2: Configure Address Translations on Private Networks
Network Address Translation (NAT) replaces the source IP addresses of network traffic exchanged between two security appliance interfaces. This translation prevents the private address spaces from being exposed on public networks and permits routing through the public networks. Port Address Translation (PAT) is an extension of the NAT function that allows several hosts on the private networks to map into a single IP address on the public network. PAT is essential for small and medium businesses that have a limited number of public IP addresses available to them.
To configure NAT between the inside interface and the DMZ interface for the inside HTTP client, complete the following steps starting from the main ASDM page:
1. Click the Configuration button at the top of the ASDM window.
2. Choose the NAT feature on the left side of the ASDM window.
3. Click the Translation Rules radio button, and then click the Add button at the right side of the ASDM page. The Add Address Translation Rule window appears.
4. In the Add Address Translation Rule window, make sure that the Use NAT radio button is selected, and then choose the inside interface from the drop-down menu.
5. Enter the IP address of the inside client. In this scenario, the IP address is 10.10.10.10.
6. Choose 255.255.255.255 from the Mask drop-down menu.
7. Choose the DMZ interface from the Translate Address on Interface drop-down menu.
8. Click the Dynamic radio button in the Translate Address To section.
9. Choose 200 from the Address Pools drop-down menu for the appropriate Pool ID.
10. Click the OK button.
11. A pop-up window displays asking if you want to proceed. Click the Proceed button.
12. On the NAT Translation Rules page, verify that the displayed configuration is accurate.
13. Click the Apply button to complete the configuration changes.
Step 3: Configure External Identity for the DMZ Web Server
The DMZ web server needs to be easily accessible by all hosts on the Internet. This configuration requires translating the web server IP address so that it appears to be located on the Internet, enabling outside HTTP clients to access it unaware of the security appliance. Complete the following steps to map the web server IP address (30.30.30.30) statically to a public IP address (209.165.156.11):
1. Click the Configuration button at the top of the ASDM window. Then choose the NAT feature on the left side of the ASDM window.
2. Click the Translation Rules radio button. Then click the Add button at the right side of the page.
3. Choose the dmz interface (the interface on which the web server resides) from the drop-down menu of interfaces.
4. Enter the IP address (30.30.30.30) of the web server, or click the Browse button to select the server.
5. Choose 255.255.255.255 from the Mask drop-down menu. Then click the Static radio button.
6. Enter the external IP address (209.165.156.11) for the web server. The Advanced button allows you to configure features such as limiting the number of connections per static entry and DNS rewrites. Then click the OK button.
7. Verify the values that you entered. Then click the Apply button.
Step 4: Provide HTTP Access to the DMZ Web Server
By default, the security appliance denies all traffic coming in from the public network. You must create access control rules on the security appliance to allow specific traffic types from the public network through the security appliance to resources in the DMZ.
To configure an access control rule that allows HTTP traffic through the security appliance so that any client on the Internet can access a web server inside the DMZ, complete the following steps:
1. In the ASDM window:
a. Click the Configuration button.
b. Choose the Security Policy button on the left side of the ASDM screen.
c. In the table, choose Add.
2. In the Add Rule window:
a. Under Action, choose permit from the drop-down menu to allow traffic through the security appliance.
b. Under Source Host/Network, click the IP Address radio button.
c. Choose outside from the Interface drop-down menu.
d. Enter the IP address of the Source Host/Network information. (Use 0.0.0.0 to allow traffic originating from any host or network.)
e. Under Destination Host/Network, click the IP Address radio button.
f. Choose the dmz interface from the Interface drop-down menu.
g. In the IP address field, enter the IP address of the destination host or network, such as a web server. (In this scenario, the IP address of the web server is 30.30.30.30.)
h. Choose 255.255.255.255 from the Mask drop-down menu.
Note Alternatively, you can select the Hosts/Networks in both cases by clicking the respective Browse buttons.
3. Specify the type of traffic that you want to permit:
Note HTTP traffic is always directed from any TCP source port number toward a fixed destination TCP port number 80.
a. Click the TCP radio button under Protocol and Service.
b. Under Source Port, choose “=” (equal to) from the Service drop-down menu.
c. Click the button labeled with ellipses (...), scroll through the options, and choose Any.
d. Under Destination Port, choose “=” (equal to) from the Service drop-down menu.
e. Click the button labeled with ellipses (...), scroll through the options, and select HTTP.
f. Click the OK button.
Note For additional features, such as system log messages by ACL, click the More Options radio button at the top of the screen. You can provide a name for the access rule in the window at the bottom.
g. Verify that the information you entered is accurate, and click the OK button.
Note Although the destination address specified above is the private address of the DMZ web server (30.30.30.30), HTTP traffic from any host on the Internet destined for 209.165.156.11 is permitted through the security appliance. The rule takes effect on the translated address: the static translation (30.30.30.30 = 209.165.156.11) is what an inbound packet matches, and ASDM applies that mapping when it installs the rule.
h. Click the Apply button in the main window.
The HTTP clients on the private and public networks can now reach the DMZ web server over HTTP. Only TCP port 80 is permitted; the implicit deny at the end of the access list still blocks every other inbound connection to the DMZ.
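The four ASDM steps of this scenario, entered as the equivalent PIX 7.0 CLI so that the resulting configuration can be read and verified in one place. This is an added example and not from the guide or from Cisco. It assumes the DMZ is on Ethernet2 of an installed interface card, that the inside and DMZ interface addresses are 10.10.10.1 and 30.30.30.1 with /24 masks, that the outside interface keeps 209.165.156.10/24, and that the access list is named outside_access_in; none of those names or addresses appear in the guide.

```cisco
! Added example (PIX 7.0 syntax), not from the guide. Assumed: DMZ on
! Ethernet2, interface addresses .1, /24 masks, ACL name outside_access_in.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0           ! inside readdressed to match Figure 2
interface Ethernet2
 nameif dmz
 security-level 50                             ! between outside (0) and inside (100)
 ip address 30.30.30.1 255.255.255.0
 no shutdown

! Step 1: global pools on both less-secure interfaces, sharing pool ID 200
global (dmz) 200 30.30.30.50-30.30.30.60       ! used when inside hosts reach the dmz
global (outside) 200 interface                 ! PAT on 209.165.156.10 toward the Internet

! Step 2: dynamic translation for the inside HTTP client. Only this host is
! covered; use 10.10.10.0 255.255.255.0 to translate the whole inside network.
nat (inside) 200 10.10.10.10 255.255.255.255

! Step 3: static one-to-one mapping giving the web server a public identity
static (dmz,outside) 209.165.156.11 30.30.30.30 netmask 255.255.255.255

! Step 4: permit HTTP from anywhere to the web server, inbound on outside.
! At the CLI the rule names the mapped address 209.165.156.11: on PIX 7.x the
! inbound access list is evaluated before the static translation is undone.
! ASDM accepts the real address 30.30.30.30 and installs the mapped one.
access-list outside_access_in extended permit tcp any host 209.165.156.11 eq www
access-group outside_access_in in interface outside
! The implicit deny at the end of the list blocks everything else from outside.
! Inside (100) to dmz (50) needs no rule; dmz (50) to inside (100) stays denied.

! Verification once a client has connected
show xlate                                     ! a 30.30.30.50-60 entry for 10.10.10.10
show access-list outside_access_in             ! hit count on the permit line
show conn                                      ! TCP port 80 connections to 30.30.30.30
```

If the hit count on outside_access_in stays at zero while outside clients report timeouts, the usual cause is a rule written against 30.30.30.30 instead of 209.165.156.11; the static line and the access list must agree on the mapped address.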
Scenario 2: Site-to-Site VPN Configuration
Site-to-site VPN (Virtual Private Networking) features provided by the security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security. A VPN connection enables you to send data from one location to another over a secure connection, or “tunnel,” first by authenticating both ends of the connection, and then by automatically encrypting all data sent between the two sites.
Figure 3 shows an example VPN tunnel between two security appliances.
Figure 3 Network Layout for Site-to-Site VPN Configuration Scenario
Creating a VPN connection such as the one in the above illustration requires you to configure two security appliances, one on each side of the connection.
ASDM provides an easy-to-use configuration wizard to guide you quickly through the process of configuring a site-to-site VPN in a few simple steps.
Step 1: Configure the PIX security appliance at the first site.
Configure the security appliance at the first site, which in this scenario is PIX security appliance 1 (from this point forward referred to as PIX 1).
1. Launch ASDM by entering the factory default IP address in the address field of a web browser: https://192.168.1.1/admin.
2. In the main ASDM page, choose the VPN Wizard option from the Wizards drop-down menu. ASDM opens the first VPN Wizard page.
(Figure 3 shows PIX security appliance 1 at Site A, with inside network 10.10.10.0 and outside address 1.1.1.1, and PIX security appliance 2 at Site B, with inside network 20.20.20.0 and outside address 2.2.2.2. The two outside interfaces are connected across the Internet.)
In the first VPN Wizard page, do the following:
a. Choose the Site-to-Site VPN option.
Note The Site-to-Site VPN option connects two IPSec security gateways, which can include security appliances, VPN concentrators, or other devices that support site-to-site IPSec connectivity.
b. From the drop-down menu, choose outside as the enabled interface for the current VPN tunnel.
c. Click the Next button to continue.
Step 2: Provide information about the VPN peer.
The VPN peer is the system on the other end of the connection, usually at a remote site. Provide information about the VPN peer. In this scenario, the VPN peer is PIX security appliance 2 (from this point forward referred to as PIX 2).
1. Enter the Peer IP address (for PIX 2) and a tunnel group name.
2. Specify the type of authentication that you want to use by performing one of the following:
To use a pre-shared key for authentication, click the Pre-Shared Key radio button, and enter a pre-shared key, which is shared for IPSec negotiations between both security appliances. (The guide uses “CisCo” as its sample value. A real deployment needs a long, randomly generated key: peer authentication for the tunnel rests entirely on this secret, and a short or guessable one can be recovered by an attacker who can reach the outside interface.)
Note When you configure PIX 2 at the remote site, the VPN peer is PIX 1. Be sure to enter the same pre-shared key that you use here.
To use digital certificates for authentication, click the Certificate radio button, and then choose a Trustpoint Name from the drop-down menu.
3. Click the Next button to continue.
3. Click the Next button to continue.
Step 3: Configure the IKE Policy
IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy, and an authentication method to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels between two peers.
To specify the IKE policy, complete the following steps:
1. Select the Encryption (DES/3DES/AES), Authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the security appliance during an IKE security association. Of the choices offered, prefer AES or 3DES over DES, SHA over MD5, and Diffie-Hellman group 2 or 5 over group 1; single DES and the 768-bit group 1 are too weak to protect a tunnel today.
Note When configuring PIX 2, enter the exact values for each of the options that you chose for PIX 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process.
2. Click the Next button to continue.
Step 4: Configure IPSec Encryption and Authentication parameters
1. Choose the Encryption algorithm (DES/3DES/AES) and Authentication algorithm (MD5/SHA).
2. Click the Next button to continue.
Step 5: Specify Local Hosts and Networks
Identify hosts and networks at the local site to be allowed to use this IPSec tunnel to communicate with the remote-site peers. (The remote-site peers will be specified in a later step.)
Add or remove hosts and networks dynamically from the Selected panel by clicking on the >> or << buttons respectively. In the current scenario, traffic from Network A (10.10.10.0) is encrypted by SA 1 and transmitted through the VPN tunnel.
To specify a local host or network to be allowed access to the IPSec tunnel, complete the following steps:
1. Click IP Address.
2. Specify whether the interface is inside or outside by choosing one of the interfaces from the drop-down menu.
3. Enter the IP address and mask.
4. Click Add.
5. Repeat steps 1 through 4 for each host or network that you want to have access to the tunnel.
6. Click the Next button to continue.
Step 6: Specify Remote Hosts and Networks
Identify hosts and networks at the remote site to be allowed to use this IPSec tunnel to communicate with the local hosts and networks you identified in Step 5. Add or remove hosts and networks dynamically from the Selected panel by clicking on the >> or << buttons respectively. In the current scenario, for PIX 1, the remote network is Network B (20.20.20.0), so traffic encrypted from this network is permitted through the tunnel.
To specify a remote host or network to be allowed access to the IPSec tunnel, complete the following steps:
1. Click IP Address.
2. Specify whether the interface is inside or outside by choosing one location from the Interface drop-down menu.
3. Enter the IP address and mask.
4. Click Add.
5. Repeat steps 1 through 4 for each host or network that you want to have access to the tunnel.
6. Click the Next button to continue.
Note When configuring PIX 2, ensure that the values are correctly entered. The remote network for PIX 1 is the local network for PIX 2, and the reverse.
Step 7: View VPN Attributes and Complete Wizard
Review the configuration list for the VPN tunnel you just created. If you are satisfied with the configuration, click Finish to complete the Wizard and apply the configuration changes to the security appliance.
Note When configuring PIX 2, enter the same values for each of the options that you selected for PIX 1. Encryption and algorithm mismatches are a common cause of VPN tunnel failures and can slow down the process.
This concludes the configuration process for PIX 1.
What to Do Next
You have just configured the local security appliance. Now you need to configure the security appliance at the remote site.
At the remote site, configure the second security appliance to serve as a VPN peer. Use the procedure you used to configure the local security appliance, starting at Step 1: Configure the PIX security appliance at the first site, and finishing with Step 7: View VPN Attributes and Complete Wizard.
Note When configuring PIX 2, enter the exact same values for each of the options that you selected for PIX 1. Mismatches are a common cause of VPN configuration failures.
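The site-to-site tunnel from Figure 3 written out as the PIX 7.0 CLI that the VPN Wizard produces, for PIX 1 in full and for PIX 2 as the lines that differ, so the mirroring the notes above insist on can be checked line by line. This is an added example, not from the guide or from Cisco. The access list name vpn_to_siteB (and vpn_to_siteA on PIX 2), the transform set name ESP-3DES-SHA, the crypto map name outside_map, and the /24 masks are assumptions; the NAT exemption is a practitioner addition so that private addresses survive end to end; the pre-shared key is a placeholder.

```cisco
! Added example (PIX 7.0 syntax), not from the guide. Assumed names: ACLs
! vpn_to_siteB / vpn_to_siteA, transform set ESP-3DES-SHA, crypto map
! outside_map; /24 masks. Replace the key placeholder with a long random secret.
!
! ---- PIX 1 (Site A, outside 1.1.1.1, inside 10.10.10.0/24) ----
! Steps 5 and 6: traffic that belongs in the tunnel, local to remote
access-list vpn_to_siteB extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
! Exempt tunnel traffic from NAT (practitioner addition; without it the
! remote side sees translated addresses and the crypto ACL never matches)
nat (inside) 0 access-list vpn_to_siteB

! Step 3: IKE phase 1 policy; every value must be identical on PIX 2
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Step 4: IPSec phase 2 parameters
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Step 2: the peer and its pre-shared key; the L2L tunnel group is named
! by the peer's address
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key <long-random-secret-shared-with-pix2>

! Bind crypto ACL, peer and transform set, then apply to outside
crypto map outside_map 10 match address vpn_to_siteB
crypto map outside_map 10 set peer 2.2.2.2
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
! Decrypted traffic bypasses the outside access list by the PIX 7.0 default
! "sysopt connection permit-ipsec"; keep that in mind when auditing rules.

! ---- PIX 2 (Site B, outside 2.2.2.2, inside 20.20.20.0/24) ----
! Same isakmp policy and transform set as above; only these lines mirror:
!   access-list vpn_to_siteA extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
!   nat (inside) 0 access-list vpn_to_siteA
!   tunnel-group 1.1.1.1 type ipsec-l2l
!   tunnel-group 1.1.1.1 ipsec-attributes
!    pre-shared-key <same-secret>
!   crypto map outside_map 10 match address vpn_to_siteA
!   crypto map outside_map 10 set peer 1.1.1.1
!   crypto map outside_map 10 set transform-set ESP-3DES-SHA
!   crypto map outside_map interface outside

! Verification on either side, after a host in 10.10.10.0 sends to 20.20.20.0
show isakmp sa                                 ! a phase 1 SA with the peer address
show ipsec sa                                  ! pkts encaps / decaps counters climbing
```

A phase 1 SA that never appears points at an isakmp policy or key mismatch; a phase 1 SA with no ipsec SA points at the transform set or at crypto ACLs that are not exact mirrors of each other.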
5 Optional Maintenance and Upgrade Procedures
Obtaining DES and 3DES/AES Encryption Licenses
The security appliance offers the option to purchase a DES or 3DES-AES license to enable specific features that provide encryption technology, such as secure remote management (SSH, ASDM, and so on), site-to-site VPN, and remote access VPN. Enabling the license requires an encryption license key.
If you ordered your security appliance with a DES or 3DES-AES license, the encryption license key comes with the security appliance.
If you did not order your security appliance with a DES or 3DES-AES license and would like to obtain one now, the encryption licenses are available at no charge on Cisco.com.
If you are a registered user of Cisco.com and would like to obtain a DES or 3DES/AES encryption license, go to the following website:
http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl
If you are not a registered user of Cisco.com, go to the following website:
http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl
Provide your name, e-mail address, and the serial number for the security appliance as it appears in the show version command output.
Note You will receive the new activation key for your security appliance within two hours (or less) of requesting the license upgrade.
To use the activation key, follow these steps:
Restoring the Default Configuration
You can resto re your configuration back to th e factory defaul t values in one of the foll owing ways:
You can start the Startup Wizard at this URL: https://192.168.1.1/.
Using the command line as specifi ed in the follow ing procedure.
Command Purpose
Step 1
pix# show version
Shows the software release, hardware configuration, license key, and related uptime data.
Step 2
pix# configure terminal
Enters global configuration mode.
Step 3
pix(config)# activation-key activation-5-tuple-key
Updates the encryption activation key by replacing the activation-5-tuple-key variable with the activation key obtained with your new license. The activation-5-tuple-key variable is a five-element hexadecimal string with one space between each element. An example is 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e. The “0x” is optional; all values are assumed to be hexadecimal.
Step 4
pix(config)# exit
Exits global configuration mode.
Step 5
pix# copy running-config startup-config
Saves the configuration.
Step 6
pix# reload
Reboots the security appliance and reloads the configuration.
To restore your default configuration back to the factory-default values, follow these steps:
Command Purpose
Step 1
hostname> enable
Accesses privileged EXEC mode.
Step 2
Password:
Enter password.
Step 3
hostname# configure terminal
Accesses global configuration mode.
Step 4
hostname(config)# configure factory-default [inside_ip_address [address_mask]] (1)
Erases the running configuration and replaces it with the factory default configuration. Entering the configure factory-default command erases the current running configuration.
Step 5
hostname(config)# write memory
Writes the factory default configuration to Flash memory.
1. If the optional inside IP address and address mask are specified, the factory-default configuration reflects that.
Alternative Ways to Access the Security Appliance
You can access the CLI for administration using the console port on the security appliance. To do so, you must run a serial terminal emulator on a PC or workstation.
To set up your system so that you can administer the security appliance from the command line using the console port, follow these steps:
Step 1 Connect the blue console cable so that you have a DB-9 connector on one end, as required by the serial port for your computer, and the RJ-45 connector on the other end.
Note Use the console port to connect to a computer to enter configuration commands.
Locate the blue console cable from the accessory kit. The blue console cable assembly consists of a null-modem cable with RJ-45 connectors and a DB-9 connector.
Step 2 Connect the RJ-45 connector to the PIX 515E security appliance console port, and connect the other end to the serial port connector on your computer. (See Figure 4.)
Figure 4 Cisco PIX Security Appliance Back Panel
[Figure 4 callouts: Console port (RJ-45); RJ-45 to DB-9 serial cable (null-modem); PC terminal adapter DB-9; 10/100 ETHERNET 0/0 ports with Link, FDX and 100 Mbps LEDs; FAILOVER; PIX-515; label DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED.]
If your PIX 515E security appliance has a four-port Ethernet circuit board already installed, the Ethernet circuit boards are numbered as shown in Figure 5. The four-port Ethernet circuit board is required to access the PIX 515E security appliance unrestricted license.
Figure 5 Four-Port Ethernet Circuit Board
[Figure 5 callouts: Ethernet 0 through Ethernet 5.]
If your PIX 515E security appliance has one or two single-port Ethernet circuit boards installed in the auxiliary assembly on the left of the unit at the rear, the circuit boards are numbered top to bottom so that the top circuit board is Ethernet 2 and the bottom circuit board is Ethernet 3.
Figure 6 Ethernet Circuit Boards Installed in Auxiliary Assembly
[Figure 6 callouts: Ethernet 0 through Ethernet 3; label DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED.]
Note If you need to install an optional circuit board, refer to the “Installing a Circuit Board in the PIX 515E” section in the Cisco PIX Security Appliance Hardware Installation Guide.
If you have a second PIX 515E security appliance to use as a failover unit, install the failover feature and cable as described in the “Installing Failover” section in the Cisco PIX Security Appliance Hardware Installation Guide.
Step 3 Connect the inside, outside, or perimeter network cables to the interface ports. Starting from the top left, the connectors are Ethernet 2, Ethernet 3, Ethernet 4, and Ethernet 5. The maximum number of allowed interfaces is six with an unrestricted license.
Note Do not add a single-port circuit board in the extra slot below the four-port circuit board because the maximum number of allowed interfaces is six.
Step 4 Power on the unit from the switch at the rear to start the PIX 515E security appliance. Do not power on the failover units until the active unit is configured.
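The five-element activation-key string described in the license-upgrade steps earlier in this section is easy to mistype at the console, so checking it before entering the activation-key command is worthwhile. The following Python helper is an added example, not code from this guide or from Cisco; it assumes each element is a 32-bit word, as in the guide's sample values (the guide itself only states that the elements are hexadecimal), and the sample key it uses is constructed.

```python
import re

# One element: optional 0x/0X prefix, then 1 to 8 hex digits.
# Assumption of this example: elements are 32-bit words (8 hex digits at
# most), matching the widths in the guide's sample key.
_ELEMENT_RE = re.compile(r"^(?:0[xX])?([0-9a-fA-F]{1,8})$")
ELEMENTS_EXPECTED = 5  # the guide specifies a five-element string


def parse_activation_key(key: str) -> list[int]:
    """Split a 5-tuple activation key into its five integer elements.

    Enforces the format the guide describes: exactly five hexadecimal
    elements separated by a single space, each optionally prefixed with
    "0x". Raises ValueError on the wrong element count, a non-hex element,
    or an element wider than 32 bits (the width is this example's assumption).
    """
    parts = key.strip().split(" ")  # a double space yields an empty part
    if len(parts) != ELEMENTS_EXPECTED:
        raise ValueError(
            f"expected {ELEMENTS_EXPECTED} elements, got {len(parts)}")
    values = []
    for position, part in enumerate(parts, start=1):
        match = _ELEMENT_RE.match(part)
        if match is None:
            raise ValueError(
                f"element {position} is not a 32-bit hex value: {part!r}")
        values.append(int(match.group(1), 16))
    return values


def canonical_activation_key(key: str) -> str:
    """Return the key with every element as 0x plus 8 lowercase hex digits."""
    return " ".join(f"0x{value:08x}" for value in parse_activation_key(key))


def activation_key_command(key: str) -> str:
    """Build the global-configuration command line from a validated key."""
    return f"activation-key {canonical_activation_key(key)}"


def is_valid_activation_key(key: str) -> bool:
    try:
        parse_activation_key(key)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample key; not a real license value.
    sample = "01234567 89ABCDEF deadbeef badf00d CAFEBABE"
    print(activation_key_command(sample))
    for bad in ("0x01234567 0x89abcdef 0xdeadbeef 0x0badf00d",  # four elements
                "0x01234567 0x89abcdef 0xdeadbeef 0x0badf00d 0xcafebabg"):  # non-hex
        print("rejected:", bad, is_valid_activation_key(bad))
```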
Checking the LEDs
Table 1 PIX 515E Security Appliance Front Panel LEDs
LED      Color  State     Description
POWER    Green  On        On when the unit has power.
ACT      Green  On        On when the unit is the active failover unit. If failover is present, the light is on when the unit is the active unit.
                Off       Off when the unit is in standby mode. If failover is not enabled, this light is off.
NETWORK  Green  Flashing  On when at least one network interface is passing traffic.
Figure 7 PIX 515E Security Appliance Front Panel LEDs
[Figure 7 callouts: POWER, ACT and NETWORK LEDs on the front panel. Back panel: Console port (RJ-45); Power switch; USB; 10/100BaseTX ETHERNET 0 (RJ-45) and 10/100BaseTX ETHERNET 1 (RJ-45), each with ACT LED, LINK LED and 100 Mbps LED; FAILOVER; label DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED.]
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation DVD
Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit.
Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com. You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
Report security vulnerabilities in Cisco products.
Obtain assistance with security incidents that involve Cisco products.
Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:
Emergencies—security-alert@cisco.com
Nonemergencies—psirt@cisco.com
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any
sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:
http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on
In an emergency, you can also reach PSIRT by telephone:
1 877 228-7302
1 408 525-6532
Page 36
36
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technica l Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technica l Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. Th e website is available 24 hours a day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco T echnical Support W ebsite requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before
submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate th e serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which yo u require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/packet
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100
European Headquarters
Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www-europe.cisco.com Tel: 31 0 20 357 1000 Fax: 31 0 20 357 1100
Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-7660 Fax: 408 527-0883
Asia Pacific Headquarters
Cisco Systems, Inc. 168 Robinson Road #28-01 Capital Tower Singapore 068912 www.cisco.com Tel: +65 6317 7777 Fax: +65 6317 7799
Cisco Systems has more than 200 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Cyprus • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe
Printed in the USA on recycled paper containing 10% postconsumer waste.
78-16824-01 DOC-7816824=