Cisco PIX-515-RPS - PIX 515-R - Firewall, PIX 515E Quick Start Manual

Quick Start Guide

Cisco PIX 515E Security Appliance Quick Start Guide

1 Verifying the Package Contents 2 Installing the PIX 515E Security Appliance 3 Configuring the Security Appliance 4 Common Configuration Scenarios 5 Optional Maintenance and Upgrade Procedures

About the Cisco PIX 515E Security Appliance

The Cisco PIX 515E security appliance delivers enterprise-class security for small-to-medium businesses and enterprise networks in a modular, purpose-built security appliance. Ranging from compact, “plug-and-play” desktop appliances for small and home offices to carrier-class gigabit appliances for the most demanding enterprise and service-provider environments, Cisco PIX security appliances provide robust security, performance, and reliability for network environments of all sizes.

Part of the market-leading Cisco PIX 500 series, the Cisco PIX 515E security appliance provides a wide range of integrated security services, hardware VPN acceleration, award-winning high-availability and powerful remote management capabilities in an easy-to-deploy, high-performance solution.

About this document

This document describes how to install and configure the security appliance for use in a VPN or DMZ deployment. When you have completed the procedures outlined in this document, the security appliance will be running a basic VPN or DMZ configuration. The document provides only enough information to get the security appliance up and running with a basic configuration.

For more information, refer to the following documentation:

• Cisco PIX Security Appliance Release Notes

• Cisco PIX Security Appliance Hardware Installation Guide

• Cisco Security Appliance Command Line Configuration Guide

• Cisco Security Appliance Command Reference

• Cisco Security Appliance System Log Messages

You can find these documents online at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/index.htm

132235

POWER

ACT NETWORK

PIX Firewall

SERIES

1 Verifying the Package Contents

Verify the contents of the packing box to ensure that you have re ceived all items necessary to i nstall and configure your PIX 515E security appliance.

End User License and

Software Warranty

PIX 515E

Getting Started

Guide

Safety and

Compliance

Guide

PIX 515E

PC terminal adapter

(74-0495-01)

Documentation

Blue console cable

(72-1259-01)

Yellow Ethernet cable

(72-1482-01)

Cisco PIX

Security Appliance

Product CD

DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED

Link

FDX

100 Mbps

Link

100 Mbps

FAILOVER

PIX-515E

CONSOLE

10/100 ETHERNET 1

10/100 ETHERNET 0

Failover serial cable

(74-1213-01)

Mounting brackets

(700-01170-02 AO SSI-3)

7 flathead screws

(69-0123-01)

4 cap screws (69-0124-01)

4 spacers

(69-0125-01)

Rubber feet

97955

Power cable

2 Installing the PIX 515E Security Appliance

This section describes how to install your PIX 515E security appliance into your own network, which might resemble the model in Figure 1.

Figure 1 Sample Network Layout

To install the PIX 515E security a ppliance, complete these steps:

Step 1 Mount the chassis in a rack by performing the following steps:

a. Attach the brackets to the chassis with the supplied screws. The brackets attach to the holes

near the front of the chassis.

b. Attach the chassis to the equipment rack.

Step 2 Use one of the provided yellow Ethernet cables (72-1482-01) to connect the outside 10/100

Ethernet interface, Ethernet 0, to a DSL modem, cable modem, ro uter, or switch.

Step 3 Use the other provided yellow Ethernet cable (72-1482-01) to connect the inside 10/100

Ethernet interface, Ethernet 1, to a switch or hub.

Step 4 Connect one end of the power cable to the rea r of the PIX 515E security applianc e and the

other end to a power outlet.

Step 5 Power up the PIX 515E security appliance. The power switch is lo cated at the rear of the

chassis.

Internet

97998

DMZ server

Laptop

omputer

Printer

Personal computer

Switch

Inside

Outside

Router

PIX 515E

Power

cable

DMZ

3 Configuring the Security Appliance

This section describes the initial security appliance configuration. You can perform the setup steps using either the browser-based Adaptive Security Device Manager (ASDM) or the command-line interface (CLI).

Note To run the ASDM, you must ha ve a DES license or a 3DES -AES license.

About the Factory Default Configuration

Cisco security appliances are shipped with a factory-default configuration that enables quick startup. This configuration meets the needs of most small and m e d i u m b usin e s s networking environments. By default, the security appliance is configured as follows:

• The inside interface is configured with a default DHCP address pool. This configuration enables a client on the inside network to obtain a DHCP address from the

security appliance in order to connect to the appliance. Administrators can then configure and manage the security appliance using ASDM.

• The outbound interface is configured to deny all inbound traffic through the outside interface. This configuration protects your inside network from unsolicited traffic.

Based on your network security policy, you should also consider configuring the security appliance to deny all ICMP traffic through the outside interface or any other interface that is necessary. You can configure this access control policy using the icmp command. For more information about the icmp command, refer to the Cisco Security Appliance Command Reference.

About the Adaptive Security Device Manager

The Adaptive Security Device Manager (ASDM) is a feature-rich graphical interface that enables you to manage and monitor the security appliance. Its secure, web-based design provides secure access so that you can connect to and manage the security appliance from any location by using a web browser.

In addition to complete configuration and management capability, ASDM features intell igent wiza rds to simplify and accelerate security appliance deployment.

To run ASDM, you must have a DES license or a 3DES-AES license. Additionally, Java and JavaScript must be enabled in your web browser.

About Configuration from the Command-Line Interface

In addition to the ASDM web configuration tool, you can configure the security applianc e by using the command-line interface. For more information, refer to the Cisco Security Appliance Command Line Configuration Guide and the Cisco Security Appli ance Command Referenc e.

Using the Startup Wizard

ASDM includes a Startup Wizard to simplify the initial configuration of your security appliance. Wit h a few steps, the Startup Wizard enables you to configure the security appliance so that it allows packets to flow securely between the inside network and the outside network.

Before you launch the Startup Wizard, have the following information available:

• A unique hostname to identify the security appliance on your network.

• The IP addresses of your outside interface, inside interface, and other interfaces.

• The IP addresses to use for NAT or PAT configuration.

• The IP address range for the DHCP server.

To use the Startup Wizard to set up a simplified basic configuration on the security appliance, follow these steps:

Step 1 If you have not already done so, connect the inside Ethernet 1 inte rface o f the securi ty

appliance to a switch or hub by using the Ethernet cable. To this same switch, connect a PC for c o n fi g u ri n g th e security appliance.

Step 2 Configure your PC to use DHCP (to receive an IP address automatically from the security

appliance), or assign a static IP address to your PC by selecting an address out of the

192.168.1.0 network. (Valid addresses are 192.168.1.2 through 192.168.1.254, with a mask of

255.255.255.0 and default route of 192.168.1.1.)

Note The inside interface of the security appliance is assigned 192.168.1.1 by default, so

this address is unavailable.

Step 3 Check the LINK LED on the Ethernet 1 inte rface. When a connection is established, the LINK

LED on the Ethernet 1 interface of the security appliance and the corresponding LINK LED on the switch or hub will become solid green.

Step 4 Launch the Startup Wizard.

a. On the PC connected to the switch or hub, launch an Internet browser. b. In the address field of the browser, enter this URL: https://192.168.1.1/.

Note The security appliance ships with a default IP address of 192.168.1.1. Remember to

add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the security appliance.

Step 5 In the popup window that requires a username and passwo rd, leave both fields empty. Press

Enter.

Step 6 Click Yes to accept certificates. Click Yes fo r any subsequent certificates or au thentication

requests.

Step 7 After ASDM starts, choose the Wizards menu, then choose Startup Wizard. Step 8 Follow the instructions in the Startup Wizard to set up your security applia nce.

For information about any field in the Startup Wizard, click the Help button at the bottom of the window.

4 Common Configuration Scenarios

This section provides configuration examples for two common security appliance configuration scenarios:

• Hosting a web server on a DMZ network

• Establishing a site-to-site VPN connection with other business partners or remote offices

Use these scenarios as a guide when you set up your network. Substitute your own network addresses and apply additional policies as needed.

Scenario 1: DMZ Configuration

A demilitarized zone (DMZ) is a separate network locate d in the ne utral zone betw een a private (inside) network and a public (outside) network. This scenario is a sample network topology that is common to most DMZ implementations that use the se curity appliance. The web server is on the DMZ interface, and HTTP clients from both the inside and outside networks are able to access th e web server securely.

In the Figure 2, an HTTP client (10.10.10.10) on the inside network initiates HTTP communications with the DMZ web server (30.30.30.30). HTTP access to the DMZ web server is provided for all clients on the Internet; all other communications are denied. The network is configured to use an IP pool of addresses between 30.30.30.50 and 30.30.30.60. (The IP pool is the range of IP addresses available to the DMZ interface.)

Figure 2 Network Layout for DMZ Configuration Scenario

97999

PIX 515E

Internet

HTTP client

0.10.10.10

Web server

30.30.30.30

DMZ

30.30.30.0

Inside

10.10.10.0

HTTP clie

Outside

209.165.156.10

Because the DMZ web server is located on a private DMZ network , it is necessary to translate its private IP address to a public (routable) IP address. This public address allows external clients to have HTTP access to the DMZ web server in the same way the clients would access any server on the Internet.

This DMZ configuration scenario, shown in Figure 2, provides two routable IP addresses tha t are publicly available: one for the outside interface (209.165.156.10) and one for the translated DMZ web server (209.165.156.11). The following procedure describes how to use ASDM t o co nfig ure the security appliance for secure communications between HTTP clients and the web server.

In this DMZ scenario, the security appliance already has an outside interface configured, called dmz. Set up the security appliance interface for your DMZ by using the Startup Wizard. Ensure that the security level is set between 0 and 100. (A common choice is 50).

Information to Have Available

• Internal IP addresses of the servers inside the DMZ that you want to make available to clients on the public network (in this scenario, a web server).

• External IP addresses to be used for servers inside the DMZ. (Cli ents on the public network will use the external IP address to access the server inside the DMZ.)

• Client IP address to substitute for internal IP addresses in outgoing traffic. (Outgoing client traffic will appear to come from this address so that the internal IP address is not exposed.)

Step 1: Configure IP Pools for Network Translations

For an inside HTTP client (10.10.10.10) to access the web server on the DMZ network (30.30.30.30), it is necessary to define a pool of IP addresses (30.30.30.50–30.30.30.60) for the DMZ interface. Similarly, an IP pool for the outside interface (209.165.156.10) is required for the inside HTTP client to communicate with any device on the public network. Use ASDM to manage IP pools efficiently and to facilitate secure communications between protected network clients and devices on the Internet.

1. Launch ASDM by entering this factory default IP address in the address field of a web browser: https://192.168.1.1.

2. Click the Configuration button at the top of the ASDM window.

3. Choose the NAT feature on the left side of the ASDM window.

4. Click the Manage Pools button at the bottom of the ASDM window. The Manage Global Address

Pools window appears, allowing you to add or edit global address pools.

Note For most configurations, global pools are added to the less secure, or public, interfaces.

5. In the Manage Global Address Pools window:

a. Choose the dmz interface. b. Click the Add button.

The Add Global Pool Item window appears.

6. In the Add Global Pool Item window:

a. Choose dmz from the Interface drop-down menu. b. Click the Range radio button to enter the IP address range. c. Enter the range of IP addresses for the DMZ interface. In this scenario, the range is

30.30.30.50 to 30.30.30.60.

d. Enter a unique Pool ID. (For this scenario, the Pool ID is 200.) e. Click the OK button to go back to the Manage Global Address Pools window.

Note You can also choose Port Address Translation (PAT) or Port Address Translation

(PAT) using the IP address of the interface if there are limited IP addresses available for the DMZ interface.

7. In the Manage Global Address Pools window:

a. Choose the outside interface. b. Click the Add button.

The Add Global Pool Item window appears.

8. When the Add Global Pool Item window appears:

a. Choose outside from the Interface drop-down menu. b. Click the Port Address Tra nslation (PAT) usin g the IP address of the interfa ce ra dio button. c. Assign the same Pool ID for this pool as you did in Step 6d above. (For this scenario, the Pool

ID is 200.)

d. Click the OK button. The configuration should be similar to the following:

9. Confirm that the configuration values are correct, then:

a. Click the OK

button.

b. Click the Apply button in the main window.

Note Because there are only two public IP addresses available, with one reserved for the

DMZ server , all traffic initiated by the inside HTTP client exits the security appliance using the outside interface IP address. This configuration allows traffic from the inside client to be routed to and from the Internet.

Step 2: Configure Address Translations on Private Networks

Network Address Translation (NAT) replaces the source IP addresses of network traffic exchanged between two security appliance interfaces. This translation prevents the private address spaces from being exposed on public networks and permits routing through the public networks. Port A ddress Translation (PAT) is an extension of the NAT function that allows several hosts on the private networks to map into a single IP address on the public network. PAT is essential for small and medium businesses that have a limited number of public IP addresses available to them.

To configure NAT between the inside interface and the DMZ interface for the inside HTTP client, complete the following steps starting from the main ASDM page:

1. Click the Configuration button at the top of the ASDM window.

2. Choose the NAT feature on the left side of the ASDM window.

3. Click the Tran slation Rules radio bu tton, and then click the Add button at the right side of the

ASDM page. The Add Address Translation Rule window appears.

4. In the Add Address Translation Rule window, make sure that the Use NAT radio button is selected, and then choose the inside interface from the drop-down menu.

+ 29 hidden pages

Cisco PIX-515-RPS - PIX 515-R - Firewall, PIX 515E Quick Start Manual

Specifications and Main Features

Frequently Asked Questions

User Manual