Cisco PIX 520 - PIX Firewall 520, PIX 520 User Manual

Chapter 5: PIX 520
This chapter guides you through the installation of the PIX 520, and includes the following sections:
PIX 520 Product Overview
PIX 520 Feature Licenses
Installing Failover
Installing LAN-Based Failover
Removing and Replacing the PIX 520 Chassis Cover
Replacing a Lithium Battery
Installing a Memory Upgrade
Installing a Circuit Board in the PIX 520
Installing the PIX 520 DC Model
PIX 520 Product Overview
This section describes the PIX 520 front and rear panels and the panel LEDs.
Figure 5-1 shows the front view of the PIX 520.
Figure 5-1 PIX 520 Front Panel
Cisco PIX Security Appliance Hardware Installation Guide, 78-15170-02
Figure 5-2 shows the rear view of the PIX 520.
Figure 5-2 PIX 520 Rear Panel
[Figure label: Auto-Range Selection L:90-135V H:180-270V]
Note Use of the four-port Ethernet circuit board changes the position of the outside and inside interfaces depending on the slot in which the circuit board is installed. Four-port Ethernet connectors are numbered from the top connector down sequentially. On horizontally mounted cards, the slots are numbered left to right.
The PIX 520 can be used with Ethernet circuit boards.
The four-port Ethernet circuit board provides four 10/100 Ethernet connections and has autosense capability. Connectors on the four-port Ethernet circuit board are numbered top to bottom sequentially; however, the actual device number depends on the slot in which the four-port Ethernet circuit board is installed.
Table 5-1 describes how the top connector is numbered.
Table 5-1 Numbering Devices with a Four-Port Connector
Slot 0 Contains   Slot 1 Contains   Slot 2 Contains   Four-Port Top Connector
4-port            Any               Any               ethernet0
Ethernet          4-port            Any               ethernet1
Ethernet          Ethernet          4-port            ethernet2
Token Ring        4-port            Any               ethernet0
Token Ring        Token Ring        4-port            ethernet0
Token Ring        Ethernet          4-port            ethernet1
Ethernet          Token Ring        4-port            ethernet1
With the four-port Ethernet circuit board, having a circuit board in slot 3 makes the number of interfaces greater than six; while the circuit board in slot 3 cannot be accessed, its presence does not cause problems with the PIX security appliance.
Figure 5-3 shows the location of the interfaces if you install a four-port Ethernet circuit board in slot 0.
Figure 5-3 Four-Port Ethernet Circuit Board Installed in Slot 0
[Figure labels: Interface 0, Interface 1, Interface 2, Interface 3, Interface 4, Interface 5]
Figure 5-4 shows how the slots are numbered if a single-port Ethernet circuit board is inserted in slot 0, and a four-port Ethernet circuit board is inserted in slot 1.
Figure 5-4 Single-Port Ethernet Circuit Board Installed in Slot 0 and Four-Port Ethernet Circuit Board Installed in Slot 1
[Figure labels: Interface 0, Interface 1, Interface 2, Interface 3, Interface 4]
Figure 5-5 shows how the slots are numbered if single-port Ethernet circuit boards are installed in slot 0 and in slot 1, and a four-port Ethernet circuit board is inserted in slot 2.
Figure 5-5 Single-Port Ethernet Circuit Board Installed in Slot 0 and 1 and Four-Port Ethernet Circuit Board Installed in Slot 2
[Figure labels: Interface 0, Interface 1, Interface 2, Interface 3, Interface 4, Interface 5]
Installing the PIX 520
To install the PIX 520, perform the following steps:
Step 1 Refer to Figure 5-6 for information on the features of the PIX 520.
Figure 5-6 PIX 520 Front, Rear, and Side Panels
[Figure labels: reset button, power light, diskette compartment, slots for network interfaces, Failover connector, console connector, power connector, power switch, AC auto-range selection (L:90-135V H:180-270V), DC power connector, ground lugs, fan duct, rackmount holes, holes to connect rackmount slide rails (must be purchased separately from outside vendor), holes to connect rackmount brackets (if rackmounting is desired)]
[Diskette compartment callouts: 1 To access, loosen screws counterclockwise. 2 Set plate on surface. 3 Insert PIX security appliance diskette. 4 To remove diskette, push button.]
Step 2 Connect network cables to each of the PIX security appliance network interfaces. On the PIX 520, connect the cables at the front of the unit.
If you are not installing a four-port Ethernet circuit board, add the cables as shown in Figure 5-7.
Figure 5-7 Up to Four Single-Port Interfaces in the PIX Security Appliance
[Figure labels: Interface 3, Interface 2, Interface 1, Interface 0]
Installing Interface Cables to the PIX 520
To install interface cables to the PIX 520, perform the following steps:
Step 1 Locate the serial cable. The serial cable assembly consists of a null modem cable with RJ-45 connectors, two separate DB-9 connectors, and a separate DB-25 connector as shown in Figure 5-8.
Step 2 Install the serial cable between the PIX security appliance and your console computer.
Figure 5-8 PIX Security Appliance Serial Cable Assembly
[Figure labels: PIX security appliance console connector; console port (DB-9); DB-9-to-DB-25 serial cable (null-modem); computer serial port, DB-25 or DB-9]
Step 3 Connect one of the DB-9 serial connectors to the console connector on the front panel of the PIX security appliance.
Step 4 Connect one end of the RJ-45 null modem cable to the DB-9 connector.
Step 5 If you are installing an AC voltage PIX security appliance, connect the power cord to the power connector on the rear panel of the PIX security appliance, and to a power outlet.
If you are installing a DC voltage PIX security appliance, refer to the “Installing the PIX 520 DC Model” section on page 5-21.
Step 6 The following options are available:
a. If you have a second PIX security appliance to use as a failover unit, install the failover feature and cable as described in the “Installing Failover” section on page 5-7.
Note Do not power on the failover units until the primary unit is configured.
If needed, install the PIX security appliance syslog server as described in the logging command page in the command reference online at:
http://cisco.com/en/US/products/sw/secursw/ps2120/prod_command_reference_list.html
b. If you need to install an optional circuit board such as a single-port Ethernet board, or the four-port Ethernet board, refer to the “Installing a Circuit Board in the PIX 520” section on page 5-15 for more information.
c. If you need to install additional memory, refer to the “Installing a Memory Upgrade” section on page 5-12.
If you are ready to start configuring the PIX security appliance, power on the unit. Refer to the configuration guide online at:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/config.html
Always check the release notes for the latest release details before configuring the PIX security appliance. You can find the latest versions of release notes online at:
http://preview.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_notes_list.html
PIX 520 Feature Licenses
If you have a PIX 520-UR unrestricted feature license, the following options are available:
If you have a second PIX 520 to use as a failover unit, install the failover feature and cable as described in the “Installing Failover” section on page 5-7.
If needed, install the PIX security appliance syslog server as described in the logging command in the command reference online at:
http://cisco.com/en/US/products/sw/secursw/ps2120/prod_command_reference_list.html
Refer to the “Installing LAN-Based Failover” section on page 5-8 for information about how to remove and replace the chassis cover if you need to install optional circuit boards.
Note It is very important to remove the chassis cover before installing circuit boards in the PIX 520. Even though it appears possible to add or remove circuit boards from the back panel, removing the chassis cover greatly simplifies the process.
If you need to install additional memory, refer to the “Installing a Memory Upgrade” section on page 5-12.
Installing Failover
To install a failover connection, perform the following steps:
Note This section only applies to PIX security appliance units with a “UR” (unrestricted) license.
Step 1 Power off both the primary and secondary units.
Note Both PIX security appliances must be the same model number, have at least as much RAM, have the same Flash memory size, and be running the same software version.
Step 2 Locate the Failover cable (shown in Figure 5-9). This cable is shipped separately from the PIX security appliance. The cable is labeled Primary on one end and Secondary on the other. Install the cable for the PIX 520 as shown in Figure 5-9.
Figure 5-9 PIX 520 Failover Cable Connection
[Figure labels: Primary end, Secondary end]
Step 3 Connect the Primary end of the Failover cable to the first PIX security appliance unit, that is, the one you have already configured.
Step 4 Connect the Secondary end of the Failover cable to the standby unit.
Step 5 Connect a power cord to the power connector on the rear panel of each unit, and the other end of each power cord to (preferably separate) power outlets.
Step 6 If you are using Stateful Failover, use whichever of the following types of connections is appropriate for your system between the dedicated interfaces on the PIX security appliance units:
100BaseTX half-duplex hub using straight Category 5 cables.
100BaseTX full duplex on a dedicated switch or dedicated VLAN of a switch.
All enabled interfaces must be connected between the active and standby units. Only configure the active unit. On the PIX 520, you can access the console and determine which unit is active with the show failover command, described in the command reference online at:
http://cisco.com/en/US/products/sw/secursw/ps2120/prod_command_reference_list.html
Caution Do not turn the power on until the units are connected and the primary unit is configured completely.
Step 7 Use the power switch at the back of the units to power the primary unit on and then power on the standby unit.
Within a few seconds, the active unit automatically downloads its configuration to the standby unit.
If the primary unit fails, the secondary unit automatically becomes active.
Installing LAN-Based Failover
LAN-based failover supports failover between two units connected over a dedicated Ethernet interface. LAN-based failover eliminates the need for a special Failover cable and overcomes the distance limitations imposed by the Failover cable.
For information on configuring a LAN-based failover, refer to the configuration guide online at:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/config.html
Note Both chassis must be the same model number, have the same amount of RAM, Flash memory, number and type of interfaces, and be running the same software version.
To set up a LAN-based failover connection, perform the following steps:
Step 1 Disconnect both the PIX security appliances, so that there is no traffic flow between them. If the Failover cable is connected to the PIX security appliance, disconnect it.
Step 2 Configure the PIX security appliances for LAN-based failover. Refer to the chapter on configuring LAN-based failover in the configuration guide online at:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/config.html
Step 3 Power off both units.
Step 4 Connect the LAN failover interfaces to the dedicated switch/hub, as shown in Figure 5-10.
Note A dedicated LAN interface and a dedicated switch (or VLAN) are required to implement LAN-based failover. You cannot use a crossover Ethernet cable to connect the two PIX security appliances.