Cisco PIX-525-UR-BUN - PIX 525 Unrestricted Bundle, PIX 525 User Manual

CHA PTER

6

PIX 525

This chapter guides you through the installation of the PIX 525, and includes the following sections:

• PIX 525 Product Overview, page 6-1

• Installing the PIX 525, page 6-3

• PIX 525 Feature Licenses, page 6-5

• Installing Failover, page 6-6

• Installing LAN-Based Failover, page 6-8

• Removing and Replacing the PIX 525 Chassis Cover, page 6-9

• Replacing a Lithium Battery, page 6-12

• Installing a Memory Upgrade, page 6-12

• Installing a Circuit Board in the PIX 525, page 6-15

• Installing a DC Power Supply, page 6-19

PIX 525 Product Overview

Figure 6-1 show the front view of the PIX 525.

78-15170-02

Figure 6-1 PIX 525 Front Panel

POWER

ACTIVE

CISCO SECURITY PIX 525

SERIES

FIREWALL

Cisco PIX Security Appliance Hardware Installation Guide

61906

6-1

PIX 525 Product Overview

Figure 6-2 shows the rear view of the PIX 525.

Figure 6-2 PIX 525 Rear Panel

F
A
I
L
O
V
E

1
00M

bps A

CT

L
INK

1
00M

bps

10/1

0

0 ETH

ER

N

ET

1

R

A

C
T

1

0/100

P
IX-525

LIN

K

E

T

H

ER

NE

T 0

U

SB

C
O

N

S

OLE

There are two LEDs on the front panel of the PIX 525 (see Figure 6-3).

Figure 6-3 PIX 525 Front Panel LEDs

Chapter 6 PIX 525

61907

61913

Table 6-1 lists the state of the PIX 525 front panel LEDs.

Table 6-1 PIX 525 Front Panel LEDs

LED Color State Description

POWER Green On On when the unit has power.

ACT Green On On when the unit is the active failover unit.

Off Off when the unit is in standby mode.

There are three LEDs for the each RJ-45 interface port and three types of fixed interface connectors on
the back of the PIX 525.

Cisco PIX Security Appliance Hardware Installation Guide

6-2

78-15170-02

Chapter 6 PIX 525

F
A

I
L
O
V
E
R

1

0

0M

b

ps A

C

T

1

00M

b

ps A

C

T

LIN

K

LIN

K

PIX

-5

25

10/100 ETHERNET 1

10/100 ETHERNET 0

USB

CONSOLE

Installing the PIX 525

Figure 6-4 shows the PIX 525 rear panel LEDs.

Figure 6-4 PIX 525 Rear Panel LEDs

ACT(ivity)

LED

100Mbps

LED

10/100 BaseTX

Ethernet 1

ACT(ivity)

LINK

LED

LED

LINK

LED

Failover

connector

USB

port

(RJ-45)

10/100 BaseTX

Ethernet 0

Console

port (RJ-45)

(RJ-45)

Table 6-2 lists the states of the PIX 525 rear panel LEDs.

Table 6-2 PIX 525 Rear Panel LEDs

61912

LED Color State Description

100 Mbps Green On Port 100 megabits per second 100BaseTX communication.

ACT Green Flashing Shows network activity.

LINK Green On Shows that data is passing through that interface.

The PIX 525 has RJ-45, network and console connectors, as well as a DB-15 Failover cable connector.
The USB port is not used at this time.

Installing the PIX 525

To install the PIX 525, perform the following steps:

Step 1 The PIX 525 provides one set of brackets for installing the unit in an equipment rack. Complete these

steps if the unit is going to be installed into an equipment rack:

a. Attach the brackets to the holes near the front of the unit on each side of the PIX 525 using the

supplied screws.

b. Attach the unit to the equipment rack.

78-15170-02

Off Port is using 10 megabits per second data exchange.

Cisco PIX Security Appliance Hardware Installation Guide

6-3

Installing the PIX 525

F
A
I
L

O

V
E
R

100

M

bps A

C

T

100M

bps AC

T

LIN

K

LIN

K

P

IX

-525

10/100 ETHERNET 1

10/100 ETHERNET 0

USB

CONSOLE

Step 2 Connect the cable so that you have either a DB-9 or DB-25 connector on one end as required by the serial

Step 3 Connect the RJ-45 serial cable connector to the PIX 525 console connector and connect the other end to

Chapter 6 PIX 525

port for your computer, and the other end is the RJ-45 connector as shown in Figure 6-5.

Note Use the Console port to connect a computer to enter configuration commands. Locate the serial

cable from the accessory kit. The serial cable assembly consists of a null modem cable with
RJ-45 connectors, and one DB-9 connector and a DB-25 connector.

the serial port connector on your computer.

Figure 6-5 PIX 525 Rear Panel

Console

port (RJ-45)

RJ-45 to
DB-9 or DB-25

PC terminal adapter DB-9

serial cable
(null-modem)

104944

Step 4

Connect the outside network cable to the remaining Ethernet port. Refer to the “PIX 525 Feature

Licenses” section on page 6-5 for information on how to configure the ports.

Note The inside or outside network connections can be made to any available interface port on the

PIX 525. If you are only using the ETHERNET 0 and ETHERNET 1 ports, connect the inside
network cable to the interface connector marked ETHERNET 0 or ETHERNET 1.

Step 5 If you need to install an optional circuit board, refer to the “Installing a Circuit Board in the PIX 525”

section on page 6-15. If you need to install memory, refer to the “Installing a Memory Upgrade” section
on page 6-12 for more information.

Note It is not necessary to remove the chassis cover of the PIX 525 to access the circuit boards or

memory.

Cisco PIX Security Appliance Hardware Installation Guide

6-4

78-15170-02

Chapter 6 PIX 525

Step 6 Connect the network cables to the expansion interface ports. (The inside, outside, or perimeter network

connections can be made to any available interface port on the PIX 525.) The first expansion port
number, at the top left, is interface 2. Starting from that port and going from left to right and top to
bottom, the next port is interface 3, the next is interface 4, and so on. Refer to the “PIX 525 Feature

Licenses” section on page 6-5 for information on how to configure the ports.

Step 7 If you have a second PIX security appliance to use as a failover unit, install the failover feature and cable

as described in the “Installing Failover” section on page 6-6.

Note Do not power on the standby failover unit until the primary unit is configured.

Step 8 When you are ready to start the PIX 525, power on the unit from the switch at the rear of the unit.

PIX 525 Feature Licenses

If you have the PIX-525-UR unrestricted feature license, the following options are available:

• If you have a second PIX 525 to use as a failover unit, install the failover feature and cable as

described in the “Installing Failover” section on page 6-6.

• If needed, install the PIX security appliance syslog server as described on the logging command

page in the command reference online at:

PIX 525 Feature Licenses

http://cisco.com/en/US/products/sw/secursw/ps2120/prod_command_reference_list.html

• If you need to install an optional circuit board, refer to the “Installing a Circuit Board in the

PIX 525” section on page 6-15.

• If you need to install additional memory, refer to the “Installing a Memory Upgrade” section on

page 6-12.

For information on upgrading feature licenses or downloading the latest software versions, refer to the
configuration guide online at:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/config.html

This section includes the following topics:

• VPN Accelerator Card, page 6-6

• VPN Accelerator Card+, page 6-6

78-15170-02

Cisco PIX Security Appliance Hardware Installation Guide

6-5

Installing Failover

VPN Accelerator Card

The VPN Accelerator Card (VAC) for the Cisco PIX security appliance series is a card that provides
high-performance, tunneling and encryption services suitable for site-to-site and remote access applications.
The VAC is integrated with PIX 525 unrestricted (UR) and failover (FO) bundles. You can also purchase the
VAC as a spare for use with PIX 525 units that have a restricted (R) license.

VPN Accelerator Card+

The VAC+ is a 64-bit/66 MHz PCI card that provides faster tunneling and encryption services for Virtual
Private Network (VPN) remote access, and site-to-site intranet and extranet applications, than the VAC.
Each VAC+ occupies a single PCI slot in the system. The VAC+ is supported on any chassis that runs
software Version 6.3 or later, has an appropriate license to run VPN software, and at least one PCI slot
available. While the VAC continues to be supported in Version 6.3, if both types of cards, the VAC and
the VAC+, are installed in a system running Version 6.3, the VAC card is ignored. The VAC+ runs at both
32-bit/33 MHz and 64-bit/66 MHz, and does not slow down the bus when other 66 MHz cards are
installed. We strongly recommend that you install the VAC+ in a 64bit/66 MHz slot. Performance will be
degraded if this recommendation is not followed.

Chapter 6 PIX 525

The VAC+ driver supports the following:

• 3DES, DES, AES, SHA1, MD5 for (IPSec) ESP protocol (For AES, only the CBC mode and key

sizes of 128, 192, and 256 bits are supported).

• SHA1, MD5 for the (IPSec) AH protocol.

• Load sharing ESP and AH activity between up to three VAC+.

• Diffie-Hellman public key and shared secret generation.

• Any other crypto-related activity uses a software implementation.

Installing Failover

To install a failover connection, perform the following steps:

Step 1 Power off both the primary and secondary units.

Note Both PIX security appliances must have the same model number, have at least as much RAM,

have the same Flash memory size, and be running the same software version. Note that the
PIX-4FE and PIX-4FE-66 cards are considered equivalent and interchangeable. You can install
a PIX-4FE in the primary unit and a PIX-4FE-66 in the secondary unit, as long as you install
them in the same slot number of each chassis. For example, if you install a PIX-4FE in Slot 1 of
the primary unit, you must also install the PIX-4FE-66 in Slot 1 of the secondary unit.

Step 2 Locate the failover cable (shown in Figure 6-6). This cable is shipped separately from the PIX security

appliance. The cable is labeled “Primary” on one end and “Secondary” on the other.

Cisco PIX Security Appliance Hardware Installation Guide

6-6

78-15170-02

Chapter 6 PIX 525

Install the cable for the PIX 525 as shown in Figure 6-6.

Figure 6-6 PIX 525 Failover Cable Connection

F

A

I

L
O
V
E
R

Y

R

A

M

I

R

P

Primary end

Y

R

A

D

N

O

C

E

S

Secondary end

F
A

I
L
O
V
E
R

Installing Failover

12395

Step 3

Connect the Primary end of the failover cable to the first PIX security appliance; that is, the one you have
already configured.

Note We highly recommend that you use a GE failover link when connecting the PIX 525 with GE

interfaces.

Step 4 Connect the Secondary end of the failover cable to the standby unit.

Step 5 Connect a power cord to the power connector on the rear panel of each unit, and the other end of each

power cord to (preferably separate) power outlets.

Step 6 If you are using Stateful Failover, use one of the following types of connections, that is appropriate for

your system, between the dedicated interfaces on the PIX security appliance:

• Category 5 crossover cable directly connecting the primary unit to the secondary unit

• 100BaseTX half-duplex hub using Straight-through Category 5 cables

• 100BaseTX full duplex on a dedicated switch or dedicated VLAN of a switch

Note All enabled interfaces must be connected between the active and standby units. Only configure

the active unit. On the PIX 525, the active unit is indicated by the ACT LED on the front panel.
(See Figure 6-3.)

Caution Do not turn the power on until the units are connected and the primary unit is configured completely.

Step 7 Power on the primary unit first, then power on the secondary unit. Within a few seconds, the active unit

automatically downloads its configuration to the standby unit.

If the primary unit fails, the secondary unit automatically becomes active.

78-15170-02

Cisco PIX Security Appliance Hardware Installation Guide

6-7

Installing LAN-Based Failover

Installing LAN-Based Failover

LAN-based failover supports failover between two units connected over a dedicated Ethernet interface.
LAN-based failover eliminates the need for a special failover cable and overcomes the distance
limitations imposed by the failover cable.

Note Both PIX security appliances must be the same model number, have the same amount of RAM, Flash

memory, number and type of interfaces, and be running the same software version.

To set up a LAN-based failover connection, perform the following steps:

Step 1 Disconnect both PIX security appliance, so that there is no traffic flow between them. If the failover

cable is connected to the PIX security appliance, disconnect it.

Step 2 Configure the PIX security appliance for LAN-based failover. Refer to the chapter on configuring

LAN-based failover in the configuration guide online at:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/config.html

Step 3 Power off both units.

Chapter 6 PIX 525

Step 4 Connect the LAN failover interfaces to the dedicated switch/hub, as shown in Figure 6-7.

Note A dedicated LAN interface and a dedicated switch (or VLAN) is required to implement

LAN-based failover. You cannot use a crossover Ethernet cable to connect the two PIX security
appliances.

Figure 6-7 LAN- Based Failover Connections

Dedicated Ethernet

interface

1

0
0
M

b
p
s

A
C

T

L

IN
K

1
0
0

M
b

p
s

A
C

T

1
0

/
1
0

0
E
T

H
E

R
N
E

T
1

1
0

/
1
0
0

E

T
H

Hub/switch

PIX 525

F
A
I
L
O
V
E
R

P
I
X

­5
2

5

L

IN
K

E
R

N
E

T
0

U
S

B

C
O

N
S
O

L
E

1
0
0

F
A
I
L
O
V
E
R

M
b

p
s

A

C

T

L
I
N

K

1
0
0

M
b

p
s

A
C

T

L
I
N

K

1

0
/
1

0
0

E
T

H
E
R

N
E

T
1

1

0
/
1

0
0

E
T

H
E

R
N

E
T

0

U
S

B

C
O

N
S

Dedicated Ethernet
interface

PIX 525

P
I
X

­5
2

5

O
L

E

87366

87367

Cisco PIX Security Appliance Hardware Installation Guide

6-8

78-15170-02

Chapter 6 PIX 525

Removing and Replacing the PIX 525 Chassis Cover

Step 5 If you are using Stateful Failover, use one of the following types of connections, that is appropriate for

your system, between the dedicated interfaces on the PIX security appliance units:

• 100BaseTX full duplex on a dedicated switch or dedicated VLAN of a switch

• 1000BaseSX full duplex on a dedicated switch or dedicated VLAN of a switch

Caution Do not turn the power on until the units are connected and the primary unit is configured completely.

Step 6 Power the primary unit on first, then power on the secondary unit. Within a few seconds, the active unit

automatically downloads its configuration to the standby unit.

If the primary unit fails, the secondary unit automatically becomes active.

Removing and Replacing the PIX 525 Chassis Cover

This section describes how to remove and replace the chassis cover from PIX 525. This section includes
the following topics:

• Removing the Chassis Cover, page 6-9

• Replacing the Chassis Cover, page 6-11

Removing the Chassis Cover

Note Removing the PIX security appliance chassis cover does not affect your Cisco warranty. Upgrading the

PIX security appliance does not require any special tools and does not create any radio frequency leak.

To remove the chassis cover, perform the following steps:

Step 1 Read the Regulatory Compliance and Safety Information document.

Step 2 Power off the PIX 525 and disconnect site power.

Note The power switch is part of the power supply.

Step 3 Place the PIX 525 so that the front panel is facing you. If you place the PIX 525 on a table, ensure that

you have clear access to all sides.

Step 4 Remove the four screws on the chassis cover. (See Figure 6-8.)

78-15170-02

Cisco PIX Security Appliance Hardware Installation Guide

6-9