Cisco PIX 520 - PIX Firewall 520, PIX Device Manager 1.1 Online Help Manual

Index
Glossary
About PDM - New for PDM 1.1
PDM Icon Legend
Getting Started
Applying Configuration Changes in PDM
Refresh
More about Internet Protocol (IP)
Unsupported Commands
Help Topics by Location
Access Rules
Translation Rules
Hosts/Networks
System Properties
Monitoring
Menus
Additional Resources
Top Security Resources
PIX Firewall Documentation
Cisco Technical Assistance Center>PIX Firewall
PIX Firewall Top Issues
PIX Firewall Product Literature
Copyright © 2001 Cisco Systems, Inc.
This topic includes the following sections:
Introduction
About PDM Software
System Requirements
Introduction
Cisco PIX Device Manager (PDM) is the graphical user interface (GUI) for configuring and monitoring the Cisco PIX Firewall.
PDM is available on all PIX 501, PIX 506, PIX 515, PIX 520, PIX 525, and PIX 535 platforms that are running PIX Firewall software version 6.0 or higher.
PDM is designed to assist you in managing your network security. For example, PDM does the following:
Helps you configure your PIX Firewall using visual tools such as task-oriented selections and drop-down menus.
Sends PIX Firewall command-line interface (CLI) commands to the PIX Firewall unit for you.
Enables you to visually monitor your PIX Firewall system, connections, IDS, and traffic on the interfaces.
Can create new PIX Firewall configurations or modify existing configurations that were originally implemented using the PIX Firewall CLI or Cisco Secure Policy Manager (Cisco Secure PM).
Monitors and configures one PIX Firewall unit at a time, but you can point your browser to more than one PIX Firewall unit and administer several PIX Firewall units from a single workstation.
Runs on platforms that support Java and does not require a separate plug-in. (The PDM applet is downloaded to your workstation when you point your browser at the PIX Firewall.)
Uses Secure Sockets Layer (SSL) to secure communication between itself (PDM) and the PIX Firewall, and is a signed applet.
About PDM Software
If your PIX Firewall unit is new and shipped with PIX Firewall software version 6.0 or higher, the PDM software is already loaded in the PIX Firewall Flash memory for you.
If you are upgrading from a previous version of PIX Firewall, you need to use TFTP from the PIX Firewall to copy the PDM image to your PIX Firewall. For instructions on how to do this, refer to the PDM Installation Guide and Using a TFTP Server.
Note If using PDM with an existing PIX Firewall configuration, refer to "PDM Support for PIX Firewall CLI Commands," for information on which commands are supported and which are not.
System Requirements
This section includes the following topics:
PIX Firewall Requirements
Browser Requirements
PC/Workstation Requirements
PIX Firewall Requirements
Caution The PIX Firewall must have PIX Firewall software version 6.0 or higher installed and running for PDM to run. PDM does not run with earlier PIX Firewall software versions.
If you are using a PIX Firewall already running PIX Firewall software version 6.0 or higher, then you have already met all the requirements to run PDM that are discussed in "PIX Firewall Requirements" and can continue to the "Browser Requirements" section. For example, PIX Firewall units that ship with PIX Firewall software version 6.0 or higher ship with a pre-installed DES activation key.
Otherwise, a PIX Firewall unit must meet the following requirements to successfully install and run PDM:
You must have an activation key that enables Data Encryption Standard (DES) or the more secure 3DES, which PDM requires for support of the Secure Sockets Layer (SSL) protocol. If your PIX Firewall is not enabled for DES, you can have a new activation key sent to you by completing the form at the following website:
http://www.cisco.com/kobayashi/sw-center/internet/pix-56bit-license-request.shtml
Verify that your PIX Firewall meets all PIX Firewall software version 6.0 requirements listed in the Release Notes for the Cisco Secure PIX Firewall Version 6.0(1) or higher. You must have version 6.0 installed on the PIX Firewall unit before using PDM. You can download version 6.0 and the PDM software from the following website: http://www.cisco.com/cgi-bin/tablebuild.pl/pix
You must have at least 8 MB of Flash memory on the PIX Firewall unit.
Ensure that your configuration is less than 100 KB (approximately 1500 lines). Configurations over 100 KB cause PDM performance degradation. You can view the size of your configuration with the CLI show flashfs command as the length for "file 1."
Browser Requirements
The following are required to access one or more PIX Firewall units through PDM:
A JavaScript and Java enabled browser running JDK 1.1.4 or higher. If these are not enabled in the browser, PDM guides you on how to enable them. To check which version you have, launch PDM. When the PDM information window appears, the field "JDK Version" indicates your JDK version. If you have an older JDK version, you can get the latest JVM from Microsoft by downloading the product called "Virtual Machine."
Browser support for Secure Sockets Layer (SSL) must be enabled. The supported versions of Internet Explorer and Netscape Navigator support SSL without requiring additional configuration.
Note PIX Firewall software version 6.0 supports SSL 2.0, SSL 3.0, and TLS 1.0 in web browsers. PIX Firewall supports all browser encryption levels. Of these, SSL 2.0 has known protocol weaknesses and has since been deprecated outright (RFC 6176); where the browser offers the choice, use TLS 1.0 for the PDM session rather than SSL 2.0.
PC/Workstation Requirements
PDM has different requirements depending on the platform from which you access it. PDM is not supported for use on computers equipped with the Macintosh, Windows 3.1, or Windows 95 operating systems. This section includes the following topics:
Windows Requirements
SUN Solaris Requirements
Linux Requirements
Windows Requirements
The following requirements apply to the use of PDM with Windows. PDM does not support use on Windows 3.1 or Windows 95.
Operating system: Windows 2000 (Service Pack 1), Windows NT 4.0 (Service Pack 4 and higher), Windows 98, or Windows ME.
Supported browsers: Internet Explorer 5.0 (Service Pack 1) or higher (5.5 recommended), Netscape Communicator 4.51 or higher (4.76 recommended). We recommend Internet Explorer on Windows because PDM may load faster into this browser on this operating system.
Processor: any Pentium or Pentium-compatible processor running at 350 MHz or higher.
Memory: at least 128 MB of random-access memory (RAM). We recommend 192 MB or more.
Display: an 800 x 600 pixel display with at least 256 colors. We recommend a 1024 x 768 pixel display and at least High Color (16-bit) colors.
Note The use of virus checking software may dramatically increase the time required for PDM to start. This is especially true for Netscape Communicator on any Windows platform or Windows 2000 running any browser.
SUN Solaris Requirements
The following requirements apply to the use of PDM with Sun SPARC:
Operating system: Sun Solaris 2.6 or later running the CDE or OpenWindows window manager.
Processor: SPARC microprocessor.
Supported browser: Netscape Communicator 4.51 or higher (4.76 recommended).
Memory: at least 128 MB of random-access memory (RAM).
Display: an 800 x 600 pixel display with at least 256 colors. We recommend a 1024 x 768 pixel display and at least High Color (16-bit) colors.
Note PDM does not support Solaris on IBM PC.
Linux Requirements
The following requirements apply to the use of PDM with Linux:
Operating system: Red Hat Linux 7.0 running the GNOME or KDE 2.0 desktop environment.
Supported browser: Netscape Communicator 4.75 or later version.
Memory: at least 64 MB of random-access memory (RAM).
Display: an 800 x 600 pixel display with at least 256 colors. We recommend a 1024 x 768 pixel display and at least 16-bit colors.
A-D
AAA—Authentication, Authorization, and Accounting. See also TACACS+, RADIUS.
Access Control, Access Control Rule, ACE—Information entered into the configuration which allows you to specify what type of traffic to permit or deny into an interface. By default, traffic that is not explicitly permitted is denied.
ACL—Access Control List. A collection of Access Control Entries. An access list allows you to specify what type of traffic to allow into an interface. By default, traffic that is not explicitly permitted is denied. See also Rule.
ActiveX—A set of object-oriented programming technologies and tools used to create mobile or portable programs. An ActiveX program is roughly equivalent to a Java applet.
Address Translation—The translation of a network address and/or port to another network address and/or port. See also IP Address, NAT, PAT, Static PAT, Interface PAT.
A record address—"A" stands for address, and refers to name-to-address mapped records in DNS.
ARP—Address Resolution Protocol. A low-level TCP/IP protocol that resolves a node's IP address to its hardware address (called a "MAC" address).
ASA—Adaptive Security Algorithm. Allows one-way (inside to outside) connections without an explicit configuration for each internal system and application.
Cache—A temporary repository of information accumulated from previous task executions that can be reused, decreasing the time required to perform the tasks.
CLI—Command Line Interface. The primary interface for entering configuration and monitoring commands to the PIX Firewall. Refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x for information on what commands you can enter from the CLI.
Cookie—A cookie is a web browser feature which stores or retrieves information, such as a user's preferences, to persistent storage. In Netscape and Internet Explorer, cookies are implemented by saving a small text file on your local hard drive. The file can be loaded the next time you run a Java applet or visit a website. In this way information unique to you as a user can be saved between sessions. The maximum size of a cookie is approximately 4KB.
Client/server computing—Term used to describe distributed computing (processing) network systems in which transaction responsibilities are divided into two parts: client (front end) and server (back end). Also called distributed computing. See also RPC.
Conduit—An exception to the PIX Firewall Adaptive Security Algorithm permitting connections from external to internal networks. Refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x for information on conduits.
Configuration, Config, Config File—The PIX Firewall file which represents the equivalent of settings, preferences, and properties administered by PDM or the CLI. See also Configuration File Terminology.
CSPM—Cisco Secure Policy Manager (CSPM) is a multi-device management tool for Cisco security products including PIX firewalls, Cisco IOS firewalls, VPN routers and Intrusion Detection System (IDS) Sensors. CSPM also provides other management services including monitoring, notification and reporting. For more information, see http://wwwin.cisco.com/cmc/cc/pd/sqsw/sqppmn/prodlit/csp22_rg.htm. Caution: CSPM operates on the assumption that it is the only management interface for the PIX, and it will overwrite configuration changes made through other means, including PDM. See CSPM and PDM in Applying Configuration Changes for additional information.
Cut-Through Proxies—User-based authentication of inbound or outbound connections. Allows security policies to be enforced on a per-user-ID basis, providing faster traffic flow after authentication.
DHCP—Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses to hosts dynamically, so that addresses can be reused when hosts no longer need them.
DMZ—See Interface.
DNS—Domain Name System (or Service). An Internet service that translates domain names, which are alphabetic, into IP addresses, which are composed of numbers.
Dynamic PAT, NAT—See NAT, PAT, Address Translation.
E-H
ECHO—See Ping, ICMP. See also Fixup.
Failover, Failover mode—The PIX Firewall feature which links a primary unit and standby (or secondary) unit together, sharing the same configuration file, so that, if the primary fails, the standby unit can continue to provide network services. See also System Properties>Failover.
Fixup—A procedure the PIX Firewall employs to process certain application-level protocols. The specific processing performed by a Fixup will vary by protocol, and can include tasks such as translating IP addresses embedded in the protocol payload and providing access through the PIX Firewall for dynamically-created data sessions.
Flash, Flash memory—A memory chip which retains data without power. A type of nonvolatile storage device. The PIX Firewall configuration may be written to its internal Flash by a menu item. Note: Not related to Macromedia Flash, a web animation plug-in and file format standard.
FragGuard feature—A Cisco feature that provides IP fragment protection and performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall.
FTP—File Transfer Protocol. Part of the TCP/IP protocol stack, used for transferring files between hosts. See also Fixup.
H.323—A standard that enables video conferencing over local-area networks (LANs) and other packet-switched networks, as well as video over the Internet. See also Fixup.
Host—A computer, such as a PC, or other computing device, such as a server, associated with an individual IP address and optionally a name. The name for any device on a TCP/IP network that has an IP address. In PIX Firewall configuration, a host is distinguished from a network. Also any network-addressable device on any network. The term "node" includes devices such as routers and printers which would not normally be called "hosts".
Host/Network—An IP address and mask (or netmask) used with other information to identify a single host or network subnet for PIX Firewall configuration, such as an address translation (xlate) or access control rule (ACE).
HTTP, HTTPS—Hypertext Transfer Protocol, Hypertext Transfer Protocol Secure. The protocol used by Web browsers and Web servers to transfer files, such as text and graphic files. See also Fixup.
I-L
ICMP—Internet Control Message Protocol. Network layer Internet protocol that reports errors and provides other information relevant to IP packet processing.
Implicit Rule—An Access Rule automatically created by the PIX Firewall based on default rules or as a result of user-defined rules.
Inside—See Interface.
Interface, Interface Name—The physical connection between a particular network and a PIX Firewall. The inside interface default name is "inside" and the outside interface default name is "outside." Any perimeter interface default names are "intfn," such as "intf2" for the first perimeter interface, "intf3" for the second perimeter interface, and so on to the last interface. The number in the intf string corresponds to the interface card's position in the PIX Firewall. You can use the default names or, if you are an experienced user, give each interface a more meaningful name.
Interface Names—Human-readable names assigned to PIX Firewall network interfaces, the physical network connectors. These names are customary and referenced by PIX Firewall documentation:
inside—The interface, usually port 1, which connects your internal, "trusted" network protected by your PIX Firewall.
outside—The first interface, usually port 0, which connects to other "untrusted" networks outside your PIX Firewall; the Internet.
intfn—Any interface, usually beginning with port 2, which connects to a subset network of your design that you can custom name and configure, for example, dmz to be an "inside" or "outside" type.
Interface PAT—The use of Port Address Translation where the PAT IP address is also the IP address of the outside interface. See PAT.
Internet—The global network which uses IP, Internet protocols. Not a LAN. See also intranet.
Intranet—Intranetwork. A LAN which uses IP, Internet protocols. See also network, Internet.
IP—Internet Protocol. The Internet protocols are the world's most popular open-system (nonproprietary) protocol suite because they can be used to communicate across any set of interconnected networks and are equally well suited for LAN and WAN communications.
IP Address—IP version 4 addresses are 32 bits, or 4 bytes, in length. This address "space" is used to designate the following:
a network number
an optional subnetwork number
a host number
The 32 bits are grouped into four octets (8 binary bits each), represented by 4 decimal numbers separated by periods or "dots". The meaning of each of the four octets is determined by their use in a particular network.
LAN—Local Area Network. A network residing in one location or belonging to one organization, typically, but not necessarily, using the Internet protocols. Not the global Internet. See also intranet, network, Internet.
M-P
Mask, IP Subnet Mask, Netmask—A 32-bit bit mask which shows how an Internet address is to be divided into network, subnet and host parts. The netmask has ones in the bit positions in the 32-bit address which are to be used for the network and subnet parts, and zeros for the host part. The mask should contain at least the standard network portion (as determined by the address's class), and the subnet field should be contiguous with the network portion. See also IP Address, TCP/IP, host, host/network.
NAT—Network Address Translation. Mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable address space. There are two types of NAT—static and dynamic. See also PAT, Static PAT.
Netmask—See Mask.
Network—In the context of PIX Firewall configuration, a network is a group of computing devices which share part of an IP address space and not a single host. A network consists of multiple "nodes" or devices with IP addresses, any of which may be referred to as "hosts". See also Internet, Intranet, IP, LAN.
Node—See host, network.
Nonvolatile storage, memory—Storage or memory which, unlike RAM (Random Access Memory), retains its contents without power. Data in a nonvolatile storage device survives a power-off, power-on cycle or reboot.
Outbound—Outbound CLI commands let you specify whether inside users can create outbound connections.
Outside—See Interface.
PAT, Dynamic—Port Address Translation. Dynamic PAT lets multiple outbound sessions appear to originate from a single IP address. With PAT enabled, the PIX Firewall unit chooses a unique port number from the PAT IP address for each outbound translation slot (xlate). This feature is valuable when an Internet service provider cannot allocate enough unique IP addresses for your outbound connections. The global pool addresses always come first, before a PAT address is used. See also Static PAT, More information about Dynamic NAT, NAT.
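The way the NAT, Static PAT, Dynamic PAT and Xlate entries fit together (statics are honoured first, a host then takes a free global pool address, and only when the pool is empty does the firewall fall back to a unique port on the PAT address) is easier to see in a small translation-table model. The following Python is an added illustration written for this page, not PIX Firewall code; the addresses (documentation ranges), the PAT starting port of 1024 and the class and method names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, Optional[int]]   # (address, port); port None means "whole host"


@dataclass(frozen=True)
class Xlate:
    """One translation slot: a local address (plus port for PAT) mapped to a global one."""
    kind: str            # "static", "static-pat", "nat" (dynamic pool) or "pat"
    local_ip: str
    local_port: Optional[int]
    global_ip: str
    global_port: Optional[int]


class Translator:
    """Lookup order modelled here: static entries, an existing slot for the host,
    a free address from the global pool, and only then PAT on the PAT address."""

    PAT_FIRST_PORT = 1024   # assumption: first global port handed out for PAT

    def __init__(self, global_pool: List[str], pat_address: str):
        self.free_pool = list(global_pool)
        self.pat_address = pat_address
        self.next_pat_port = self.PAT_FIRST_PORT
        self.by_local: Dict[Key, Xlate] = {}
        self.by_global: Dict[Key, Xlate] = {}

    def _install(self, x: Xlate) -> Xlate:
        self.by_local[(x.local_ip, x.local_port)] = x
        self.by_global[(x.global_ip, x.global_port)] = x
        return x

    def add_static(self, local_ip: str, global_ip: str,
                   local_port: Optional[int] = None, global_port: Optional[int] = None) -> Xlate:
        """Static (whole address) or static PAT (one port) mapping, usable inbound."""
        kind = "static-pat" if local_port is not None else "static"
        return self._install(Xlate(kind, local_ip, local_port, global_ip, global_port))

    def outbound(self, local_ip: str, local_port: int) -> Xlate:
        """Find or create the slot for an outbound session from local_ip:local_port."""
        port_key: Key = (local_ip, local_port)
        host_key: Key = (local_ip, None)
        if port_key in self.by_local:            # static PAT or an existing PAT slot
            return self.by_local[port_key]
        if host_key in self.by_local:            # static or an existing dynamic NAT slot
            return self.by_local[host_key]
        if self.free_pool:                       # global pool addresses come first
            return self._install(Xlate("nat", local_ip, None, self.free_pool.pop(0), None))
        if self.next_pat_port > 65535:
            raise RuntimeError("PAT ports exhausted")
        x = Xlate("pat", local_ip, local_port, self.pat_address, self.next_pat_port)
        self.next_pat_port += 1                  # unique global port per outbound session
        return self._install(x)

    def inbound(self, global_ip: str, global_port: int) -> Optional[Tuple[str, int]]:
        """Untranslate an inbound packet. Without a matching slot there is no
        translation at all (the ASA one-way rule); access rules decide the rest."""
        x = self.by_global.get((global_ip, global_port)) or self.by_global.get((global_ip, None))
        if x is None:
            return None
        return x.local_ip, (x.local_port if x.local_port is not None else global_port)


if __name__ == "__main__":
    t = Translator(global_pool=["203.0.113.10", "203.0.113.11"], pat_address="203.0.113.12")
    t.add_static("10.0.0.80", "203.0.113.5", local_port=8080, global_port=80)
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.3"):
        print(t.outbound(host, 40000 + len(t.by_local)))
```

With two pool addresses, the first two inside hosts each receive a pool address, and the third host's sessions are PATed onto 203.0.113.12 with ports 1024, 1025 and so on; an inbound packet to a PAT port that no session opened is not translated.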
Perfmon—PIX feature which gathers and reports a wide variety of feature statistics, such as connections/second, xlates/second, etc.
Ping—An ICMP request sent between hosts to determine if a host is accessible on the network.
PPTP—Point-to-Point Tunneling Protocol.
Primary, Primary unit—The PIX Firewall unit normally operating when two units are operating in Failover mode.
Proxy-ARP—This feature enables the PIX Firewall to reply to an ARP request for IP addresses in the global pool.
Q-T
RADIUS—Remote Authentication Dial-In User Service. See also AAA, TACACS+.
Refresh
RPC—Remote procedure call. RPCs are procedure calls that are built or specified by clients and executed on servers, with the results returned over the network to the clients. See also client/server computing.
Caution: RPC is not a very secure protocol and should be used with caution.
Route—Path through an internetwork.
RPF—Reverse Path Forwarding.
RSA—A public-key cryptographic system which may be used for encryption and authentication. (The acronym stands for Rivest, Shamir, and Adleman, the inventors of the technique.)
RSH—Remote Shell Protocol. A protocol that allows a user to execute commands on a remote system without having to log in to the system. For example, RSH can be used to remotely examine the status of a number of access servers without connecting to each communication server, executing the command, and then disconnecting from the communication server. See also Fixup.
RTSP—Real Time Streaming Protocol. Enables the controlled delivery of real-time data, such as audio and video. RTSP is designed to work with established protocols, such as the Real-time Transport Protocol (RTP) and HTTP. See also Fixup.
Rule—Information added to the configuration to define your security policy in the form of conditional statements that instruct the PIX Firewall how to react to a particular situation. See also address translation and access control rules.
Serial transmission—Method of data transmission in which the bits of a data character are transmitted sequentially over a single channel.
SIP—Session Initiation Protocol. Enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with Session Description Protocol (SDP) for call signaling. SDP specifies the ports for the media stream. Using SIP, the PIX Firewall can support any SIP Voice over IP (VoIP) gateways and VoIP proxy servers. See also Fixup.
SMTP—Simple Mail Transfer Protocol. Internet protocol providing e-mail services. See also Fixup.
Spoofing—The act of a packet illegally claiming to be from an address from which it was not actually sent. Spoofing is designed to foil network security mechanisms such as filters and access lists.
SQL*Net—Structured Query Language protocol. An Oracle protocol used to communicate between client and server processes. See also Fixup.
SSH—Secure Shell is an application running on top of a reliable transport layer, such as TCP/IP, that provides strong authentication and encryption capabilities. Up to five SSH clients are allowed simultaneous access to the PIX Firewall console. See also Fixup.
Note: You must generate an RSA key-pair for the PIX Firewall before clients can connect to the PIX Firewall console. To use SSH, your PIX Firewall must have a Data Encryption Standard (DES) or 3DES (Triple DES) activation key.
Standby, Standby Unit, Secondary Unit—The backup PIX Firewall unit when two are operating in Failover mode.
State, Stateful, Stateful Inspection—Network protocols maintain certain data, called state information, at each end of a network connection between two hosts. State information is necessary to implement the features of a protocol, such as guaranteed packet delivery, data sequencing, flow control, and transaction or session IDs. Some of the protocol state information is sent in each packet while each protocol is being used. For example, a web browser connected to a web server uses HTTP and supporting TCP/IP protocols. Each protocol layer maintains state information in the packets it sends and receives. PIX Firewalls inspect the state information in each packet to verify that it is current and valid for every protocol it contains. This is called stateful inspection and is designed to create a powerful barrier to certain types of computer security threats.
Static PAT—Static Port Address Translation. A static address maps a local IP address to a global IP address. Static PAT is a static address that also maps a local port to a global port. See also dynamic PAT.
Telnet—A terminal emulation protocol for TCP/IP networks such as the Internet. Telnet is a common way to control web servers remotely. Telnet sends passwords and session data in cleartext; for access to the PIX Firewall console, prefer SSH.
TACACS+—Terminal Access Controller Access Control System Plus. Provides remote access authentication and related services, such as event logging. User passwords are administered in a central database rather than in individual network devices, providing an easily scalable network security solution. See also AAA, RADIUS.
TCP Intercept—With the TCP intercept feature, once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN bound for the affected server is intercepted. For each SYN, PIX Firewall responds on behalf of the server with an empty SYN/ACK segment. PIX Firewall retains pertinent state information, drops the packet, and waits for the client's acknowledgment. If the ACK is received, then a copy of the client's SYN segment is sent to the server and the TCP three-way handshake is performed between PIX Firewall and the server. If and only if, this three-way handshake completes, may the connection resume as normal. If the client does not respond during any part of the connection phase, then PIX Firewall retransmits the necessary segment using exponential back-offs.
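The sequence in the TCP Intercept entry (pass SYNs while the server is under its embryonic limit; above it, answer SYN/ACK on the server's behalf, keep state, drop the SYN, and only replay the SYN to the server once the client's ACK proves the source is real; retransmit with exponential back-off when the client stays silent) is shown below as an added Python model written for this page. It is not PIX Firewall code; the retry cap of four retransmissions, the 1-second initial timer, the client addresses and the function names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Client = Tuple[str, int]   # (source address, source port) of one connection attempt


@dataclass
class Pending:
    """State kept for a SYN the firewall answered on the server's behalf."""
    client_seq: int
    retries: int = 0
    wait: float = 1.0          # assumption: seconds before the next SYN/ACK retransmission


@dataclass
class TcpIntercept:
    embryonic_limit: int                                   # the optional embryonic connection limit
    max_retries: int = 4                                   # assumption: give up after this many retransmissions
    embryonic: int = 0                                     # half-open connections currently at the server
    pending: Dict[Client, Pending] = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)

    def _log(self, msg: str) -> str:
        self.trace.append(msg)
        return msg

    def client_syn(self, client: Client, seq: int) -> str:
        if self.embryonic < self.embryonic_limit:
            self.embryonic += 1                            # the server sees this half-open connection
            return self._log(f"{client}: under limit, SYN passed to server")
        # Limit reached: answer with an empty SYN/ACK, keep state, drop the original SYN.
        self.pending[client] = Pending(client_seq=seq)
        return self._log(f"{client}: intercepted, SYN/ACK sent on server's behalf, SYN dropped")

    def client_ack(self, client: Client) -> str:
        st = self.pending.pop(client, None)
        if st is None:
            return self._log(f"{client}: ACK with no intercepted SYN, ignored")
        # The client is reachable: replay its SYN and complete the handshake with the server.
        self.embryonic += 1
        return self._log(f"{client}: ACK received, copy of SYN seq={st.client_seq} sent to server")

    def server_handshake_done(self, client: Client) -> str:
        # The server's SYN/ACK has been answered: this connection is no longer embryonic.
        self.embryonic = max(0, self.embryonic - 1)
        return self._log(f"{client}: handshake with server complete, traffic flows normally")

    def client_timeout(self, client: Client) -> str:
        st = self.pending.get(client)
        if st is None:
            return self._log(f"{client}: timer for unknown client, ignored")
        if st.retries >= self.max_retries:
            del self.pending[client]                       # a spoofed source never answers
            return self._log(f"{client}: no ACK after {st.retries} retransmissions, state discarded")
        st.retries += 1
        st.wait *= 2                                       # exponential back-off
        return self._log(f"{client}: SYN/ACK retransmitted (retry {st.retries}, next wait {st.wait:g}s)")


def flood_scenario() -> TcpIntercept:
    """Two clients fill the limit, a third is intercepted and completes, and a
    spoofed source exhausts its retransmissions without ever reaching the server."""
    fw = TcpIntercept(embryonic_limit=2)
    fw.client_syn(("198.51.100.1", 5000), seq=100)
    fw.client_syn(("198.51.100.2", 5000), seq=200)
    real = ("198.51.100.3", 5000)
    fw.client_syn(real, seq=300)
    fw.client_timeout(real)
    fw.client_ack(real)
    fw.server_handshake_done(real)
    spoofed = ("203.0.113.77", 6000)
    fw.client_syn(spoofed, seq=1)
    for _ in range(fw.max_retries + 1):
        fw.client_timeout(spoofed)
    return fw


if __name__ == "__main__":
    print("\n".join(flood_scenario().trace))
```

The point the model makes is that the server's half-open count only rises for SYNs the firewall forwarded or for clients that answered the proxied SYN/ACK; a SYN flood from unreachable or spoofed sources costs the firewall a small state entry per attempt and costs the server nothing.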
TCP, TCP/IP—Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP/IP refers to the protocol suite built around TCP and IP. See also IP, IP address.
TFTP—Trivial File Transfer Protocol. TFTP is a simple protocol used to transfer files. It runs on UDP and is explained in depth in Request For Comments (RFC) 1350. See also Fixup.
Translate, Translation, Address Translation—See Xlate.
U-Z
UDP—User Datagram Protocol. Connectionless transport layer protocol in the TCP/IP protocol family.
URL—Uniform Resource Locator. A standardized addressing scheme for accessing hypertext documents and other services using a browser, for example, http://www.cisco.com/go/pix.
Websense—A third party filtering application that works with the PIX Firewall to deny users access to web sites based on the company security policy. Websense enables group and username authentication between a host and a PIX Firewall. The PIX Firewall performs a username lookup, and then the Websense server handles URL filtering and username logging. See www.websense.com.
WINS—Windows Internet Naming Service. A Windows system that determines the IP address associated with a particular network computer.
Xlate—An xlate, also referred to as a translation entry, represents a mapping of one IP address to another, or a mapping of one IP address/port pair to another. See also NAT, PAT, Address Translation, IP Address.
Index
A-D
AAA
AAA Authentication
AAA Server Groups
AAA Servers
About PDM
Access Rules
Address, IP
Administration
Antispoof
Apply, Applying Config Changes
Authentication, See also Password
Authorization
Bookmarks, Graph
CLI Tool
Console Sessions, Secure Shell Sessions, Telnet Console Sessions, PDM Users
Default Route, Wizard, See also Route
DHCP Admin, Monitor DHCP Clients
E-H
Failover
FixUps, FixUps List
Fragment
FTP FixUp
Glossary
Graphs
H323 FixUp
History Metrics
Hosts/Networks
HTTP FixUp
HTTPS, PDM, Monitoring>Connection Graphs>HTTPS
I-L
ICMP Admin
IDS Policy, IDS Signatures, IDS Monitor
Interfaces Admin
IP
IP Address
Icon Legend
Location of Help Topics
Log, Logging, Admin, Setup, PDM, Syslog, Other
Log, Logging, Monitor PDM Log, View PDM Log
M-P
Mail Server, Wizard, SMTP FixUp
Mask, Netmask
Menu
Miscellaneous Help
Monitor, Monitoring, Monitoring Graphs
NAT, Wizard
Navigation Contents, Getting Started, Glossary, About PDM
Netmask
Options, Preferences, Unparsed Commands
Password Admin
PAT, Translation Rules
PAT, Wizard
PDM, About PDM
PDM Icon Legend
PDM Logging, View PDM Log, Monitor
PDM Users
Ping Tool
Policy, IDS
Policy, Security
Preferences, Options
Print
ProxyARPs Admin
Q-T
Refresh
RIP Admin
Route, Routing, Static Route, RIP, Proxy ARPs, Hosts/Networks NAT, Routing
RSH FixUp
RTSP FixUp
Search Field (Access Rules or Translation Rules), Search Hosts/Networks
Signatures, IDS
SIP FixUp
SKINNY FixUp
SMTP FixUp
SNMP Administration, SNMP FixUp
Spoof, Antispoof
SQL*Net FixUp
SSH (Secure Shell) Administration, Monitor Secure Shell Sessions
Start (Getting Started)
Static Routes, Wizard
Syslog Logging
System Properties
Tabs
TCP
Telnet Admin, Telnet Console Sessions
TFTP Server Admin, Write TFTP Server
Timeout, System Properties
Topics, Help Topics by Location
Translation Rules, Edit Translation Rules
U-Z
UDP
Unparsed Configuration Commands
Unsupported Configuration Commands
URL Filtering, System Properties
Web Server, Wizard
Wizard
Write TFTP Server
Help Topics by Location: Menu, Tabs, Wizard, Miscellaneous
Menu Help Files
File: Write to TFTP...
Rules: Add..., Edit...
Search: By field..., By Host/Net...
Options: Show Unparsed CLI, Preferences
Tools: Ping
Help: Legend...
Tab Help Files
Access Rules: Access Rules, Edit, Print, Search Field
Translation Rules: Translation Rules, Edit Rule, Manage Pools..., Print, NAT - Dynamic, NAT - Static, Search Field, Edit NAT
Hosts/Networks: Hosts/Networks, Edit, Add - 1, Add - 2, Add - 3, Add - 3 - NAT, Add - 3 - Map/Pools, Edit Routing, Search
System Properties: Interfaces, Failover, Routing, RIP, Static Route, Proxy ARPs, DHCP Server, PIX Admin, Authentication, Password, Telnet, Secure Shell, SNMP, ICMP, TFTP Server, Logging, Logging Setup, PDM Logging, Syslog, Others, AAA, AAA Server Groups, AAA Servers, Auth. Prompt, URL Filtering, Intrusion Detection, IDS Policy, IDS Signatures, Advanced, FixUp (FTP, H.323, HTTP, RSH, RTSP, SIP, Skinny, SMTP, SQL*Net), Anti-Spoofing, Fragment, TCP Options, Timeout, History Metrics
Monitoring: PDM Log, View PDM Log, SSH Sessions, Telnet Sessions, PDM Users, DHCP Client, Graphs Introduction, New Graph, System Graphs, Blocks, CPU, Failover, Memory, Connection Graphs, Xlates, Perfmon, Miscellaneous, IDS, Interface Graphs
Wizard Help Files
Interfaces, Default Route, Static Routes, Address Translation, NAT, PAT, Mailserver, Check Boxes, Web Server, End
Miscellaneous
Print, PDM Icon Legend, Applying Changes, Refresh, More about Internet Protocol (IP), Unsupported
File>Write Configuration to TFTP Server
The Write Configuration to TFTP Server panel lets you write the current running configuration to a Trivial File Transfer Protocol (TFTP) server.
The following sections are included in this Help topic:
Important Notes
Field Descriptions
Defining a TFTP Server and Configuration File Name
Important Notes
If you have already set up a TFTP server in System Properties > PIX Administration > TFTP Server, you can select Click here to use the existing TFTP server Configuration on PIX, then Apply to PIX to have the configuration written to the TFTP server immediately. If not, follow the steps listed in Defining a TFTP Server and Configuration File Name.
Field Descriptions
This panel displays the following fields.
Click here to use the existing TFTP server Configuration on PIX—If you have already set up a TFTP server in System Properties>PIX Administration>TFTP Server, this box will be selected by default.
Interface Name—The interface on which your TFTP server resides. This information reflects what is configured in System Properties>PIX Administration>TFTP Server. If Click here to use the existing TFTP server Configuration on PIX is not selected, the default interface is inside.
TFTP Server IP Address—Enter the IP address of the TFTP server.
Configuration File Name—Enter the path and filename of the configuration file to be saved on your TFTP server.
Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
Cancel—Discards changes and returns to the previous panel.
Defining a TFTP Server and Configuration File Name
Follow these steps to define a TFTP server and Configuration File Name.
1. If you have already set up a TFTP server in System Properties>PIX Administration>TFTP Server, you can select Click here to use the existing TFTP server Configuration on PIX, then click Apply to PIX to have the configuration written to the TFTP server immediately. If not, proceed to the following steps.
2. Enter the IP address of the TFTP server you wish to write the configuration file to.
3. Enter the TFTP server Path/filename, beginning with "/" (forward slash) and ending in the file name, to which the running configuration file will be written. Note: The path must begin with a forward slash, "/".
Example TFTP server path: /tftpboot/pixfirewall/config3
4. Click Apply to PIX.
System Properties>PIX Administration>TFTP Server
This panel allows you to configure the PIX Firewall unit for saving its configuration to a file server using the Trivial File Transfer Protocol (TFTP).
Note: This panel does not write the file to the server. Configure the PIX Firewall for using a TFTP server in this panel, then use File>Write Configuration to TFTP Server....
The following sections are included in this Help topic:
TFTP and the PIX Firewall
Field Descriptions
Applying Changes to the PIX Firewall
TFTP Servers and the PIX Firewall
TFTP is a simple client/server file transfer protocol described in RFC783 and RFC1350 Rev. 2. This panel allows you to configure the PIX Firewall as a TFTP client so that the PIX Firewall can transfer a copy of its running configuration file to a TFTP server using File>Write Configuration to TFTP Server... or the CLI tool. In this way, configuration files can be backed up and propagated to multiple PIX Firewall units.
This panel uses the configure net command to specify the IP address of the TFTP server and the tftp-server command to specify the interface and the path/filename on the server where the running configuration file will be written. Once this information is applied to the running configuration, PDM File>Write Configuration to TFTP Server... uses the write net command to execute the file transfer.
PIX Firewall supports only one TFTP server. The full path to the TFTP server is specified in System Properties>PIX Administration>TFTP Server. Once configured here, you can use a colon (:) to specify the IP address in the CLI configure net and write net commands. However, any other authentication or configuration of intermediate devices necessary for communication from the PIX Firewall to the TFTP server is done apart from this function.
The show tftp-server command lists the tftp-server command statements in the current configuration. The no tftp-server command disables access to the server.
For more information on the PIX Firewall and TFTP, refer to the "Advanced Configurations" chapter of the Cisco Secure PIX Firewall Configuration Guide for your respective software version.
Field Descriptions
The TFTP panel provides the following fields:
Enable—Click to select and enable these TFTP server settings in the configuration.
Interface—Select the name of the PIX Firewall interface which will use these TFTP server settings.
IP Address—Enter the IP address of the TFTP server.
Path/filename—Type in the TFTP server path, beginning with "/" (forward slash) and ending in the file name, to which the running configuration file will be written.
Example TFTP server path: /tftpboot/pixfirewall/config3
Note: The path must begin with a forward slash, "/".
Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
For more information on PIX Firewall and TFTP, refer to the PIX Firewall Configuration Guide for your respective software version.
Applying Changes to the PIX Firewall
Changes to the table made by Add, Edit, or Delete are not immediately applied to the running PIX configuration. You must click on one of the following buttons to apply or discard changes:
1. Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration. Use the File menu to write a copy of the running configuration to Flash, a TFTP server, or a failover standby PIX Firewall unit. See Notes on Applying Configuration Changes.
2. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
File Menu
Refresh
Refresh—Loads a fresh copy of the running configuration into your PDM. Use File>Refresh Configuration from PIX or the corresponding icon.
Write Configuration to Flash
Write Configuration to Flash—Writes a copy of the running configuration to Flash memory in the PIX Firewall unit. Use File>Write Configuration to Flash... or the corresponding icon.
Write Configuration to TFTP Server...
TFTP server file(s)—Configuration file copies stored on a TFTP server by File>Write to TFTP Server.... For more information, refer to System Properties>PIX Administration>TFTP Server.
Write Configuration to Standby Unit...
Failover Standby Unit—A copy of the running configuration file on the primary unit becomes the running configuration of a failover standby unit by File>Write Configuration to Standby Unit. For more information, refer to System Properties>Failover.
Refresh
Refresh PDM with the current configuration from the PIX by selecting the corresponding icon or File>Refresh PDM with Current Configuration from PIX. Refer to Notes on Applying Configuration Changes.
Applying Configuration Changes
Following is important information about how and when the running configuration is modified by PDM or CLI console sessions, and how to update Flash memory, TFTP servers, and failover standby units.
The following sections are included in this Help topic:
Configuration File Terminology
How and When Changes to Configuration Files are Applied
CLI Console Sessions
Multiple PDM and CLI Console Sessions
Cisco Secure Policy Manager (CSPM) and PDM
When deployed for operation in your network, there are multiple copies of a PIX Firewall running configuration file.
[Figure: copies of the PIX Firewall configuration. Internal: running configuration, Flash memory. External: TFTP server, failover standby unit.]
PIX Firewall Configuration File Terminology
The numbers in the list below correspond to the figure above.
1. Default configuration—The configuration file which shipped with the PIX Firewall unit in Flash memory. This file is loaded into RAM at boot and becomes the running configuration.
2. Flash memory file—A running configuration copy, written by File>Write Configuration to Flash to nonvolatile storage. This file is loaded into RAM at boot or by command to become the running configuration.
3. Running configuration—The configuration currently running in RAM on the PIX Firewall unit which determines its operational characteristics.
4. PDM session copy—Each PDM session displays a copy of the running configuration made at the time it opened or the last time Refresh was clicked. Note: Multiple PDM sessions may be in operation at the same time and each will have a copy of the running configuration at the time their PDM opened or their Refresh was clicked.
5. TFTP server file—Copies of the running configuration stored on a TFTP server by File>Write to TFTP Server..., which can also be downloaded to become the running configuration.
6. Failover Standby Unit—A copy of the running configuration in the primary unit which becomes the running configuration of a failover standby unit using File>Write Configuration to Standby Unit.... A copy of the running configuration of the standby unit can also be stored in its Flash memory by using File>Write Configuration to Flash.
7. CLI Console (Terminal) Sessions—Administrative sessions using the Command Line Interface (CLI) to affect the running configuration immediately. A PC with terminal emulation software is connected directly to the console port or by a network. Refer to CLI Console Sessions.
8. Multiple PDM Sessions—The PIX Firewall can support multiple PDM sessions at the same time. If other PDM sessions make changes to the running configuration, you will not see them in your PDM session until you click Refresh. You may see if there are other PDM sessions active by using Monitoring>PDM Users.
How and When Changes to Configuration Files are Applied
1. Add, Edit, Delete, Enable, Disable...—Any changes made in a PDM panel do not immediately affect the running configuration.
2. Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
3. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open. The running configuration is not affected.
4. File>Refresh PDM with Current Configuration from PIX or the corresponding icon—Loads a fresh copy of the running configuration into your PDM.
5. File>Write Configuration to Flash... or the corresponding icon—Writes a copy of the running configuration to the Flash memory on the PIX Firewall.
6. File>Write Configuration to TFTP Server...—Writes a copy of the running configuration to a TFTP server. Refer to System Properties>PIX Administration>TFTP Server for more information.
7. File>Write Configuration to Standby Unit—Copies the running configuration of the primary PIX Firewall to the running configuration of another PIX Firewall configured as a failover standby unit.
8. Tools>PDM Command Line Interface—Changes made with the PDM CLI tool affect the running configuration immediately.
9. Other CLI Console Sessions—Changes made by other CLI console sessions affect the running configuration immediately.
CLI Console Sessions
In addition to PDM, PIX Firewall administrators may use Command Line Interface (CLI) console sessions. One of the following types of preconfigured connections must be used for CLI console sessions:
1. Serial console port—PC with serial interface and terminal emulation software connected directly to the PIX Firewall console port.
2. Telnet protocol—A network connection using the Telnet protocol.
3. PDM/HTTPS protocol—A network connection using the HTTPS (Hypertext Transfer Protocol-Secure) protocol for Tools>CLI. Note: PDM uses HTTPS for all communication with the PIX Firewall.
4. Secure Shell (SSH) protocol—A network connection using the Secure Shell (SSH) protocol.
Before configuring your PIX Firewall from the PDM CLI tool, we recommend that you review the Cisco PIX Firewall Command Reference for your respective version. Refer also to Password, Authentication.
Multiple PDM and CLI Console Sessions
Changes made from Tools>CLI or other CLI console sessions take effect immediately in the running configuration. However, the changes will not be reflected in your PDM session until you exit the CLI tool and click Refresh or File>Refresh PDM with Current Configuration from PIX....
You may view active PDM and CLI console sessions in the Monitoring panel:
Monitoring>PDM Users
Monitoring>Secure Shell Sessions
Monitoring>Telnet Console Sessions
If any other PDM sessions are in operation, when you make changes using your PDM CLI tool, your changes will affect all the other PDM sessions when they click Refresh.
Refer also to Serial, Telnet, PDM/HTTPS, SSH, Password, Authentication.
CSPM (Cisco Secure Policy Manager) and PDM
Caution: If you are using both CSPM and PDM to manage the same PIX Firewall unit, changes made by PDM can be lost.
CSPM keeps its own internal copy of the configuration file currently running in a PIX Firewall unit it manages and assumes that it is the only entity making changes. If changes are made by PDM (or any other method) to a PIX that CSPM is also managing, when it next checks the status of that PIX, CSPM will attempt to verify that the configuration matches the internal copy it maintains for that PIX. If it does not match, CSPM will change the running configuration on that PIX Firewall unit back to the "known good" copy it maintains for that unit.
While you can use PDM to modify the configuration of a PIX that is also managed by CSPM, any modification that you make with PDM will be negated the next time CSPM checks that PIX Firewall.
System Properties>Failover
The Failover dialog box allows you to configure two PIX Firewall units so that one will take over operation should the other fail.
The following sections are included in this Help topic:
Field Descriptions
Enabling Failover
Editing Failover IP Addresses
Setting the Failover Poll Time
Enabling Stateful Failover
Failover configures two PIX Firewall units so that a secondary or standby unit can take over processing network connections in the event the primary or active unit fails. Stateful Failover allows the standby unit to maintain the state of all connections, except those started by web connections, by maintaining a network connection to a fast interface on the active PIX Firewall unit dedicated for this purpose.
The Failover panel allows you to enable, disable, and/or configure failover and stateful failover.
Field Descriptions
The Failover panel provides the following information fields:
Failover:
Enable Failover—Selecting this check box allows the Failover Interface and IP Addresses displayed in the table to be selected and then edited by clicking on the Edit button. This lets you assign IP addresses for the standby unit. To change the IP address for the primary unit, or to change the speed or other interface settings, use the System Properties>Interfaces dialog box.
Interface—Displays the name of the interface on the active PIX Firewall unit which it will use for communication with the standby unit for failover. When configured for Stateful Failover, this interface is directly connected to the standby unit.
IP Address—Displays the IP address of the interface on the standby unit which it will use to communicate with the active unit. Use Edit to change. Note: Use this IP address with the Ping tool to check the status of the standby unit.
Failover Poll Time—Specifies how long failover waits before determining if other units are still available between the primary and standby units over all network interfaces and the failover cable. The default is 15 seconds. The minimum value is 3 seconds and the maximum is 15 seconds.
Edit—Opens the Edit dialog box. The Failover IP Addresses>Edit dialog box allows you to edit the IP address of the interface that you selected from the Failover dialog box.
Stateful Failover:
Enable Stateful Failover—Enables the Stateful Failover interface.
HTTP Replication—Enables Stateful Failover to copy active HTTP sessions to the standby PIX Firewall.
Interface where a fast LAN link is available for Stateful Failover—Choose which interface has the fastest LAN link. In addition to the failover cable, a dedicated fast LAN link is required to support Stateful Failover. We suggest you do not use FDDI because of its blocksize or Token Ring because Token Ring requires additional time to insert into the ring. The default Stateful Failover interface is the highest LAN port with failover configured.
Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Failover Reset—Resets the settings to their startup values or to the last time you clicked Apply to PIX.
Edit—Opens the Edit dialog box. The Failover IP Addresses>Edit dialog box allows you to edit the IP address of the interface that you selected from the Failover dialog box.
Enabling Failover
Follow these steps to enable failover:
Note: Before enabling failover, make sure that the configuration in the standby unit is the same as the primary unit, using File>Write Configuration to Standby Unit, then update its Flash memory using File>Write Configuration to Flash.... For more information, refer to Notes on Applying Configuration Changes.
1. Click Enable Failover to open the Failover IP Addresses dialog box.
2. Select the speed and IP address for each interface that will be used on the standby unit.
3. Enter the IP address of each interface.
4. Click OK.
Editing Failover IP Addresses
Follow these steps to edit failover IP addresses:
1. Select the interface that you want to edit.
2. Click Edit to open the Failover IP Addresses Edit dialog box.
3. Make any changes to the IP address.
4. To return to the previous panel, click one of the following:
OK—Accepts changes and returns to the previous panel.
Cancel—Discards changes and returns to the previous panel.
Help—Provides more information.
Setting the Failover Poll Time
Enter the time, in seconds, that you want the PIX Firewall unit to ARP itself. The default is 15 seconds. The minimum is 3 seconds, and the maximum is 15 seconds.
Enabling Stateful Failover
Follow these steps to enable Stateful Failover:
1. Select the checkbox for Enable Stateful Failover.
2. Select an interface where a fast LAN link is available from the drop-down menu.
System Properties>Interfaces
The Interfaces panel allows you to enable, disable, and/or edit the configuration of network interfaces.
The following sections are included in this Help topic:
Field Descriptions
Enable, Disable, and Edit Interfaces
Applying Changes to the PIX Firewall
The PIX Firewall requires that you configure and then enable each interface which will be active. Inactive interfaces can be disabled. When disabled, the interface will not transmit or receive data, but the configuration information is retained.
The physical location of each interface and corresponding connector on the PIX Firewall unit can be identified by their Hardware ID name, such as ethernet0 or ethernet1. The Interface Name is a logical name that relates to how it is used in your network configuration. For example, inside (connects to your internal network) or outside (connects to an external network or the public Internet).
In addition to their names, this panel displays and allows you to edit additional configuration information required for each interface. Your configuration edits are captured by PDM but not sent to the PIX Firewall unit until Apply to PIX is clicked.
You can monitor interfaces using Monitoring>Interface Graphs. Using Tools>CLI, the show interface command provides additional useful information about interface configurations:
Result of PIX command: "show interface"
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0050.54ff.3772
  IP address 172.23.59.230, subnet mask 255.255.255.224
  MTU 1500 bytes, BW 10000 Kbit half duplex
        1370126 packets input, 138813980 bytes, 0 no buffer
        Received 40491 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        2482258 packets output, 1682123205 bytes, 0 underruns
        0 output errors, 8259 collisions, 0 interface resets
        0 babbles, 0 late collisions, 1179 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/6)
        output queue (curr/max blocks): hardware (2/6) software (0/4)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0050.54ff.3773
  IP address 10.1.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit full duplex
        279855 packets input, 26155384 bytes, 0 no buffer
        Received 274299 broadcasts, 0 runts, 0 giants
        1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
        70405 packets output, 11885724 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/2) software (0/1)
interface ethernet2 "pix/intf2" is up, line protocol is down
  Hardware is i82559 ethernet, address is 00d0.b792.409d
  IP address 127.0.0.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 10000 Kbit full duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1 packets output, 64 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/2) software (0/1)
Field Descriptions
The Interfaces panel provides the following information:
Hardware ID—Displays the hardware name of the interface located on your PIX Firewall unit.
Speed—The physical level interface speed, such as 10BaseT, 100BaseTX, or 10Mbit, full duplex. Note: Even though the default is to set automatic speed sensing for the interfaces, we recommend that you specify the speed of the network interfaces in case your network environment includes switches or other devices that do not handle auto sensing correctly.
Interface Name—The logical name of the interface which relates to your use, such as inside or outside. Note: unless you are an expert user, do not change the Interface Name.
Security Level—The security level (1-99) which the interface will enforce.
IP Address—The IP address of the interface.
Netmask—The mask for the IP address of the interface.
DHCP/Static—Static routing or DHCP is enabled.
DHCP Setroute—DHCP setroute enable (if DHCP/Static = DHCP).
Retry Count—The number of times DHCP will try before returning an error.
Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Edit—Opens the Edit dialog box.
Enable, Disable, and Edit Interfaces
Follow these steps to enable, disable, and/or edit the configuration of an interface:
1. Select an interface from the table on the Interfaces panel.
2. Click Edit to open the Edit Interfaces panel.
3. Make any necessary changes to the fields provided. See the descriptions above for each field.
4. Click Enable Interface to enable or disable the interface. When disabled, the configuration information is retained, but the interface will not transmit or receive.
5. To return to the previous panel, click:
OK—Accepts changes and returns to the previous panel.
Cancel—Discards changes and returns to the previous panel.
Help—Provides more information.
After returning to the Interfaces panel, changes will not be applied unless you click Apply to PIX or Reset.
Applying Changes to the PIX Firewall
Changes to the table made by Add, Edit, or Delete are not immediately applied to the running PIX configuration. You must click on one of the following buttons to apply or discard changes:
1. Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration. Use the File menu to write a copy of the running configuration to Flash, a TFTP server, or a failover standby PIX Firewall unit. See Notes on Applying Configuration Changes.
2. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Monitoring>Interface Graphs
The Interface Graphs panel allows you to monitor per-interface statistics, such as packet counts and bit rates, for each enabled interface on the PIX Firewall. These graphs may be bookmarked for quick opening by your browser, printed, and the data may also be exported to other applications.
The following sections are included in this Help topic:
Important Notes
Interface Graph Types
Building a New Graph Window
Displaying a New Graph Window
Bookmarking Graphs
Printing Graphs
Exporting Data
Important Note
If an interface is not enabled using the System Properties>Interfaces panel, no graphs will be available for that interface.
Interface Graph Types
The following graphs are available for each enabled interface:
Packet Rates—Displays the number of packets per second (pps) input and output on the interface. The Packet Rates displayed in the Real-time and Last 10 minute views are calculated based on a 10-second time period. The rates displayed for the other history views are calculated based on an average of the 10-second periods between each data point on the graph.
Bit Rates—Displays the bits per second (bps) of traffic input and output on the interface. The Bit Rates displayed in the Real-time and Last 10 Minute views are calculated based on a 10-second time period. The rates displayed for the other history views are calculated based on an average of the 10-second periods between each data point on the graph.
Byte Counts—Displays the total number of kilobytes (KB) input and output on the interface since the interface counters were last cleared or the PIX Firewall was rebooted.
Packet Counts—Displays the total number of packets (KP) input and output on the interface since the interface counters were last cleared or the PIX Firewall was rebooted.
Buffer Resources—Displays the total number of buffer overruns, underruns and nobuffer conditions, in packets, on the interface since the interface counters were last cleared or the PIX Firewall was rebooted.
Packet Errors—Displays the total number of CRC errors, frame errors, input errors, runts, giants and deferred packets on the interface since the interface counters were last cleared or the PIX Firewall was rebooted.
Miscellaneous—Displays the total number of received broadcasts, in packets, on the interface since the interface counters were last cleared or the PIX Firewall was rebooted.
Collision Counts—Displays the total number of output errors, collisions and late collisions, in packets, on the interface since the interface counters were last cleared or the PIX Firewall was rebooted.
Input Queue—Displays the instantaneous hardware and software input queue depths, in blocks, on the interface.
Output Queue—Displays the instantaneous hardware and software output queue depths, in blocks, on the interface.
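The following added example (not part of PDM or any Cisco software) parses the show interface output quoted under System Properties>Interfaces into the counter groups that the Interface Graphs panel charts, and lists every non-zero error or collision counter per interface. SAMPLE is the ethernet0 and ethernet1 output from that topic reflowed one statement per line; the counter-to-graph grouping follows the graph descriptions above.

```python
"""Parse PIX 'show interface' output into the counter groups charted by
Monitoring>Interface Graphs and flag non-zero error counters.
Added example, not PDM code. SAMPLE is the ethernet0/ethernet1 output quoted
in the System Properties>Interfaces topic, reflowed one statement per line."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0050.54ff.3772
  IP address 172.23.59.230, subnet mask 255.255.255.224
  MTU 1500 bytes, BW 10000 Kbit half duplex
        1370126 packets input, 138813980 bytes, 0 no buffer
        Received 40491 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        2482258 packets output, 1682123205 bytes, 0 underruns
        0 output errors, 8259 collisions, 0 interface resets
        0 babbles, 0 late collisions, 1179 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/6)
        output queue (curr/max blocks): hardware (2/6) software (0/4)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0050.54ff.3773
  IP address 10.1.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit full duplex
        279855 packets input, 26155384 bytes, 0 no buffer
        Received 274299 broadcasts, 0 runts, 0 giants
        1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
        70405 packets output, 11885724 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/2) software (0/1)
"""

RE_HEADER = re.compile(r'^interface (\S+) "([^"]*)" is (\w+), line protocol is (\w+)$')
RE_PACKETS = re.compile(r"^(\d+) packets (input|output), (\d+) bytes, (\d+) (no buffer|underruns)$")
RE_QUEUE = re.compile(r"^(input|output) queue \(curr/max blocks\): hardware \((\d+)/(\d+)\) software \((\d+)/(\d+)\)$")
RE_COUNTER = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*?)(?=,|$)")  # "<count> <name>" items

# Counter names grouped the way the Interface Graphs panel charts them
GRAPH_GROUPS = {
    "Buffer Resources": ("overrun", "underruns", "no buffer"),
    "Packet Errors": ("CRC", "frame", "input errors", "runts", "giants", "deferred"),
    "Miscellaneous": ("broadcasts",),
    "Collision Counts": ("output errors", "collisions", "late collisions"),
}


@dataclass
class Interface:
    hardware_id: str   # e.g. ethernet0
    name: str          # logical name, e.g. outside
    status: str
    line_protocol: str
    counters: dict = field(default_factory=dict)


def parse_show_interface(text):
    """Return one Interface per 'interface ...' block in the CLI output."""
    interfaces, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_HEADER.match(line):
            cur = Interface(m[1], m[2], m[3], m[4])
            interfaces.append(cur)
        elif cur is None or not line:
            continue
        elif m := RE_PACKETS.match(line):   # the two packets/bytes lines
            cur.counters[f"packets {m[2]}"] = int(m[1])
            cur.counters[f"bytes {m[2]}"] = int(m[3])
            cur.counters[m[5]] = int(m[4])
        elif m := RE_QUEUE.match(line):     # queue depths as (curr, max)
            cur.counters[f"{m[1]} queue hw"] = (int(m[2]), int(m[3]))
            cur.counters[f"{m[1]} queue sw"] = (int(m[4]), int(m[5]))
        elif re.match(r"(Received )?\d", line):   # plain counter lines only
            for value, name in RE_COUNTER.findall(line):
                cur.counters[name] = int(value)
    return interfaces


def graph_totals(iface):
    """Counter values arranged by Interface Graphs category for one interface."""
    return {graph: {c: iface.counters.get(c, 0) for c in cols}
            for graph, cols in GRAPH_GROUPS.items()}


def error_findings(interfaces, graphs=("Packet Errors", "Collision Counts", "Buffer Resources")):
    """List (interface name, counter, value) for every non-zero error counter."""
    findings = []
    for iface in interfaces:
        for graph in graphs:
            for counter, value in graph_totals(iface)[graph].items():
                if value:
                    findings.append((iface.name, counter, value))
    return findings


if __name__ == "__main__":
    for name, counter, value in error_findings(parse_show_interface(SAMPLE)):
        print(f"{name}: {counter} = {value}")
```

Run against output captured from Tools>CLI, the findings list is what you would otherwise read off the Packet Errors and Collision Counts graphs; the half-duplex ethernet0 shows collisions and deferred packets, while ethernet1 shows one input and one frame error.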
Monitoring>Building Graph Windows
This main help topic for the Graph function of the Monitoring tab provides information about building Graph Windows which is common to all the Graph Categories and Graph Types.
The following sections are included in this Help topic:
Overview of PDM Graphs
Field Descriptions
Building a New Graph Window
Displaying a Graph Window
Note: For more information on a Graph Category, select it here:
Overview of PDM Graphs
The Monitoring tab allows the building of Graph Windows which combine up to four Graphs in a single window, following these basic steps:
Select a Graph Category from the tree list to the left
Select a Graph Type under the Category
Select an individual Graph from the Available Graphs list
Add it to the Selected Graph(s) list
Name the Graph Window
Graph It!
Graph It! opens new Graph Window and displays the graphs which were added to the Selected Graphs list.
The graphs displayed in the new Graph Window can be bookmarked in your browser for later recall, printed, and their data may be exported for use by other applications.
Field Descriptions
The main panel of the Monitoring tab displays the following fields for the Graphs function:
Graph Category>Type tree—Displays a tree list of the available Graph Categories and Types on the left.
Available Graphs for—Displays the list of individual graphs available for each Interface.
Graph Window—Allows you to give the Graph Window a name. If unspecified, the graph window name will be "Unnamed (n)" where n increments as each unnamed graph window is created.
Selected Graph(s)—Displays up to four graphs you have selected from the Available Graphs for list and added to the Graph Window.
Add—Adds to the Selected Graph(s) list all graphs you have selected from the Available Graphs for list.
Remove—Removes graphs you have currently selected in the Selected Graph(s) list.
Graph It!—Opens a Graph Window which displays the graphs in the Selected Graph(s) list.
Building a New Graph Window
Follow these steps to build a new Graph Window:
1. Select one of the following Graph Categories from the graph selection tree on the left of the Monitoring tab:
2. Select one or more of the Graph Types under your selected Graph Category.
3. A list of Available Graphs for that Category>Type will be displayed in a list to the right of the graph selection tree.
4. Click Add to add your selections to the Selected Graph(s) list.
5. You may also select additional Graph Category>Types from the graph tree and add them to the Selected Graph(s) list.
6. Optionally, you can name the Graph Window in the Graph Window box or select previous Graph Windows by clicking on the drop-down.
Displaying a Graph Window
Click Graph It! to open a new Graph Window and display the graph(s), which can be bookmarked, printed and exported.
Monitoring>Miscellaneous>IDS
The IDS panel allows you to monitor Intrusion Detection statistics, including packet counts for each Intrusion Detection System (IDS) signature supported by the PIX Firewall. These graphs may be bookmarked for quick opening by your browser, printed, and the data may also be exported to other applications.
The following sections are included in this Help topic:
Important Notes
IDS Graph Types
Building a New Graph Window
Displaying a New Graph Window
Bookmarking Graphs
Printing Graphs
Exporting Data
Important Notes
IDS statistics are tracked by the PIX Firewall, and thus available for graphing, only when one or more IDS Policies are enabled using the System Properties>Intrusion>IDS Policy and System Properties>Intrusion>IDS Signatures panels.
IDS Graph Types
The IDS graphs represent the complete collection of IDS signatures supported by the PIX Firewall, categorized into subsets with one graph per subset. Each graph contains one to five IDS informational or attack signatures, with packet counts representing hits for each signature since the IDS statistics were last cleared or the PIX Firewall rebooted.
IP Options
IP Route Options
IP Attacks
ICMP Requests
ICMP Responses
ICMP Replies
ICMP Attacks
TCP Attacks
UDP Attacks
DNS Attacks
FTP Attacks
RPC Requests to Target Hosts
YP Daemon Portmap Requests
Miscellaneous Portmap Requests
Miscellaneous RPC Calls
RPC Attacks
Monitoring>Graph Windows
Graph Windows display up to four graphs which were added to the Selected Graphs list for that Graph Window. Graph Windows can be bookmarked for later recall in your browser, printed, and their data may be exported for use by other applications.
The following sections are included in this Help topic:
Field Descriptions
Bookmarking Graph Windows
Recalling Previously Bookmarked Graph Windows
Printing
Exporting Graph Data
Field Descriptions
Each graph in a Graph Window has a pane which displays the following fields:
Graph—The Graph tab at the top enables data to be displayed in graph form in the Graph Window.
Table—The Table tab at the top enables data to be displayed in table form in the Graph Window.
View—The View drop-down menu allows selection of the time frame or horizon of the data displayed in the Graph Window:
Real-time, starting when the graph is displayed, with a new data point every 10 seconds
Last 10 minutes, with a data point every 10 seconds
Last 60 minutes, with a data point every 1 minute
Last 12 hours, with a data point every 12 minutes
Last 5 days, with a data point every 2 hours
Note: Time horizons other than Real-time are available for viewing only when the History Metrics feature is enabled using the System Properties>History Metrics panel. When you enable History Metrics, data will be stored, even when a Graph Window is not being displayed.
The time values displayed on the graph X-axis and in the corresponding table are based on PIX Firewall time converted to your local time zone. The GMT timezone is recommended. Up to four graphs can be displayed within each Graph Window, however, there is no limit to the number of Graph Windows which can be concurrently displayed.
Export—Allows Graph Window data to be exported for use by other applications.
Bookmark—Allows the Graph Window to be bookmarked in your browser.
Print—Opens the Print dialog for printing of the Graph or Table.
Help—Provides more information.
Bookmarking Graph Windows
Note: Bookmarking is available with PIX Firewall version 6.1 or later.
1. While in the Graph Window, click the Bookmark button.
2. Select the appropriate URLs for the graphs you want to bookmark in the Bookmark Graphs dialog box that appears. There is one link for all Graphs in a Graph Window, and a separate link for each Graph in the Graph Window.
3. To add a bookmark to your web browser, click the right mouse button on the link and choose Add Bookmark. (Actual text for the bookmark menu item may vary, depending on the browser.)
Recalling Previously Bookmarked Graph Windows
To recall a previously bookmarked Graph Window, select the bookmark in your browser. If the Graph Window already exists, it will be brought to the front. PDM does not have to be running when you select the bookmark you previously created for a Graph Window. If PDM is not running, the browser will launch PDM from the PIX Firewall from which the bookmark was created and then display the Graph Window.
The graph data starts as if you made the selection manually, unless the Graph Window is already created. The graph data is not persistent and does not continue where it left off the last time.
Printing Graphs
1. In the Graph Window, click the Print button.
2. If there is more than one Graph in the Graph Window, the Print Graph dialog box appears.
3. Select the Graph that you want to print from the drop-down list if there is more than one Graph.
4. Click on the Print button to proceed to the operating system Print dialog. Data will be printed in the format, Graph or Table, currently being displayed.
Note: If PDM is running in Netscape Navigator and the browser has not yet given print privileges to the applet, then this brings up a security dialog requesting print privileges be granted. Click the Grant button to give the applet printing privileges. When using Internet Explorer, permission to print is already granted when you originally accepted the signed applet.
Exporting Graph Data
To export Graph or Table data in a comma-separated value format, use the following steps:
1. From the Graph Window, select Export.
2. Similar to printing, if there is more than one Graph in the Graph Window, the Export Graph Data dialog will appear. Select one or more of the graphs listed by checking the box next to the Graph name. (More than one selection will be stored in a single file.)
3. Click Export at the bottom of the dialog box.
4. When the operating system standard File dialog box appears, enter a filename for the data.
Note: Similar to printing, if PDM is running in Netscape Navigator, it may bring up a security dialog requesting additional privileges be granted. Click the Grant button to continue.
Printing
To begin printing:
1. Select File>Print..., the Print icon on the button bar, or Print from a dialog.
Note: Java Print Permissions. If PDM is running in Netscape Communicator and the user has not yet granted "Print" privileges to the Java applet, a security dialog will appear requesting the granting of Print privileges. Click Grant to grant the applet printing privileges. When using Internet Explorer, permission to print is already granted when you originally accepted the signed applet.
2. The Print Dialog will then appear; it varies depending on your operating system.
3. In the Print Dialog select the appropriate settings, including:
Destination printer
Quality, layout, or other printer-specific settings
Page orientation
Note: Landscape page orientation is recommended for printing rules.
4. Click OK to print.
System Properties>Intrusion Detection>IDS Policy
The IDS Policy panel allows you to define Intrusion Detection System (IDS) policies. By defining IDS policies, you instruct the PIX Firewall to audit IP traffic going through the PIX Firewall, looking for pre-defined attack and informational signatures. For each IDS policy, you can instruct the PIX Firewall to send an alarm (syslog), drop the offending packet and/or reset the offending connection. You can also selectively enable your IDS policies on one or more of the PIX Firewall interfaces.
Auditing is performed by looking at the IP packets as they arrive at an input interface. If a packet triggers a signature and the configured action does not drop the packet, then the same packet can trigger other signatures. PIX Firewall supports both inbound and outbound auditing. For a complete list of supported Cisco Secure IDS signatures, their wording, and whether they are attack or informational messages, refer to System Log Messages for the Cisco Secure PIX Firewall for your PIX Firewall software version.
The following sections are included in this Help topic:
Field Descriptions
Add
Edit
Delete
Selecting IP Attack and IP Informational Actions
Resetting to Last Applied Settings
Field Descriptions
The IDS Policy panel displays the following fields:
Intrusion Detection Policy table
Name—Displays the names of IDS rules you have defined.
Type—Describes the type of rule: Info or Attack.
Action—Defines the action taken when this rule is triggered. Alarm indicates that when a signature match is detected, PIX Firewall reports the event to all configured syslog servers. Drop drops the offending packet. Reset drops the offending packet and closes the connection if it is part of an active connection.
Add—Opens the Add dialog box.
Edit—Opens the Edit dialog box.
Delete—Deletes the selected item.
Policy-to-Interface Mappings table
Interface—Lists the interfaces on which your IDS policy can be enabled.
Attack Policy—Displays the specific attack policy, if any, for that interface.
Info Policy—Displays the specific info policy, if any, for that interface.
Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
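The audit behaviour described in this topic (a signature only counts when it is enabled and a policy of its kind is mapped to the input interface; Alarm reports to syslog, Drop discards the packet, Reset also closes the connection; and a packet that is not dropped can go on to trigger further signatures) can be modelled in a few lines. The following Python model is an added illustration, not PDM or PIX Firewall code. The signature ids and names, the packet fields and the interface names are constructed for the example; the real signature numbers are listed in the System Log Messages guide.

```python
"""Model of the PIX IDS audit behaviour described in this Help topic.

Added illustration, not PDM or PIX Firewall code.  Signature ids and names,
packet fields and interface names are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Signature:
    sig_id: int                        # constructed id, not a real PIX signature number
    name: str
    kind: str                          # "attack" or "info"
    match: Callable[[dict], bool]      # predicate over a packet dict
    enabled: bool = True               # IDS Signatures panel: Enabled/Disabled column


@dataclass
class IdsPolicy:
    name: str
    kind: str                          # "attack" or "info"
    actions: Set[str]                  # any of "alarm", "drop", "reset"


@dataclass
class AuditResult:
    fired: List[str] = field(default_factory=list)
    syslog: List[str] = field(default_factory=list)
    dropped: bool = False
    reset: bool = False


def audit_packet(pkt: dict, signatures: List[Signature],
                 mappings: Dict[str, Dict[str, IdsPolicy]]) -> AuditResult:
    """Audit one packet as it arrives on its input interface.

    A signature is only checked when it is enabled AND a policy of its kind
    (attack or info) is mapped to the input interface.  Alarm reports to
    syslog, Drop discards the packet, Reset discards it and closes the
    connection.  Once the packet is dropped no later signature sees it; if it
    is not dropped, the same packet can trigger other signatures.
    """
    result = AuditResult()
    policies = mappings.get(pkt["interface"], {})
    for sig in signatures:
        policy = policies.get(sig.kind)
        if not sig.enabled or policy is None or not sig.match(pkt):
            continue
        result.fired.append(sig.name)
        if "alarm" in policy.actions:
            result.syslog.append(
                f"{pkt['interface']}: sig {sig.sig_id} {sig.name} ({sig.kind}) "
                f"from {pkt['src']} to {pkt['dst']}")
        if "reset" in policy.actions:
            result.reset = True
            result.dropped = True
        if "drop" in policy.actions:
            result.dropped = True
        if result.dropped:
            break
    return result


# Constructed signatures, in evaluation order.
SIGNATURES = [
    Signature(1001, "ip_source_route", "attack", lambda p: p.get("src_route", False)),
    Signature(1002, "fragmented_icmp", "attack",
              lambda p: p["proto"] == "icmp" and p.get("fragment", False)),
    Signature(2001, "icmp_echo_request", "info",
              lambda p: p["proto"] == "icmp" and p.get("icmp_type") == 8),
]

# Constructed policies and Policy-to-Interface Mappings.
ATTACK_DROP = IdsPolicy("attack-drop", "attack", {"alarm", "drop"})
ATTACK_ALARM = IdsPolicy("attack-alarm", "attack", {"alarm"})
INFO_ALARM = IdsPolicy("info-alarm", "info", {"alarm"})
MAPPINGS = {
    "outside": {"attack": ATTACK_DROP, "info": INFO_ALARM},
    "dmz": {"attack": ATTACK_ALARM, "info": INFO_ALARM},
    "inside": {"info": INFO_ALARM},        # no attack policy mapped to inside
}


def demo() -> None:
    pkt = {"interface": "outside", "proto": "icmp", "icmp_type": 8,
           "src": "192.0.2.10", "dst": "10.1.1.2", "src_route": True}
    r = audit_packet(pkt, SIGNATURES, MAPPINGS)
    print("fired:", r.fired, "dropped:", r.dropped)
    for line in r.syslog:
        print("syslog:", line)


if __name__ == "__main__":
    demo()
```

Running the same source-routed echo request against the three mappings shows the point of the paragraph: on outside the first attack signature drops it and nothing else fires; on dmz (alarm only) all three signatures fire and three syslog messages result; on inside, with no attack policy mapped, only the informational signature is audited.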
Adding IDS Policy Settings
Follow these steps to add a new IDS policy:
1. In the IDS Policy panel, click Add. The Add IDS Policy dialog box appears.
2. Define the new policy's name, type, and action(s), and click OK.
3. In the IDS Policy panel, click Apply to PIX.
Editing IDS Policy Settings
Follow these steps to modify an existing IDS policy:
1. In the IDS Policy panel, select the rule you want to change and click Edit. The Edit IDS Policy dialog box appears.
2. Change the policy settings as desired and click OK.
3. In the IDS Policy panel, click Apply to PIX.
Deleting an IDS Policy Setting
Follow these steps to remove an IDS policy:
1. In the IDS Policy panel, select the IDS rule you want to delete.
2. Click Delete.
3. Click Apply to PIX.
Selecting IP Attack and IP Informational Actions
Follow these steps to change the attack or informational policy for a PIX Firewall interface:
1. For the desired interface, choose an attack or info policy from the list in the Policy-to-Interface Mappings table.
2. Click Apply to PIX.
Resetting to Last Applied Settings
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
System Properties>Intrusion Detection>IDS Signatures
The IDS Signatures panel allows you to select which signatures the PIX Firewall's IDS system will search for. When a signature is enabled, the PIX Firewall will audit the appropriate traffic and log a message or take other action if that signature is found. Note that enabling or disabling IDS signatures is only meaningful when you have enabled one or more IDS policies using the IDS Policy panel.
The following sections are included in this Help topic:
Important Notes
Field Descriptions
Enabling or Disabling Signatures
Resetting to Last Applied Settings
Important Notes
Auditing is performed by looking at the IP packets as they arrive at an input interface. If a packet triggers a signature and the configured action does not drop the packet, then the same packet can trigger other signatures. PIX Firewall supports both inbound and outbound auditing. For a complete list of supported Cisco Secure IDS signatures, their wording, and whether they are attack or informational messages, refer to System Log Messages for the Cisco Secure PIX Firewall Version x.x.
Field Descriptions
The IDS Signatures panel displays the following fields:
IDS Signatures table
Enabled—Lists the IDS signatures that are currently enabled.
Disabled—Lists the IDS signatures that are currently disabled.
Disable—Select an enabled signature and click this button to disable it.
Enable—Select a disabled signature and click this button to enable it.
Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Enabling or Disabling Signatures
Follow these steps to enable or disable IDS signatures:
1. Select one or more IDS signatures in the Enabled or Disabled column, and click the appropriate button to move them to the other column.
2. Click Apply to PIX.
Resetting to Last Applied Settings
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Monitoring>Connection Graphs
The Connection Graphs panel allows you to monitor a wide variety of performance statistics for features of the PIX Firewall, including statistics for xlates, connections, AAA, Fixups, URL filtering and TCP Intercept. These graphs may be bookmarked for quick opening by your browser, printed, and the data may also be exported to other applications.
The following sections are included in this Help topic:
Connection Graph Types
Building a New Graph Window
Displaying a New Graph Window
Bookmarking Graphs
Printing Graphs
Exporting Data
Connection Graph Types
The following graph types and their associated graphs are available:
Note: The Connection graphs use a default time interval (View) of 120 seconds over which the packets per second, connections per second, and transactions per second are calculated. This interval may be changed using the 'perfmon interval' command via the Tools>Command Line Interface panel.
Xlates:
Xlate Utilization—Displays the number of xlates per second during the last interval. An xlate, also referred to as a translation entry, represents a mapping of one IP address to another, or a mapping of one IP address/port pair to another.
Perfmon:
AAA Perfmon—Displays the number of Authentication, Authorization and Accounting requests sent to a AAA server per second during the last interval.
Fixup Perfmon—Displays the number of packets per second for traffic that was processed by the HTTP, FTP or TCP Fixup routines during the last interval.
Web Perfmon—Displays the number of URL requests per second processed by the PIX Firewall, and the number of Websense requests per second made by the PIX Firewall during the last interval. Note that the number of Websense requests does not include any URL filtering decisions made using the PIX Firewall's internal URL cache.
Connections Perfmon—Displays the number of total connections, TCP connections, UDP connections and TCP Intercepts per second processed by the PIX Firewall during the last interval.
Tools>Command Line Interface
This panel provides a text based tool for sending Command Line Interface (CLI) commands to the PIX Firewall and displaying responses.
The following help topics are available for this panel:
Field Descriptions
Entering a Command
Entering Multiple Commands
CLI and PDM Sessions
Getting Help—Individual Command Syntax
Getting Help—Command Summary
PDM panels generate commands and arguments which are sent to the PIX Firewall and applied to the running configuration. PDM receives results, in the form of messages, which provide information about the acceptance and effect of the command. The CLI tool allows administrators to enter those commands directly, send them to the PIX Firewall where they are immediately applied, and view the resulting messages.
Commands are entered as a single line in Command. Send, or the keyboard Enter key, transmits the command(s) to the PIX Firewall unit, and the response is viewed in Response. The command and result text is retained in Response as a history of the session until erased by Clear. In Multiple Line Commands, multiple lines of commands may also be entered or pasted in from other sources, then sent as a list of commands using Send.
CLI Console Sessions and PDM
In addition to PDM, PIX Firewall administrators may use the PDM CLI tool, which is one type of CLI console session. Changes from CLI console sessions take effect immediately in the running configuration. However, the changes will not be reflected in your PDM until you exit the CLI tool and click Refresh. If any other PDM sessions are in operation when you make changes using your PDM CLI tool, your changes will affect all the other PDM sessions when they click Refresh. The same is true for your PDM session. You will see any changes they make to the running configuration after you click Refresh.
Before configuring your PIX Firewall from the PDM CLI tool, we recommend that you review the Configuration Guide for the Cisco Secure PIX Firewall, "Command Reference" for your respective version. Refer to Multiple PDM and CLI Console Sessions for more information.
Field Descriptions
The Command Line Interface (CLI) panel provides the following fields:
Command—Allows you to enter commands.
Response—Allows you to view the results of the commands you enter in the Command box. If you would like help on any command, enter the command name followed by "?" to display a brief description of Help for that command in the Response pane.
The CLI panel has these buttons:
Send—Sends commands to the PIX Firewall, then returns to the main CLI panel where Response displays the results.
Clear Screen—Clears all text displayed in Response.
Close—Closes Command Line Interface.
Help—Provides more information about using the CLI tool.
Multiple Line Command...—Opens the Multiple Line Command dialog box to enter, paste in from other sources, and edit multiple line commands.
The Multiple Line Command dialog box has these fields:
Multiple Line Command box—Allows you to "Paste or enter multiple commands".
The Multiple Line Command dialog box has these buttons:
Send—Sends commands to the PIX Firewall, then returns to the main CLI panel where Response displays the results.
Cancel—Returns to the CLI main panel without sending commands.
Help—Provides more information about using multiple line commands.
Entering Command Lines
Follow these steps to enter and view results of single line commands:
1. Type a command in the Command box.
2. To transmit the command to the PIX Firewall, use the keyboard Enter key, or click Send.
3. The results of the command are displayed in Response.
Note: Changes from the PDM CLI tool take effect immediately in the running configuration. However, the changes will not be reflected in PDM until you exit the CLI tool and click Refresh. Refer to Notes on Applying Configuration Changes for more information.
Entering Multiple Command Lines
Follow these steps to enter and view results of multiple lines of commands:
This panel is used for sending multiple command lines, or a list of commands, to the PIX Firewall unit in two ways, typing or pasting.
1. Typing—Unlike the single line Command box, the Enter key on your keyboard does not send the command to the PIX Firewall, since it must be used to terminate the line and return to the left margin for the next line. Type the first command in the Multiple Line Command box and use the Enter key to return to the left margin. Type the next command, then Enter. Repeat until all the commands are entered into the command list. Within the Multiple Line Command box, you may edit lines or cut, copy and paste.
Pasting—You may copy a list of commands from another application, such as Microsoft Word, and paste the list into the Multiple Line Command box.
2. Click Send to transmit the commands to the PIX Firewall and return to the main CLI tool panel, or Cancel to return without sending commands.
3. The results of the commands are displayed in Response on the main panel.
Command Syntax
Help is available for individual command syntax and a command summary of all CLI commands. Follow these steps to get help on the syntax of a single command:
1. In Command or Multiple Line Command, enter the command name, followed by a question mark (?), or help followed by a command.
2. Click Send to view a description and the syntax of the command in Response.
Example: Result of PIX command: "help name"
USAGE: [no] name <ip_address> <name>
DESCRIPTION: name Associate a name with an IP address
SYNTAX: <ip_address> The IP address of the host/network being named
<name> The name for the host/network. The name can be up to 4000 characters, a-z,0-9,- and _, but it must begin with a letter
The <name> can then be used and displayed anywhere <ip_address> would otherwise have occurred
see also: names,nameif
Command Summary
Help is available for individual command syntax and a summary of all CLI commands. Follow these steps for a summary of all CLI commands:
1. In Command or Multiple Line Command, enter only a question mark (?), or help.
2. Click Send to view a general description of all CLI commands in Response.
Example: Result of PIX command: "?"
aaa Enable, disable, or view TACACS+ or RADIUS user authentication, authorization and accounting
access-group Bind an access-list to an interface to filter inbound traffic
access-list Add an access list
age This command is deprecated. See ipsec, isakmp, map, ca commands
alias Administer overlapping addresses with dual NAT.
apply Apply outbound lists to source or destination IP addresses
arp Change or view the arp table, and set the arp timeout value
auth-prompt Customize authentication challenge, reject or acceptance prompt
aaa-server Define AAA Server group
ca CEP (Certificate Enrollment Protocol) Create and enroll RSA key pairs into a PKI (Public Key Infrastructure).
clock Show and set the date and time of PIX
conduit Add conduit access to higher security level network or ICMP
crypto Configure IPsec, IKE, and CA
configure Configure from terminal, floppy, or memory, clear configure
copy Copy image or PDM file from TFTP server into flash.
debug Debug packets or ICMP tracings through the PIX Firewall.
dhcpd Configure DHCP Server
disable Exit from privileged mode
domain-name Change domain name
dynamic-map Specify a dynamic crypto map template
eeprom show or reprogram the 525 onboard i82559 devices
enable Modify enable password
established Allow inbound connections based on established connections
failover Enable/disable PIX failover feature to a standby PIX
filter Enable, disable, or view URL, Java, and ActiveX filtering
fixup Add or delete PIX service and feature defaults
flashfs Show, destroy, or preserve filesystem information
icmp Configure access for ICMP traffic that terminates at an interface
ipsec Configure IPSEC policy
isakmp Configure ISAKMP policy
fragment Configure the IP fragment database
global Specify, delete or view global address pools, or designate a PAT (Port Address Translated) address
hostname Change host name
http Configure HTTP server
vpdn Configure VPDN (PPTP, L2TP) Policy
vpngroup Configure a policy group for VPN clients
interface Identify network interface type, speed duplex, and if shutdown
ip Set the ip address and mask for an interface
   Define a local address pool
   Configure Unicast RPF on an interface
   Configure the Intrusion Detection System
kill Terminate a telnet session
logging Enable logging facility
map Configure IPsec crypto map
mtu Specify MTU(Maximum Transmission Unit) for an interface
name Associate a name with an IP address
nameif Assign a name to an interface
names Enable, disable or display IP address to name conversion
nat Associate a network with a pool of global IP addresses
outbound Create an outbound access list
pager Control page length for pagination
passwd Change Telnet console access password
pdm Configure Pix Device Manager
ping Test connectivity from specified interface to <ip>
quit Disable, end configuration or logout
reload Halt and reload system
rip Broadcast default route or passive RIP
route Enter a static route for an interface
session Access an internal AccessPro router console
setup Pre-configure PIX
shun Manages the filtering of packets from undesired hosts
snmp-server Provide SNMP and event information
sysopt Set system functional option
static Map a higher security level host address to global address
telnet Add telnet access to PIX console and set idle timeout
ssh Add SSH access to PIX console, set idle timeout, display list of active SSH sessions & terminate a SSH session
terminal Set terminal line parameters
tftp-server Specify default TFTP server address and directory
timeout Set the maximum idle times
url-cache Enable URL caching
url-server Specify a URL filter server
virtual Set address for authentication virtual servers
who Show active administration sessions on PIX
write Write config to net, flash, floppy, or terminal, or erase flash
Monitoring>System Graphs
The System Graphs panel allows you to build a New Graph Window which monitors the system resources of the PIX Firewall, including Block utilization, CPU utilization, Failover statistics, and Memory utilization. These graphs may be bookmarked for quick opening by your browser, printed, and the data may also be exported to other applications.
The following sections are included in this Help topic:
System Graph Types
Building a New Graph Window
Displaying a New Graph Window
Bookmarking Graphs
Printing Graphs
Exporting Data
System Graph Types
The following graph types and their associated graphs are available:
Blocks graphs:
Blocks Used—Displays the number of used blocks for each preallocated PIX Firewall block size.
Blocks Free—Displays the number of available blocks for each preallocated PIX Firewall block size.
CPU graph:
CPU Utilization—Displays the PIX Firewall CPU utilization (percent). Each data point represents an instantaneous snapshot of the PIX Firewall CPU utilization at that moment in time.
Failover graphs:
Translation Information—Displays the number of xlate state update packets sent by the PIX Firewall to its failover partner, and received from its failover partner, since failover was enabled or the PIX Firewall rebooted.
TCP Connection Information—Displays the number of TCP connection state update packets sent by the PIX Firewall to its failover partner, and received from its failover partner, since failover was enabled or the PIX Firewall rebooted.
UDP Connection Information—Displays the number of UDP connection state update packets sent by the PIX Firewall to its failover partner, and received from its failover partner, since failover was enabled or the PIX Firewall rebooted.
Xmit Queue—Displays the current depth, in packets, of the failover update queue used by the PIX Firewall to send state update packets to its failover partner. Also displays the maximum queue depth and total number of packets queued since failover was enabled or the PIX Firewall rebooted.
Receive Queue—Displays the current depth, in packets, of the failover update queue used by the PIX Firewall to receive state update packets from its failover partner. Also displays the maximum queue depth and total number of packets queued since failover was enabled or the PIX Firewall rebooted.
Note: If Failover is not enabled using the Failover panel under System Properties, no failover graphs will be available for viewing.
Memory graphs:
Memory Utilization—Displays the number of physical memory bytes free and bytes used.
Tools>Ping
This panel provides a ping tool which is useful for verifying the configuration and operation of a PIX Firewall unit and surrounding communications links, as well as basic testing of other network devices.
The following sections are included in this Help topic:
Field Descriptions
Using the PDM Ping tool
Troubleshooting operation of the PDM Ping tool
A "ping" is the network equivalent of sonar for submarines. A ping is sent to an IP address and it returns an "echo". This simple process enables network devices to discover, identify and test each other.
The Ping tool uses the Internet Control Message Protocol (ICMP) protocol described in RFC 777 and RFC 792. ICMP defines an echo and echo reply transaction between two network devices, which has become known as a ping. The echo (request) packet is sent to the IP address of a network device. The receiving device reverses the source and destination address and sends the packet back as the echo reply.
Field Descriptions
The Ping tool panel has the following fields:
IP Address—The destination IP address for the ICMP echo request packets.
Note: Hosts may be assigned a name by administrators in Hosts/Networks>Basic Information>Host Name and used here in place of the IP address.
Interface—(Optional). The PIX Firewall interface which will transmit the echo request packets may be specified. If it is not specified, the PIX Firewall checks the routing table to find the destination address and uses the required interface.
Ping Output—The result of the ping. When the Ping button is clicked, 3 attempts are made to ping the IP address and 3 results display the following fields:
Reply IP address/Device name—The IP address of the device pinged or a device name, if available. The name of the device, if assigned in Hosts/Networks, may be displayed even if NO response is the result.
Response received/NO response received:
Response received—the result if an echo reply was returned from the destination IP address specified.
NO response received—the result if no echo reply was returned before the specified timeout.
Response time/timeout (ms)—When the ping is transmitted, a millisecond timer starts with a specified maximum, or timeout value. This is useful for testing the relative response times of different routes or activity levels, for example.
Response received—When an echo reply is received, the timer stops and its value is displayed.
NO response received—If an echo reply is not received before the timeout value is reached, the timeout value is displayed.
Example Ping Output
10.1.1.2 NO response received -- 1000ms
10.1.1.2 NO response received -- 1000ms
10.1.1.2 NO response received -- 1000ms
If a name is assigned in Hosts/Networks>Host Name:
Router_1600 response received -- 0ms
Router_1600 response received -- 0ms
Router_1600 response received -- 30ms
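The Ping Output lines above have a fixed shape (target, result, and either the measured response time or the timeout value), which makes them easy to parse when an administrator pastes the output into a script or ticket. The following Python parser is an added example, not PDM code; it recognises the two result forms documented above and summarises attempts, replies and the worst observed response time, keeping the timeout value separate since a NO response line reports the timeout rather than a measured time. The sample outputs are constructed from the examples in this topic.

```python
"""Parser for the PDM Ping Output lines documented in this Help topic.

Added example, not PDM code.  The sample outputs below are constructed from
the examples in the topic.
"""
import re
from typing import Dict, List

# One result line: "<ip or name> <status> -- <time>ms"
PING_LINE = re.compile(
    r"^(?P<target>\S+)\s+(?P<status>NO response received|response received)"
    r"\s+--\s+(?P<ms>\d+)ms$")


def parse_ping_output(text: str) -> List[Dict]:
    """Turn the three result lines into dicts; reject anything that is not a
    Ping Output line so pasted junk is noticed rather than silently skipped."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PING_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ping output line: {line!r}")
        results.append({
            "target": m["target"],
            "replied": m["status"] == "response received",
            "ms": int(m["ms"]),   # response time, or the timeout value if no reply
        })
    return results


def summarize(results: List[Dict]) -> Dict:
    """Count attempts and replies and report the worst measured response time.
    For a NO response line the displayed value is the timeout, so it is
    reported as timeout_ms rather than mixed into the response times."""
    replies = [r for r in results if r["replied"]]
    timeouts = [r["ms"] for r in results if not r["replied"]]
    sent = len(results)
    return {
        "target": results[0]["target"] if results else None,
        "sent": sent,
        "received": len(replies),
        "loss_pct": round(100.0 * (sent - len(replies)) / sent, 1) if sent else None,
        "max_response_ms": max((r["ms"] for r in replies), default=None),
        "timeout_ms": timeouts[0] if timeouts else None,
    }


# Constructed samples mirroring the examples in this topic.
SAMPLE_NO_RESPONSE = """\
10.1.1.2 NO response received -- 1000ms
10.1.1.2 NO response received -- 1000ms
10.1.1.2 NO response received -- 1000ms
"""

SAMPLE_NAMED = """\
Router_1600 response received -- 0ms
Router_1600 response received -- 0ms
Router_1600 response received -- 30ms
"""

if __name__ == "__main__":
    for sample in (SAMPLE_NO_RESPONSE, SAMPLE_NAMED):
        print(summarize(parse_ping_output(sample)))
```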
Buttons—This panel provides the following buttons:
Ping—When clicked, this button sends an ICMP echo request packet from the specified or default interface to the specified IP address and starts the response timer.
Close—Closes the Ping tool panel.
Help—Provides more information about the Ping tool panel.
Using the Ping Tool
The Ping tool uses the Internet Control Message Protocol (ICMP) protocol described in RFCs 777 and 792. Sending an ICMP echo request packet to an IP address is a "ping". An "echo" is an ICMP echo reply packet returned from the receiving device.
PIX Firewall administrators can use the PDM Ping tool as an interactive diagnostic aid in several ways, for example:
Loopback testing of two interfaces—A ping may be initiated from one interface to another on the same PIX Firewall unit, as an external loopback test to verify basic "up" status and operation of each interface.
Pinging to a PIX Firewall interface—An interface on another PIX Firewall unit may be pinged by the Ping tool or another source to verify that it is up and responding.
Pinging through a PIX Firewall—Ping packets originating from the Ping tool may pass through an intermediate PIX Firewall unit on their way to a device. The echo packets will also pass through two of its interfaces as they return. This procedure can be used to perform a basic test of the interfaces, operation, and response time of the intermediate unit.
Pinging to test questionable operation of a network device—A ping may be initiated from a PIX Firewall interface to a network device which is suspected to be functioning improperly. If the interface is configured properly and an echo is not received, there may be problems with the device.
Pinging to test intermediate communications—A ping may be initiated from a PIX Firewall interface to a network device which is known to be functioning properly and returning echo requests. If the echo is received, the proper operation of any intermediate devices and physical connectivity is confirmed.
Troubleshooting Operation of the Ping Tool
When pings fail to receive an echo, it may be the result of a configuration or operational error in a PIX Firewall unit, and not always due to "NO response" from the IP address being pinged. Before using the Ping tool to ping from, to or through a PIX Firewall interface, verify the following:
Basic interface checks
Verify that interfaces are configured properly in System Properties>Interfaces and/or using the CLI show interfaces command from PDM Tools>CLI.
Check each interface physically for good mechanical and electrical connectivity—cables are connected, link indicators are green, and any passive devices, such as hubs are operational.
Verify that devices in the intermediate communications path, such as switches or routers, are properly delivering other types of network traffic.
Make sure that traffic of other types from "known good" sources is being passed. Use the show interface command from the PDM CLI tool or PDM Monitoring>Interface Graphs.
Pinging from a PIX Firewall interface—For basic testing of an interface, a ping may be initiated from a PIX Firewall interface to a network device which, by other means, is known to be functioning properly and returning echoes via the intermediate communications path.
Verify receipt of the ping from the PIX Firewall interface by the "known good" device. If it is not received, there may be a problem with the transmit hardware or configuration of the interface.
If the PIX Firewall interface is configured properly and it does not receive an echo from the "known good" device, there may be problems with the interface hardware receive function. If a different interface with "known good" receive capability can receive an echo after pinging the same "known good" device, the hardware receive problem of the first interface is confirmed.
Pinging to a PIX Firewall interface—When attempting to ping to a PIX Firewall interface, verify that pinging response (ICMP echo reply) is enabled for that interface in the System Properties>PIX Administration>ICMP panel. When pinging is disabled, the PIX Firewall cannot be detected by other devices or software applications, and will not respond to the PDM Ping tool.
Pinging through the PIX Firewall
First, verify that other types of network traffic from "known good" sources are being passed through the PIX Firewall unit. Use Monitoring>Interface Graphs, or an SNMP management station.
To enable internal hosts to ping external hosts, ICMP access must be configured correctly for both the inside and outside interfaces in Access Rules.
Refer to the Cisco Secure PIX Firewall Configuration Guide for more information on pinging through the PIX Firewall.
System Properties>PIX Administration>ICMP
The System Properties>PIX Administration>ICMP panel allows configuration of rules which permit only specific hosts or networks to communicate with the PIX Firewall unit using the Internet Control Message Protocol (ICMP) protocol.
The following sections are included in this Help topic:
Field Descriptions Adding Rules Editing Rules Deleting Rules Applying Changes to the PIX Firewall
The ICMP protocol enables a network device to ping an IP address in order to discover the presence, identity, and function of other devices and to test intermediate communications links. When a device receives a ping (request), it can respond with an echo which includes its name, function, and other information. Routers can discover each other in this way. Administrators also use pinging directly in network management applications and diagnostic tools, such as the PDM Ping tool.
The ICMP panel can enable or disable the ping response or echo of an interface on the PIX Firewall. When pinging is disabled, the PIX Firewall cannot be detected by other devices or software applications. However, "friendly" hosts, such as a PC running PDM or a neighboring router, may need to ping the PIX Firewall. This feature is also referred to as configurable proxy pinging.
The rule table configures an access-list command statement that permits or denies ICMP traffic terminating at the PIX Firewall unit. A permit or deny action is specified for each interface which is added to the rule table. If no interfaces are added to the rule table, the default action for each interface is to permit ICMP traffic.
When an interface receives an ICMP packet, the PIX Firewall searches the access list. If the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry or an entry is not matched, PIX Firewall discards the ICMP packet and generates the %PIX-3-313001 syslog message. An exception is when an ICMP access-list command statement is not configured; then, permit is assumed.
Cisco recommends that you grant permission for ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery.
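The first-match evaluation just described, as an added Python model (not Cisco's code, and not the syntax of any PIX command): it assumes a rule's address and netmask are compared with the packet's source address, that a rule entered without an ICMP type covers every type, and that the syslog text around the %PIX-3-313001 ID is a constructed approximation. The sample rule table is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# ICMP type numbers exactly as the PDM ICMP panel lists them.
ICMP_TYPES = {
    0: "echo-reply", 3: "unreachable", 4: "source-quench", 5: "redirect",
    6: "alternate-address", 8: "echo", 9: "router-advertisement",
    10: "router-solicitation", 11: "time-exceeded", 12: "parameter-problem",
    13: "timestamp-reply", 14: "timestamp-request", 15: "information-request",
    16: "information-reply", 17: "mask-request", 18: "mask-reply",
    31: "conversion-error", 32: "mobile-redirect",
}


@dataclass(frozen=True)
class IcmpRule:
    """One row of the ICMP rule table (one entry of the access list)."""
    interface: str
    action: str                      # "permit" or "deny"
    address: str                     # host or network address, not the PIX interface address
    netmask: str                     # 255.255.255.255 for a single host
    icmp_type: Optional[int] = None  # assumption: None means the rule covers every ICMP type

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny, got {self.action!r}")
        if self.icmp_type is not None and self.icmp_type not in ICMP_TYPES:
            raise ValueError(f"unknown ICMP type {self.icmp_type}")

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network((self.address, self.netmask), strict=False)

    def matches(self, src_ip: str, icmp_type: int) -> bool:
        """Assumption: the rule's address/netmask is compared with the packet's source."""
        in_net = ipaddress.IPv4Address(src_ip) in self.network
        return in_net and (self.icmp_type is None or self.icmp_type == icmp_type)


def syslog_313001(interface: str, src_ip: str, icmp_type: int) -> str:
    # Only the message ID comes from the page; the body wording is a constructed approximation.
    name = ICMP_TYPES.get(icmp_type, "unknown")
    return f"%PIX-3-313001: Denied ICMP type={icmp_type} ({name}) from {src_ip} on interface {interface}"


def evaluate(rules: List[IcmpRule], interface: str, src_ip: str,
             icmp_type: int) -> Tuple[str, Optional[str]]:
    """Decide what happens to an ICMP packet that terminates at the PIX on `interface`.

    Returns (action, syslog). Per the panel description:
      * no entries for the interface       -> permit (default), nothing logged
      * first matching entry wins          -> its action
      * matched deny, or no entry matched  -> packet dropped, %PIX-3-313001 logged
    """
    per_interface = [r for r in rules if r.interface == interface]
    if not per_interface:
        return "permit", None
    action = "deny"  # stays "deny" when no entry matches
    for rule in per_interface:
        if rule.matches(src_ip, icmp_type):
            action = rule.action
            break
    if action == "permit":
        return "permit", None
    return "deny", syslog_313001(interface, src_ip, icmp_type)


def pmtud_at_risk(rules: List[IcmpRule], interface: str, src_ips: Iterable[str]) -> List[str]:
    """Sources whose ICMP unreachable (type 3) the table would drop.

    Cisco's recommendation above: permit type 3, because denying it disables
    Path MTU Discovery and can halt IPSec and PPTP traffic.
    """
    return [ip for ip in src_ips if evaluate(rules, interface, ip, 3)[0] == "deny"]


# Constructed sample table for the "outside" interface: one management host may
# ping it, everyone may send unreachables, all other ICMP to the PIX is dropped.
SAMPLE_RULES = [
    IcmpRule("outside", "permit", "203.0.113.10", "255.255.255.255", 8),
    IcmpRule("outside", "permit", "0.0.0.0", "0.0.0.0", 3),
    IcmpRule("outside", "deny", "0.0.0.0", "0.0.0.0"),
]

if __name__ == "__main__":
    probes = [("outside", "203.0.113.10", 8), ("outside", "198.51.100.7", 8),
              ("outside", "198.51.100.7", 3), ("inside", "10.0.0.5", 8)]
    for iface, src, t in probes:
        print(iface, src, ICMP_TYPES[t], "->", evaluate(SAMPLE_RULES, iface, src, t))
    # A table that omits the type 3 permit stalls PMTUD for every outside source.
    strict = [IcmpRule("outside", "deny", "0.0.0.0", "0.0.0.0")]
    print("PMTUD at risk:", pmtud_at_risk(strict, "outside", ["198.51.100.7"]))
```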
Field Descriptions
The Internet Control Message Protocol (ICMP) panel displays the following fields in a rule table:
Interface—Displays an interface which has been added to the ICMP rule table (access list).
Action—Permit or deny ICMP traffic terminating at the PIX Firewall unit through this interface.
IP Address—Displays the IP address of each host or network added to the ICMP rule table (access list) for this interface. Note: This is not the IP address of the PIX interface.
Netmask—Displays the netmask for the IP address of each host or network added to the ICMP rule table (access list) for this interface. Note: This is not a netmask for the IP address of the PIX interface.
ICMP Type—The type of ICMP packet to which the permit or deny action will be applied.
0 echo-reply
3 unreachable
4 source-quench
5 redirect
6 alternate-address
8 echo
9 router-advertisement
10 router-solicitation
11 time-exceeded
12 parameter-problem
13 timestamp-reply
14 timestamp-request
15 information-request
16 information-reply
17 mask-request
18 mask-reply
31 conversion-error
32 mobile-redirect
Add—Opens the Add dialog box.
Edit—Opens the Edit dialog box.
Delete—Deletes the selected item.
Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Add and Edit provide these buttons:
OK—Accepts changes and returns to the previous panel.
Cancel—Discards changes and returns to the previous panel.
Help—Provides more information.
Adding to the table
Follow these steps to add to the rule table:
1. Click Add to open the Add dialog box.
2. Select the ICMP Type.
3. Select an Interface.
4. Enter or edit the IP address which will be permitted or denied ICMP access through this interface.
5. If the IP address is a host, not a network, then select Host.
6. Select or enter a Mask for the IP address.
7. Select permit or deny for the Action.
8. To return to the previous panel, click one of the following:
OK—Accepts changes and returns to the previous panel.
Cancel—Discards changes and returns to the previous panel.
Help—Provides more information.
Editing the table
Follow these steps to edit the rule table:
1. Click Edit to open the Edit dialog box.
2. Select the ICMP Type.
3. Select an Interface.
4. Enter or edit the IP address which will be permitted or denied ICMP access through this interface.
5. If the IP address is a host, not a network, then select Host.
6. Select or enter a Mask for the IP address.
7. Select permit or deny for the Action.
8. To return to the previous panel, click one of the following:
OK—Accepts changes and returns to the previous panel.
Cancel—Discards changes and returns to the previous panel.
Help—Provides more information.
Deleting from the table
Follow these steps to delete a rule from the table:
1. Select a line item in the rule table.
2. Click the Delete button.
Applying Changes to the PIX Firewall
Changes to the table made by Add, Edit, or Delete are not immediately applied to the running PIX configuration. You must click on one of the following buttons to apply or discard changes:
1. Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration. Use the File menu to write a copy of the running configuration to Flash, a TFTP server, or a failover standby PIX Firewall unit. See Notes on Applying Configuration Changes.
2. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Monitoring>PDM Users
The PDM Users panel allows you to monitor connections made to the PIX Firewall using PIX Device Manager (PDM). A snapshot of the current PDM user sessions to the PIX Firewall is displayed. The display is not automatically updated as new PDM user sessions are created. To view new PDM user sessions, you must click Refresh.
The following sections are included in this Help topic:
Important Notes Field Descriptions Disconnecting PDM User Sessions
Important Notes
Be careful not to accidentally disconnect your own PDM session by selecting your IP address and clicking Disconnect.
Field Descriptions
The PDM Users panel displays the following fields:
Session ID—Displays a unique number that identifies each PDM user session.
IP Address—Displays the IP address of the client connected to the PIX Firewall via PDM. If PDM knows the client host name associated with the IP address, the host name will appear in this field.
Refresh—Refreshes the current display by retrieving the PDM Users currently connected to the PIX.
Disconnect—Disconnects the PDM User session currently selected in the table. Note that when a PDM user session is disconnected, the disconnected user receives an error message on their PDM screen and, after the user acknowledges the error, their PDM applet is terminated. Any unapplied configuration changes made by that user will be lost.
Disconnecting PDM User Sessions
Follow these steps to disconnect:
1. Select a PDM User session from the table.
2. Click Disconnect.
3. Click Refresh to verify that the PDM session has been disconnected.
System Properties>PIX Administration>Telnet
The Telnet panel allows configuration of rules which permit only specific hosts or networks running the PIX Firewall Device Manager (PDM) to connect to the PIX Firewall unit using the Telnet protocol.
The following sections are included in this Help topic:
Field Descriptions Adding Rules Editing Rules Deleting Rules Applying Changes to the PIX Firewall
The rules restrict administrative Telnet access through a PIX Firewall interface to a specific IP address and netmask. Connection attempts which comply with the rules must then be authenticated by a preconfigured AAA Server or the Telnet password. You can monitor Telnet sessions using Monitoring>Telnet Sessions.
Field Descriptions
The Telnet panel displays the following fields in a Telnet rule table:
Interface—Displays the name of a PIX Firewall interface which will permit Telnet connections, an interface on which is located a PC or workstation running PDM.
IP Address—Displays the IP address of each host or network permitted to connect to this PIX Firewall through the specified interface. Note: This is not the IP address of the PIX Firewall interface.
Netmask—Displays the netmask for the IP address of each host or network permitted to connect to this PIX Firewall through the specified interface. Note: This is not the netmask of the PIX Firewall interface.
Max Idle Time—Displays the number of minutes, 1 to 60, the Telnet session can remain idle before the PIX Firewall unit closes it. The default is 5 minutes.
Add—Opens the Add dialog box.
Edit—Opens the Edit dialog box.
Delete—Deletes the selected item.
Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Adding Telnet Rules
Follow these steps to add a rule to the Telnet rule table:
1. Click on the Add button to open the Telnet>Add dialog box.
2. Click on Interface to add a PIX Firewall interface to the rule table.
3. In the IP Address box, enter the IP address of the host running PDM which will be permitted Telnet access through this PIX Firewall interface. Note: This is not the IP address of the PIX Firewall interface.
4. In the Mask list, select or enter a netmask for the IP address to be permitted Telnet access. Note: This is not a mask for the IP address of the PIX Firewall interface.
5. To return to the previous panel, click one of the following:
OK—Accepts changes and returns to the previous panel.
Cancel—Discards changes and returns to the previous panel.
Help—Provides more information.
Editing Telnet Rules
Follow these steps to edit a rule in the Telnet rule table:
1. Click on Edit to open the Telnet>Edit dialog box.
2. Click on Interface to select a PIX Firewall interface from the rule table.
3. In the IP Address box, enter the IP address of the host running PDM which will be permitted Telnet access through this PIX Firewall interface. Note: This is not the IP address of the PIX Firewall interface.
4. In the Mask list, select or enter a netmask for the IP address to be permitted Telnet access. Note: This is not a mask for the IP address of the PIX Firewall interface.
5. To return to the previous panel, click one of the following:
OK—Accepts changes and returns to the previous panel.
Cancel—Discards changes and returns to the previous panel.
Help—Provides more information.
Deleting Telnet Rules
Follow these steps to delete a rule from the Telnet table:
1. Select a rule from the Telnet rule table.
2. Click the Delete button.
Applying Changes to the PIX Firewall
Changes to the table made by Add, Edit, or Delete are not immediately applied to the running PIX configuration. You must click on one of the following buttons to apply or discard changes:
1. Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration. Use the File menu to write a copy of the running configuration to Flash, a TFTP server, or a failover standby PIX Firewall unit. See Notes on Applying Configuration Changes.
2. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
System Properties>PIX Administration>Authentication
The Authentication panel allows you to enable or disable required authentication, authorization, and accounting (AAA) verifications.
The following sections are included in this Help topic:
Field Descriptions Enabling Forced AAA Authentication Enabling AAA Authentication for Specific Connections Applying Changes to the PIX Firewall
The Authentication panel allows you to enable or disable AAA access to the PIX Firewall via the serial console or different types of network connections, and set other administrative access policies, such as specifying that AAA authentication must be from a specific server group. See also Password, CLI console sessions, and Tools>CLI.
Field Descriptions
The Authentication panel provides the following fields:
Require AAA Authentication to allow use of privileged mode commands.
Enable—Forces AAA authentication from a server group before you can access enable mode on the PIX Firewall. This option allows up to three tries to access the PIX Firewall console. If this number is exceeded, an access denied message appears.
Server Group—Provides a drop-down menu from which you can choose a server group to force AAA authentication.
Require AAA Authorization for console connections to the PIX for the following types of connections:
HTTPS/PDM—Requires AAA authentication when you start an HTTPS connection to the PIX Firewall console. You can monitor PDM sessions using Monitoring>PDM Users.
Serial—Requires AAA authentication when you connect to the PIX Firewall console via the serial console cable. The PIX Firewall prompts you for your username and password before you can enter commands. If the authentication server is offline, wait until the console login request times out. You can then access the console with the pix username and the enable password.
SSH—Requires AAA authentication when you start a Secure Shell (SSH) connection to the PIX Firewall console. This option allows up to three tries to access the PIX Firewall console. If this number is exceeded, an access denied message appears. This option requests a username and password before the first command line prompt on the SSH console. You can monitor SSH sessions using Monitoring>Secure Shell.
Telnet—Requires AAA authentication when you start a Telnet connection to the PIX Firewall console. You are required to authenticate before you can enter a Telnet command. You can monitor Telnet sessions using Monitoring>Telnet Sessions.
Server Group—Provides a drop-down menu from which you can choose a server group to force AAA authentication. This applies to all Server Groups.
Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Enabling Forced AAA Authentication
Follow these steps to enable forced AAA authentication:
1. Select Enable.
2. Select the server group for which you would like to enable AAA authentication. Select either Terminal Access Controller Access Control System Plus (TACACS+), or Remote Authentication Dial-In User Service (RADIUS), or a different server group you have named and configured using the AAA Server Groups dialog box.
3. Click Apply to PIX.
Enabling AAA Authentication for Specific Connections
Follow these steps to enable administrative AAA authentication for specific connections:
1. Select one or more check boxes to require an authentication prompt whenever an HTTPS, Serial, SSH, or Telnet connection is made to the PIX Firewall.
2. Select the server group for which the authentication prompt applies. Use the AAA Server Groups panel to configure the server groups in this list.
3. To exit this panel, refer to Applying Changes to the PIX Firewall.
Applying Changes to the PIX Firewall
Changes to the table made by Add, Edit, or Delete are not immediately applied to the running PIX configuration. You must click on one of the following buttons to apply or discard changes:
1. Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration. Use the File menu to write a copy of the running configuration to Flash, a TFTP server, or a failover standby PIX Firewall unit. See Notes on Applying Configuration Changes.
2. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
System Properties>PIX Administration>Password
The Password panel allows you to set the enable and telnet passwords. The following sections are included in this Help topic:
Important Notes About PIX Passwords Field Descriptions Changing Enable Passwords Changing Telnet Passwords Applying Changes to the PIX Firewall
In addition to PDM, PIX Firewall administrators may use Command Line Interface (CLI) console sessions. One of the following types of preconfigured connections must be used for CLI console sessions:
1. Serial console port—PC with serial interface and terminal emulation software connected directly to the PIX Firewall console port.
2. Telnet protocol—A network connection using the Telnet protocol.
3. PDM/HTTPS protocol—A network connection using the HTTPS (Hypertext Transfer Protocol-Secure) protocol for Tools>CLI. Note: PDM uses HTTPS for all communication with the PIX Firewall.
4. Secure Shell (SSH) protocol—A network connection using the Secure Shell (SSH) protocol.
RADIUS or TACACS+ servers may be defined to authenticate any of these connection types. See PIX Administrative AAA Authentication for more information.
The enable password is set to authenticate administrators using the Command Line Interface for PIX management to enter the privilege mode required to view and modify the PIX configuration. The same password is also used by PDM to authenticate an administrator. When using Serial, Telnet, or SSH, the enable password is required to enter privilege mode after other authentication allows connection.
The Telnet password is set to authenticate administrators using the Telnet protocol for PIX management. The same password is also used to define authentication for administrators using SSH if PIX Administrative AAA Authentication is not defined for the SSH protocol. The default password is cisco.
To gain access to the PIX Firewall console via SSH, at the SSH client, enter the username as pix and enter the Telnet password. Note: SSH permits up to 100 characters in a username and up to 50 characters in a password.
For more information, refer to the Cisco Secure PIX Firewall Configuration Guide.
Important Notes About PIX Passwords
1. It is important to set the passwords on each PIX you deploy.
2. PIX passwords may be a maximum of 16 characters in length. SSH permits up to 100 characters in a username and up to 50 characters in a password.
3. PIX password characters can consist of alphanumeric or special characters except for the question mark or space.
4. PIX passwords are case-sensitive; for example, an uppercase "A" is recognized differently from a lowercase "a".
5. Make sure caps lock or num lock on your keyboard is not set when entering passwords.
6. Passwords should not be any word or syllable that would be found in the dictionary of common languages, the word "password", your date of birth, organization name, or anything very easy to guess about you or your organization.
7. Write down new passwords and store them in a manner consistent with the security policy of your organization. Once you change a PIX password, you cannot view it again.
8. PIX passwords may be entered in encrypted form. For more information, see the PIX Firewall Configuration Guide.
Field Descriptions
The Password panel provides the following fields:
Enable (and PDM) Password region
Old Password—Enter the previous password (maximum 16 characters, case-sensitive).
New Password—Enter a new password (maximum 16 characters, case-sensitive). See Important Notes About PIX Passwords.
Confirm New Password—Reenter your new password.
Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Note: Ensure that all users who access the PIX Firewall console are given this password.
Telnet (and non-AAA authenticated SSH) Password region
Old Password—Enter the previous password (maximum 16 characters, case-sensitive).
New Password—Enter a new password (maximum 16 characters, case-sensitive). See Important Notes About PIX Passwords.
Confirm New Password—Reenter your new password.
Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Note: Write down the new passwords and store them in a manner consistent with your site's security policy. Once you change the passwords, you cannot view them again.
Changing Enable (and PDM) Passwords
Follow these steps to change Enable (and PDM) passwords:
1. In the Old Password box, enter the old password (maximum 16 characters, case-sensitive). See Important Notes About PIX Passwords.
2. In the New Password box, enter a new password (maximum 16 characters, case-sensitive).
3. In the Confirm New Password box, reenter your new password.
Changing Telnet Passwords
Follow these steps to change Telnet (and non-AAA server authenticated SSH) passwords:
1. In the Old Password box, enter the old password (maximum 16 characters, case-sensitive). See Important Notes About PIX Passwords.
2. In the New Password box, enter a new password (maximum 16 characters, case-sensitive).
3. In the Confirm New Password box, reenter your new password.
Applying Changes to the PIX Firewall
If you do not wish to apply your recent change to the PIX Firewall configuration, click:
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Changes are not immediately applied to the running PIX configuration. If you wish to apply your changes:
1. Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
2. Use the File menu to write a copy of the running configuration to Flash, a TFTP server, or a failover standby PIX Firewall unit. See Notes on Applying Configuration Changes.
System Properties>PIX Administration>PDM/HTTPS
The System Properties>PIX Administration>PDM/HTTPS panel allows configuration of rules which permit only specific hosts or networks running the PIX Device Manager (PDM) to connect to the PIX Firewall unit using HTTPS (Hypertext Transfer Protocol, Secure).
The following sections are included in this Help topic:
Field Descriptions Adding Rules Editing Rules Deleting Rules Applying Changes to the PIX Firewall
A secure connection is needed so that a PC or workstation client running PDM in a network browser window can communicate with the PIX Firewall unit. The rules restrict PDM/HTTPS access through a PIX interface to a specific IP address and netmask. PDM/HTTPS connection attempts which comply with the rules must then be authenticated using a preconfigured AAA Server or the Enable password. Once established, data is encrypted using the Secure Sockets Layer (SSL) protocol. You can monitor PDM/HTTPS sessions using Monitoring>PDM Users. Refer to Multiple PDM and CLI Console Sessions.
Field Descriptions
The PDM/HTTPS panel displays the following fields in a rule table:
Interface—Displays the name of a PIX interface which will permit PDM/HTTPS connections, an interface on which is located a PC or workstation running PDM.
IP Address—Displays the IP address of each host or network permitted to connect to this PIX through the specified interface. Note: This is not the IP address of the PIX interface.
Netmask—Displays the netmask for the IP address of each host or network permitted to connect to this PIX through the specified interface. Note: This is not a netmask for the IP address of the PIX interface.
Add—Opens the Add dialog box.
Edit—Opens the Edit dialog box.
Delete—Deletes the selected item.
Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Add and Edit provide these buttons:
OK—Accepts changes and returns to the previous panel.
Cancel—Discards changes and returns to the previous panel.
Help—Provides more information.
Adding PDM/HTTPS Rules
Follow these steps to add a rule to the PDM/HTTPS rule table:
1. Click on Add to open the PDM/HTTPS>Add dialog box.
2. Click on Interface to add a PIX interface to the rule table.
3. Enter the IP address of the host running PDM which will be permitted HTTPS access through this PIX interface. Note: This is not the IP address of the PIX interface.
4. Select or enter a netmask for the IP address to be permitted HTTPS access. Note: This is not a mask for the IP address of the PIX interface.
5. To return to the previous panel, click one of the following:
OK—Accepts changes and returns to the previous panel.
Cancel—Discards changes and returns to the previous panel.
Help—Provides more information.
Editing PDM/HTTPS Rules
Follow these steps to edit a rule in the PDM/HTTPS rule table:
1. Click on Edit to open the PDM/HTTPS>Edit dialog box.
2. Click on Interface to add or change the PIX interface in the rule table.
3. Enter the IP address of the host running PDM which will be permitted HTTPS access through this PIX interface. Note: This is not the IP address of the PIX interface.
4. Select or enter a netmask for the IP address to be permitted HTTPS access. Note: This is not a mask for the IP address of the PIX interface.
5. To return to the previous panel, click one of the following:
OK—Accepts changes and returns to the previous panel.
Cancel—Discards changes and returns to the previous panel.
Help—Provides more information.
Deleting PDM/HTTPS Rules
Follow these steps to delete a rule from the PDM/HTTPS table:
1. Select a rule from the PDM/HTTPS rule table.
2. Click the Delete button.
Applying Changes to the PIX Firewall
Changes to the table made by Add, Edit, or Delete are not immediately applied to the running PIX configuration. You must click on one of the following buttons to apply or discard changes:
1. Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration. Use the File menu to write a copy of the running configuration to Flash, a TFTP server, or a failover standby PIX Firewall unit. See Notes on Applying Configuration Changes.
2. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
System Properties>PIX Administration>Secure Shell
The System Properties>PIX Administration>Secure Shell panel allows configuration of rules which permit only specific hosts or networks to connect to the PIX Firewall unit for administrative access using the Secure Shell (SSH) protocol.
The following sections are included in this Help topic:
Field Descriptions Adding Rules Editing Rules Deleting Rules Applying Changes to the PIX
The rules restrict SSH access through a PIX interface to a specific IP address and netmask. SSH connection attempts which comply with the rules must then be authenticated by a preconfigured AAA Server or the Telnet password. You can monitor SSH sessions using Monitoring>Secure Shell Sessions.
Field Descriptions
The Secure Shell (SSH) panel displays the following fields in a rule table:
Interface—Displays the name of a PIX interface which will permit SSH connections, an interface on which is located a PC or workstation running PDM.
IP Address—Displays the IP address of each host or network permitted to connect to this PIX through the specified interface. Note: This is not the IP address of the PIX interface.
Netmask—Displays the netmask for the IP address of each host or network permitted to connect to this PIX through the specified interface. Note: This is not a netmask for the IP address of the PIX interface.
SSH Timeout (minutes)—Displays the number of minutes, 1 to 60, the Secure Shell session can remain idle before the PIX Firewall unit closes it. The default is 5 minutes.
Add—Opens the Add dialog box.
Edit—Opens the Edit dialog box.
Delete—Deletes the selected item.
Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Add and Edit provide these buttons:
OK—Accepts changes and returns to the previous panel.
Cancel—Discards changes and returns to the previous panel.
Help—Provides more information.
Adding Secure Shell Rules
Follow these steps to add a rule to the Secure Shell rule table:
1. Click on the Add button to open the Add dialog box.
2. Add a PIX interface to the rule table.
3. Enter the IP address of the host running PDM which will be permitted SSH access through this PIX interface. Note: This is not the IP address of the PIX interface.
4. Select or enter a netmask for the IP address to be permitted SSH access. Note: This is not a mask for the IP address of the PIX interface.
5. To return to the previous panel, click one of the following:
OK—Accepts changes and returns to the previous panel.
Cancel—Discards changes and returns to the previous panel.
Help—Provides more information.
Editing Secure Shell Rules
Follow these steps to edit a rule in the Secure Shell rule table:
1. Click on the Edit button to open the Edit dialog box.
2. Select a PIX interface from the rule table.
3. Enter the IP address of the host running PDM which will be permitted SSH access through this PIX interface. Note: This is not the IP address of the PIX interface.
4. Select or enter a netmask for the IP address to be permitted Secure Shell access. Note: This is not a mask for the IP address of the PIX interface.
5. To return to the previous panel, click one of the following:
OK—Accepts changes and returns to the previous panel.
Cancel—Discards changes and returns to the previous panel.
Help—Provides more information.
Deleting Secure Shell Rules
Follow these steps to delete a rule from the Secure Shell table:
1. Select a rule from the Secure Shell rule table.
2. Click the Delete button.
Applying Changes to the PIX Firewall
Changes to the table made by Add, Edit, or Delete are not immediately applied to the running PIX configuration. You must click on one of the following buttons to apply or discard changes:
1. Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration. Use the File menu to write a copy of the running configuration to Flash, a TFTP server, or a failover standby PIX Firewall unit. See Notes on Applying Configuration Changes.
2. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Monitoring>Secure Shell Sessions
The Secure Shell Sessions panel allows you to monitor connections made to the PIX Firewall using Secure Shell (SSH). When the Secure Shell panel is displayed, a snapshot of the current Secure Shell sessions to the PIX Firewall is available. The display is not automatically updated as new Secure Shell sessions are created. To view new Secure Shell sessions, you must click Refresh.
The following sections are included in this Help topic:
Field Descriptions Disconnecting Secure Shell Sessions
Field Descriptions
The Secure Shell Sessions panel displays the following fields:
IP Address—Displays the IP address of the client connected to the PIX Firewall via SSH. If PDM knows the client hostname associated with the IP address, the host name will appear under IP Address in the table.
Ver—Displays the version of SSH being used by the client.
Type—Displays the type of encryption the SSH client is using (for example, DES, 3DES).
State—Displays the progress the client is making in its SSH connection to the PIX Firewall. State values are as follows:
0 = SSH_CLOSED
1 = SSH_OPEN
2 = SSH_VERSION_OK
3 = SSH_SESSION_KEY_RECEIVED
4 = SSH_KEYS_EXCHANGED
5 = SSH_AUTHENTICATED
6 = SSH_SESSION_OPEN
7 = SSH_TERMINATE
8 = SSH_SESSION_DISCONNECTING
9 = SSH_SESSION_DISCONNECTED
10 = SSH_SESSION_CLOSED
User— Displays the username of the client is accessing the PIX Firewall. The "pix" username appears when an SSH client is accessing the PIX Firewall console.
ID—Displays a unique number that identifies each SSH session. Disconnect—Disconnects the Secure Shell session currently selected in
Page 85
the table. Refresh—Refreshes the information on the current panel.
Disconnecting Secure Shell Sessions
Follow these steps to disconnect an existing SSH session:
1. Select an SSH session from the table.
2. Click Disconnect.
3. Click Refresh to verify that the SSH session has been disconnected.
Monitoring>Telnet Console Sessions
The Telnet Console Sessions panel allows you to monitor connections made to the PIX Firewall using Telnet. A snapshot of current Telnet sessions to the PIX Firewall is displayed. The display is not automatically updated as new Telnet sessions are created. To view new Telnet sessions, you must click Refresh.
The following sections are included in this Help topic:
Field Descriptions
Showing Sessions by IP Address
Field Descriptions
The Telnet Console Sessions panel displays the following fields:
Current Telnet Console Sessions Connected—Displays a unique session ID and the IP address of each Telnet client connected to the PIX Firewall in the form: ID: IP Address. If PDM knows the client host name associated with the IP address, the host name will also appear in the display.
Show Sessions for this IP Address—Allows you to enter a client IP address of the connected Telnet session(s) you want to show.
Refresh—Refreshes the panel with current information from the PIX Firewall. If an IP address is specified, only the information about the Telnet session using that IP address is refreshed. If no IP address is specified, information is refreshed for all Telnet sessions.
Showing Telnet Sessions by IP Address
Follow these steps to display Telnet Console Sessions for a specific IP address:
1. Enter a client IP address in Show Sessions for this IP address, if you want to refresh only the information about the Telnet session using that IP address.
2. Click Refresh.
Showing All Telnet Sessions
Follow these steps to display all Telnet Console Sessions:
1. Do not enter a client IP address in Show Sessions for this IP address, if you want to refresh the information about all Telnet sessions.
2. Click Refresh.
Access Rules>Add, Edit, Insert or Paste Rule
The Add, Edit, Insert, or Paste Rule screen lets you create a new rule, or modify an existing rule. The following sections are included in this help topic:
Screen Element Descriptions
Creating a Rule
Resetting to Last Applied Settings
Field Descriptions
The Add, Edit, Insert, or Paste Rule dialog boxes display the following fields:
Action—Determines the action type of the new rule. The choices are different for Access Rules, AAA Rules, and Filter Rules.
Access Rules
Permit
Deny
AAA Rules
Authenticate
Do not authenticate
Authorize
Do not authorize
Account
Do not account
Filter Rules
Filter ActiveX
Filter Java Applet
Filter URL
Do not filter URL
Each dialog box has an associated configuration panel, which displays at the bottom of the dialog box after the option is selected. The associated configuration area lets you finish the configuration for the rule.
Source Host/Network—Defines the source host or network of the rule by name, or by interface, IP address, and netmask.
Name—The name of the source host or network.
Interface—The interface on which the source host or network resides.
IP address—The IP address of the source host or network.
Mask—The netmask of the source host or network.
Browse—Lets you select an existing host or network from the Select Host/Network panel to populate the Name, Interface, IP address, and Mask boxes with the properties of the selected host or network.
Destination Host/Network—Defines the destination host or network of the rule by name, or by interface, IP address, and netmask.
Name—Specifies the name of the destination host or network.
Interface—Specifies the interface on which the destination host or network resides by selecting an interface name from the Interface list.
IP address—Specifies the IP address of the destination host or network.
Mask—Specifies the netmask of the destination host or network.
Browse—Lets you select an existing host or network from the Select Host/Network panel to populate the Name, Interface, IP address, and Mask boxes with the properties of the selected host or network.
Associated Configuration Areas—The following are the associated configuration areas used to further configure a rule. The area that displays at the bottom of the dialog box depends on which rule type you selected from the Select an action list.
Protocol and Service—This area is associated with the action types of permit and deny. The Protocol and Service area lets you specify the protocol and service to use within the new or modified rule, in addition to the source and destination ports, if applicable. The following are the protocol and service options. Each protocol and service option brings up associated options to configure.
TCP—Lets you select the TCP protocol.
Source Port—Lets you specify the source port or a range of source ports.
Destination Port—Lets you specify the destination port or a range of destination ports.
UDP—Lets you select the UDP protocol.
Source Port—Lets you specify the source port or a range of source ports.
Destination Port—Lets you specify the destination port or a range of destination ports.
ICMP—Lets you select the ICMP protocol.
ICMP Type—Lets you specify the ICMP message type by either entering this information in the ICMP type box or selecting it from the service list.
IP—Lets you select the IP protocol.
IP Protocol—Lets you specify the IP protocol type by either entering this information in the IP protocol box or selecting it from the IP Protocols list.
AAA Option—This area is associated with the action types of authenticate/do not authenticate, authorize/do not authorize, and account/do not account. The AAA Option area lets you specify the service and AAA server group. Each AAA option provides associated options to configure. The authenticate and do not authenticate action rule types display the following:
TCP—Lets you select the TCP service/protocol.
Authentication Service—Lets you specify the TCP service that the PIX Firewall will use to authenticate a user.
Select Application—Lets you select a TCP protocol, such as ftp, http, or telnet, from the Select Application list.
AAA Server Group—Lets you specify the server group on which to run the selected AAA service.
Group Tag—Lets you select a server group from the Group Tag list.
The authorize, do not authorize, account, and do not account action rule types display the following:
TCP—Lets you select the TCP service/protocol.
Application Port—Lets you specify the application port by either typing this information in the Application Port box or selecting it from the service list. Click on the options button (denoted by three dots) to select the application port.
UDP—Lets you select the UDP service/protocol.
Application Port—Lets you specify the application port by either entering it or selecting it from a list of application ports. Click on the options button (denoted by three dots) to select the application port.
ICMP—Lets you select the ICMP service.
ICMP Type—Lets you specify the ICMP message type by either typing this information in the ICMP Type box or selecting it from the service list. Click on the options button (denoted by three dots) to select the ICMP message type.
IP—Lets you select the IP service.
IP Protocol—Lets you specify the IP protocol type by either typing this information in the IP protocol box or selecting it from the Protocols list. Click the options button (denoted by three dots) to select the IP protocol type.
AAA Server Group—Lets you specify the server group on which to run the selected AAA service.
Group Tag—Lets you select a server group from the Group Tag list.
The ActiveX filter option area displays the following:
Filter Java ActiveX on the following port—Lets you enter a port number on which to filter ActiveX.
The Java Filtering Option area displays the following:
Filter Java applet on following port(s)—Allows you to enter a range of port numbers on which to filter Java.
The URL Filtering Option displays the following:
Filter URLs on the following port—Lets you indicate whether to allow outbound http connections to pass through your PIX Firewall without being filtered when your Websense server is down. Click either Yes or No.
Creating a Rule
Follow these steps to add a new rule or to modify an existing rule:
1. Under Action, select an action from the Select an action list.
2. Define the source host or network.
Click Name, and type the name of the source host or network in the Name box.
or
Click Interface. In the Interface list, select an interface name. In the IP address box, enter the IP address of the source host or network. In the Mask box, enter the netmask of the source host or network, or select a netmask from the list.
Browse lets you select an existing host or network from the Select Host/Network panel to populate the Name, Interface, IP address, and Mask boxes with the selected host or network properties.
3. Define the rule's destination host or network by name, or by interface, IP address, and netmask. Under Destination Host/Network, perform the following:
Click Name. In the Name box, enter the name of the destination host or network.
or
Click Interface. From the Interface list, select an interface name. In the IP address box, type the IP address of the destination host or network. In the Mask box, type the netmask of the destination host or network, or select a netmask from the list.
Browse lets you select an existing host or network from the Select Host/Network screen to populate the Name, Interface, IP address, and Mask boxes with the selected host or network's properties.
4. Define the additional parameters associated with the action type you selected in Step 1. The area that displays at the bottom of the dialog box depends on the type of action selected. Each of the action types has an associated area in which you can configure the additional rule parameters.
5. Click OK. The new rule is added to your PIX Firewall security policy and displays in the Access Rules tab.
Resetting to Last Applied Settings
Cancel—Discards any changes without applying them.
Search>Search by Field
The Search by Field panel lets you find the rules that are displayed on the Access Rules or Translation Rules tab based on selected criteria.
The following sections are included in this Help topic:
Important Notes
Field Descriptions
Access Rules
Translation Rules
Searching for Access Rules Containing a Pattern
Searching for a Translation by Field
Important Notes
The Search by Field menu option uses a simple text compare. The matching rules will be highlighted in yellow. Selecting Search>Clear Search Selections will clear the yellow highlights and the search results text from the panel.
Hits—When a search is complete a line of text will appear on the panel showing how many rules were matched for each type.
For example: "Search Results: Access rules:999 AAA:888 Filter:777" would be displayed in the upper right corner of the Access Rules tab.
If you perform a new search, the previous search selections will be cleared. They will not further filter the results.
Field Descriptions
The Search by Field>Search dialog box displays the following fields when started from the Access Rules tab:
Match all of the following—Specifies to perform your search matching all of the selected criteria.
The three search criteria boxes on the left let you select specific search criteria. The following are the options:
None
Source Address
Source Name
Destination Address
Destination Name
Action
Service
These let you select a data type on which the search will be performed. On the right side are list boxes in which the actual pattern to be matched can be entered. For each field Browse (...) will display a list of items that are appropriate for the selected data type.
Search—Clicking this button initiates the search function. Results will be highlighted in yellow on PDM.
Reset—Clicking this button clears the search panel so the choices can be reentered.
Help—Provides more information.
Close—Clears any changes you may have made and closes this panel.
The Search by Field>Search dialog box opened from the Translation Rules tab lets you search for translation rules by the following methods:
Type—The type of translation. In this case the options are Static and Dynamic.
Original Interface—The interface where the translation originates.
Original Address—The original address that is to be translated.
Translated Interface—The interface where the translation occurs.
Translated Address—The address to which the original address is translated.
Name—The name of the host or network.
Search—Clicking this button initiates the search function. Results will be highlighted in yellow on PDM.
Close—Clicking this button clears any changes you may have made and closes this panel.
Help—Provides more information.
Reset—Clicking this button clears the search panel so choices can be reentered.
Searching for Access Rules Containing a Pattern
Follow these steps to search for an access rule containing a pattern:
1. Click Search>Search by Field.
2. Click Match any of the following or Match all of the following.
3. From the search criteria option lists on the left, select the type of data to be searched.
4. In the boxes on the right, either enter or select the pattern to be matched. To select a pattern, click Browse and select the desired item from the list of items displayed. To enter a pattern, type the pattern in the box. Partial patterns are allowed on the following search criteria options:
Source Address
Source Name
Destination Address
Destination Name
Service
A partial pattern must have a trailing asterisk (*). For example, "139.1*" would match any IP address starting with "139.1", and "web*" would match any host or network name starting with "web". Patterns such as "*", "139.1*.22", or "*11" are not allowed.
The search results display in the Access Rules tab. The rules that match the search criteria will be highlighted in yellow on PDM.
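As an added example (not PDM's own code), the partial-pattern rule and the Match all/Match any combination described above, applied to a constructed rule table. The field names and the sample rules are assumptions made for this illustration.

```python
def validate_pattern(pattern):
    """True if Search by Field would accept this pattern: an exact value,
    or a prefix with a single trailing asterisk. '*' alone, a leading '*'
    and an embedded '*' are rejected, as the help text states."""
    if not pattern or pattern == "*":
        return False
    stars = pattern.count("*")
    return stars == 0 or (stars == 1 and pattern.endswith("*"))


def matches(value, pattern):
    """Simple text compare, as the help text describes: exact match, or a
    string-prefix match for 'abc*'. Because it is a text compare and not
    an address compare, '139.1*' also matches 139.10.x.x and 139.12.x.x."""
    if not validate_pattern(pattern):
        raise ValueError("pattern not allowed: %r" % pattern)
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def search_rules(rules, criteria, match_all=True):
    """Return the indices of rules that would be highlighted in yellow.
    criteria is a list of (field, pattern); a field of None is a search
    box left at 'None' and is ignored. match_all selects 'Match all of
    the following'; False selects 'Match any of the following'."""
    active = [(f, p) for f, p in criteria if f is not None]
    if not active:
        return []
    combine = all if match_all else any
    return [i for i, rule in enumerate(rules)
            if combine(matches(str(rule.get(f, "")), p) for f, p in active)]


def result_summary(rules, hits):
    """The 'Search Results: ...' line shown in the Access Rules tab."""
    counts = {"Access rules": 0, "AAA": 0, "Filter": 0}
    for i in hits:
        counts[rules[i]["type"]] += 1
    return "Search Results: Access rules:%d AAA:%d Filter:%d" % (
        counts["Access rules"], counts["AAA"], counts["Filter"])


# Constructed sample rule table (not taken from a real PIX configuration).
SAMPLE_RULES = [
    {"type": "Access rules", "Source Address": "139.1.2.3",
     "Destination Name": "webserver", "Action": "permit", "Service": "tcp/80"},
    {"type": "Access rules", "Source Address": "139.10.0.1",
     "Destination Name": "mail", "Action": "deny", "Service": "tcp/25"},
    {"type": "AAA", "Source Address": "139.1.5.5",
     "Destination Name": "web-proxy", "Action": "authenticate", "Service": "tcp/80"},
    {"type": "Filter", "Source Address": "10.0.0.9",
     "Destination Name": "any", "Action": "filter url", "Service": "tcp/80"},
]

if __name__ == "__main__":
    hits = search_rules(SAMPLE_RULES,
                        [("Source Address", "139.1*"), ("Destination Name", "web*")])
    print(hits, result_summary(SAMPLE_RULES, hits))
```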
Follow these steps to search for access rules containing a pattern:
1. Click Browse. The associated dialog box opens, displaying options to search.
2. Click Search to initiate the search.
3. Click OK.
Search for a Translation by Field
Complete the following steps to search for a translation:
1. Select the method by which you wish to search, such as Type or Original Interface.
2. Click Browse to browse for selectable options.
3. Click Search.
Understanding Static NAT
Static NAT refers to persistent one-to-one address mapping translation. In contrast to dynamic NAT, the static address translation does not vary over time. For inbound access to the internal local hosts, you should use static NAT rules. A static NAT rule maps an external IP address to a specific internal host's internal IP address. An internal IP address may be assigned to different external addresses on different interfaces.
Warning: If you expose your internal DNS servers using a static NAT rule, you do not benefit from the address hiding feature provided by translation rules. External users can simply request information about your trusted networks from the DNS servers that you expose.
Example Use Scenario
Scenario: We can define a static NAT rule that maps from the external IP address 192.168.7.130 (translated address) to the internal file server 192.168.1.3 (real address).
For this scenario, PIX Device Manager generates a rule similar to the following:
static (inside, outside) 192.168.7.130 192.168.1.3 netmask 255.255.255.255 0 0
Description: When the PIX Firewall unit receives a session request where the source address matches the IP address of the internal file server, it changes the source address to the external IP address before placing the packet onto the network of which the external address is a member. Likewise, when the PIX Firewall unit receives a network packet destined for the translated address, it changes the destination address to the address of the internal file server and places the new packet onto the network to which the internal file server belongs. Thus, the internal file server processes the packet as though it were originally destined for the file server. In both cases, all packets that are part of a valid session are remapped according to the translation rule (assuming that the active security policy permits the communication). If the active security policy does not permit a specific communication, the session request is rejected and the translation never occurs.
Understanding Dynamic NAT
Dynamic NAT, commonly referred to as Network Address Translation (NAT), is the process of converting between IP addresses used within an intranet or other private network (called a subdomain) and Internet IP addresses (or external IP addresses on a PIX Firewall unit). This approach makes it possible to use a large number of addresses within the subdomain without depleting the limited number of available numeric Internet IP addresses.
In addition to conserving IP addresses, dynamic NAT provides additional security features for your network by hiding its internal structure and allowing logical mappings to users who compose the different groups and departments within your company. While some users may not need to use dynamic NAT, you should keep this feature in mind as your network continues to grow.
The following sections describe what problems address hiding solves and how it works to solve these problems.
Why You Should Use Dynamic NAT
How Dynamic NAT Works
How Session Awareness and Port Mapping Affect Dynamic NAT
Why You Should Use Dynamic NAT
An address hiding translator, such as the software module that provides this feature for a PIX Firewall unit, provides several benefits for your network:
Enhances network security by hiding your network's internal structure from external users and enables you to logically group your users according to security domains.
Permits an almost unlimited number of users for one Class C network address because valid external addresses are required only when a user is connected to the Internet.
When you attach your existing IP networks to the Internet, you do not need to replace the IP address of each computer on your internal subnets with a valid, registered IP address from the Internet Network Information Center (the American Registry for Internet Numbers [ARIN]).
As these benefits indicate, NAT overcomes several limitations associated with the current IP addressing scheme. A discussion of these limitations follows.
Conceals Internal IP Addresses from Internet Users. As the network administrator, you may wish to conceal internal network addresses from the Internet, which prevents them from being disclosed to possibly malicious users. An address hiding translator dynamically assigns a valid external IP address to an internal IP address by mapping the internal address to an external address. Because this mapping between the external and internal IP addresses is temporary (it lasts only for the duration of a session or until the user-configured idle time-out value is exceeded), your internal IP addresses are concealed from the Internet. Only the external addresses appear in the packets that are distributed across the Internet.
Page 98
Requires Fewer Registered IP Addresses. To connect to the Internet, a company must purchase IP addresses from the American Registry for Internet Numbers (ARIN), which is the organization responsible for registering and assigning IP addresses to those who wish to connect to the Internet. Currently, IP addresses are allocated based on the size of the company that is requesting IP addresses. To prevent depletion of IP addresses on the Internet, small and medium organizations receive fewer IP addresses, regardless of plans for future expansion. An address hiding translator bypasses this limitation and ensures that you can continue to grow your network without acquiring additional addresses. Because an address hiding translator distributes the control and allocation of valid external IP addresses, it provides full connectivity and access to the Internet regardless of the size of your network or the number of users that you support.
Use of Invalid Internal Addresses. Because many companies use invalid IP addresses within their intranets, computers using those addresses cannot legally access the Internet. From the perspective of the routers, these addresses appear to belong to a network that is different from the Internet. If you have used such addresses, you may find that it is impractical to change them to valid internal addresses. The address hiding translator maintains the integrity of your internal addressing schemes by mapping registered IP addresses to all internal addresses, including invalid addresses.
Note: Invalid IP addresses are also referred to as reserved addresses, which are IP addresses restricted to special purposes, such as internal domain or Internet service provider network usage.
How Dynamic NAT Works
For information to be routed correctly, each connected computer must have a globally unique transport address that is identifiable by the routers that exist within the network of your Internet service provider, as well as those routers that compose the Internet backbone. If the IP addresses are not unique, these routers cannot route network packets. Those users who have duplicate IP addresses cannot be reached and cannot establish application sessions.
Network Address Translation solves these problems by temporarily reassigning a registered IP address to an internal computer that requests services across the Internet (or another external network). When residing on a PIX Firewall unit, the address hiding translator acts as a buffer between the global Internet and the local IP networks called subnets. The internal subnets only require IP addresses that are unique to that subnet level. When a computer on one of these subnets sends traffic out over the Internet (thus traversing the PIX Firewall), the address hiding translator strips the internal IP address (unique for that subnet) from the network packets and replaces that address with a unique external address that is registered and assigned to that subnet or site.
Often, the address hiding translator contains a pool of external IP addresses, which enables more than one internal computer to connect to the Internet at the same time. The pool contains those IP addresses that are registered with the American Registry for Internet Numbers (ARIN), http://www.arin.net. When you allocate IP addresses for your subnets, you must verify that those addresses do not conflict with the external IP addresses. Doing so ensures that the external IP addresses remain unique, enabling the address hiding translator to distinguish among computers. When a network packet is routed across the PIX Firewall, the address hiding translator replaces the internal corporate address with a temporary external address. As soon as the application session is over (or the idle time-out value is exceeded), the external address is returned to the pool, where it can be reassigned during a new session request.
How Session Awareness and Port Mapping Affect Dynamic NAT
In addition to the one-to-one address translation, the PIX Firewall also provides many-to-one address translation. The many-to-one mapping is called Port Address Translation (PAT). With PAT, the translation uses the port in addition to the IP address. By using the port, up to 65,535 local hosts can concurrently share a single IP address. Because PAT automatically maps multiple sessions to the same registered IP address, you do not need as many registered IP addresses. This feature also ensures that you can dynamically grow your network.
Note: Because PAT requires port information, only TCP, UDP, and ICMP echo/echo-reply operate with PAT.
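As an added example (not Cisco's or PDM's code), a toy Python model of the translation behaviour described in Understanding Static NAT and in this Dynamic NAT topic: a parser for the form of the static command shown in the static NAT scenario, a persistent one-to-one mapping, a dynamic pool whose addresses return after the idle time-out, and PAT as the many-to-one fallback. The pool and PAT addresses, the packet dictionaries, and the permit callable standing in for the active security policy are constructed assumptions.

```python
import re

# Matches the form of the 'static' command shown in the static NAT scenario,
# e.g. "static (inside, outside) 192.168.7.130 192.168.1.3 netmask 255.255.255.255 0 0"
STATIC_RE = re.compile(
    r"static\s*\((?P<real_if>\w+),\s*(?P<map_if>\w+)\)\s+"
    r"(?P<global>[\d.]+)\s+(?P<real>[\d.]+)"
)


def parse_static(line):
    """Return (real_address, global_address) from a PIX static command."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("not a static command: " + line)
    return m.group("real"), m.group("global")


class Translator:
    """Toy xlate table (constructed for this example, not the PIX code):
    static one-to-one first, then a dynamic pool, then PAT as a fallback."""

    def __init__(self, statics, pool, pat_address, idle_timeout=3600,
                 permit=lambda pkt: True):
        self.static_out = dict(statics)                      # real -> global
        self.static_in = {g: r for r, g in statics.items()}  # global -> real
        self.free_pool = list(pool)      # global addresses not currently leased
        self.pat_address = pat_address   # single global address shared by PAT
        self.idle_timeout = idle_timeout
        self.permit = permit             # stands in for the active security policy
        self.pool_xlates = {}            # real -> {"global", "last_seen"}
        self.pat_xlates = {}             # (real, rport) -> {"gport", "last_seen"}
        self.next_pat_port = 1024

    def outbound(self, pkt, now):
        """Rewrite the source of a packet leaving the inside interface.
        Returns None (and creates no xlate) when the policy rejects it."""
        if not self.permit(pkt):
            return None
        src, sport = pkt["src"], pkt["sport"]
        if src in self.static_out:                 # persistent one-to-one map
            return dict(pkt, src=self.static_out[src])
        x = self.pool_xlates.get(src)
        if x is None and self.free_pool:           # dynamic NAT: lease an address
            x = self.pool_xlates[src] = {"global": self.free_pool.pop(0)}
        if x is not None:
            x["last_seen"] = now
            return dict(pkt, src=x["global"])
        key = (src, sport)                         # pool exhausted: fall back to PAT
        p = self.pat_xlates.get(key)
        if p is None:
            p = self.pat_xlates[key] = {"gport": self.next_pat_port}
            self.next_pat_port += 1
        p["last_seen"] = now
        return dict(pkt, src=self.pat_address, sport=p["gport"])

    def inbound(self, pkt, now):
        """Rewrite the destination of a packet arriving on the outside
        interface. Only static mappings and translations already created by
        inside hosts are reachable; anything else returns None (dropped)."""
        if not self.permit(pkt):
            return None
        dst, dport = pkt["dst"], pkt["dport"]
        if dst in self.static_in:
            return dict(pkt, dst=self.static_in[dst])
        for real, x in self.pool_xlates.items():
            if x["global"] == dst:
                x["last_seen"] = now
                return dict(pkt, dst=real)
        if dst == self.pat_address:
            for (real, rport), p in self.pat_xlates.items():
                if p["gport"] == dport:
                    p["last_seen"] = now
                    return dict(pkt, dst=real, dport=rport)
        return None

    def expire(self, now):
        """Tear down idle translations; pool addresses go back to the pool."""
        for real, x in list(self.pool_xlates.items()):
            if now - x["last_seen"] > self.idle_timeout:
                self.free_pool.append(x["global"])
                del self.pool_xlates[real]
        for key, p in list(self.pat_xlates.items()):
            if now - p["last_seen"] > self.idle_timeout:
                del self.pat_xlates[key]


if __name__ == "__main__":
    real, glob = parse_static(
        "static (inside, outside) 192.168.7.130 192.168.1.3 netmask 255.255.255.255 0 0")
    t = Translator({real: glob}, pool=["192.168.7.131"], pat_address="192.168.7.132")
    print(t.outbound({"src": real, "dst": "203.0.113.5", "sport": 40000, "dport": 80}, now=0))
```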
Informational Message>Unsupported
The Cisco PIX Device Manager (PDM) does not support the complete command set of the Command Line Interface (CLI). PDM cannot function normally when unsupported commands are in the running configuration. This has important implications when using PDM.
The following sections are included in this Help topic:
Effects of Unsupported Commands
Monitor Only Mode
Exiting Monitor Only Mode
Unsupported Parsed Commands Causing Monitor Only Mode
Unsupported Command Combinations Causing Monitor Only Mode
Unsupported Unparsed Commands, Ignored
Partially Supported Commands, NO PDM Changes
Supported Invisible and CLI-Only Commands
Fully Supported Commands
Effects of Unsupported Commands
As PDM opens, it loads the running configuration from the PIX Firewall unit. If it encounters no unsupported commands, access to all PDM functions is granted for normal operation mode.
If PDM loads an existing running configuration and finds unsupported commands, it will enter the Monitor Only mode.
Multiple PDM and CLI sessions may be in operation at the same time as your PDM session. During normal operation, if unsupported commands are entered via other CLI console sessions or your CLI tool, PDM will enter Monitor Only mode when you Refresh.
Monitor Only Mode
Only these functions are available in Monitor Only mode:
The Monitoring tab
The CLI tool (Tools>CLI)
Exiting Monitor Only Mode
Follow these steps to regain access to all the functions of PDM in normal operation mode:
1. Use Tools>CLI to repair or remove the unsupported command statement(s).
2. Click Refresh to reload the repaired configuration.
Unsupported Parsed Commands Causing Monitor Only Mode
These commands can be parsed, but PDM does not support them in a configuration. If the commands are present in your configuration, PDM will enter Monitor Only mode.
COMMAND DESCRIPTION