Cisco PIX 520 - PIX Firewall 520, PIX Device Manager 3.0 Installation Manual

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
Fax: 408 526-4100

Cisco PIX Device Manager Installation Guide
Version 3.0
Text Part Number: 78-15483-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
This document is to be used in conjunction with the appropriate documentation for your Cisco PIX Firewall system.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CC CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Regi ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R)
Cisco PIX Device Manager Installation Guide
Copyright © 2003 Cisco Systems, Inc. All rights reserved.
CONTENTS

Preface vii
  Document Objectives vii
  Audience vii
  Installation Warning viii
  Safety Warning Description ix
  Document Organization xiii
  Document Conventions xiii
  Terms and Acronyms xiv
  Related Documentation xv
  Obtaining Documentation xv
    Cisco.com xv
    Documentation CD-ROM xv
    Ordering Documentation xv
    Documentation Feedback xvi
  Obtaining Technical Assistance xvi
    Cisco TAC Website xvi
    Opening a TAC Case xvi
    TAC Case Priority Definitions xvii
  Obtaining Additional Publications and Information xvii

Chapter 1 Overview 1-1
  Introduction 1-1
  Data Encryption Overview 1-2
  PIX Firewall System Requirements 1-4
    PIX Firewall System Interoperability with PDM 1-4
    Flash Memory Requirements 1-5
    Maximum Configuration File Size 1-5
    Software Requirements 1-6
    Upgrading to a New Software Release 1-6
  PC/Workstation Requirements 1-6
    Supported Platforms 1-8
      Windows 1-8
      Sun Solaris 1-9
      Red Hat Linux 1-9

Chapter 2 Preparing to Install PDM 2-1
  Notes and Cautions 2-1
    Caution 2-2
  Installation Checklist 2-2
  Preparing to Install PDM 2-3
  Determining the IP Address of Your Server 2-4
    Windows NT, Windows 2000, or Windows XP 2-4
    Windows 98 or Windows ME 2-4
    Sun Solaris 2-5
    Linux 2-5

Chapter 3 Installing PDM 3-1
  Downloading the PDM Software 3-1
    Downloading PDM from Cisco.com 3-1
    Downloading PDM Using FTP 3-2
  Installing PDM 3-2
  Loading the PDM Image 3-4

Chapter 4 Configuring PDM 4-1
  Starting PDM with Internet Explorer 4-1
  Starting PDM with Netscape Navigator 4-2
  PDM Home Page 4-3
  Using the PDM Startup Wizard 4-4
  VPN Wizard 4-5
    Site-to-Site VPN 4-5
    Remote Access VPN 4-5
    Select Interface 4-6
    Configuring VPN Tunnels 4-6
    Configuration Recommendations 4-6

Chapter 5 Tips and Troubleshooting 5-1
  Checking Your Connection to the PIX Firewall 5-1
  Tips on Using PDM 5-2
  Troubleshooting 5-3

Appendix A Using a TFTP Server A-1
  Obtaining a Windows TFTP Server A-1
  Enabling UNIX TFTP Support A-2
    Enabling TFTP Access on a Sun Solaris System A-2
    Enabling TFTP Access on a Linux System A-2
  TFTP Download Error Codes A-3

Index
Preface
This preface includes the following sections:
Document Objectives, page vii
Audience, page vii
Installation Warning, page viii
Safety Warning Description, page ix
Document Organization, page xiii
Document Conventions, page xiii
Terms and Acronyms, page xiv
Related Documentation, page xv
Obtaining Documentation, page xv
Obtaining Technical Assistance, page xvi
Obtaining Additional Publications and Information, page xvii
Document Objectives
This guide describes how to install and access the Cisco PIX Device Manager (PDM) software.
Audience
This guide is for network administrators who perform the following:
Manage network security
Install and configure firewalls
Installation Warning
Warning
Only trained and qualified personnel should be allowed to install, replace, or service this equipment.
Waarschuwing (Dutch)
This equipment may only be installed, replaced or repaired by authorized, trained personnel.
Varoitus (Finnish)
Only trained personnel who know the device may install, replace or service this equipment.
Attention (French)
It is strongly recommended that the installation, replacement and maintenance of this equipment be entrusted to qualified and experienced personnel.
Warnung (German)
Installing, replacing or operating this equipment should only be permitted to trained, qualified personnel.
Figyelem! (Hungarian)
The equipment may only be installed, replaced and maintained by qualified persons.
Avvertenza (Italian)
This equipment may only be installed, replaced or maintained by competent personnel.
Advarsel (Norwegian)
Only trained and qualified personnel should install, replace or service this equipment.
Aviso (Portuguese)
Only trained and qualified personnel should be authorized to install, replace or service this equipment.
¡Advertencia! (Spanish)
Only qualified personnel should install, replace or use this equipment.
Varning! (Swedish)
Only trained and qualified personnel should be permitted to install, replace or repair this equipment.
Safety Warning Description
Warning
IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the translated safety warnings that accompanied this device.
Note: SAVE THESE INSTRUCTIONS
Note: This documentation is to be used in conjunction with the specific product installation guide that shipped with the product. Please refer to the Installation Guide, Configuration Guide, or other enclosed additional documentation for further details.
Waarschuwing (Dutch)
IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the risks involved with electrical circuits and be familiar with the standard practices for preventing accidents. For a translation of the warnings that appear in this publication, consult the translated safety warnings that are supplied with this device.
Note: SAVE THESE INSTRUCTIONS.
Note: This documentation is to be used in combination with the installation guide for the specific product that is supplied with the product. Consult the installation guide, configuration guide or other enclosed documentation for more information.
Varoitus (Finnish)
IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could lead to bodily injury. Before you work on any equipment, find out about the hazards involved in electrical connections and the usual ways of preventing accidents. Translations of the warnings presented in this document can be found in the instructions supplied with the device.
Note: SAVE THESE INSTRUCTIONS
Note: This document is intended to be used together with the installation guide that came with the product. See the installation guide, the configuration guide and the other supplied documents for more information.
Attention (French)
IMPORTANT SAFETY INFORMATION
This warning symbol indicates a danger. You are in a situation that could cause bodily injury. Before working on any equipment, be aware of the hazards posed by electrical circuits and familiarize yourself with the procedures commonly used to avoid accidents. For translations of the warnings in this publication, consult the translated safety instructions that accompany this device.
Note: KEEP THIS INFORMATION
Note: This documentation must be used with the specific installation guide for the product that accompanies it. Please refer to the Installation Guide, the Configuration Guide, or any other enclosed documentation for further information.
Warnung (German)
IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could lead to bodily injury. Before you begin work on any device, be aware of the hazards associated with electrical circuits and the standard practices for preventing accidents. Translations of the warnings contained in this publication are included with the device.
Note: KEEP THESE SAFETY INSTRUCTIONS
Note: This manual is intended for use in conjunction with the installation guide for your device, which is supplied with it. Please refer to the manual (installation or configuration guide, etc.) for your specific device for all further information.
Figyelem! (Hungarian)
IMPORTANT SAFETY INSTRUCTIONS
This warning sign indicates danger. You are in a situation that carries a risk of injury. Before working on any equipment, be aware of the risks posed by electrical circuits and familiarize yourself with standard accident-prevention procedures. Translations of the warnings in this publication can be found among the safety warnings supplied with the device.
Note: KEEP THESE INSTRUCTIONS!
Note: This documentation is to be used together with the installation guide supplied with the device. Further information can be found in the enclosed Installation Guide, Configuration Guide or other documents.
Avvertenza (Italian)
IMPORTANT SAFETY INSTRUCTIONS
This warning symbol indicates a danger. The situation could cause injury to people. Before working on any equipment, be aware of the hazards related to electrical circuits and know the standard procedures for preventing accidents. For translations of the warnings in this document, see the safety warnings that accompany this device.
Note: KEEP THESE INSTRUCTIONS
Note: This documentation is to be used in conjunction with the specific installation guide shipped with the product. For more information, consult the Installation Guide, the Configuration Guide or other enclosed documentation.
Advarsel (Norwegian)
IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause personal injury. Before working on the equipment, be aware of the hazards associated with electrical circuits and be familiar with common practices for avoiding accidents. For translations of the warnings in this publication, see the translated safety warnings supplied with this unit.
Note: KEEP THESE INSTRUCTIONS
Note: This documentation is to be used in conjunction with the specific installation guide that came with the product. Please see the installation guide, configuration guide or other enclosed documentation for details.
Aviso (Portuguese)
IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. The user is in a situation that could cause bodily injury. Before starting to use any equipment, be aware of the hazards involved in handling electrical circuits and familiarize yourself with standard accident-prevention practices. For translations of the warnings included in this publication, consult the translated safety warnings that accompany this device.
Note: KEEP THESE INSTRUCTIONS
Note: This documentation is intended to be used together with the installation manual included with the specific product. Consult the installation manual, the configuration manual or other additional enclosed documentation for more information.
¡Advertencia! (Spanish)
IMPORTANT SAFETY INSTRUCTIONS
This warning symbol indicates danger. There is a risk to your physical safety. Before handling any equipment, consider the risks of electrical current and familiarize yourself with standard accident-prevention procedures. See the translations of the warnings that accompany this device.
Note: KEEP THESE INSTRUCTIONS
Note: This documentation is intended to be used with the installation guide for the product that accompanies it. If you need more details, consult the Installation Guide, the Configuration Guide or any additional enclosed documentation.
Varning! (Swedish)
IMPORTANT SAFETY INSTRUCTIONS
This warning signal signals danger. You are in a situation that could lead to personal injury. Before working on any equipment you must be aware of the hazards of electrical circuits and know the usual procedures for preventing accidents. See the translations of the warning messages in this publication, and see the translated safety warnings supplied with this device.
NOTE! SAVE THESE INSTRUCTIONS
NOTE! This documentation is to be used in conjunction with the specific product installation manual that came with the product. See the installation manual, configuration manual or other enclosed additional documentation for further details.
Document Organization
The major sections of this guide are as follows:
Chapter 1, Overview: Physical properties and functional overview of the Cisco PIX Device Manager (PDM) Version 3.0
Chapter 2, Preparing to Install PDM: Preparations and other requirements before installing the PIX Firewall
Chapter 3, Installing PDM: Installing the hardware and connecting the external network interface cables
Chapter 4, Configuring PDM: Configuring PDM, using the PDM Wizard, including VPN Wizard and configuration recommendations
Chapter 5, Tips and Troubleshooting: Basic troubleshooting procedures for the hardware installation
Appendix A, Using a TFTP Server: How to use a TFTP server to access PIX Firewall or PDM images
Document Conventions
Command descriptions use these conventions:
Braces ({ }) indicate a required choice.
Square brackets ([ ]) indicate optional elements.
Vertical bars ( | ) separate alternative, mutually exclusive elements.
Boldface indicates commands and keywords that are entered literally as shown.
Italics indicate arguments for which you supply values.
Examples use these conventions:
Examples depict screen displays and the command line in screen font.
Information you need to enter in examples is shown in boldface screen font.
Variables for which you must supply a value are shown in italic screen font.
Graphic user interface access uses these conventions:
Boldface indicates buttons and menu items.
Selecting a menu item (or screen) is indicated by the following convention:
Click Start > Settings > Control Panel.
Notes, cautionary statements, and safety warnings use these conventions:
Note: Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Caution: Means reader be careful. You are capable of doing something that might result in equipment damage or loss of data.
Terms and Acronyms
To fully understand the content of this user guide, you should be familiar with the following terms and acronyms:
AAA—authentication, authorization, and accounting
AES—Advanced Encryption Standard
CA—certification authority
CEP—Certificate Enrollment Protocol
CLI—Command-Line Interface
CSPM—Cisco Secure Policy Manager
DES—Data Encryption Standard
3DES—Triple DES
Explicit IV—Explicit Initialization Vector
Gb—Gigabit
Gbps—Gigabits per second
ICMP—Internet Control Message Protocol
IKE—Internet Key Exchange
ISAKMP—Internet Security Association and Key Management Protocol
IDS—Intrusion Detection System
JVM—Java Virtual Machine
MB—Megabyte
Mbps—Megabits per second
MD5—Message Digest 5
PCI—Peripheral Component Interconnect
PDM—PIX Device Manager
PIX—PIX Firewall
SCEP—Simple Certificate Enrollment Protocol
SDRAM—Synchronous Dynamic Random-Access Memory
SHA—Secure Hash Algorithm
SNMP—Simple Network Management Protocol
SSL—Secure Sockets Layer
TFTP—Trivial File Transfer Protocol
VAM—Virtual Private Network (VPN) Acceleration Module
Related Documentation
Use this document with the PIX Firewall and PDM documentation sets, which are available on the PIX Firewall product CD and online at the following website:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_technical_documentation.html
Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.
Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html
All users can order annual or quarterly subscriptions through the online Subscription Store:
http://www.cisco.com/go/subscription
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.
You can send your comments in e-mail to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance.
Cisco TAC Website
The Cisco TAC website (http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.
Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:
http://tools.cisco.com/RPF/register/register.do
Opening a TAC Case
The online TAC Case Open Tool (http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases. (Your network is minimally impaired or you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using these recommendations, your case will be assigned to a Cisco TAC engineer.
For P1 or P2 cases (your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.
To open a case by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete listing of Cisco TAC contacts, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
TAC Case Priority Definitions
To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.
Priority 1 (P1)—Your network is “down” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/go/packet
iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:
http://www.cisco.com/en/US/learning/index.html
Chapter 1
Overview
This chapter describes the Cisco PIX Device Manager (PDM) Version 3.0 and the system requirements for this version.
Note: In this guide, the term “PIX Firewall” refers to all models running PIX Firewall software Version 6.3 unless specifically noted. PIX Firewall software Version 6.3 is required for PDM Version 3.0.
This chapter includes the following sections:
Introduction, page 1
Data Encryption Overview, page 2
PIX Firewall System Requirements, page 4
PC/Workstation Requirements, page 6
Introduction
Cisco PIX Device Manager (PDM) is a graphical user interface (GUI) that manages Cisco PIX Firewalls. PDM, a signed Java applet, uses certificates and HTTPS (HTTP over SSL) to securely transmit information between PDM and the PIX Firewall. (Enter “https” in your browser to use HTTPS.)
PDM provides the following:
GUI—Lets you configure, manage, and monitor security policies across a network.
PDM Startup Wizard—Creates a basic configuration that allows packets to flow securely through the PIX Firewall from the inside to the outside network.
VPN Wizard—Creates a basic configuration that lets you easily set up a remote access VPN or site-to-site VPN.
Monitoring and Reporting Tools—Provides real-time and historical data, summarizing network activity, resource utilization and event logs, allowing performance and trend analysis. You can detect and interrupt unusual activity with PDM’s logging and notification.
Graphical Tools—Creates graphical summary reports showing real-time usage, security events, and network activity. Data from each graph can be displayed in increments you select (10 second snapshot, last 10 minutes, last 60 minutes, last 12 hours, last 5 days) and refreshed at user-defined intervals. You can view multiple graphs simultaneously to do side-by-side analysis.
System graphs: Provides detailed status information on the PIX Firewall, including blocks used and free, current memory utilization, and CPU utilization.
Connect io n gr aphs : Tracks real-time session and performance monitoring data for connections, address translations, authentication, authorization, and accounting (AAA) transactions, URL filtering requests, and more on a per-second basis.
Intrusio n Dete cti on Sys tem (IDS ) : Provides 16 different graphs to display potentially malicious activity. IDS-based signature information displays activity such as IP attacks, Internet Control Message Protocol (ICMP) requests, and Portmap requests.
Interface graphs: Provides re al- ti me m o ni to ri ng o f y ou r b an dw i dt h us ag e fo r ea ch in terface. Bandwidt h u sage i s di spl aye d f or inc omin g and o utgoi ng c ommuni cat ions , s uch a s p ack et ra tes, counts , an d er r or s, as wel l a s bit, byte, and co llision co unts.
Syslog Viewer—Lets you view speci fic syslog message types by selecting the desired logging level.
Embedded Architecture—Lets you manage th e Cisco P IX Firewall f rom almost any comput er,
regardless o f th e op er at in g s yst em , an d wo rks with mos t br ows er s, i ncl u di ng M ic ro so f t I n ter n et Explorer and Netscape Navigator. There is no application to install and no plug-in required.
Secure Communication—Supports the Secure Sockets Layer (SSL) protocol to provide high-grade encryption from the PIX Firewall to a browser. PDM to PIX Firewall communication is securely encrypted according to these encryption standards: 56-bit Data Encryption Standard (DES), 168-bit Triple DES (3DES), or 128-bit Advanced Encryption Standard (AES). You can protect access with a valid username and password, either on the PIX Firewall or through an authentication server.
Data Encryption Overview
This section describes data encryption, including the IPSec, IKE, and certification authority (CA) interoperability features.
Note For additional information on these features, refer to the “IP Security and Encryption” chapter in the appropriate Security Configuration Guide and Security Command Reference publications for your specific PIX Firewall.
IPSec is a network level open standards framework, developed by the Internet Engineering Task Force (IETF), that provides secure transmission of sensitive information over unprotected networks such as the Internet. IPSec includes data authentication, antireplay services and data confidentiality services.
Cisco follows these data encryption standards:
IPSec—IPSec is an IP layer open standards framework that provides data confidentiality, data integrity, and data authentication between participating peers. IKE handles negotiation of protocols and algorithms based on local policy, and generates the encryption and authentication keys to be used by IPSec. IPSec protects one or more data flows between a pair of hosts, between a pair of security systems, or between a security system and a host.
IKE—Internet Key Exchange (IKE) is a hybrid security protocol that implements Oakley and Skeme key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE can be used with IPSec and other protocols. IKE authenticates the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys. IPSec can be configured with or without IKE.
CA—Certification authority (CA) interoperability supports the IPSec standard, using Simple Certificate Enrollment Protocol (SCEP) and Certificate Enrollment Protocol (CEP). CEP permits PIX Firewall devices and CAs to communicate to permit your PIX Firewall device to obtain and use digital certificates from the CA. IPSec can be configured with or without CA. The CA must be properly configured to issue certificates.
The component technologies implemented for IPSec include:
DES and Triple DES—The Data Encryption Standard (DES) and Triple DES (3DES) encrypt packet data. Cisco IOS software implements the 3-key Triple DES and DES-CBC with Explicit IV. Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet.
AES—The Advanced Encryption Standard, a next-generation symmetric encryption algorithm, used by the U.S. Government and organizations outside the U.S.
MD5 (HMAC variant)—Message Digest 5 (MD5) is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.
SHA (HMAC variant)—Secure Hash Algorithm (SHA) is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.
IPSec with the PIX Firewall software supports the following additional standards:
AH—Authentication Header is a security protocol that provides data authentication and optional antireplay services. The AH protocol uses various authentication algorithms; PIX Firewall software has implemented the mandatory MD5 and SHA (HMAC variants) authentication algorithms. The AH protocol provides antireplay services.
Explicit IV—Explicit Initialization Vector is a sequence of random bytes appended to the front of a plaintext message before encryption by a block cipher, which eliminates the possibility of having the initial ciphertext block the same for any two messages. For example, if messages always start with a common header (a letterhead or “From” line) their initial ciphertext would always be the same, assuming that the same cryptographic algorithm and symmetric key was used. Adding a random initialization vector prevents this from happening.
ESP—Encapsulating Security Payload, a security protocol, provides data privacy services, optional data authentication, and antireplay services. ESP encapsulates the data to be protected. The ESP protocol uses various cipher algorithms and (optionally) various authentication algorithms. PIX Firewall software implements the mandatory 56-bit DES-CBC with Explicit IV, Triple DES, or AES as the encryption algorithm, and MD5 or SHA (HMAC variants) as the authentication algorithms. The updated ESP protocol provides antireplay services.
For more information on PIX Firewall IPSec terms, see IPSec terms in the online Help at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdm30olh.pdf
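The explicit-IV point above, worked in code as an added example (not from this guide or from Cisco): CBC over a toy 64-bit Feistel block cipher standing in for DES, showing that two messages with a common header give an identical first ciphertext block under a fixed IV and distinct ones under a per-message explicit IV. The toy cipher (which has no cryptographic strength), the PKCS#7-style padding and all function names are this example's own assumptions.

```python
"""Added example: CBC with a fixed IV versus an explicit (random) IV.

A toy 64-bit Feistel block cipher stands in for DES here. It is NOT DES and
has no security value; the CBC chaining, padding and explicit-IV handling
around it are the real mechanism. All names are hypothetical.
"""
import hashlib
import hmac
import os
from typing import Optional

BLOCK = 8        # 64-bit blocks, the DES block size
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 over (round number || half block), truncated.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Feistel network: invertible for any round function, so it is a permutation."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(key, rnd, r))
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Run the Feistel rounds backwards."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, rnd, l)), l
    return l + r


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK            # PKCS#7 style: always 1..8 bytes added
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block
    (the IV for the first block) before going through the block cipher."""
    padded = _pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, blk), prev))
        prev = blk
    return _unpad(b"".join(out))


def encrypt_explicit_iv(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """Explicit IV as ESP carries it: a fresh random IV is sent in the clear ahead
    of the ciphertext. A fixed 'iv' is only for the deterministic demonstration."""
    iv = os.urandom(BLOCK) if iv is None else iv
    return iv + cbc_encrypt(key, iv, plaintext)


def decrypt_explicit_iv(key: bytes, message: bytes) -> bytes:
    return cbc_decrypt(key, message[:BLOCK], message[BLOCK:])


def first_block_leaks_header(key: bytes, m1: bytes, m2: bytes, fixed_iv: bytes) -> bool:
    """True when two messages sharing a leading block produce the same first
    ciphertext block, i.e. an observer can tell they share a header."""
    return cbc_encrypt(key, fixed_iv, m1)[:BLOCK] == cbc_encrypt(key, fixed_iv, m2)[:BLOCK]


if __name__ == "__main__":
    key = b"constructed demo key"
    # Constructed messages that share a common "From" header, as in the text.
    m1 = b"From: A\nmeet at noon"
    m2 = b"From: A\ncancel that"
    print("fixed IV leaks shared header:", first_block_leaks_header(key, m1, m2, bytes(BLOCK)))
    c1, c2 = encrypt_explicit_iv(key, m1), encrypt_explicit_iv(key, m2)
    print("explicit IV, first blocks equal:", c1[BLOCK:2 * BLOCK] == c2[BLOCK:2 * BLOCK])
    assert decrypt_explicit_iv(key, c1) == m1
```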
PIX Firewall System Requirements
PDM Version 3.0 requires PIX Firewall software Version 6.3. PDM has the following system requirements:
PDM Version 3.0 is available on all PIX 501, PIX 506/506E, PIX 515/515E, PIX 520, PIX 525, and PIX 535 platforms running PIX Firewall software Version 6.3.
PDM works with any configuration, whether created with the PIX Firewall command-line interface (CLI), Cisco Secure Policy Manager (CSPM) or Management Center for PIX Firewall (PIXMC). However, subsequent configuration changes made using CSPM or PIXMC overwrite the PDM configuration.
Caution If you are using CSPM or PIXMC, use PDM for monitoring only. All changes made using PDM will be overwritten the next time CSPM or PIXMC synchronizes with the PIX Firewall.
For more information on earlier versions of PDM, see the appropriate installation guide at:
http://www.cisco.com/en/US/products/sw/netmgtsw/ps2032/products_installation_guides_books_list.html
This section includes the following topics:
PIX Firewall System Interoperability with PDM, page 4
Flash Memory Requirements, page 5
Maximum Configuration File Size, page 5
Software Requirements, page 6
Upgrading to a New Software Release, page 6
PIX Firewall System Interoperability with PDM
Table 1-1 lists the PIX Firewall System requirements for PDM Version 3.0.
The PIX Firewall system ships with PIX Firewall software Version 6.3, which includes a pre-installed DES activation key. If your PIX Firewall is not enabled for DES, 3DES, or AES, and you are a registered Cisco user, you can receive a DES, 3DES, or AES activation key by completing the form at the following URL: http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324. To become a registered Cisco user, go to http://tools.cisco.com/RPF/register/register.do
Table 1-1 PIX Firewall System Requirements for PDM Version 3.0
Type                              Description
Hardware
  Platform                        PIX 501, 506/506(E), 515/515(E), 520, 525, or 535
  Random access memory            16 MB
  Flash memory                    See Table 1-2
Software
  PIX Firewall operating system   Version 6.3
  Encryption                      DES, 3DES, or AES-enabled
Flash Memory Requirements
Table 1-2 lists Flash memory requirements for PIX Firewall software Version 6.3 in conjunction with PDM Version 3.0 by platform.
Table 1-2 Flash Memory Requirements for PDM Version 3.0
PIX Firewall Model    Flash Memory Required
PIX 501               8 MB
PIX 506/506E          8 MB
PIX 515/515E          16 MB
PIX 520               16 MB (Some PIX 520 units may need a memory upgrade because older units had 2 MB, though newer units have 16 MB)
PIX 525               16 MB
PIX 535               16 MB
Maximum Configuration File Size
For optimum performance, we recommend a configuration file of no more than 100 KB (approximately 1500 lines) when using PDM.
PIX Firewall configuration files over 100 KB may interfere with the performance of PDM on your workstation in the following situations:
While executing commands such as write term and show conf
Failover (the configuration synchronization time)
During a system reload
To determine the size of your configuration file, enter the show flashfs command at the PIX Firewall CLI prompt. View the output which begins with “file 1.” The number labeled “length” on the same line is the configuration file size in bytes.
For example:
pixfirewall# show flashfs
flash file system: version:3 magic:0x12345679
file 0:origin: 0 length:1925176
file 1:origin:2883584 length:2944
file 2:origin:3014656 length:32
file 3:origin: 0 length:0
file 4:origin:3145728 length:131072
file 5:origin:8257536 length:308
PIX Firewall platforms have different configuration file size limitations than PDM. See Table 1-3 for the maximum recommended configuration file size by platform.
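An added example (not from this guide) that reads the configuration file size out of the show flashfs output quoted above and checks it against both the 100 KB PDM recommendation and the per-platform maximum from Table 1-3. The sample output is the one shown above; the function names and the platform lookup table are this example's own.

```python
"""Added example: configuration size from 'show flashfs' versus the PDM
recommendation (100 KB) and the Table 1-3 per-platform maximum (values for
PIX Firewall software 5.3(2) and later). Function names are hypothetical."""
import re
from typing import Dict, Tuple

PDM_RECOMMENDED_MAX = 100 * 1024           # "no more than 100 KB" when using PDM
PLATFORM_MAX = {                            # Table 1-3, in bytes
    "PIX 501": 256 * 1024,
    "PIX 506": 1024 * 1024, "PIX 506E": 1024 * 1024,
    "PIX 515": 1024 * 1024, "PIX 515E": 1024 * 1024,
    "PIX 520": 1024 * 1024,
    "PIX 525": 2 * 1024 * 1024, "PIX 535": 2 * 1024 * 1024,
}
CONFIG_FILE_SLOT = 1                        # the configuration is "file 1"

# Constructed sample: the 'show flashfs' output reproduced from the text above.
SAMPLE_FLASHFS = """\
pixfirewall# show flashfs
flash file system: version:3 magic:0x12345679
file 0:origin: 0 length:1925176
file 1:origin:2883584 length:2944
file 2:origin:3014656 length:32
file 3:origin: 0 length:0
file 4:origin:3145728 length:131072
file 5:origin:8257536 length:308
"""

# Tolerates the optional whitespace after "origin:" seen in the real output.
_FILE_RE = re.compile(r"^\s*file\s+(\d+)\s*:\s*origin:\s*(\d+)\s+length:\s*(\d+)\s*$", re.M)


def parse_flashfs(output: str) -> Dict[int, Tuple[int, int]]:
    """Map file slot -> (origin, length) for every 'file N:' line."""
    return {int(n): (int(o), int(l)) for n, o, l in _FILE_RE.findall(output)}


def config_size_bytes(output: str) -> int:
    """Length of the 'file 1' entry, the stored configuration, in bytes."""
    files = parse_flashfs(output)
    if CONFIG_FILE_SLOT not in files:
        raise ValueError("no 'file 1' entry in show flashfs output")
    return files[CONFIG_FILE_SLOT][1]


def check_config_size(output: str, platform: str) -> Dict[str, object]:
    """Compare the stored configuration against the PDM and platform limits."""
    size = config_size_bytes(output)
    return {
        "size_bytes": size,
        # Uses the text's ratio of roughly 1500 lines per 100 KB.
        "approx_lines": round(size / PDM_RECOMMENDED_MAX * 1500),
        "pdm_recommended_ok": size <= PDM_RECOMMENDED_MAX,
        "platform_max_ok": size <= PLATFORM_MAX[platform],
    }


if __name__ == "__main__":
    for name, val in check_config_size(SAMPLE_FLASHFS, "PIX 515E").items():
        print(f"{name}: {val}")
```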
Software Requirements
PIX Firewall software Version 6.3 has the following software requirements:
The PIX Firewall image no longer fits on a diskette. If you are using a PIX Firewall unit with a diskette drive, download the Boothelper file from cisco.com (http://www.cisco.com/cgi-bin/tablebuild.pl/pix) to get the PIX Firewall image.
Before upgrading from a previous PIX Firewall version, save your configuration and write down your activation key and serial number. Refer to “Upgrading to a New Software Release” in this chapter for new installation requirements.
Before upgrading from Version 4 or earlier, using Auto Update, IPSec, SSH, PDM, or VPN, you will need a new 56-bit DES activation key, which can be sent to you by completing the form at:
http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324
Use the show version command to verify the software version of your PIX Firewall unit.
Upgrading to a New Software Release
If you are a registered Cisco user, refer to the Upgrading Software for the Cisco Secure PIX Firewall document at the following URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml
PC/Workstation Requirements
PDM require ments vary depending on the platform.
Note PDM is not supported on Macintosh, Windows 3.1, or Windows 95 operating systems.
This section includes the following topic:
Supported Platforms, page 8
Note the following when using PDM to access the PIX Firewall unit:
Minimum Disk Space Requirement—PDM requires a minimum of 4 MB of temporary disk space to load into the browser.
Table 1-3 Maximum Recommended Configuration File Size by Platform
PIX Firewall Platform              Maximum Configuration
PIX 501                            256 KB
PIX 506/506E, 515/515E, 520        1 MB
PIX 525, PIX 535                   2 MB (1)
1. This applies to PIX Firewall software Version 5.3(2) and later versions. The maximum recommended configuration file size for PIX Firewall software Versions 5.3(1) and earlier is 1 MB.
Java Virtual Machine (JVM)—PDM supports the native Internet Explorer JVM from Microsoft, and the native Java Development Kit (JDK), a Java Plug-in. PDM Version 3.0 supports the Java Plug-in 1.3.1, 1.4.0 and 1.4.1 (recommended).
Note Java Plug-in 1.4.0 includes some JVM bugs that cause it to display some error messages in the Java Console.
To check which Java Virtual Machine (JVM) version you have, launch PDM. In the main PDM menu, click Help>About Cisco PIX Device Manager. When the About PDM information window appears, it displays your browser specifications in a table. You can download the latest JVM version for Internet Explorer from Microsoft, and you can download the latest Java Plug-in from Sun Microsystems (www.java.sun.com).
Disabling the Java Plug-in—If you are using Microsoft Internet Explorer, and it is necessary to disable the Java Plug-in for your configuration, perform the following steps:
Note This is only available if you are using the Java Plug-in 1.3.1, 1.4.0, and 1.4.1 and not a beta version.
a. Click Tools>Internet Options.
b. Click the Advanced tab.
c. In the Java (Sun) section, clear the Use Java 2 check box.
HTTP 1.1—Settings for Internet Options>Advanced>HTTP 1.1 settings should use HTTP 1.1 for both proxy and non-proxy connections.
Secure Sockets Layer (SSL)—Browser support for SSL must be enabled. The supported versions of Internet Explorer and Netscape Navigator support SSL without requiring additional configuration.
Load Time Improvement—If you are using the Java Plug-in and accessing your PIX Firewall using an IP address instead of a host name, the performance of PDM is dramatically slower. This occurs if the PIX Firewall host name is not in DNS or in the local hosts file.
The workaround is to assure that the PIX Firewall host name is in DNS. If you are running Windows, and there is no DNS in your network or your DNS does not have the PIX Firewall entry, modify the “hosts” file.
On Windows NT, 2000, and XP, the hosts file is located at C:\WINNT\system32\drivers\etc\hosts.
On Windows 98 and ME, it is at C:\Windows\hosts.
Each line in the hosts file is in the format “<ip> <hostname>”. For example:
192.168.1.1 pixfirewall.example.com
Supported Platforms
This section includes the following topics:
Windows, page 8
Sun Solaris, page 9
Red Hat Linux, page 9
Windows
Table 1-4 and Table 1-5 list the requirements for Windows platforms using PDM 3.0.
Note PDM Version 3.0 does not support Windows 3.1 or Windows 95.
Table 1-4 Hardware Requirements and Network Connectivity for Windows Platforms for PDM 3.0
Type                              Requirements
Hardware
  Processor                       Pentium III or equivalent running at 450 MHz or higher
  Random Access Memory            256 MB
  Display Resolution and Colors   1024 x 768 pixels and 256 colors
Network Connection
  Connection speed                56 Kbps; 384 Kbps (DSL or cable) recommended
Table 1-5 Supported and Recommended Windows Platforms for PDM 3.0
Supported Windows Platforms
Operating system: Windows 98, Windows NT 4.0 (Service Pack 4 and higher), Windows 2000 (Service Pack 3), Windows ME, or Windows XP
  Browser                        JVM
  Internet Explorer 5.5 or 6.0   Native (1) JVM (VM 3167 or higher)
  Internet Explorer 5.5 or 6.0   Java 1.3.1, 1.4.0, or 1.4.1
  Netscape 4.7x                  Native (1) JVM 1.1.5
  Netscape 7.0x                  Java Plug-in 1.4.0 or 1.4.1
Recommended Windows Platforms
Operating system: Microsoft Windows 2000 (Service Pack 3), or Microsoft Windows XP
  Browser                        JVM
  Internet Explorer 6.0          Native (1) JVM (VM 3809) or Java Plug-in 1.4.1_02
  Netscape 7.0x                  Java Plug-in 1.4.1_02
1. Native refers to the built-in JVM that ships with the browser.
Sun Solaris
Table 1-6 and Table 1-7 list the requirements for Sun Solaris platforms using PDM 3.0.
Table 1-6 Hardware and Network Connectivity Requirements for Sun Solaris Platforms for PDM 3.0
Type                              Requirements
Hardware
  Processor                       SPARC
  Random Access Memory            At least 128 MB
  Display Resolution and Colors   At least 1024 x 768 pixels and 256 colors
Network Connection
  Connection speed                56 Kbps; 384 Kbps (DSL or cable) recommended
Table 1-7 Supported and Recommended Sun Solaris Platforms for PDM 3.0
Supported Sun Solaris Platforms
Operating system: Sun Solaris 2.8 or 2.9 running CDE window manager
  Browser             JVM
  Netscape 4.78 (1)   Native (2) JVM
Recommended Sun Solaris Platforms
Operating system: Sun Solaris 2.8 running CDE window manager
  Browser             JVM
  Netscape 4.78 (1)   Native (2) JVM
1. Netscape Communicator 4.79 is not supported.
2. Native refers to the built-in JVM that ships with the browser.
Red Hat Linux
Table 1-8 and Table 1-9 list the requirements for Red Hat Linux platforms using PDM 3.0.
Table 1-8 Hardware and Network Connectivity Requirements for Linux Platforms for PDM 3.0
Type                              Requirements
Hardware
  Processor                       Pentium III or equivalent running at 450 MHz or higher
  Random Access Memory            At least 128 MB
  Display Resolution and Colors   At least 1024 x 768 pixels and 256 colors
Network Connection
  Connection speed                56 Kbps; 384 Kbps (DSL or cable) recommended
Table 1-9 Supported and Recommended Red Hat Linux Platforms for PDM 3.0
Supported Red Hat Linux Platforms
Operating system: Red Hat Linux 7.0, 7.1, 7.2, 7.3 or 8.0 running GNOME or KDE
  Browser                        JVM
  Netscape 4.7x on Red Hat 7.x   Native (1) JVM
  Mozilla 1.0.1 on Red Hat 8.0   Java Plug-in 1.4.1
Recommended Red Hat Linux Platforms
Operating system: Red Hat Linux 8.0
  Browser                        JVM
  Mozilla 1.0.1                  Java Plug-in 1.4.1_02
1. Native refers to the built-in JVM that ships with the browser.
Chapter 2 Preparing to Install PDM
If your firewall unit is new and shipped with the minimum firewall software version, the PDM software is already loaded in the firewall Flash memory for you.
If you are upgrading from a previous version, you need to use TFTP from the firewall to copy the PDM image to your firewall. For instructions on how to do this, refer to Appendix A, “Using a TFTP Server”.
For information about new features in the latest version of PDM, see About PDM Software in the online Help at
http://www.cisco.com/application/pdf/en/us/guest/products/ps2032/c1626/ccmigration_09186a0080189166.pdf
This section includes the following topics:
Notes and Cautions, page 2-1
Installation Checklist, page 2-2
Preparing to Install PDM, page 2-3
Determining the IP Address of Your Server, page 2-4
Notes and Cautions
CLI Command Support—PDM Version 3.0 uses the PIX Firewall CLI command syntax, which is very similar to Cisco IOS software, but not identical. Most PIX Firewall CLI commands are fully supported by PDM. If you are using PDM with an existing firewall configuration, refer to PDM Support for PIX Firewall CLI Commands for more information.
Multiple PDM Sessions—PDM allows multiple PCs or workstations to each have one browser session open with the same firewall. However, only one session per browser per PC or workstation is supported for a particular firewall.
Minimum Version for PIX—PDM 3.0 does not run with PIX Firewall software versions earlier than Version 6.3. PDM Version 3.0 is a single image which supports only PIX Firewall Version 6.3.
Java Plug-in Supported—PDM Version 3.0 supports the Java plug-in for browsers. See PDM online Help (Browser Requirements>JDK) for more information.
JVM Bug with Solaris, Netscape 4.7—Some actions, such as clicking a button to go to a dialog, may be delayed unless the mouse is moved after the action. This JVM bug affects all versions of PDM on Solaris. Workaround: Move the mouse after clicking buttons, window controls, or other actions.
Caveats—Please use Bug Navigator II on cisco.com to view current caveat information. Bug Navigator II may be accessed at the following website: http://www.cisco.com/support/bugtools
Caution
When you have a corrupted certificate database and run PDM with Netscape version 4.73, the Netscape browser may crash after you click Grant in the grant privileges dialog box. (The certificate database is a file called cert7.db, located in your Netscape directory.)
Netscape version 4.73 can corrupt the certificate database if you do the following before you click Grant:
1. Run an applet that uses a digital certificate.
2. Renew the certificate.
3. Run the new applet with the updated certificate.
This occurs on Windows, Sun Solaris, and Linux platforms with the Netscape Java Virtual Machine (JVM).
A workaround is to remove the corrupted cert7.db file from your Netscape directory. A new cert7.db file is created when you run Netscape again. However, this removes all of the certificates that you have previously accepted as trusted. (This includes certificates that you accepted from other sites as well as certificates that you entered manually.)
Installation Checklist
Confirm the following before you install PDM:
Verify that all system requirements have been met. See the requirements listed in Chapter 1, “Overview.” For example, the PIX Firewall unit must be running PIX Firewall software Version 6.3 and have a DES, 3DES, or AES activation key to use PDM Version 3.0.
Confirm that you are running PIX Firewall software Version 6.3. (If you have command line access to your PIX Firewall, you can use the CLI show version command to display the version currently running on your PIX Firewall.)
If you are not running PIX Firewall software Version 6.3, see the instructions for installing PIX Firewall software in the Cisco PIX Firewall and VPN Configuration Guide. (After installing a PIX Firewall image, reboot your PIX Firewall to begin running the new image on the PIX Firewall.)
If your PIX Firewall is new, it shipped with PIX Firewall software Version 6.3, and PDM Version 3.0.
Verify that you have a TFTP or FTP server installed. See Appendix A, “Using a TFTP Server,” to install a TFTP server.
Confirm that you are a registered Cisco user. If you are not a registered user, go to http://tools.cisco.com/RPF/register/register.do, and complete the form to register.
Preparing to Install PDM
Before installing PDM, be aware of the following:
Save or print your PIX Firewall configuration. (You can save a copy of your configuration by using the PIX Firewall CLI write terminal command to display your configuration. You can cut and paste the displayed configuration into a text file.)
Write down your activation key. (View your activation key by using the PIX Firewall CLI show version command.)
If you are upgrading from a previous version of the PIX Firewall software, obtain the PDM software from Cisco in the same way that you do PIX Firewall software (see http://www.cisco.com/cgi-bin/tablebuild.pl/pix), and download the image onto your PIX Firewall unit, using HTTP protocol or a TFTP server. For instructions on how to use a TFTP server, refer to Appendix A, “Using a TFTP Server.”
Note For additional information on upgrading software for the PIX Firewall, see Upgrading Software for the Cisco Secure PIX Firewall at the following URL: http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml
If you plan to upgrade a PIX Firewall failover pair to use PIX Firewall software Version 6.3 and PDM Version 3.0, both the PIX Firewall image and the PDM image must be installed on your failover units.
If you are using PDM with an existing PIX Firewall configuration, refer to the appropriate version of the Cisco PIX Device Manager Release Notes for information on which commands are supported and which are not.
PDM works with any configuration, whether created with the PIX Firewall command-line interface
(CLI) or Cisco Secure Policy Manager (CSPM). Subsequent changes to the PIX Firewall configuration are not communicated automatically to PDM. If you are using PDM, and make changes to your PIX Firewall configuration outside PDM, click Refresh in PDM to update PDM with the current PIX Firewall configuration.
A DES (free), or 3DES/AES license is required. PDM only supports encrypted communication.
Registered Cisco.com users can request a DES (free), 3DES/AES activation key from the following URL:
http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324
New Cisco.com users can complete the form at this URL before requesting a DES (free), 3DES/AES activation key:
http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl
3DES/AES activation keys are available as part of a feature license upgrade and are not free.
Caution If you are using CSPM, use PDM for monitoring only. All changes made using PDM will be overwritten the next time CSPM synchronizes with the PIX Firewall.
Determining the IP Address of Your Server
Loading a PIX Firewall or PDM image requires you to use a TFTP server or FTP.
Note The Microsoft Windows-based TFTP server previously provided by Cisco Systems has been discontinued and is no longer supported by Cisco Systems. Persons still using the server should consider replacing it with any high quality freeware and shareware TFTP server. TFTP servers can be found by searching for “tftp server” on the Web. We do not specifically recommend any particular TFTP implementation.
Note that recent versions of Cisco IOS software support the use of FTP instead of TFTP for loading of images or configuration files. Use of FTP overcomes a number of inherent limitations of TFTP, including a lack of security and a 16 MB file size limitation.
Before using TFTP, determine the IP address of your server. This section provides the information required to determine your IP address, and includes the following topics:
Windows NT, Windows 2000, or Windows XP, page 2-4
Windows 98 or Windows ME, page 2-4
Sun Solaris, page 2-5
Linux, page 2-5
Windows NT, Windows 2000, or Windows XP
On a Windows workstation, click Start>Accessories>Command Prompt to launch the Windows command-line interface and then enter the ipconfig command as shown in the following example:
C:\> ipconfig
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 209.165.200.225
Subnet Mask . . . . . . . . . . . : 255.255.255.224
Default Gateway . . . . . . . . . : 10.21.196.33
C:\>
In this example, the server’s IP address is 209.165.200.225 with a network mask of 255.255.255.224.
Windows 98 or Windows ME
From a Windows 98 or Windows ME computer, you can view the IP address by clicking Start>Run and entering the winipcfg command. Windows then displays a graphical user interface (GUI) listing the IP address information.
Sun Solaris
Enter the /sbin/ifconfig -a command to view your IP address, as shown in the following example:
% /sbin/ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 209.165.200.225 netmask ffffffe0 broadcast 209.165.200.255
In this example, the IP address of the host is 209.165.200.225 with a netmask of 255.255.255.224. (ffffffe0 is the hexadecimal equivalent to 255.255.255.224.)
Linux
Enter the /sbin/ifconfig command to view your IP address, as shown in the following example:
% /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:D0:B7:5D:C0:56
          inet addr:209.165.200.225  Bcast:209.165.200.255  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:189576 errors:0 dropped:0 overruns:0 frame:0
          TX packets:414837371 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0x3000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:75397725 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75397725 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
In this example, the IP address of the computer is 209.165.200.225 with a netmask of 255.255.255.224. The remainder of the display provides information on the status of data transmission through the server.
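The Solaris and Linux procedures above, as an added example (not from this guide): a parser for the ifconfig output quoted above that returns the server's address and mask for the non-loopback interface, converting the Solaris hexadecimal netmask (ffffffe0) to dotted form and recomputing the broadcast address as a cross-check against what ifconfig printed. The samples are the outputs quoted above; the function names are this example's own.

```python
"""Added example: extract the server address and netmask from ifconfig output
in both the Solaris form (hex netmask) and the Linux form (dotted mask).
Function names are hypothetical."""
import ipaddress
import re
from typing import Dict, Tuple

# Constructed samples, reproducing the outputs quoted in the text above.
SOLARIS_OUTPUT = """\
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 209.165.200.225 netmask ffffffe0 broadcast 209.165.200.255
"""
LINUX_OUTPUT = """\
eth0      Link encap:Ethernet  HWaddr 00:D0:B7:5D:C0:56
          inet addr:209.165.200.225  Bcast:209.165.200.255  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
"""


def hex_netmask_to_dotted(mask_hex: str) -> str:
    """ffffffe0 -> 255.255.255.224 (Solaris prints the mask as 8 hex digits)."""
    if not re.fullmatch(r"[0-9a-fA-F]{8}", mask_hex):
        raise ValueError(f"not an 8-digit hex netmask: {mask_hex!r}")
    return str(ipaddress.IPv4Address(int(mask_hex, 16)))


# Solaris: "name: flags=..." followed by an indented "inet A netmask HEX" line.
_SOLARIS_RE = re.compile(
    r"^(\w+):\s+flags=.*?\n\s+inet\s+(\S+)\s+netmask\s+([0-9a-fA-F]{8})", re.M)
# Linux: "name  Link encap:..." followed by "inet addr:A [Bcast:B] Mask:M".
_LINUX_RE = re.compile(
    r"^(\w+)\s+Link encap:.*?\n\s+inet addr:(\S+)\s+(?:Bcast:\S+\s+)?Mask:(\S+)", re.M)


def parse_ifconfig(output: str) -> Dict[str, Tuple[str, str]]:
    """Map interface -> (ip, dotted netmask); accepts either output style."""
    result: Dict[str, Tuple[str, str]] = {}
    for name, ip, mask in _SOLARIS_RE.findall(output):
        result[name] = (ip, hex_netmask_to_dotted(mask))
    for name, ip, mask in _LINUX_RE.findall(output):
        result[name] = (ip, mask)
    return result


def server_address(output: str) -> Tuple[str, str]:
    """(ip, netmask) of the first non-loopback interface; raise if none."""
    for _name, (ip, mask) in parse_ifconfig(output).items():
        if not ipaddress.IPv4Address(ip).is_loopback:
            return ip, mask
    raise ValueError("no non-loopback IPv4 interface in ifconfig output")


def broadcast_for(ip: str, mask: str) -> str:
    """Broadcast address implied by ip/mask, to cross-check what ifconfig printed."""
    return str(ipaddress.IPv4Interface(f"{ip}/{mask}").network.broadcast_address)


if __name__ == "__main__":
    for label, text in (("Solaris", SOLARIS_OUTPUT), ("Linux", LINUX_OUTPUT)):
        ip, mask = server_address(text)
        print(f"{label}: {ip} mask {mask} broadcast {broadcast_for(ip, mask)}")
```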
Chapter 3 Installing PDM
This chapter describes how to install Cisco PIX Device Mana ger (PDM) Version 3.0 on your PIX Firewall unit.
This chapter includes the following sections:
Downloading the PDM Software, page 1
Installing PDM, page 2
Loading the PDM Image, page 4
Downloading the PDM Software
You can download PDM using either of the following options:
Downloading PDM from Cisco.com, page 1
Downloading PDM Using FTP, page 2
Downloading PDM from Cisco.com
Perform the following steps to install PDM from Cisco.com (the Web):
Step 1 Go to http://www.cisco.com using a web browser.
Step 2 On the menu bar, click LOGIN.
Step 3 Enter your Cisco.com username and password and click OK.
Note To register as a Cisco.com user, and obtain a username and password, go to this URL:
http://tools.cisco.com/RPF/register/register.do
Step 4 Enter http://www.cisco.com/cgi-bin/tablebuild.pl/pix in the web address area of your web browser and press the Return or Enter key on your keyboard. (If you are prompted again for a username and password, enter your Cisco.com username and password.)
Step 5 On the Cisco Secure PIX Firewall Software page, find the section titled “Select a File to Download”, click pdm-nnn.bin (where nnn represents the PDM software image version that you want to install) and follow the instructions presented.
Downloading PDM Using FTP
Perform the following steps to install PDM using FTP:
Step 1 Set your FTP client to passive mode by selecting the Properties button on the Connect to FTP Site screen, selecting the Connection tab, checking Use Passive Mode, and clicking Apply.
Step 2 Start your FTP client and connect to ftp.cisco.com. Enter your Cisco.com username and password when prompted.
Step 3 Enter cd cisco.
Step 4 Enter cd ciscosecure and then enter cd pix to access the PIX Firewall software directory.
Step 5 Copy the pdm-nnn.bin file (where nnn represents the PDM version) to a folder where it can be accessed from your TFTP server. (You can use the ls command to view the directory contents.)
Step 6 To download PIX Firewall and PDM documentation, enter cd documentation, locate the .pdf files for the documents you want, and copy the files to your workstation. (Files with the .pdf file extension are viewed with Adobe Acrobat Reader, which is free and available at http://www.adobe.com/products/acrobat/readstep2.html.)
Step 7 Enter quit to exit.
Installing PDM
Perform the following steps to install PDM:
Step 1 Follow these steps to set up a console connection from a Microsoft Windows workstation to your PIX Firewall unit, unless you already have a console connection:
a. Power off your PIX Firewall unit.
b. Connect the serial port of a Microsoft Windows workstation to the console port of the PIX Firewall with the serial cable supplied in the PIX Firewall accessory kit.
c. Power on the PIX Firewall unit. If a failover PIX Firewall unit is present, configure the primary unit first.
Step 2 Locate the Windows HyperTerminal accessory by looking for it on the Windows Start menu. It is usually located under Programs>Accessories>Communications>HyperTerminal.
Step 3 Click HyperTerminal to open the New Connection window; the Connection Description dialog box appears.
Step 4 Enter a name for the connection and click OK.
Step 5 In the Connect To dialog box, leave the area code and phone number blank.
Step 6 In the Connect using drop-down menu, select Com 1 (unless you are using another serial port to connect, in which case select that port) and click OK.
Step 7 Set the values in the following table:
Field Name        Value to Set
Bits per second   9600
Data bits         8
Parity            None
Stop bits         1
Flow control      Hardware
Step 8 Click OK to continue.
The HyperTerminal window is now ready to receive information from the PIX Firewall console. Wait 30 seconds for the PIX Firewall startup messages to display. These messages should appear similar to the following example:
Rebooting....
Cisco Secure PIX Firewall BIOS (4.0) #0: Thu Mar 2 22:59:20 PST 2000
Platform PIX-515
Flash=i28F640J5 @ 0x300
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1507840 bytes of image from flash.
#############################################################################
64MB RAM
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xfffd8000
mcwa i82559 Ethernet at irq 10 MAC: 0050.54ff.3772
mcwa i82559 Ethernet at irq 7 MAC: 0050.54ff.3773
mcwa i82559 Ethernet at irq 11 MAC: 00d0.b792.409d
-----------------------------------------------------------------------
Cisco Systems
Private Internet eXchange
-----------------------------------------------------------------------
Cisco PIX Firewall
Cisco PIX Firewall Version 6.3
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
Step 9 Press the Enter key if it takes more than a minute for the PIX Firewall command prompt to appear.
If irrelevant characters appear, reset the Bits per second to 9600 and try to connect again.
Note If it still does not appear, power off the PIX Firewall and ensure that the serial cable is attached to COM1 and not to COM2, if your computer is so equipped. Power the PIX Firewall back on and try to connect again.
Step 10 Enter the enable command if your PIX Firewall unit is being run for the first time.
Step 11 When prompted, enter your PIX Firewall password. (After starting a new PIX Firewall, you should change the password to secure administrative access to the unit.) If no password has been set, you can choose one and enter it at this time.
Step 12 Start your TFTP server. See Appendix A, “Using a TFTP Server,” for more information on the TFTP server.
Step 13 Check the IP address of the computer running the TFTP server, as described in “Determining the IP Address of Your Server” in Chapter 2, “Preparing to Install PDM.”
Loading the PDM Image
Perform the following steps to load the PDM image file onto the PIX Firewall:
Step 1 Enter the following at the command prompt to load the PDM image file:
pixfirewall# copy tftp://Your_TFTP_Server_IP_Address/Your_pdmfile_name flash:pdm
Or you can enter the generic command and follow the prompts:
pixfirewall# copy tftp flash:pdm
Step 2 Enter the following command at the prompt to enter configuration mode:
pixfirewall# configure terminal
Caution If your PIX Firewall is running a pre-existing configuration, refer to the Cisco PIX Device Manager Release Notes Version 3.0 for information on the configuration commands supported for use with PDM.
Note If you have a PIX 501 or PIX 506/506E, you can use the factory default configuration loaded on the unit and skip to “Starting PDM with Internet Explorer” in Chapter 4, “Configuring PDM,” instead of entering setup.
Step 3 To enter setup, use the setup command as shown in the following example:
pixfirewall(config)# setup
Step 4 Load the PDM image by following the steps in Table 3-1:
Note Press Enter to accept the default values.
After you enter the IP address of the workstation running PDM, PIX Firewall displays the information you just entered.
The following is a sample display:
The following configuration will be used:
Enable Password: ciscopix
Clock (UTC): 14:22:00 Aug 28 2001
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: accounting_pix
Domain name: example.com
IP address of host running PIX Device Manager: 192.168.1.2
Step 5 Enter n to edit the values, or enter y to save the information to the PIX Firewall Flash memory.
Use this configuration and write to flash? y
Or, enter y at the prompt to save the information to the PIX Firewall Flash memory.
Step 6 Click Save to save your settings.
Table 3-1 Setup Command Prompts
Step 1
  Command: Enable Password [<use current password>]:
  Purpose: Enter an alphanumeric password, up to 16 characters in length, to protect the PIX Firewall privileged (access) mode. Record the password in accordance with your security policy. If you assign a password here, then it is used for authentication every time you launch PDM unless you configured your PIX Firewall to use another AAA server for authentication, in which case the AAA server provides the authentication.
Step 2
  Command: Clock (UTC)
           Year [2001]:
           Month [Aug]:
           Day [27]:
           Time [22:47:37]:
  Purpose: Set the PIX Firewall clock to Universal Coordinated Time (UTC, also known as Greenwich Mean Time, or GMT). For example, if you are in the Pacific Daylight Savings time zone, set the clock 7 hours ahead of your local time to set the clock to UTC. Enter the year, month, day, and time. Enter the UTC time in 24-hour time as hour:minutes:seconds.
Step 3
  Command: Inside IP address:
  Purpose: Specify the IP address of the PIX Firewall unit’s inside interface. Ensure that this IP address is unique on the network and not used by any other computer or network device, such as a router.
Step 4
  Command: Inside network mask:
  Purpose: Specify the network mask for the inside interface. An example mask is 255.255.255.0. You can also specify a subnetted mask, for example: 255.255.255.224. Do not use all 255s, such as 255.255.255.255. This prevents traffic from passing on the interface.
Step 5
  Command: Host name:
  Purpose: Specify up to 16 characters as a name for the PIX Firewall unit.
Step 6
  Command: Domain name:
  Purpose: Specify the domain name for the PIX Firewall.
Step 7
  Command: IP address of host running PIX Device Manager:
  Purpose: Specify the IP address of the workstation designated to run PDM.
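The constraints Table 3-1 places on the setup answers can be checked before they are typed at the console. The following is an added example, not Cisco code; it assumes that the mask must be contiguous and that the inside address must be a host address of its subnet, neither of which the guide states, and the constructed SAMPLE_ANSWERS mirror the sample display above.

```python
"""Check answers for the PIX Firewall setup prompts (Table 3-1) before typing them.
Added example, not Cisco code. Checks taken from the table: an alphanumeric enable
password of at most 16 characters, a host name of at most 16 characters, an inside
mask that is not all 255s, a PDM host address that is not the inside interface's
own address, and the UTC clock (Pacific Daylight Time is 7 hours behind UTC). That
the mask must be contiguous and that the inside address must be a host address of
its subnet are this example's own assumptions, not stated in the guide."""
from datetime import datetime, timedelta
import ipaddress
import re

MAX_PASSWORD_LEN = 16
MAX_HOSTNAME_LEN = 16
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def check_enable_password(password):
    """Problems with the proposed enable password (empty list means OK)."""
    problems = []
    if not password:
        problems.append("enable password is empty")
    if len(password) > MAX_PASSWORD_LEN:
        problems.append("enable password longer than 16 characters")
    if not re.fullmatch(r"[A-Za-z0-9]*", password):
        problems.append("enable password must be alphanumeric")
    return problems


def check_host_name(name):
    """Problems with the host name prompt."""
    if not name:
        return ["host name is empty"]
    if len(name) > MAX_HOSTNAME_LEN:
        return ["host name longer than 16 characters"]
    return []


def check_inside_interface(ip_text, mask_text):
    """Problems with the inside IP address and network mask prompts."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ValueError:
        return ["inside IP address is not a valid IPv4 address"]
    if mask_text == "255.255.255.255":   # Table 3-1: all 255s blocks traffic
        return ["mask of all 255s prevents traffic from passing on the interface"]
    try:
        net = ipaddress.IPv4Network((ip, mask_text), strict=False)
    except ValueError:                   # e.g. a non-contiguous mask such as 255.255.0.255
        return ["inside network mask is not a valid (contiguous) mask"]
    if ip in (net.network_address, net.broadcast_address):   # assumption of this example
        return ["inside IP address is the network or broadcast address"]
    return []


def check_pdm_host(pdm_ip_text, inside_ip_text, mask_text):
    """Problems with the address of the workstation designated to run PDM."""
    try:
        pdm_ip = ipaddress.IPv4Address(pdm_ip_text)
        net = ipaddress.IPv4Network((inside_ip_text, mask_text), strict=False)
    except ValueError:
        return ["PDM host address or inside interface values are not valid"]
    if pdm_ip == ipaddress.IPv4Address(inside_ip_text):   # Table 3-1: inside address must be unique
        return ["PDM host address duplicates the inside interface address"]
    if pdm_ip not in net:   # allowed (Chapter 5), but the workstation then needs a route
        return ["note: PDM host is on a different LAN; it needs a route to the PIX Firewall"]
    return []


def clock_prompt_values(local_time_text, utc_offset_hours):
    """Answers for the Clock (UTC) prompts from a local time 'YYYY-MM-DD HH:MM:SS'.
    utc_offset_hours is the zone's offset from UTC (-7 for Pacific Daylight Time),
    so the clock lands 7 hours ahead of local time, as Table 3-1 says."""
    local = datetime.strptime(local_time_text, "%Y-%m-%d %H:%M:%S")
    utc = local - timedelta(hours=utc_offset_hours)
    return {"Year": utc.year, "Month": MONTHS[utc.month - 1],
            "Day": utc.day, "Time": utc.strftime("%H:%M:%S")}


def check_setup(answers):
    """Run every check over a dict keyed by prompt name and return only the
    prompts that have problems, so an empty dict means the answers pass."""
    report = {
        "Enable Password": check_enable_password(answers["Enable Password"]),
        "Host name": check_host_name(answers["Host name"]),
        "Inside IP address": check_inside_interface(
            answers["Inside IP address"], answers["Inside network mask"]),
        "IP address of host running PIX Device Manager": check_pdm_host(
            answers["IP address of host running PIX Device Manager"],
            answers["Inside IP address"], answers["Inside network mask"]),
    }
    return {prompt: problems for prompt, problems in report.items() if problems}


# Constructed answers matching the guide's sample display.
SAMPLE_ANSWERS = {
    "Enable Password": "ciscopix",
    "Inside IP address": "192.168.1.1",
    "Inside network mask": "255.255.255.0",
    "Host name": "accounting_pix",
    "IP address of host running PIX Device Manager": "192.168.1.2",
}
```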
Step 7 Click Exit.
Step 8 Click Yes to exit HyperTerminal.
Chapter 4 Configuring PDM
This section describes how to configure your PDM. It includes the following topics:
Starting PDM with Internet Explorer, page 4-1
Starting PDM with Netscape Navigator, page 4-2
Using the PDM Startup Wizard, page 4-4
VPN Wizard, page 4-5
Configuring VPN Tunnels, page 4-6
Configuration Recommendations, page 4-6
Starting PDM with Internet Explorer
Perform the following steps to start PDM with Internet Explorer:
Step 1 On an Internet Explorer browser running on a workstation connected to the PIX Firewall unit, enter the following:
https://pix_inside_interface_ip_address
where pix_inside_interface_ip_address is the IP address of the inside interface of your PIX Firewall, entered in standard (number) format.
For the PIX 501 and PIX 506/506E, the factory default inside interface address is as follows:
inside IP address: 192.168.1.1
Enter https://192.168.1.1 for the PIX 501 and PIX 506/506E platforms. This launches PDM.
Note Ensure that you add the “s” to “https” or the web browser cannot connect. HTTPS (HTTP over SSL) provides a secure connection between your browser and the PIX Firewall that you are using PDM to configure or monitor.
Step 2 Accept the security certificate. (You must accept the certificate to use PDM.)
To prevent the certificate dialog (titled “Security Alert”) from appearing again in Windows Internet Explorer, perform the following steps when it is shown:
a. Click View Certificate.
b. Click Install Certificate.
c. Click Next>Next>Finish>Yes.
d. Click OK in the certificate dialog box.
e. In the Security Alert dialog box, click Yes.
Note Subsequent PDM loads will not show the certificate dialog box.
Step 3 Enter your password. If no password has been set, choose and enter one at this time. Click OK to continue.
Step 4 Answer ‘Yes’ to the Security Warning asking “Do you want to install and run ‘Cisco PIX Device Manager’?” If you do not want this question to be asked next time you load PDM, check the box with the label ‘Always trust content from Cisco Systems.’
Step 5 Follow the instructions on screen.
PDM starts after the certificates are accepted.
Step 6 For more information on how to use PDM, see the online Help at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdm30olh.pdf
Starting PDM with Netscape Navigator
Perform the following steps to start PDM with Netscape Navigator:
Step 1 On a Netscape Navigator browser running on a workstation connected to the PIX Firewall unit, enter the following:
https://172.23.59.230/
This launches PDM.
Step 2 Accept the security certificate. (You must accept the certificate to use PDM.)
To prevent the certificate dialog (titled “Security Alert”) from appearing again in Netscape Navigator, perform the following steps when it is shown:
a. Click Next at the New Site Certificate screen.
b. Click Next at the next New Site Certificate screen.
c. Select Accept this certificate forever (until it expires), and click Next at the next New Site Certificate screen.
d. Click Next at the next New Site Certificate.
e. Click Finish at the next New Site Certificate.
f. Click Continue at the Certificate Name Check.
Step 3 Enter your user name and password. Click OK.
Step 4 Select ‘Remember this decision,’ and click Grant at the next four Java Security screens.
PDM starts after the certificates are accepted.
Step 5 For more information on how to use PDM, see the online Help at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdm30olh.pdf
PDM Home Page
The PDM home page lets you view, at a glance, important information about your PIX Firewall such as the status of your interfaces, the version you are running, licensing information, and performance. Many of the details available on the PDM home page are available elsewhere in PDM, but this is a useful and quick way to see how your PIX Firewall is running. All information on the Home page is updated every ten seconds, except for the Device Information.
You can access the Home page any time by clicking Home on the main toolbar.
Note If the interface is configured to use DHCP or PPPoE to obtain an IP address, and running PIX Firewall Version 6.3 or higher, your IP address will be displayed in the Interface Status table. If you are running an earlier version of the PIX Firewall software, the IP address will not be displayed.
On a PIX 501, the inside interface link will always be displayed as up, because this interface acts as a built-in switch. Be sure to check for physical connectivity on the inside interface of a PIX 501.
The PDM home page displays the following fields:
Area: Device Information
  This area displays the following information: Host Name, PIX Version, Device Type, License, PDM Version, Total Memory, and Total Flash.
  Licensed Features—This area displays the features your PIX Firewall is licensed to use: Encryption, Failover, Max Interfaces, Inside Hosts, IKE Peers, Max Physical Interfaces.
Area: Interface Status
  Interface—Displays the interface name as configured in the Interfaces panel. You can click any of the table headings to sort by that value.
  IP Address/Mask—Displays the IP address of the associated interface.
  Link—Displays the link status of the interface. A red icon is displayed if the physical status of the link is down, and a green icon is displayed if the physical status of the link is up. Note that on a PIX 501, the inside interface link will always be displayed as up, because this interface acts as a built-in switch. Be sure to check for physical connectivity on the inside interface of a PIX 501.
  Current Kbps—Displays the current number of kilobits per second that cross the interface.
Area: VPN Status
  This area displays the status of your VPN tunnels, if they are configured.
Area: Traffic Status
  Connection Per Second Usage—Displays the information about Connections Per Second (TCP, UDP, and total) of traffic going through the device.
  outside Interface Traffic Usage (Kbps)—Displays the input and output traffic going through the ‘outside’ interface in Kilobits per second.
Area: System Resources Status
  CPU—Displays the percentage of CPU being utilized at the moment.
  CPU Usage (percent)—Displays the real time status of CPU usage and history for the last five minutes.
  Memory—Displays the total amount of memory being utilized at the moment.
  Memory Usage (percent)—Displays the real time memory usage and history for the last five minutes, in megabytes.
  Memory (MB)—Displays information about free, used and total memory in megabytes. Note that one megabyte is equal to 1,048,576 bytes.
Using the PDM Startup Wizard
By completing this wizard, your PIX Firewall is immediately enabled.
Note You can configure PDM manually using the online Help at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdm30olh.pdf
After PDM launches, you can access the PDM Startup Wizard at any time from the main PDM control panel as follows:
Step 1 On the PDM top menu, click Wizards>Startup Wizard.
Step 2 Read the Welcome to the Startup Wizard page and click Next when ready to continue.
Step 3 Fill in the configuration prompts according to your network security policies. Click Next at the end of each wizard page to go to the next set of prompts, or click Back to go back to the previous prompts. For assistance with deciding what to enter into the Startup Wizard dialog boxes, click Help.
Step 4 When you have completed all the wizard pages, the Startup Wizard Completed page displays. To send the configuration to your PIX Firewall and exit the wizard, click Finish. Otherwise, click Back to make changes to previous pages.
VPN Wizard
Use the VPN Wizard panel to select the type of Virtual Private Network (VPN) tunnel that you are defining and to identify the interface on which the tunnel will be enabled. A VPN tunnel provides secure communication over an insecure network, such as the public Internet, by encrypting traffic between two IPSec peers, such as your local PIX Firewall and a remote PIX Firewall or VPN concentrator.
To configure a secure tunnel, first decide if you are using your PIX Firewall to provide remote access to your local area network (LAN), or to provide connectivity to a LAN in another geographic location. Next, identify the interface to use to connect to the remote IPSec peer. If your PIX Firewall has only two interfaces, this will always be the lower security interface, which is named “outside” by default. If your PIX Firewall has multiple interfaces, you should plan your VPN configuration before running this wizard and identify the interface to use for each remote IPSec peer with which you need to establish secure connectivity.
To set up your PIX Firewall as a remote access client in relation to another PIX Firewall or Cisco VPN Concentrator, select the Startup Wizard from the Wizards menu.
You can configure the VPN Wizard as follows:
Site-to-Site VPN, page 4-5
Remote Access VPN, page 4-5
Select Interface, page 4-6
Site-to-Site VPN
This configuration is used between two IPSec security gateways, which can include PIX Firewalls, VPN concentrators, or other devices that support site-to-site IPSec connectivity. When you select this option, a series of panels is displayed that lets you enter the configuration required for this type of VPN. With a site-to-site VPN, your local PIX Firewall provides secure connectivity between your LAN and a LAN in a different geographic location.
Remote Access VPN
This configuration is used to allow secure remote access for VPN clients, such as mobile users. A remote access VPN lets remote users securely access centralized network resources. When you select this option, the system displays a series of panels that let you enter the configuration required for this type of VPN. With a remote access VPN, your local PIX Firewall provides secure connectivity between individual remote users and the LAN resources protected by your local PIX Firewall.
Select Interface
Use the selection list to select the interface on which the current VPN tunnel will be enabled. The outside interface is the lower security interface on your PIX Firewall, while the inside interface is the higher security interface.
Configuring VPN Tunnels
If you have never configured VPN tunnels before, use the VPN Wizard to begin:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdm30olh.pdf
By completing this wizard, your PIX Firewall is immediately configured to enforce network security policy as specified by you during the wizard prompts.
For information on configuring VPN tunnels, see the online Help for VPN Wizard at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdm30olh.pdf
Configuration Recommendations
For best performance when running Windows, use Internet Explorer versions 5.5 or 6.0 without the Java plug-in or with the Java Plug-in, but not as the default JVM. PDM Version 3.0 supports the Java plug-in for browsers.
When using Windows 2000 or later, fastest loading of PDM can be achieved by editing the Windows configuration file “hosts”.
Step 1 Locate the hosts file. Under Windows 2000, the location of the hosts file is:
C:\WINNT\system32\drivers\etc\hosts
Step 2 Select the file, right click, and select Open With > Notepad.
Step 3 Follow the Microsoft instructions in the hosts file to add your PIX Firewall IP address and host name.
Step 4 Save the hosts file to the original location.
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.example.com          # source server
#       38.25.63.10     x.example.com              # x client host
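Step 3 can be done programmatically by applying the format rules the sample file states. The following is an added example, not Cisco or Microsoft code; SAMPLE_HOSTS is constructed text in that format, the trailing comment it writes is this example's own choice, and writing the real file needs an administrative account.

```python
"""Add or update the PIX Firewall mapping in a Windows hosts-format file.

Added example, not Cisco or Microsoft code. It applies the rules the sample
file states: one mapping per line, the IP address in the first column, the
host name after at least one space, and '#' starting a comment. Replacing an
earlier mapping of the same host name instead of appending a duplicate is this
example's own choice. Writing C:\\WINNT\\system32\\drivers\\etc\\hosts needs an
administrative account; the constructed text below lets the functions run offline.
"""
import ipaddress

# Constructed sample in the format the guide describes, not a real file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.example.com          # source server
#       38.25.63.10     x.example.com              # x client host

127.0.0.1       localhost
"""


def parse_hosts(text):
    """Yield (ip, names, comment, raw) per line. ip is None for lines that carry
    no mapping (blank or comment-only) so that callers can keep them verbatim."""
    for raw in text.splitlines():
        body, hash_sign, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            yield None, [], raw, raw
            continue
        trailing = (" " + hash_sign + comment) if hash_sign else ""
        yield fields[0], fields[1:], trailing, raw


def resolve(text, host_name):
    """Return the IP address the hosts text maps host_name to, or None.
    The first matching line wins and the comparison is case-insensitive."""
    wanted = host_name.lower()
    for ip, names, _comment, _raw in parse_hosts(text):
        if ip is not None and wanted in (n.lower() for n in names):
            return ip
    return None


def add_pix_entry(text, pix_ip, pix_host_name):
    """Return the hosts text with pix_host_name mapped to pix_ip.

    The address is validated first so that a typo cannot silently send PDM
    sessions to some other host; any earlier mapping of the same name is
    removed so that exactly one mapping for the PIX Firewall remains."""
    ipaddress.IPv4Address(pix_ip)          # raises ValueError on a bad address
    wanted = pix_host_name.lower()
    kept = []
    for ip, names, comment, raw in parse_hosts(text):
        if ip is None or wanted not in (n.lower() for n in names):
            kept.append(raw)
            continue
        remaining = [n for n in names if n.lower() != wanted]
        if remaining:                      # the line also named other hosts: keep those
            kept.append(f"{ip:<15} {' '.join(remaining)}{comment}")
    kept.append(f"{pix_ip:<15} {pix_host_name}   # PIX Firewall (PDM)")
    return "\n".join(kept) + "\n"
```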
Chapter 5 Tips and Troubleshooting
This chapter provides tips on using PDM and instructions on basic PDM troubleshooting symptoms and workarounds. Use this information prior to contacting the Technical Assistance Center (see the “Preface”).
This chapter includes the following topics:
Checking Your Connection to the PIX Firewall, page 5-1
Tips on Using PDM, page 5-2
Troubleshooting, page 5-3
Checking Your Connection to the PIX Firewall
To communicate with the PIX Firewall, your computer should have an IP address and, if it is located on a different LAN, your computer should be configured with a route to the PIX Firewall.
To set the default gateway IP address, refer to the Cisco PIX Firewall and VPN Configuration Guide. If you cannot access the PIX Firewall through PDM, follow these steps:
Step 1 Enter show ip interface inside at the console command prompt to check that the IP address you typed into your web browser is the same IP address that you assigned to the inside interface of your PIX Firewall; these IP addresses must be the same to make a connection.
Step 2 Check the networking setup of your console workstation to see how it is connected to the PIX Firewall.
Step 3 Check that your network cabling is connected.
If you are connecting a workstation directly to the PIX Firewall unit’s Ethernet interface, use a cross-over cable or add a hub or switch between your computer and the PIX Firewall.
Step 4 If the LEDs indicate the system is not working, ping the PIX Firewall unit’s interface IP address. For example, if the inside interface’s IP address is 10.1.1.1, enter the following command to ping the PIX Firewall:
ping 10.1.1.1
If the ping is unsuccessful, there is a power or network connectivity problem.
Note If your console operating system supports a traceroute, tracert, or similar command, use it to troubleshoot the route between your computer and the PIX Firewall unit.
Step 5 You can connect to PDM from a browser by entering the following command:
https://pix_inside_interface_ip_address
Note Remember to add the “s” to “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the PIX Firewall that you are using PDM to configure or monitor.
Step 6 If you are still unable to access PDM from your browser, verify that the following conditions exist:
a. You are running PIX Firewall software Version 6.3. To determine your software version, enter the show version command and check the first line of the command output.
b. You have PDM Version 3.0 installed. To determine if PDM Version 3.0 is installed on your PIX Firewall unit, enter the show version command and check the second line of the command output.
c. You have an HTTP server enabled. To determine if you have the HTTP server enabled, enter the show http command and check the first line of the command output.
d. Your PIX Firewall unit is allowing your PC/workstation to access PDM. To determine if your PIX Firewall unit is allowing your PC/workstation to access PDM, enter the show http command and check the command output.
Step 7 If you still cannot access PDM from your browser, refer to the “Preface”.
Tips on Using PDM
For ease when using PDM, follow these tips:
You can view the size of your configuration from the PIX Firewall console. Either connect a computer to the PIX Firewall unit or use Telnet to access the console. After entering the enable mode password, use the show flashfs command to view the configuration size, as shown in the following example:
pixdoc515(config)# show flashfs
flash file system: version:2 magic:0x12345679
file 0: origin: 0 length:1511480
file 1: origin: 2883584 length:1639
file 2: origin: 0 length:0
file 3: origin: 3014656 length:4311804
file 4: origin: 8257536 length:280
The “file 1” line lists the number of characters in your configuration after the “length” parameter. In this example, the configuration consists of 1639 characters. Divide this number by 1024 to view the number of kilobytes. The configuration in this example is slightly more than 1.6 KB.
The first time you use PDM with a PIX Firewall, PDM asks permission to save PDM-specific commands to your PIX Firewall configuration. These commands are necessary to update PDM’s network topology information and do not change your network security policy on the PIX Firewall. When prompted, you can choose not to accept these commands, but without the network topology information, PDM can only monitor your PIX Firewall. Consequently, not accepting these commands limits your access in PDM to the Monitoring tab.
For Microsoft Internet Explorer web browsers, when prompted to accept certificates select the Always trust content from Cisco Systems check box so that the certificate is automatically accepted the next time you run PDM.
For Netscape Communicator or Navigator, select the Remember this decision check box so that the certificate is automatically accepted when you run PDM.
The following conditions can affect the performance of PDM on your workstation:
You can run several PDM sessions on a single workstation. The maximum number of PDM sessions you can run varies depending on your workstation's resources such as memory, CPU speed, and browser type.
The time required to download the PDM applet can be greatly affected by the speed of the link between your workstation and the PIX Firewall unit. A minimum of 56 Kbps link speed is required; however, 3.84 Mbps or higher is recommended. Once the PDM applet is loaded on your workstation, the link speed impact on PDM operation is negligible.
If your workstation’s resources are running low, you should close and reopen your browser before launching PDM.
For information on PDM caveats, refer to the “Caveats” section of the Cisco PIX Device Manager Release Notes Version 3.0.
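The show flashfs tip above reads the configuration size off the “file 1” line by hand; the following parser, an added example and not Cisco code, does the same for every file line and derives the kilobyte figure. SAMPLE_SHOW_FLASHFS is the tip's own output re-typed one file per line.

```python
"""Parse `show flashfs` output and report the saved configuration size.

Added example, not Cisco code. Per the tip above, the "file 1" line is the
configuration and its "length" value is the number of characters; this parser
reads every file line into a dict and works out the kilobyte figure the tip
computes by hand (1639 / 1024, slightly more than 1.6 KB).
"""
import re

# The guide's sample output, re-typed with one file per line (constructed layout).
SAMPLE_SHOW_FLASHFS = """\
pixdoc515(config)# show flashfs
flash file system: version:2 magic:0x12345679
file 0: origin: 0 length:1511480
file 1: origin: 2883584 length:1639
file 2: origin: 0 length:0
file 3: origin: 3014656 length:4311804
file 4: origin: 8257536 length:280
"""

FILE_LINE = re.compile(r"^\s*file\s+(\d+):\s*origin:\s*(\d+)\s+length:\s*(\d+)\s*$")
CONFIG_FILE_INDEX = 1   # the tip: "file 1" holds the configuration


def parse_show_flashfs(output):
    """Map file index -> {"origin": ..., "length": ...} for each file line.
    The prompt, the header line and anything unrecognised are ignored."""
    files = {}
    for line in output.splitlines():
        match = FILE_LINE.match(line)
        if match:
            index, origin, length = (int(g) for g in match.groups())
            files[index] = {"origin": origin, "length": length}
    return files


def config_size(output):
    """Return (characters, kilobytes) of the configuration stored in flash."""
    files = parse_show_flashfs(output)
    if CONFIG_FILE_INDEX not in files:
        raise ValueError("no 'file 1' line in show flashfs output")
    chars = files[CONFIG_FILE_INDEX]["length"]
    return chars, chars / 1024


def config_size_report(output):
    """One-line summary in the tip's wording, e.g. '1639 characters (1.6 KB)'."""
    chars, kilobytes = config_size(output)
    return f"{chars} characters ({kilobytes:.1f} KB)"
```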
Troubleshooting
For information on PDM caveats, refer to the caveats section of the Cisco PIX Device Manager Release Notes Version 3.0.
Table 5-1 contains basic PDM troubleshooting scenarios.
Table 5-1 Common Troubleshooting Symptoms, Conditions, and Workarounds
Symptom: Browser asks for acceptance of the security certificate again.
Conditions: The host name or domain name has changed.
Workaround: This is normal. Accept the security certificates again. (If you change the host name or domain of the PIX Firewall unit, the browser asks you to accept the new security certificate.)
Symptom: Browser asks for the password again.
Conditions: If you change the password on the PIX Firewall unit, the browser might ask you to reenter the password for authentication. If you use the Java Plug-in, the browser will prompt you for your username and password twice.
Workaround: Keep track of new and changed passwords.
Symptom: Certificate displays a message that its timestamp is in the future when connecting to the PIX Firewall.
Conditions: The browser displays a message with the certificate’s timestamp each time a user connects to the PIX Firewall.
Workaround: To reset the PIX Firewall clock setting, go to the Configuration>System Properties>Administration>Clock screen on PDM. Using PDM, look at the VPN screen under IKE>Certificate>Enrollment to check the timestamp on the certificate. Alternatively, you can also use the show ca certificate command to check the timestamp on the certificate.
Symptom: Browser cannot access PDM.
Conditions: When you attempt to access PDM, the message “the page cannot be displayed” appears in Internet Explorer or the message “network connection was refused by the server” appears in Netscape Communicator.
Workaround:
1. Check that you are using “https” in your connection to “https://pix_inside_interface_ip_address” and not “http.” The connection cannot be made using “http,” it must be “https.”
2. If you cannot connect, enter the show version command to check that you have the proper activation key to use DES or 3DES. If you do not, obtain an activation key that supports this requirement before continuing. If, after confirming that your activation key supports using DES or 3DES, you still cannot connect, refer to “Checking Your Connection to the PIX Firewall”.
Symptom: Clicking Grant causes PDM to crash.
Conditions: If you are using PDM with Netscape Version 4.73 and you have a corrupted certificate database, the browser may crash if you do the following:
1. Run an applet that uses a digital certificate.
2. Renew the certificate.
3. Run the new applet with the updated certificate.
4. Start PDM.
5. Click Grant to launch PDM.
This can happen on Windows, Sun Solaris, or Linux and is a problem in the Netscape Java Virtual Machine (JVM).
Workaround: To work around this, remove the corrupted cert7.db file (the certificate database file), located in your Netscape directory. A new cert7.db file is created when you run Netscape again.
However, this removes all of the certificates that you have previously accepted as trusted. (This includes certificates that you accepted from other sites as well as certificates that you entered manually.)
Symptom: Help files appear corrupted.
Conditions: This can occur when you are using Microsoft Internet Explorer 5.0 and do not have HTTP 1.1 enabled. This can occur because PDM compresses the online Help files, and Internet Explorer requires HTTP 1.1 to be enabled to handle compressed files properly.
Workaround: In Internet Explorer, click Tools>Internet Options>Advanced. Scroll down to HTTP 1.1 settings. Select the Use HTTP 1.1 check box. Click Apply. Close and restart your browser. If you are using a proxy server, select the Use HTTP 1.1 through proxy connections check box.
Symptom: Some graphics or icons do not display properly.
Conditions: PDM is being run with a Java Plug-in that is not supported (PDM supports Java Plug-ins 1.3.1, 1.4.0, and 1.4.1).
Workaround: If you have the Java Plug-in installed, confirm that it is your default Java Virtual Machine (JVM). Do the following to ensure that the Java Plug-in is your default JVM:
In Internet Explorer, click Tools>Internet Options. Click the Advanced tab. Scroll down. Look for a Java (Sun) section. If there is one, confirm that Use Java 2 is checked.
In Netscape, click Edit>Preferences. Click Advanced. Make sure the Enable Java Plug-in check box is checked.
Symptom: User cannot access PDM.
Conditions: If more than five users try to access a single PIX Firewall unit using PDM, this exceeds the maximum number of simultaneous sessions allowed. The maximum number is five users in the current version.
Workaround:
1. If more than five users need to access a PIX Firewall, one or more can use a PIX Firewall console session via Telnet.
2. If you know that a PDM administrator’s session is idle and wish to disconnect it, access the PDM Users panel on the Monitoring tab.
3. If you know the IP address of the idle connection, select the row, and click Disconnect. Another administrator can now access PDM.
Symptom: PDM launches slowly.
Conditions: The startup speed of PDM depends on the amount of available RAM in your computer and whether virus scanning software is running on your computer.
Workaround:
1. You can increase your available RAM by closing other applications.
2. The time required to download the PDM applet can be greatly affected by the speed of the link between your workstation and the PIX Firewall unit. A minimum of 56 Kbps link speed is required; however, 3.84 Mbps or higher is recommended. Once the PDM applet is loaded on your workstation, the link speed impact on PDM operation is negligible.
3. See Load Time Improvements in “PC/Workstation Requirements” in Chapter 1.
Symptom: Performance of PDM is slow.
Conditions: When using the Java Plug-in and accessing your PIX Firewall using an IP address instead of a host name, the performance of PDM is dramatically slower. This occurs if the PIX Firewall host name is not in DNS or in the local hosts file.
Workaround: Ensure that the PIX Firewall host name is in DNS. If you are running Windows, and there is no DNS in your network or your DNS does not have the PIX Firewall entry, modify the “hosts” file.
On Windows NT, 2000, and XP, the hosts file is located at C:\WINNT\system32\drivers\etc\hosts.
On Windows 98 and ME, it is at C:\Windows\hosts.
Each line in the hosts file is in the format “<ip> <hostname>”. For example:
192.168.1.1 pixfirewall.example.com
Symptom: There is access only to the Monitoring tab in PDM.
Conditions: The use of certain PIX Firewall CLI commands, and certain command combinations, limits access in PDM to the Monitoring tab.
Workaround: For more information on these commands and command combinations, see the Cisco PIX Device Manager Release Notes Version 3.0.
Appendix A
Using a TFTP Server
This appendix describes how to use a TFTP server to access PIX Firewall or PDM images. You must have a TFTP or FTP server to install the PIX Firewall software.
You must have an activation key that enables Data Encryption Standard (DES), the more secure 3DES, or AES, which PDM requires for support of the Secure Sockets Layer (SSL) protocol. If your PIX Firewall is not enabled for DES, you can have a new activation key sent to you by completing the form at the following web site:
http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324
This section includes the following topics:
Obtaining a Windows TFTP Server, page A-1
Enabling UNIX TFTP Support, page A-2
TFTP Download Error Codes, page A-3
Obtaining a Windows TFTP Server
The Microsoft Windows based TFTP server previously provided by Cisco Systems has been discontinued and is no longer supported by Cisco Systems. This software suffers from a security bug described in (http://online.securityfocus.com/bid/2886). Persons still using the server should consider replacing it with any of the high quality freeware and shareware TFTP servers.
As a historical note, the Cisco TFTP server was released to customers in 1995 at a time when no other freely available TFTP servers existed. Today, there are many TFTP servers available that can be easily found by searching for “tftp server” on your internet search engine. We do not specifically recommend any particular TFTP implementation.
It is also useful to note that modern versions of Cisco IOS software also support the use of FTP instead of TFTP for loading of images or configuration files. Use of FTP overcomes a number of inherent limitations of TFTP, including a lack of security and a 16 MB file size limitation.
Enabling UNIX TFTP Support
The procedure for enabling TFTP access on your workstation varies depending on your operating system.
This section contains the following topics:
Enabling TFTP Access on a Sun Solaris System, page A-2
Enabling TFTP Access on a Linux System, page A-2
Enabling TFTP Access on a Sun Solaris System
Follow these steps to enable TFTP access on a Sun Solaris system:
Step 1 Log in as root.
Step 2 Add or uncomment the following line in your /etc/inetd.conf file:
tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd
Step 3 Specify the TFTP directory. By default it is /tftpboot unless you append “-s <directory>” in the previous step. View the in.tftpd man page for more information.
Step 4 Either reboot your system or use the following commands to find the “inetd” process and send it the SIGHUP signal to force it to reread the inetd.conf file:
/bin/ps -ef | grep inetd
kill -1 inetd_process_ID
Enabling TFTP Access on a Linux System
Follow these steps to enable TFTP access on a Linux system:
Note If you use Linux, these steps vary depending on whether you are using “inetd” or “xinetd.” If you have the file “/etc/inetd.conf,” you are using inetd. RedHat 7.0 uses “xinetd.”
Step 1 Log in as root.
Step 2 If you are running Linux with “inetd,” add or uncomment the following line in your /etc/inetd.conf file:
tftp dgram udp wait root /usr/sbin/tcpd in.tftpd
If you are running Linux with “xinetd,” edit the /etc/xinetd.d/tftp file as follows:
a. Change the line “disable = yes” to “disable = no.”
b. Change the line “user = nobody” to “user = root.”
c. If you want to specify a different TFTP directory, replace “/tftpboot” in the line “server_args = -s /tftpboot” with the name of your directory.
Step 3 Enter the following command:
/etc/init.d/xinetd restart
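The xinetd edits in Step 2 (a, b and c) are easy to get wrong by hand, and the same edits are what a reviewer checks afterwards. The following script is an added example, not part of the Cisco guide: it applies the three substitutions to a copy of /etc/xinetd.d/tftp and audits the result. It assumes the usual "key = value" xinetd stanza layout, a target directory path containing no "|" or "&" characters, and only POSIX sh, sed and grep; the file names and the /srv/tftp directory in the demonstration are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): apply the xinetd TFTP edits from
# Step 2 to a copy of /etc/xinetd.d/tftp and audit what came out. The input
# file is never changed in place; inspect <out-file> before installing it.

# enable_tftp_xinetd <in-file> <out-file> <tftp-dir>
#   disable = yes              -> disable = no
#   user = nobody              -> user = root        (as the guide instructs)
#   server_args = -s /tftpboot -> server_args = -s <tftp-dir>
enable_tftp_xinetd() {
  in="$1"; out="$2"; dir="$3"
  sed -e 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)yes/\1no/' \
      -e 's/^\([[:space:]]*user[[:space:]]*=[[:space:]]*\)nobody/\1root/' \
      -e "s|^\([[:space:]]*server_args[[:space:]]*=[[:space:]]*-s[[:space:]]*\)/tftpboot|\1$dir|" \
      "$in" > "$out"
}

# tftp_state <file>: "enabled" if the service is switched on, else "disabled"
tftp_state() {
  if grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no([[:space:]]|$)' "$1"; then
    echo enabled
  else
    echo disabled
  fi
}

# tftp_root_dir <file>: the directory passed to "-s", or "none" when the daemon
# is not confined to a directory at all (the thing an audit should flag, since
# -s is what bounds which files an unauthenticated TFTP client can fetch)
tftp_root_dir() {
  d=$(sed -n 's/^[[:space:]]*server_args[[:space:]]*=.*-s[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1")
  [ -n "$d" ] && echo "$d" || echo none
}

# Constructed demonstration stanza (not a real system file), run end to end
tmp=$(mktemp -d)
printf 'service tftp\n{\n\tdisable = yes\n\tuser = nobody\n\tserver_args = -s /tftpboot\n}\n' > "$tmp/tftp"
enable_tftp_xinetd "$tmp/tftp" "$tmp/tftp.new" /srv/tftp
echo "before: $(tftp_state "$tmp/tftp") root=$(tftp_root_dir "$tmp/tftp")"
echo "after:  $(tftp_state "$tmp/tftp.new") root=$(tftp_root_dir "$tmp/tftp.new")"
rm -rf "$tmp"
```

The guide's step b runs in.tftpd as root, and TFTP carries no authentication (this appendix says as much under "Obtaining a Windows TFTP Server"), so the -s directory (the same option the Solaris Step 3 refers to) is the only boundary on what the daemon will serve. Point it at a dedicated directory that holds nothing but the images you intend to copy, and set "disable = yes" again once the copy has finished.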
TFTP Download Error Codes
PDM cannot be downloaded via TFTP from the PIX Firewall unit’s monitor mode. You must use the copy tftp flash:pdm command described in Chapter 3, “Installing PDM.”
During a TFTP download, non-fatal errors may appear in the midst of dots that display as the software downloads. The error code appears inside angle brackets. Table A-1 lists the code values.
For example, random bad blocks appear as follows:
....<11>..<11>.<11>......<11>...
Also, the display may show “A” and “T” for ARP and timeouts, respectively. Receipt of non-IP packets causes the protocol number to display inside parentheses.
Error codes 9 and 10 cause the download to stop.
Table A-1 TFTP Error Code Numeric Values
Error Code   Description
-1   Timeout between the PIX Firewall and TFTP server.
2    The packet length as received from the Ethernet device was not big enough to be a valid TFTP packet.
3    The received packet was not from the server specified in the server command.
4    The IP header length was not big enough to be a valid TFTP packet.
5    The IP protocol type on the received packet was not UDP, which is the underlying protocol used by TFTP.
6    The received IP packet's destination address did not match the address specified by the address command.
7    The UDP ports on either side of the connection did not match the expected values. This means either the local port was not the previously selected port, or the foreign port was not the TFTP port, or both.
8    The UDP checksum calculation on the packet failed.
9    An unexpected TFTP code occurred.
10   A TFTP transfer error occurred.
-10  The image filename you specified cannot be found. Check the spelling of the filename and that permissions permit the TFTP server to access the file. In UNIX, the file needs to be world readable.
11   A TFTP packet was received out of sequence.
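When a download is captured from the console (for a ticket, or to decide whether a flaky link or a wrong server address is to blame), the dots-and-codes output above is tedious to read by eye. The following is an added example, not part of the Cisco guide: a small POSIX sh + awk summarizer for that output format, counting each bracketed code, the "A" (ARP) and "T" (timeout) markers, and reporting whether a fatal code (9 or 10) occurred. The two sample strings are constructed to match the format shown in this appendix; they are not real captures.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): summarize monitor-mode TFTP
# download output. Error codes appear inside angle brackets, "A" marks an ARP,
# "T" a timeout, and codes 9 and 10 stop the download (see Table A-1).

# tftp_error_count <output> <code>: how many times <code> appeared in <...>
tftp_error_count() {
  printf '%s' "$1" | awk -v want="$2" '
    BEGIN { RS = "<"; n = 0 }
    NR > 1 { code = $0; sub(/>.*/, "", code); if (code == want) n++ }
    END { print n + 0 }'
}

# tftp_marker_count <output> <A|T>: number of ARP ("A") or timeout ("T") marks
tftp_marker_count() {
  printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# tftp_download_fatal <output>: "yes" if a code that stops the download is present
tftp_download_fatal() {
  case "$1" in
    *'<9>'*|*'<10>'*) echo yes ;;
    *) echo no ;;
  esac
}

# tftp_download_summary <output>: one line suitable for a log entry or ticket
tftp_download_summary() {
  out="$1"
  codes=$(printf '%s' "$out" | awk '
    BEGIN { RS = "<" }
    NR > 1 { code = $0; sub(/>.*/, "", code); n[code]++ }
    END { for (c in n) print c "=" n[c] }' | sort | tr '\n' ' ')
  [ -n "$codes" ] || codes='none '
  printf 'codes: %sarp=%s timeouts=%s fatal=%s\n' "$codes" \
    "$(tftp_marker_count "$out" A)" "$(tftp_marker_count "$out" T)" \
    "$(tftp_download_fatal "$out")"
}

# Constructed samples in the format this appendix describes (not real captures)
SAMPLE_OK='....<11>..<11>.<11>......<11>...'
SAMPLE_FATAL='......<11>..A..T<10>'

tftp_download_summary "$SAMPLE_OK"      # out-of-sequence packets only, not fatal
tftp_download_summary "$SAMPLE_FATAL"   # an ARP, a timeout, then a fatal code 10
```

A run of code 11 with no fatal code is the "random bad blocks" case the text describes and the image is still usable; codes 3 or 6 point at a server or address mismatch rather than a bad link, which is worth checking against the server and address commands before retrying.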
INDEX
A
acceleration module, VPN (see VAM) 1-2
acronyms, list of xiv
activation key 2-3, A-1
C
Cisco Secure Policy Manager (Cisco Secure PM) 1-4
configuration
  file size 5-2
  mode 3-4
configure terminal command 3-4
connection
  checking 5-1
  pinging 5-1
copy tftp flash command 3-4
D
Data 1-2
Data Encryption Standard (DES) A-1
F
failover preparation 2-3
H
Home Page 4-3
https 4-1, 5-2, 5-4
I
IP address
  administrator 5-5
  TFTP server 2-4
  workstation 2-4
J
JDK version 1-7
K
key
  activation A-1
  license 2-3
L
license key 2-3
M
maximum number of PDM sessions 5-5
module, VPN acceleration (see VAM) 1-2
N
network connection 5-4
P
PDM 5-3
  copying 3-2
  downloading 3-1
  features 1-1
  preparing to install 2-3
  starting 4-1
  startup wizard 4-4
  tips 5-2
PDM Home Page 4-2
PDM-specific commands 5-2
S
setup
  command 3-4
  prompts 3-5
show flashfs command 5-2
show ip interface inside command 5-1
show version command 2-2
startup wizard 4-4
T
terms, list of xiv
terms and acronyms xiv
TFTP
  error codes A-3
  Linux 2-5
  server 2-2, A-1
  Sun Solaris A-2
  UNIX A-2
  using A-1
  Windows 2-4
troubleshooting
  accessing PDM 5-4, 5-5
  common symptoms 5-3
  launching PDM 5-6
  matrix 5-3
  starting PDM 5-3
V
VPN Acceleration Module (see VAM) 1-2
W
write terminal command 2-3