PIX Firewall
The Cisco PIX 515E security appliance delivers enterprise-class security for small-to-medium businesses and enterprise networks in a modular, purpose-built security appliance. Ranging from compact, plug-and-play desktop appliances for small and home offices to carrier-class gigabit appliances for the most demanding enterprise and service-provider environments, Cisco PIX security appliances provide robust security, performance, and reliability for network environments of all sizes. Part of the market-leading Cisco PIX 500 series, the Cisco PIX 515E security appliance provides a wide range of integrated security services, hardware VPN acceleration, award-winning high-availability and powerful remote management capabilities in an easy-to-deploy, high-performance solution.
Figure (package contents): PIX-515E security appliance (rear panel labels: FDX, FDX, FAILOVER, 10/100 ETHERNET 1, 10/100 ETHERNET 0, CONSOLE), 4 spacers (69-0125-01), End User License and Software Warranty, rubber feet, documentation, Cisco PIX Security Appliance Product CD.
Figure (example deployment): DMZ server, DMZ switch, PIX 515E, switch, laptop computer, router.
To install the PIX 515E security appliance, complete these steps:
Step 1 Mount the chassis in a rack by performing the following steps:
a. Attach the brackets to the chassis with the supplied screws. The brackets attach to the holes near the front of the chassis.
b. Attach the chassis to the equipment rack.
Step 2 Use one of the provided yellow Ethernet cables (72-1482-01) to connect the outside 10/100 Ethernet interface, Ethernet 0, to a DSL modem, cable modem, router, or switch.
Step 3 Use the other provided yellow Ethernet cable (72-1482-01) to connect the inside 10/100 Ethernet interface, Ethernet 1, to a switch or hub.
Step 4 Connect one end of the power cable to the rear of the PIX 515E security appliance and the other end to a power outlet.
Step 5 Power up the PIX 515E security appliance. The power switch is located at the rear of the chassis.
To use the Startup Wizard to set up a simplified basic configuration on the security appliance, follow these steps:
Step 1 If you have not already done so, connect the inside Ethernet 1 interface of the security appliance to a switch or hub by using the Ethernet cable. To this same switch, connect a PC for configuring the security appliance. Configure your PC to use DHCP (to receive an IP address automatically from the security appliance), or assign a static IP address to your PC by selecting an address out of the 192.168.1.0 network. (Valid addresses are 192.168.1.2 through 192.168.1.254, with a mask of 255.255.255.0 and default route of 192.168.1.1.) The inside interface of the security appliance is assigned 192.168.1.1 by default, so this address is unavailable.
Step 2 Check the LINK LED on the Ethernet 1 interface. When a connection is established, the LINK LED on the Ethernet 1 interface of the security appliance and the corresponding LINK LED on the switch or hub will become solid green.
Step 3 Launch the Startup Wizard.
a. On the PC connected to the switch or hub, launch an Internet browser.
b. In the address field of the browser, enter this URL: https://192.168.1.1/. The security appliance ships with a default IP address of 192.168.1.1. Remember to add the s in https or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the security appliance.
Step 4 In the popup window that requires a username and password, leave both fields empty. Press Enter. Click Yes to accept certificates. Click Yes for any subsequent certificates or authentication requests. After ASDM starts, choose the Wizards menu, then choose Startup Wizard. Follow the instructions in the Startup Wizard to set up your security appliance. For information about any field in the Startup Wizard, click the Help button at the bottom of the window.
Figure 2 (DMZ configuration scenario): HTTP client, security appliance, DMZ web server.
Because the DMZ web server is located on a private DMZ network, it is necessary to translate its private IP address to a public (routable) IP address. This public address allows external clients to have HTTP access to the DMZ web server in the same way the clients would access any server on the Internet. This DMZ configuration scenario, shown in Figure 2, provides two routable IP addresses that are publicly available: one for the outside interface (209.165.156.10) and one for the translated DMZ web server (209.165.156.11). The following procedure describes how to use ASDM to configure the security appliance for secure communications between HTTP clients and the web server. In this DMZ scenario, the security appliance already has an outside interface configured. Set up the security appliance interface for your DMZ, called dmz, by using the Startup Wizard. Ensure that its security level is set between 0 and 100. (A common choice is 50.)
4. Click the Manage Pools button at the bottom of the ASDM window. The Manage Global Address Pools window appears, allowing you to add or edit global address pools.
Note
For most configurations, global pools are added to the less secure, or public, interfaces.
5. In the Manage Global Address Pools window:
a. Choose the dmz interface.
b. Click the Add button.
6. In the Add Global Pool Item window:
a. Choose dmz from the Interface drop-down menu.
b. Click the Range radio button to enter the IP address range.
c. Enter the range of IP addresses for the DMZ interface. In this scenario, the range is 30.30.30.50 to 30.30.30.60.
d. Enter a unique Pool ID. (For this scenario, the Pool ID is 200.)
e. Click the OK button to go back to the Manage Global Address Pools window.
You can also choose Port Address Translation (PAT), or PAT using the IP address of the interface, if there are limited IP addresses available for the DMZ interface.
7. In the Manage Global Address Pools window:
a. Choose the outside interface.
b. Click the Add button. The Add Global Pool Item window appears.
8. When the Add Global Pool Item window appears:
a. Choose outside from the Interface drop-down menu.
b. Click the Port Address Translation (PAT) using the IP address of the interface radio button.
c. Assign the same Pool ID for this pool as you did in Step 6d above. (For this scenario, the Pool ID is 200.)
d. Click the OK button. The configuration should be similar to the following:
9. Confirm that the configuration values are correct, then:
a. Click the OK button.
b. Click the Apply button in the main window.
Because there are only two public IP addresses available, with one reserved for the DMZ server, all traffic initiated by the inside HTTP client exits the security appliance using the outside interface IP address. This configuration allows traffic from the inside client to be routed to and from the Internet.
5. Enter the IP address of the inside client. In this scenario, the IP address is 10.10.10.10.
6. Choose 255.255.255.255 from the Mask drop-down menu.
7. Choose the DMZ interface from the Translate Address on Interface drop-down menu.
8. Click the Dynamic radio button in the Translate Address To section.
9. Choose 200 from the Address Pools drop-down menu for the appropriate Pool ID.
10. Click the OK button.
11. A pop-up window displays asking if you want to proceed. Click the Proceed button.
12. On the NAT Translation Rules page, verify that the displayed configuration is accurate.
13. Click the Apply button to complete the configuration changes. The configuration should display as follows:
3. Specify the type of traffic that you want to permit. HTTP traffic is always directed from any TCP source port number toward the fixed destination TCP port number 80.
a. Click the TCP radio button under Protocol and Service.
b. Under Source Port, choose = (equal to) from the Service drop-down menu.
c. Click the button labeled with ellipses (...), scroll through the options, and choose Any.
d. Under Destination Port, choose = (equal to) from the Service drop-down menu.
e. Click the button labeled with ellipses (...), scroll through the options, and select HTTP.
f. Click the OK button. For additional features, such as system log messages by ACL, click the More Options radio button at the top of the screen. You can provide a name for the access rule in the field at the bottom of the window.
g. Verify that the information you entered is accurate, and click the OK button. Although the destination address specified above is the private address of the DMZ web server (30.30.30.30), HTTP traffic from any host on the Internet destined for 209.165.156.11 is permitted through the security appliance. The address translation (30.30.30.30 = 209.165.156.11) allows the traffic to be permitted.
h. Click the Apply button in the main window. The configurations should display as follows:
The HTTP clients on the private and public networks can now securely access the DMZ web server.
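The following model, added here as an illustration and not code from Cisco or from this guide, replays the DMZ scenario in plain Python: the static translation between the public address 209.165.156.11 and the web server's private address 30.30.30.30, the access rule written with the private address (as the procedure does), and the dynamic rule with pool ID 200 that PATs the inside client to the outside interface address or hands it an address from the 30.30.30.50 to 30.30.30.60 range on the dmz interface. The security level of 50 for dmz is the "common choice" the text names; the sample packets and the first-address pool allocation are constructed simplifications.

```python
"""Model of the DMZ scenario's address translation and access rule.

Added example, not Cisco code: it shows why a TCP connection from an Internet
host to 209.165.156.11 port 80 reaches the DMZ web server's private address
30.30.30.30, why other inbound traffic is dropped, and which translated source
address the inside client 10.10.10.10 gets when it exits toward the outside or
the dmz interface (pool ID 200).  Sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

# Security levels: a higher-level interface may initiate to a lower one
# without an access rule; lower to higher needs a rule (and a translation).
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}

OUTSIDE_INTERFACE_IP = IPv4Address("209.165.156.10")

# One-to-one static translation: public 209.165.156.11 <-> private 30.30.30.30.
STATIC_PUBLIC_TO_PRIVATE = {IPv4Address("209.165.156.11"): IPv4Address("30.30.30.30")}

# Dynamic NAT rule for the inside client, pool ID 200.
NAT_RULE_HOSTS = IPv4Network("10.10.10.10/32")

# Global pools that share pool ID 200: PAT with the interface address on
# outside, a range of addresses on dmz (the appliance allocates from the
# range dynamically; this model simply hands out the first address).
GLOBAL_POOL_200 = {
    "outside": "interface",
    "dmz": (IPv4Address("30.30.30.50"), IPv4Address("30.30.30.60")),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AccessRule:
    proto: str
    src_net: str      # "0.0.0.0/0" stands for Any
    dst_host: str     # the server's private (real) address
    dport: int        # 80 is HTTP


# Rule from the procedure: permit TCP, any source port, destination port 80
# on 30.30.30.30, applied to traffic entering the outside interface.
OUTSIDE_IN_RULES = [AccessRule("tcp", "0.0.0.0/0", "30.30.30.30", 80)]


def untranslate(public_dst: IPv4Address) -> Optional[IPv4Address]:
    """Map a public destination to the DMZ host it stands for, if a static exists."""
    return STATIC_PUBLIC_TO_PRIVATE.get(public_dst)


def rule_matches(rule: AccessRule, pkt: Packet, real_dst: IPv4Address) -> bool:
    return (rule.proto == pkt.proto
            and IPv4Address(pkt.src) in IPv4Network(rule.src_net)
            and IPv4Address(rule.dst_host) == real_dst
            and rule.dport == pkt.dport)


def evaluate_inbound(pkt: Packet) -> Tuple[str, str]:
    """Fate of a packet arriving on the outside interface.

    Returns ("permit", <private destination>) or ("deny", <reason>).
    """
    real_dst = untranslate(IPv4Address(pkt.dst))
    if real_dst is None:
        return ("deny", "no static translation for destination")
    if not any(rule_matches(r, pkt, real_dst) for r in OUTSIDE_IN_RULES):
        return ("deny", "no matching access rule")
    return ("permit", str(real_dst))


def evaluate_outbound(pkt: Packet, ingress: str = "inside",
                      egress: str = "outside") -> Tuple[str, str]:
    """Fate of a packet from a higher-security interface to a lower one.

    Returns ("permit", <translated source address>) or ("deny", <reason>).
    """
    if SECURITY_LEVEL[ingress] <= SECURITY_LEVEL[egress]:
        return ("deny", "lower-to-higher traffic requires an access rule")
    if IPv4Address(pkt.src) not in NAT_RULE_HOSTS:
        return ("deny", "source does not match a NAT rule")
    pool = GLOBAL_POOL_200.get(egress)
    if pool is None:
        return ("deny", "no global pool with ID 200 on egress interface")
    if pool == "interface":
        return ("permit", str(OUTSIDE_INTERFACE_IP))
    return ("permit", str(pool[0]))


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "209.165.156.11", 80),
                Packet("198.51.100.7", "209.165.156.11", 22)):
        print(pkt, evaluate_inbound(pkt))
    print(evaluate_outbound(Packet("10.10.10.10", "198.51.100.7", 80)))
    print(evaluate_outbound(Packet("10.10.10.10", "30.30.30.30", 80), egress="dmz"))
```

The order of checks in evaluate_inbound is the point of the model: an Internet host can only reach a DMZ address that a static translation exposes, and even then only for the protocol and port the access rule names, which is why a connection to 209.165.156.11 on port 22 is dropped while port 80 is delivered to 30.30.30.30.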
Figure (site-to-site VPN): Site A, PIX security appliance 1 (inside 10.10.10.0, outside 1.1.1.1); Internet; PIX security appliance 2 (outside 2.2.2.2, inside 20.20.20.0), Site B.
Creating a VPN connection such as the one in the above illustration requires you to configure two security appliances, one on each side of the connection. ASDM provides an easy-to-use configuration wizard to guide you quickly through the process of configuring a site-to-site VPN in a few simple steps.
In the first VPN Wizard page, do the following:
a. Choose the Site-to-Site VPN option. The Site-to-Site VPN option connects two IPSec security gateways, which can include security appliances, VPN concentrators, or other devices that support site-to-site IPSec connectivity.
b. From the drop-down menu, choose outside as the enabled interface for the current VPN tunnel.
c. Click the Next button to continue.
radio button, and enter a pre-shared key, which is shared for IPSec negotiations between both security appliances. When you configure the PIX 2 at the remote site, the VPN peer is PIX 1. Be sure to enter the same Pre-shared Key (CisCo) that you use here.
To use digital certificates for authentication, click the Certificate radio button, and then choose a Trustpoint Name from the drop-down menu.
3. Click the Next button to continue.
To specify a local host or network to be allowed access to the IPSec tunnel, complete the following steps:
1. Click IP Address.
2. Specify whether the interface is inside or outside by choosing one of the interfaces from the drop-down menu.
3. Enter the IP address and mask.
4. Click Add.
5. Repeat steps 1 through 5 for each host or network that you want to have access to the tunnel.
6. Click the Next button to continue.
To specify a remote host or network to be allowed access to the IPSec tunnel, complete the following steps:
1. Click IP Address.
2. Specify whether the interface is inside or outside by choosing one location from the Interface drop-down menu.
3. Enter the IP address and mask.
4. Click Add.
5. Repeat steps 1 through 5 for each host or network that you want to have access to the tunnel.
6. Click the Next button to continue.
When configuring PIX 2, ensure that the values are correctly entered. The remote network for PIX 1 is the local network for PIX 2, and the reverse.
Note
When configuring PIX 2, enter the same values for each of the options that you selected for PIX 1. Encryption and algorithm mismatches are a common cause of VPN tunnel failures and can slow down the process.
What to Do Next
You have just configured the local security appliance. Now you need to configure the security appliance at the remote site. At the remote site, configure the second security appliance to serve as a VPN peer. Use the procedure you used to configure the local security appliance, starting at Step 1: Configure the PIX security appliance at the first site on page 19, and finishing with Step 7: View VPN Attributes and Complete Wizard on page 26. When configuring PIX 2, enter the exact same values for each of the options that you selected for PIX 1. Mismatches are a common cause of VPN configuration failures.
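The checks this section asks the operator to make by hand (same pre-shared key, same encryption and algorithm settings, each peer pointing at the other's outside address, and PIX 1's remote networks being PIX 2's local networks) can be mechanised before the second appliance is configured. The script below is an added example, not Cisco code or ASDM output. The outside addresses, the networks and the sample key come from the scenario; the /24 masks and the encryption, hash and Diffie-Hellman group values are assumptions for illustration.

```python
"""Consistency check for a pair of site-to-site VPN peer configurations.

Added example, not Cisco code or ASDM output.  It compares the settings the
wizard collects on both appliances and reports every mismatch, since the
text names mismatches as the common cause of tunnel failures.  Addresses and
the key come from the scenario; the masks, encryption, hash and DH group
values are assumed.
"""
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PeerConfig:
    name: str
    outside_ip: str
    peer_ip: str
    pre_shared_key: str
    ike: Dict[str, str] = field(default_factory=dict)    # phase 1 settings
    ipsec: Dict[str, str] = field(default_factory=dict)  # phase 2 settings
    local_networks: Tuple[str, ...] = ()
    remote_networks: Tuple[str, ...] = ()


def _nets(items: Tuple[str, ...]):
    return frozenset(IPv4Network(n) for n in items)


def check_site_to_site(a: PeerConfig, b: PeerConfig) -> List[str]:
    """Return the mismatches between two peers; an empty list means consistent."""
    problems: List[str] = []
    for left, right in ((a, b), (b, a)):
        if left.peer_ip != right.outside_ip:
            problems.append(f"{left.name} peer address {left.peer_ip} is not "
                            f"{right.name}'s outside address {right.outside_ip}")
        # The remote network of one peer must be the local network of the other.
        if _nets(left.remote_networks) != _nets(right.local_networks):
            problems.append(f"{left.name} remote networks differ from "
                            f"{right.name} local networks")
    if a.pre_shared_key != b.pre_shared_key:
        problems.append("pre-shared key differs between peers")
    for phase, left, right in (("IKE", a.ike, b.ike), ("IPsec", a.ipsec, b.ipsec)):
        for key in sorted(set(left) | set(right)):
            if left.get(key) != right.get(key):
                problems.append(f"{phase} {key} mismatch: "
                                f"{a.name}={left.get(key)} {b.name}={right.get(key)}")
    return problems


def scenario_peers() -> Tuple[PeerConfig, PeerConfig]:
    """PIX 1 at Site A and PIX 2 at Site B, entered as the text instructs."""
    ike = {"encryption": "3des", "hash": "sha", "dh_group": "2", "auth": "pre-share"}
    ipsec = {"encryption": "esp-3des", "hash": "esp-sha-hmac"}
    pix1 = PeerConfig("PIX 1", "1.1.1.1", "2.2.2.2", "CisCo", dict(ike), dict(ipsec),
                      local_networks=("10.10.10.0/24",), remote_networks=("20.20.20.0/24",))
    pix2 = PeerConfig("PIX 2", "2.2.2.2", "1.1.1.1", "CisCo", dict(ike), dict(ipsec),
                      local_networks=("20.20.20.0/24",), remote_networks=("10.10.10.0/24",))
    return pix1, pix2


def misconfigured_pix2() -> PeerConfig:
    """PIX 2 with two of the mistakes the text warns about: networks copied
    from PIX 1 instead of mirrored, and a different hash algorithm."""
    _, pix2 = scenario_peers()
    return replace(pix2, local_networks=("10.10.10.0/24",),
                   remote_networks=("20.20.20.0/24",),
                   ike={**pix2.ike, "hash": "md5"})


if __name__ == "__main__":
    pix1, pix2 = scenario_peers()
    print("consistent pair:", check_site_to_site(pix1, pix2))
    for problem in check_site_to_site(pix1, misconfigured_pix2()):
        print("mismatch:", problem)
```

Running the script prints an empty list for the mirrored pair and three mismatches for the copied-rather-than-mirrored PIX 2, which is the failure the text describes as common and slow to diagnose.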
Command and purpose (updating the activation key; the commands for the first and last rows did not survive extraction):
Purpose: Shows the software release, hardware configuration, license key, and related uptime data.
Command: activation-key activation-5-tuple-key
Purpose: Updates the encryption activation key by replacing the activation-4-tuple-key variable with the activation key obtained with your new license. The activation-5-tuple-key variable is a five-element hexadecimal string with one space between each element. An example is 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e. The 0x is optional; all values are assumed to be hexadecimal.
Command: pix(config)# exit
Purpose: Exits global configuration mode.
Purpose: Saves the configuration.
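The key format the table describes (hexadecimal elements, exactly one space between them, an optional 0x prefix) is easy to get wrong when a key is copied from a license e-mail into a terminal, so a small checker is worth having. The parser below is an added example, not Cisco code. Because the table names both a 4-tuple and a 5-tuple variable and prints a four-element key, the parser accepts either length; that the element count depends on the software release is an assumption, as is the eight-digit maximum per element. The key used in the checks is the one printed in the table, not a working license.

```python
"""Parser and validator for the activation key format the table describes.

Added example, not Cisco code.  Elements are hexadecimal, separated by one
space each, with the 0x prefix optional.  Four or five elements are accepted
(assumption: the count depends on the release); anything else is rejected.
"""
import re
from typing import List

# One element: optional 0x, then up to eight hex digits (a 32-bit value; the
# width is an assumption based on the example printed in the table).
ELEMENT_RE = re.compile(r"^(?:0x|0X)?[0-9a-fA-F]{1,8}$")
ALLOWED_LENGTHS = (4, 5)


def parse_activation_key(text: str) -> List[int]:
    """Split a key on single spaces and return its elements as integers.

    Raises ValueError for the wrong element count, a non-hexadecimal element,
    or anything other than exactly one space between elements.
    """
    elements = text.strip().split(" ")
    if len(elements) not in ALLOWED_LENGTHS:
        raise ValueError(f"expected {ALLOWED_LENGTHS} elements, got {len(elements)}")
    values = []
    for element in elements:
        if not ELEMENT_RE.match(element):
            raise ValueError(f"element {element!r} is not a hexadecimal value")
        values.append(int(element, 16))  # int() accepts the optional 0x prefix
    return values


def normalize_activation_key(text: str) -> str:
    """Canonical form: lowercase, 0x-prefixed, zero-padded to eight digits."""
    return " ".join(f"0x{value:08x}" for value in parse_activation_key(text))


def is_valid_activation_key(text: str) -> bool:
    try:
        parse_activation_key(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = "0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e"  # key printed in the table
    print(parse_activation_key(sample))
    print(normalize_activation_key("E02888DA 4ba7bed6 f1c123ae ffd8624e"))
    print(is_valid_activation_key("0xe02888da  0x4ba7bed6 0xf1c123ae 0xffd8624e"))
```

normalize_activation_key produces the form the table shows, which is the one to paste after the activation-key command; a double space or a stray non-hexadecimal character is reported before the key reaches the appliance.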
Command and purpose (restoring the factory default configuration; the commands for Steps 1 through 3 did not survive extraction):
Step 1
Purpose: Accesses privileged EXEC mode.
Step 2
Purpose: Enter password.
Step 3
Purpose: Accesses global configuration mode.
Step 4
Command: hostname(config)# configure factory-default [inside_ip_address [address_mask]]
Purpose: Erases the running configuration and replaces it with the factory default configuration. Entering the configure factory-default command erases the current running configuration. If the optional inside IP address and address mask are specified, the factory-default configuration reflects that.
Step 5
Command: hostname(config)# write memory
Purpose: Writes the factory default configuration to Flash memory.
Step 2 Connect the RJ-45 connector to the PIX 515E security appliance console port, and connect the other end to the serial port connector on your computer. (See Figure 4.)
Figure 4 Console port connection: console port (RJ-45), RJ-45 to DB-9 serial cable (null-modem), DB-9 PC terminal adapter (rear panel labels: FDX, FAILOVER, CONSOLE, PIX-515).
If your PIX 515E security appliance has a four-port Ethernet circuit board already installed, the Ethernet circuit boards are numbered as shown in Figure 5. The four-port Ethernet circuit board is required to access the PIX 515E security appliance unrestricted license.
Figure 5 Four-Port Ethernet Circuit Board (interface labels: Ethernet 0, Ethernet 1, Ethernet 2, Ethernet 3, Ethernet 4, Ethernet 5; rear panel labels: FDX, FDX, FAILOVER, CONSOLE, PIX-515)
If your PIX 515E security appliance has one or two single-port Ethernet circuit boards installed in the auxiliary assembly on the left of the unit at the rear, the circuit boards are numbered top to bottom so that the top circuit board is Ethernet 2 and the bottom circuit board is Ethernet 3.
Figure 6 Single-Port Ethernet Circuit Boards (interface labels: Ethernet 0, Ethernet 1, Ethernet 2, Ethernet 3; rear panel labels: FDX, FDX, FAILOVER, CONSOLE, PIX-515)
Note
If you need to install an optional circuit board, refer to the Installing a Circuit Board in the PIX 515E section in the Cisco PIX Security Appliance Hardware Installation Guide.
If you have a second PIX 515E security appliance to use as a failover unit, install the failover feature and cable as described in the Installing Failover section in the Cisco PIX Security Appliance Hardware Installation Guide.
Step 3 Connect the inside, outside, or perimeter network cables to the interface ports. Starting from the top left, the connectors are Ethernet 2, Ethernet 3, Ethernet 4, and Ethernet 5. The maximum number of allowed interfaces is six with an unrestricted license. Do not add a single-port circuit board in the extra slot below the four-port circuit board because the maximum number of allowed interfaces is six.
Step 4 Power on the unit from the switch at the rear to start the PIX 515E security appliance. Do not power on the failover units until the active unit is configured.
Table 1 Front Panel LEDs
LED: POWER. Color: Green. State: On. Description: On when the unit has power.
LED: ACT. Color: Green. State: On. Description: On when the unit is the active failover unit. If failover is present, the light is on when the unit is the active unit.
LED: ACT. Color: Green. State: Off. Description: Off when the unit is in standby mode. If failover is not enabled, this light is off.
LED: NETWORK. Color: Green. State and description not recovered from the page.
Figure 7 Rear panel (labels: LINK, FAILOVER LINK, 10/100 ETHERNET 0, 10/100 ETHERNET 1, USB, CONSOLE, PIX-515)
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation DVD
Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit. Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool: http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace: http://www.cisco.com/go/marketplace/
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool: http://www.cisco.com/en/US/partner/ordering/
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com. You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly. To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL: http://www.cisco.com/techsupport/contacts
Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL: http://www.cisco.com/packet
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL: http://www.cisco.com/go/iqmagazine
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj
World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.html
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark, Haarlerbergweg 13-19
1101 CH Amsterdam, The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
168 Robinson Road, #28-01 Capital Tower
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799
Cisco Systems has more than 200 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on the
78-16824-01 DOC-7816824=