Quick Start Guide
Page 1
Cisco PIX 515E Firewall

1 Check Items Included
2 Install the PIX 515E
3 Configure the PIX 515E
4 Example Configurations
5 Optional Maintenance and Upgrade Procedures
Page 2
About the Cisco PIX 515E Firewall

The Cisco PIX 515E delivers enterprise-class security for small-to-medium business and enterprise networks, in a modular, purpose-built appliance. It delivers up to 130 Mbps of 3DES and 256-bit AES VPN throughput ... to handle over 130,000 simultaneous sessions.

Hardware Features
• 433-MHz Intel Celeron processor
• 32-MB RAM with the restricted (R) license; 64-MB RAM with additional host capacity and failover capability

Software Features
• Internal DHCP server supports up to 256 address leases per interface
• ... (DMZ) support
Page 3
... NOT INSTALL INTERFACE CARDS WITH POWER APPLIED

[Figure: PIX 515E rear panel. Labels: 10/100 ETHERNET 0, 10/100 ETHERNET 1, 100 Mbps, Link, FDX, FAILOVER, CONSOLE]

• Blue console cable (72-1259-01)
• Yellow Ethernet cable (72-1482-01)
• Failover serial cable (74-1213-01)
• Power cable
• Rubber feet
• Mounting ...
Page 4
2 Install the PIX 515E

[Figure 97998: sample installation. Labels: DMZ server, Switch, DMZ, PIX 515E, Switch, Inside, Outside, Laptop computer, Printer, Personal computer, Router, Internet, Power cable]

Follow these steps to install the PIX 515E:

Step 1 Install the rubber feet ...
... Use the other yellow Ethernet cable (72-1482-01) ... hub.
... Power up the PIX 515E. The power switch ...

Note For additional hardware installation procedures, refer to the Cisco PIX Firewall Hardware Installation Guide.

The PIX 515E is also rack-mountable. For rack-mounting and failover instructions, refer to the Cisco PIX Firewall Hardware Installation Guide.
Page 5
The PIX 515E contains an integrated web-based configuration tool called the Cisco PIX Device Manager (PDM), ... for simplified initial configuration of your ... Refer to the Cisco PIX Device Manager Installation Guide ... that JavaScript and Java are enabled in your web browser.

... with a factory-default configuration that allows packets to flow through the PIX Firewall from the inside Ethernet 1 interface ...

... address out of the 192.168.1.0 network. (Valid addresses are 192.168.1.2 through 192.168.1.254 ... from the PIX 515E) or assign a static IP address to the outside interface.
Page 6
Step 4 To access ...
Step 5 Leave both the username and password boxes empty.
Step 6 Use PDM to set up your PIX 515E.

... below shows a sample network topology that is provided for two common PIX 515E configuration scenarios: hosting a web server on a private DMZ network ... and all clients on the inside network ... initiates HTTP communications with other ... the Internet. Substitute network addresses and apply additional policies ...

Because the DMZ server is located on the DMZ interface, ... as though it is on the public Internet; ... that are accessed by users on the DMZ interface ... are denied.
Page 7
[Figure 97999: example network. Labels: HTTP client, HTTP client, HTTP client, PIX 515E, Inside 10.10.10.0, 10.10.10.10, Outside 209.165.156.10, DMZ 30.30.30.0, Internet, Web server]

... IP pool (30.30.30.50-30.30.30.60) for the inside HTTP client to communicate with any device on the Internet.
Page 9
... one reserved for the DMZ server, ... all traffic initiated by the inside HTTP client exits the PIX 515E using the IP address of ...

... IP addresses for the DMZ interface ... to be routed to and from the inside client ...

Note You can also select PAT or PAT using the outside interface.

Select the ...
Page 10
When the new window comes up:
a. Select outside from the Interface drop-down menu.
b. Click the Port Address Translation (PAT) using the IP address of the interface radio button.
c. Assign the same Pool ID for this pool as in Step d above (200).
d. Click the OK button.

Once the pools are configured, confirm their values before applying the rules to the PIX 515E. Confirm the configurations:
a. Click the OK button.
b. Click the Apply button in the main window.
Page 11
... public IP addresses available to map into a single IP address on public networks ... Port Address Translation (PAT) is selected. This translation prevents the private address spaces ... and permits routing through the public networks.

To configure NAT between two PIX interfaces from the main PDM page:
a. Select the Translation Rules tab ...
Page 14
j. Check the displayed configuration for accuracy. The configurations should now indicate the interface PAT keywords and the Dynamic address pool should display as shown below:
k. Click the OK button.
l. Click the Apply button to configure the PIX Firewall. Click the Proceed button.

Repeat the steps to configure interface PAT between the inside and outside interface. The procedure remains the same, except the interface on which the translation is required is now the outside interface.
Page 17
Step 4 Provide HTTP Access to the DMZ Web Server

In addition to configuring address translations, you must configure the PIX 515E to allow the specific traffic types ... originating from the public networks. To configure access lists for HTTP traffic from any client on the Internet to the DMZ web server, complete the following:
a. Click the Configuration button at the top of the PDM window.
b. Select the Access rules tab.
c. In the table, right click and select Add.
Page 19
f. Select 255.255.255.255 ... from any host or ...
... in the window at the top and click the More options button.
... by the translation (30.30.30.30 = 209.165.156.11). This is permitted through the PIX 515E.
l. Click the Apply button ...

Note For additional features, such as system log messages ...
Page 20
The configurations should display as shown below: ... The HTTP clients on ...

... site-to-site VPN (Virtual Private Networking) features provided by the PIX 515E enable businesses to securely extend their networks across low-cost public Internet connections ... A VPN connection allows you to send data from one location to another over a secure connection, or "tunnel," by first strongly authenticating both ends of the ... The PIX 515E ... include a VPN Accelerator Card+ (VAC+), which provides significantly improved VPN throughput. ... VAC+ ... as an add-on ... for other PIX 515E models.
Page 21
The illustration below shows an example VPN tunnel between two PIX 515E, and will be referenced ...

[Figure 98000: Site A: Inside 10.10.10.0, PIX 1, Outside 1.1.1.1; Internet; Site B: Outside 2.2.2.2, PIX 2, Inside 20.20.20.0]

Use PDM to quickly guide you through the process of configuring a site-to-site VPN in five simple steps.

Step 1 Start the VPN Wizard

... In the main PDM page, select the VPN Wizard option from the drop-down menu. At the first VPN Wizard page, do the following steps to configure PIX 1: ... select the Site to Site VPN option. Click the Next button to continue.

Note The Site to Site VPN option connects ...
Page 22
c. Enter the Peer IP Address (PIX 2) and select an authentication key for IPSec negotiations between both PIX 515E units. ... certificates for authentication, check the Certificate radio button and the applicable option for the peer identity, FQDN (Fully Qualified Domain ...

Note To configure PIX 2, enter the IP address for PIX 1 (1.1.1.1) and the same Pre-shared Key (CisCo).
Page 24
a. Select the Encryption (DES/3DES/AES), Authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the PIX 515E during an IKE security association. Confirm all values before moving to the next window.

Note When configuring ... failures and can slow down the process.
Page 25
2. Configure the IPSec parameters.
a. In the second window, select the Encryption algorithm (DES/3DES/AES) and Authentication algorithm (MD5/SHA).
b. Confirm all values before continuing to the next window. Click the Next button to continue.

Note When configuring PIX 2, enter the exact same values for the options that you selected for each of ... for PIX 1. Encryption and algorithm mismatches are a common cause of VPN tunnel failures and can slow down the process.
Page 26
Step 4 Configure Internal Traffic

This step is comprised of two windows:
1. ... Select network traffic on the local PIX 515E encrypted through the VPN tunnel.
a. Select the Local Host/Network based on the IP Address, Name, or Group. Add or remove networks dynamically from the selected panel by clicking on the >> or ...

Note Use the Browse button to select from preconfigured groups.
Page 27
2. In the second window, select VPN traffic ... encrypted from the remote PIX Firewall.
a. Select traffic permitted ... The remote network ... for remote network configuration. For PIX 1, the remote network is Network B (20.20.20.0) so traffic ... for PIX 1 is permitted through the tunnel.
b. Click the Finish button to complete the configuration.

Note When configuring PIX 2, ensure that the values are correctly entered. The remote network from this tunnel is the local network for PIX 2 and vice versa.