Quick Start Guide
Page 1
Quick Start Guide: Cisco PIX 515E Firewall

1 Check Items Included
2 Install the PIX 515E
3 Configure the PIX 515E
4 Example Configurations
5 Optional Maintenance and Upgrade Procedures
Page 5
... Refer to ... for configuring the PIX 515E. ... solid green. The PIX 515E contains an integrated web-based configuration tool called the Cisco PIX Device Manager (PDM), that is designed to help you set up the PIX 515E. With just a few steps, the PDM Startup Wizard enables you to ... PDM is preinstalled on the PIX 515E. If you have not already ... Ethernet 1 interface ... Ethernet cable. To access PDM, make sure that JavaScript and Java are enabled in your PC ... by selecting an address ... For more information on the operating system and web browser environments supported by PDM, refer to the Cisco PIX Device Manager Installation Guide.
Page 6
4 Example Configurations
The following section provides configuration examples for two common PIX 515E configuration scenarios: hosting a web server on the DMZ interface ... and a site-to-site VPN connection with ... Use these examples to quickly configure the PIX 515E ... to set up your network. ... There are ... able to ... the range of the Startup Wizard window.
... the DMZ web server ... on the public Internet, while protecting private network resources that are accessed by users on a private DMZ network. By default ... denied. HTTP access to the DMZ web server ... is necessary to translate its private IP address to ...
Page 7
... easily to define an IP pool (30.30.30.50-30.30.30.60) for the DMZ interface. Click the Configuration button at the top of the PDM window.
Figure: DMZ web server scenario (labels as extracted: HTTP client; PIX 515E; Inside 10.10.10.0; Outside 209.165.156.10; 10.10.10.10; DMZ 30.30.30.0; Internet; HTTP client).
Page 8
a. Select the Translation Rules tab.
b. Click the Manage Pools button and a new window appears, allowing you to add or edit global address pools.
c. In the Manage Global Address Pools window, select the dmz interface.
d. Click the Add button.
In the Add Global Pool Item window:
a. Select dmz from the Interface drop-down menu.
Note For most configurations, global pools are added to the less secure, or public, interfaces.
Page 10
When the new window comes up:
a. Select outside from the Interface drop-down menu.
b. Assign the same Pool ID for this pool as in Step d above (200).
c. Click the Port Address Translation (PAT) using the IP address of the interface radio button.
d. Click the OK button.
Confirm the configurations:
a. Once the pools are configured, confirm their values before applying the rules to the PIX 515E. Click the OK button.
b. Click the Apply button in the main window.
Page 11
Step 2 Configure Address Translations on Private Networks
Network Address Translation (NAT) replaces the source IP addresses of network traffic traversing between the inside and ... PAT is an extension of the NAT function that allows several hosts on the private networks to ... them. To configure NAT between two PIX interfaces: Select the Translation Rules tab. ...
Page 14
j. Click the OK button.
k. Check the displayed configuration for accuracy. The configurations should now indicate the interface PAT keywords. Click the Proceed button.
l. Click the Apply button to configure the PIX Firewall.
Repeat the steps to configure interface PAT between the inside and outside interface. The procedure remains the same, except the interface on which the translation is required is now the outside interface, and the Dynamic address pool should display as shown below:
Page 15
Step 3 Configure External Identity for the DMZ Web Server
This configuration requires translating the DMZ server IP address so that the DMZ server is accessible ... to a public IP address (209.165.156...). Complete the following steps to map the DMZ IP address (30.30.30.30) statically ...
Right click in the gray area ....
d. Click the Static radio button.
... easily by clicking on the Browse button.
Select 255.255.255.255 from the drop-down menu.
f. The Advanced button allows you to configure features such as limiting the number of ... the firewall.
i. ... you entered.
Page 17
Step 4 Provide HTTP Access to the DMZ Web Server
In addition to configuring address translations, you must configure the PIX 515E to allow the specific traffic types from any client on the Internet to the DMZ web server. To configure access lists for HTTP traffic originating from the public networks, complete the following:
a. Click the Configuration button at the top of the PDM window.
b. Select the Access Rules tab.
c. In the table, right click and select Add.
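The four PDM steps of the DMZ web server scenario (global pool on dmz, interface PAT on outside, static translation for the server, HTTP access rule) map onto the PIX 6.x CLI shown below, which is what PDM's Preview Commands would display before sending. This is an added example, not configuration from the original guide: the interface addresses and masks, the pool ID 200 and the server's public address 209.165.156.20 (the guide's own value is truncated) are assumptions for illustration.

```cisco
! Added example, not from the guide. Interface addresses/masks, pool ID 200
! and the web server's public address 209.165.156.20 are assumed values.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 209.165.156.10 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip address dmz 30.30.30.1 255.255.255.0
!
! Steps 1-2: dynamic translation. Inside hosts reaching the DMZ are translated
! out of the 30.30.30.50-60 pool; inside and DMZ hosts reaching the Internet
! share the outside interface address (interface PAT). The same ID (200) on
! nat and global ties the rules together.
global (dmz) 200 30.30.30.50-30.30.30.60 netmask 255.255.255.0
global (outside) 200 interface
nat (inside) 200 10.10.10.0 255.255.255.0 0 0
nat (dmz) 200 30.30.30.0 255.255.255.0 0 0
!
! Step 3: fixed external identity for the web server. A static entry takes
! precedence over the dynamic pool and is what makes inbound reachability
! possible at all.
static (dmz,outside) 209.165.156.20 30.30.30.30 netmask 255.255.255.255 0 0
!
! Step 4: traffic from a lower-security interface (outside) to a higher one
! (dmz) is denied until an access-list permits it. Permit only TCP/80 to the
! server's public address; everything else hits the implicit deny.
access-list outside_access_in permit tcp any host 209.165.156.20 eq www
access-group outside_access_in in interface outside
!
! Check before trusting it:
!   show xlate         -- static and dynamic translations currently in use
!   show access-list   -- hit counts per entry while a client connects
```

The access-list is written against the translated (public) address because on PIX 6.x the inbound rule is evaluated before the static un-translates the destination; writing it against 30.30.30.30 would silently match nothing.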
Page 20
... clients on the private and public networks ... can purchase a VAC+ as an add-on for other PIX 515E models.
Site-to-Site VPN Configuration
Site-to-site VPN (Virtual Private Networking) features provided by the PIX 515E enable businesses to securely extend their networks across low-cost public Internet connections ... to another over a secure ...
Page 21
... Note The Site to Site VPN option connects two IPSec security gateways, which can include PIX Firewalls, VPN concentrators, or other devices that ... site-to-site IPSec connectivity. PDM provides an easy-to-use VPN Wizard that can quickly guide you through the process of configuring a site-to-site ... in five simple steps. ... shows an example VPN tunnel between two PIX 515E, and will be referenced ...
Figure: Site A (Inside 10.10.10.0, PIX 1, Outside 1.1.1.1); Internet; Site B (PIX 2, Outside 2.2.2.2, Inside 20.20.20.0).
Step 1 Start the VPN Wizard
Use PDM to configure PIX 1.
b. ... Wizards ...
c. Select outside from the ...
Page 22
... Enter the Peer IP Address (PIX 2) and select an authentication key (for example, "CisCo") for IPSec negotiations between both PIX 515E units. If the peer identity is shared ... which is its FQDN, enter the exact name in the text field. Note To configure PIX 2, enter the IP ... applicable option for PIX 1 (1.1.1.1) and the same Pre-shared Key (CisCo).
Page 24
Step 3 Configure the IKE Policy
This step ... group (1/2/5) used by the PIX 515E during an IKE security association.
a. In most cases, the default values are ... Mismatches are a common cause of VPN tunnel failures and can slow down the process. Confirm all values before moving to the next window.
b. Click the Next button to continue.
Page 25
2. Configure the IPSec parameters. In the second window, select the Encryption algorithm (DES/3DES/AES) and Authentication algorithm (MD5/SHA). Of the offered choices, DES and MD5 are no longer considered secure; choose AES with SHA unless a legacy peer cannot negotiate them.
a. Encryption and authentication algorithm mismatches are a common cause of VPN tunnel failures and can slow down the process. Confirm all values before continuing.
b. Click the Next button to continue to the next window.
Note When configuring PIX 2, enter the exact same values for each of the options that you selected for PIX 1.
Page 26
Step 4 Configure Internal Traffic
This step is comprised of two windows:
1. Select the Local Host/Network ...
a. Select the network traffic on the local PIX 515E to be encrypted through the VPN tunnel.
Note Use the Browse button to select ... based on the IP Address, Name, or Group. Add or remove networks dynamically from the selected panel by clicking on the >> or ... preconfigured groups.
Page 27
2. In the second window, select ... VPN traffic ... for remote network configuration. Select the traffic permitted from this tunnel ...
a. For PIX 1, the remote network is Network B (20.20.20.0), so traffic encrypted from the remote PIX Firewall is permitted through the tunnel.
b. Click the Finish button to complete the configuration.
Note When configuring PIX 2, ensure that the values are correctly entered. The remote network for PIX 1 is the local network for PIX 2 and vice versa.
Page 28
... of the options that you ... you will see this page: ...
To enable preview commands:
a. Select Preferences and check the Preview commands ... firewall box.
b. Click the Send button ...
Check the configuration ... entered correctly. Mismatches are ... of VPN configuration failures. When configuring PIX 2, enter the exact same values for each ... -site VPN communication with PIX 2.
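The five VPN Wizard steps (peer and pre-shared key, IKE policy, IPSec parameters, local and remote networks, send) produce a command set like the one below on PIX 1; with Preview Commands enabled this is what PDM shows before sending. This is an added example and not the guide's own output: the inside interface addresses, the access-list number and the crypto map name are assumptions, and the algorithm choices (AES, SHA, Diffie-Hellman group 5) are the strongest of the options the wizard offers. "CisCo" is kept only because it is the guide's example key.

```cisco
! Added example, not from the guide: PIX 6.3 CLI for PIX 1 (Site A).
! Inside addresses, ACL number 101 and map name VPNMAP are assumed.
ip address outside 1.1.1.1 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
!
! Step 4: interesting traffic (local 10.10.10.0 to remote 20.20.20.0).
! The same ACL in "nat 0" exempts it from translation so private addresses
! travel inside the tunnel unchanged.
access-list 101 permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (inside) 0 access-list 101
!
! Step 2: peer and pre-shared key. "CisCo" is the guide's example value;
! use a long random secret in practice. Binding the key to the peer address
! means no other source can authenticate with it.
isakmp enable outside
isakmp identity address
isakmp key CisCo address 2.2.2.2 netmask 255.255.255.255
!
! Step 3, first window: IKE (phase 1) policy. Every value must match PIX 2
! exactly or phase 1 never completes and the tunnel never comes up.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
!
! Step 3, second window: IPSec (phase 2) transform set.
crypto ipsec transform-set SITEB esp-aes esp-sha-hmac
!
! Tie peer, traffic selector and transform set together on outside.
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address 101
crypto map VPNMAP 10 set peer 2.2.2.2
crypto map VPNMAP 10 set transform-set SITEB
crypto map VPNMAP interface outside
!
! Let decrypted tunnel traffic bypass the outside access-list.
sysopt connection permit-ipsec
!
! PIX 2 (Site B) is the mirror image; only these lines differ:
!   ip address outside 2.2.2.2 255.255.255.0
!   ip address inside 20.20.20.1 255.255.255.0
!   access-list 101 permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
!   isakmp key CisCo address 1.1.1.1 netmask 255.255.255.255
!   crypto map VPNMAP 10 set peer 1.1.1.1
!
! Verify from either side after sending traffic across:
!   show crypto isakmp sa   -- phase 1 state (QM_IDLE means established)
!   show crypto ipsec sa    -- encrypt/decrypt counters per selector
```

If phase 1 shows MM_NO_STATE or never appears, compare the isakmp policy lines on both units first; a single differing hash, group or encryption value is the mismatch the guide warns about. If phase 1 is up but counters stay at zero, the access-list 101 selectors are not mirror images of each other.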
Page 29
...-Site VPNs with other Cisco Products
For information on configuring VPN between a PIX 515E and other products such as a Cisco router that runs Cisco IOS software, and Cisco VPN 3000 Concentrators, go to the following links:
http://www.cisco.com/warp/customer/471/pix_router_dyn.html
http://www.cisco.com/warp/public/471/ALTIGA_pix.html
http://www.cisco.com/warp/public...