Getting Started Guide
Page 1
Cisco PIX 515E Security Appliance Getting Started Guide Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7817654= Text Part Number: 78-17645-01
Page 2
... California, Berkeley (UCB) as part of UCB's public domain version of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R) Cisco PIX 515E Security Appliance Getting Started Guide © 2006 Cisco Systems, Inc. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH...
Page 3
CONTENTS CHAPTER 1 Installing and Setting Up the PIX 515E Security Appliance 1-1 Verifying the Package Contents 1-2 Installing the PIX 515E Security Appliance 1-3 Front and Back Panel Components 1-4 Setting Up the Security Appliance 1-5 About the Factory-Default Configuration 1-6 About the Adaptive Security Device Manager 1-6 Using the Startup Wizard 1-7 Before Launching the Startup Wizard 1-7 Running the Startup Wizard 1-8 What to Do Next 1-9 Scenario...
Page 4
...VPN Network Topology 3-1 Implementing the IPsec Remote-Access VPN Scenario 3-2 Information to Have Available 3-3 Starting ASDM 3-3 Configuring the PIX 515E for an IPsec Remote-Access VPN 3-5 Selecting VPN Client Types 3-6 Specifying the VPN Tunnel Group Name and Authentication Method ... Starting ASDM 4-3 Configuring the Security Appliance at the Local Site 4-4 Providing Information About the Remote VPN Peer 4-6 Configuring the IKE Policy 4-7 Configuring IPsec Encryption and Authentication Parameters 4-9 Specifying Hosts and Networks 4-10 PIX 515E Security Appliance Getting Started Guide iv 78-...
Page 5
Contents Viewing VPN Attributes and Completing the Wizard 4-11 Configuring the Other Side of the VPN Connection 4-13 What to Do Next 4-13 APPENDIX A Obtaining a DES License or a 3DES-AES License A-1 78-17645-01 PIX 515E Security Appliance Getting Started Guide v
Page 6
Contents PIX 515E Security Appliance Getting Started Guide vi 78-17645-01
Page 7
CHAPTER 1 Installing and Setting Up the PIX 515E Security Appliance This chapter describes how to install and perform the initial configuration of the security appliance. This chapter includes the following sections: • Verifying the Package Contents, page 1-2 • Installing the PIX 515E Security Appliance, page 1-3 • Front and Back Panel Components, page 1-4 • Setting Up the Security Appliance, page 1-5 • What to Do Next, page 1-9 78-17645-01 PIX 515E Security Appliance Getting Started Guide 1-1
Page 8
... 1-1, to ensure that you have received all items necessary to install your PIX 515E security appliance. Verifying the Package Contents Chapter 1 Installing and Setting Up the PIX 515E Security Appliance Verifying the Package Contents Verify the contents of PIX 515E Package PC terminal adapter (74-0495-01) PIX-515E DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED 100 Mbps Link FDX 100...
Page 9
...to the chassis with the supplied screws. b. Chapter 1 Installing and Setting Up the PIX 515E Security Appliance Installing the PIX 515E Security Appliance Installing the PIX 515E Security Appliance This section describes how to install your PIX 515E security appliance into your own network, which might resemble the example network in a rack by ...performing the following steps: a. Use one end of the power cable to the rear of the PIX 515E security appliance and the other provided yellow Ethernet cable to connect the inside 10/100 Ethernet interface, Ethernet 1, to the equipment...
Page 10
...panel of a failover pair, the light is on when the unit is the active unit. On If part of the PIX 515E Security Appliance. Figure 1-4 illustrates the back panel components. PIX 515E Security Appliance Getting Started Guide 1-4 78-17645-01 The power switch is located at least one network interface is in standby mode. Flashing ... a failover pair, the light is off when the unit is passing traffic. Front and Back Panel Components Chapter 1 Installing and Setting Up the PIX 515E Security Appliance Step 5 Power up the PIX 515E security appliance. Off If part of the chassis.
Page 11
... "Obtaining a DES License or a 3DES-AES License." Chapter 1 Installing and Setting Up the PIX 515E Security Appliance Setting Up the Security Appliance Figure 1-4 PIX 515E Security Appliance Back Panel Setting Up the Security Appliance This section describes the initial configuration of the security appliance. However, the procedures in this chapter refer to the method using either the browser-based Cisco Adaptive Security Device Manager (ASDM) or...
Page 12
... and use ASDM to the appliance. About the Adaptive Security Device Manager PIX 515E Security Appliance Getting Started Guide 1-6 78-17645-01 By default, the security appliance management interface is configured with a factory-default configuration that enables quick startup. Setting Up the Security Appliance Chapter 1 Installing and Setting Up the PIX 515E Security Appliance About the Factory-Default Configuration Cisco security appliances are shipped with a default DHCP...
Page 13
... or a 3DES-AES license. Enable Java and JavaScript in your security appliance. Chapter 1 Installing and Setting Up the PIX 515E Security Appliance Setting Up the Security Appliance The Adaptive Security Device Manager (ASDM) is a feature-rich graphical interface that enables...security appliance, see the Cisco Security Appliance Command Line Configuration Guide and the Cisco Security Appliance Command Reference. In addition to the ASDM web configuration tool, you to configure the security appliance so that it allows packets to simplify the initial configuration of the security appliance...
Page 14
... address from the PIX 515E). On the PC connected to identify the security appliance on the rear panel of your browser and the security appliance. In the address field of the PIX 515E. Remember to the inside port of 192.168.1.1. This IP address is assigned to add the "s" in "https" or the connection fails. b. PIX 515E Security Appliance Getting Started Guide...
Page 15
... the security appliance for remote-access VPN Configure the security appliance for Site-to-Site VPN Configuration" PIX 515E Security Appliance Getting Started Guide 1-9 Chapter 2, "Scenario: DMZ Configuration" Chapter 3, "Scenario: IPsec Remote-Access VPN Configuration" Chapter 4, "Scenario: Site-to-Site VPN See ... From the Wizards menu, choose Startup Wizard. For information about the icmp command, see the Cisco Security Appliance Command...
Page 16
What to Do Next Chapter 1 Installing and Setting Up the PIX 515E Security Appliance 1-10 PIX 515E Security Appliance Getting Started Guide 78-17645-01
Page 17
CHAPTER 2 Scenario: DMZ Configuration This chapter describes a configuration scenario in which the security appliance is a separate network located in the neutral zone between a private (inside) network and a public (outside) ... includes the following sections: • Example DMZ Network Topology, page 2-1 • Configuring the Security Appliance for a DMZ Deployment, page 2-4 • What to protect network resources located in Figure 2-1 is typical of most DMZ implementations of the security appliance. 78-17645-01 PIX 515E Security Appliance Getting Started Guide 2-1
Page 18
...2-2 shows the outgoing traffic flow of HTTP requests from the private network to both the DMZ web server and to the DMZ web server; PIX 515E Security Appliance Getting Started Guide 2-2 78-17645-01 all other traffic is denied. • The network has two routable IP addresses that are publicly available:... address: 209.165.200.226 This example scenario has the following characteristics: • The web server is on the DMZ interface of the security appliance. • HTTP clients on the private network can access the web server in the DMZ and can also communicate with devices on the Internet...
Page 19
Figure 2-3 shows HTTP requests originating from the Internet and destined for the public IP address of the DMZ web server. PIX 515E Security Appliance Getting Started Guide 2-3 Outgoing traffic appears to an address from an IP pool. For traffic destined for the DMZ web .... For traffic destined for the Internet, private IP addresses are not visible to the public IP address of the security appliance. To permit the traffic through, the security appliance configuration includes the following: • Access control rules permitting traffic destined for the DMZ web server and for devices...
Page 20
...Server Public IP address: 209.165.200.226 To permit incoming traffic to access the DMZ web server, the security appliance configuration includes the following: • An address translation rule translating the public IP address of the DMZ web...server. PIX 515E Security Appliance Getting Started Guide 2-4 78-17645-01 Configuring the Security Appliance for a DMZ Deployment Chapter 2 Scenario: DMZ Configuration Figure 2-3 Incoming HTTP Traffic Flow From the Internet Security Appliance 2 Incoming request 1 HTTP request destined for public sent to configure the security appliance for the...