Quick Start Guide
Page 2
...highly resilient network security services via award-winning stateful failover on certain PIX 515E models 2 Hardware Features Software Features • 433-MHz Intel Celeron processor • 32-MB RAM with the restricted (R) license; 64-MB RAM with the unrestricted (UR) and ...Up to handle over 130,000 simultaneous sessions. 99550 About the Cisco PIX 515E Firewall The Cisco PIX 515E delivers enterprise-class security for businesses requiring a cost-effective, resilient security solution with demilitarized zone (DMZ) support. Its versatile one-rack unit (1RU) design supports up...
Quick Start Guide
Page 4
... yellow Ethernet cable (72-1482-01) provided to connect the outside 10/100 Ethernet interface, Ethernet 0, to the Cisco PIX Firewall Hardware Installation Guide. Power up the PIX 515E. The power switch is also rack-mountable. 2 Install the PIX 515E DMZ server Switch DMZ PIX 515E Switch Inside Outside Laptop computer Printer Personal computer Follow these steps to install the...
Quick Start Guide
Page 6
... The following section provides configuration examples for all other business partners or remote offices. Because the DMZ server is provided for two common PIX 515E configuration scenarios: hosting a web server on the DMZ interface are able to access the web server securely. Step 4 To access the Startup Wizard,... use the PC connected to the switch or hub and enter the URL https://192.168.1.1/startup.html into your browser and the PIX 515E. A DMZ allows you to a public (routable) IP address. HTTPS (HTTP over SSL) provides a secure connection between 30.30.30.50-30...
Quick Start Guide
Page 7
...30.30.30.50-30.30.30.60) for the DMZ interface. Click the Configuration button at the top of the PDM window. 7 Launch PDM. HTTP client PIX 515E Inside 10.10.10.0 Outside 209.165.156.10 10....10.10.10 DMZ 30.30.30.0 Internet HTTP client HTTP client 97999 Web server 30.30...for the inside HTTP client (10.10.10.10) to access the web server on the DMZ network (30.30.30.30), it is necessary to facilitate secure communications between protected network clients and devices ...
Quick Start Guide
Page 9
... (in the two fields. Click the OK button to go back to and from the inside HTTP client exits the PIX 515E using the IP address of IP addresses for the DMZ interface. Select the outside interface IP address. Click the Add button. 9 b. This allows traffic from the Internet. ...In the Manage Global Address Pools window: a. Because there are limited IP addresses available for the DMZ interface is 30.30.30.50- 30.30.30.60, enter these values in this case, enter 200). b. d. Because the range of the ...
Quick Start Guide
Page 11
...the NAT function that allows several hosts on the private networks to them. Port Address Translation (PAT) is selected. 11 To configure NAT between two PIX interfaces. This translation prevents the private address spaces from the main PDM page: a. PAT is essential for the inside and the... DMZ interfaces for small and medium businesses that the Translation Rules radio button is an extension of network traffic traversing between the inside HTTP client, ...
Quick Start Guide
Page 17
To configure access lists for HTTP traffic originating from any client on the Internet to allow the specific traffic types from the public networks. c. Click the Configuration button at the top of the PDM window. Select the Access rules tab. In the table, right click and select Add. 17 b. Step 4 Provide HTTP Access to the DMZ Web Server In addition to configuring address translations, you must configure the PIX 515E to the DMZ web server, complete the following: a.
Quick Start Guide
Page 19
...IP address box. This is the private address of traffic that you can provide a name for 209.165.156.11 is permitted through the PIX 515E. p. Scroll through the options, and select Any. o. e. Select "=" (equal to ) from any host on the respective Browse buttons.... Check the various fields for any host or network). k. l. Select dmz from the Mask drop-down menu. h. Click the OK button. Under Destination Host/Network, click the IP Address radio button. d. i. Click the ...
Quick Start Guide
Page 20
... public networks can purchase a VAC+ as an add-on for other PIX 515E models. 20 Some models of the connection, and then automatically encrypting all data sent between the two locations. You can now securely access the DMZ web server. A VPN connection allows you to send data from one... location to business partners and remote offices worldwide. Site-to-Site VPN Configuration Site-to-site VPN (Virtual Private Networking) features provided by the PIX 515E enable businesses to securely extend their...
Getting Started Guide
Page 3
... Inside Clients to Communicate with the DMZ Web Server 2-12 Configuring NAT for Inside Clients to Communicate with Devices on the Internet 2-15 Configuring an External Identity for the DMZ Web Server 2-16 Providing Public HTTP Access to the DMZ Web Server 2-18 What to Do Next 2-24 PIX 515E Security Appliance Getting Started Guide...
Getting Started Guide
Page 9
...to a DSL modem, cable modem, router, or switch. Chapter 1 Installing and Setting Up the PIX 515E Security Appliance Installing the PIX 515E Security Appliance Installing the PIX 515E Security Appliance This section describes how to a switch or hub. Attach the chassis to the chassis... 10/100 Ethernet interface, Ethernet 0, to a power outlet. 78-17645-01 PIX 515E Security Appliance Getting Started Guide 1-3 b. Figure 1-2 Sample Network Layout DMZ server Switch DMZ PIX 515E Switch Inside Outside Laptop computer Printer Personal computer Router Internet Power cable 97998 To...
Getting Started Guide
Page 15
.... Press Enter. Click Yes to -Site VPN Configuration" PIX 515E Security Appliance Getting Started Guide 1-9 From the Wizards menu, choose Startup Wizard. Chapter 2, "Scenario: DMZ Configuration" Chapter 3, "Scenario: IPsec Remote-Access VPN Configuration..." Chapter 4, "Scenario: Site-to accept the certificates. In the dialog box that requires you to choose the method you should also consider configuring the security appliance to -Site VPN See ... For information about the icmp command, see the Cisco...
Getting Started Guide
Page 17
... Topology, page 2-1 • Configuring the Security Appliance for a DMZ Deployment, page 2-4 • What to protect network resources located in a demilitarized zone (DMZ). CHAPTER 2 Scenario: DMZ Configuration This chapter describes a configuration scenario in which the security appliance is typical of most DMZ implementations of the security appliance. 78-17645-01 PIX 515E Security Appliance Getting Started Guide 2-1
Getting Started Guide
Page 18
... traffic is on the Internet are publicly available: one for the outside interface of the security appliance (209.165.200.225), and one for DMZ Configuration Scenario HTTP client Security Appliance inside interface 10.10.10.0 (private address) outside interface 209.165.200.225 (public address) 10.10...132064 DMZ Web Private IP address: 10.30.30.30 Server Public IP address: 209.165.200.226 This example scenario has the following characteristics: • The web server is denied. • The network has two routable IP addresses that are permitted HTTP access to the Internet. PIX 515E ...
Getting Started Guide
Page 19
.... For traffic destined for devices on the Internet. Outgoing traffic appears to the public IP address of the security appliance. PIX 515E Security Appliance Getting Started Guide 2-3 Chapter 2 Scenario: DMZ Configuration Example DMZ Network Topology Figure 2-2 Outgoing HTTP Traffic Flow from the Private Network HTTP client Security Appliance Internal IP address translated to address...
Getting Started Guide
Page 20
... incoming traffic to access the DMZ web server, the security appliance configuration includes the following: • An address translation rule translating the public IP address of the DMZ web server to the private IP address of DMZ web server. PIX 515E Security Appliance Getting Started Guide ...2-4 78-17645-01 Configuring the Security Appliance for a DMZ Deployment This section describes how to use ASDM to configure...
Getting Started Guide
Page 21
...for Network Address Translation, page 2-7 • Configuring NAT for Inside Clients to Communicate with the DMZ Web Server, page 2-12 • Configuring an External Identity for the DMZ Web Server, page 2-16 • Providing Public HTTP Access to perform each step. To accomplish ... can be used as the source address. 78-17645-01 PIX 515E Security Appliance Getting Started Guide 2-5 Chapter 2 Scenario: DMZ Configuration Configuring the Security Appliance for a DMZ Deployment This configuration procedure assumes that the DMZ interface security level is set between 0 and 100. (A ...
Getting Started Guide
Page 22
...rule translates the real IP address of the DMZ web server to the external IP address of the security appliance. Starting ASDM To run ASDM in a web browser, enter the factory-default IP address in "https" or the connection fails. PIX 515E Security Appliance Getting Started Guide 2-6 78-17645...-01 Addresses from this subnet are translated to the public address of the security appliance (209.165.200.225). • For external clients to have HTTP access to the DMZ web server, you must configure...
Getting Started Guide
Page 23
... Configuring the Security Appliance for a DMZ Deployment Creating IP Pools for address translation. This procedure describes how to prevent internal IP addresses from being exposed externally. A single IP pool can contain ... for Network Address Translation The security appliance uses Network Address Translation (NAT) and Port Address Translation (PAT) to create a pool of IP addresses that the DMZ interface and outside interface can contain entries for more than one interface. 78-17645-01 PIX 515E Security Appliance Getting Started Guide 2-7
Getting Started Guide
Page 24
... Add Global Address Pool dialog box appears. a. The NAT Configuration screen appears. b. Configuring the Security Appliance for a DMZ Deployment Chapter 2 Scenario: DMZ Configuration To configure a pool of IP addresses that can be used for the DMZ interface. In the Features pane, click NAT. Click Add to the less secure, or public, interfaces. In...are added to create a new global pool for network address translation, perform the following steps: Step 1 In the ASDM window, click the Configuration tool. PIX 515E Security Appliance Getting Started Guide 2-8 78-17645-01