About the Cisco PIX 515E Firewall
The Cisco PIX 515E delivers enterprise-class security for small-to-medium business and enterprise networks, in a modular, purpose-built appliance. Its versatile one-rack unit (1RU) design supports up to 6 10/100 Fast Ethernet interfaces, making it an excellent choice for businesses requiring a cost-effective, resilient security solution with demilitarized zone (DMZ) support.
Check Items Included
[Figure: PIX 515E front panel, showing the 100 Mbps and Link LEDs, the Failover link, the 10/100 Ethernet 1 and Ethernet 0 ports and the Console port; the failover serial cable is labelled 700-01170-02 AO SSI-3]
• Blue console cable (72-1259-01)
• PC terminal adapter (74-0495-01)
• Yellow Ethernet cable (72-1482-01)
• Mounting brackets
• Failover serial cable (74-1213-01)
• 4 cap screws...
Step 1 Note: The chassis is also rack-mountable. For rack-mounting and failover instructions, refer to the Cisco PIX Firewall Hardware Installation Guide.
Step 2 Use the yellow Ethernet cable (72-1482-01) provided to connect the outside 10/100 Ethernet interface, Ethernet 0, to a DSL modem, cable modem, or switch.
Reference. The PIX 515E contains an integrated web-based configuration tool called the Cisco PIX Device Manager (PDM), which is designed to help you set up the PIX Firewall. PDM is preinstalled on the PIX 515E. To access PDM, make sure that JavaScript and Java are enabled in your web browser.
Step 4 To access the Startup Wizard, use the PC connected to the switch or hub and enter the URL https://192.168.1.1/startup.html into your Internet browser. Remember to add the “s” in “https” or the connection fails.
Note: HTTPS (HTTP over SSL) provides a secure connection between your browser and the PIX 515E.
[Figure: Example topology. Inside network 10.10.10.0 with an HTTP client at 10.10.10.10; DMZ network 30.30.30.0 with the web server at 30.30.30.30; outside 209.165.156.10 toward the Internet and its HTTP clients]
Step 1 Manage IP Pools for Network Translations
For an inside HTTP client (10.10.10.10) to access the web server on the DMZ network (30.30.30.30), it is necessary to define an IP pool (30.30.30.50–30.30.30.60) for the DMZ interface.
c. Select the Translation Rules tab.
d. Click the Manage Pools button and a new window appears, allowing you to add or edit global address pools.
Note: For most configurations, global pools are added to the less secure, or public, interfaces.
In the Manage Global Address Pools window:
a.
b. Click the Range radio button to enter the IP address range.
c. Because the range of IP addresses for the DMZ interface is 30.30.30.50–30.30.30.60, enter these values in the two fields.
d. Enter a unique Pool ID (in this case, enter 200).
e.
When the new window comes up:
a. Select outside from the Interface drop-down menu.
b. Click the Port Address Translation (PAT) using the IP address of the interface radio button.
c. Assign the same Pool ID for this pool as in Step d above (200).
d.
Step 2 Configure Address Translations on Private Networks
Network Address Translation (NAT) replaces the source IP addresses of network traffic traversing between two PIX interfaces. This translation prevents the private address spaces from being exposed on public networks and permits routing through the public networks. Port Address Translation (PAT) is an extension of the NAT function that allows several hosts on the private networks to map into a single IP address on the public network.
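The difference between the two pool types configured in Step 1 and described here (a dynamic NAT range on the DMZ versus interface PAT on the outside) is easiest to see by running hosts through both. The following Python model is an added example, not Cisco code or PDM output: it uses the guide's pool 30.30.30.50–30.30.30.60 (Pool ID 200) and takes 209.165.156.10 from the topology figure as the outside address (an assumption). The inside hosts 10.10.10.10 to 10.10.10.22 are constructed sample input, and the PAT port allocator is deliberately simplified.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class DynamicNatPool:
    """Dynamic NAT from a global address pool, like the PDM 'Range' pool (ID 200) on the DMZ.
    Each private host is given its own global address until the pool runs out."""

    def __init__(self, first: str, last: str) -> None:
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        self.free: List[str] = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.xlate: Dict[str, str] = {}  # private IP -> global IP

    def translate(self, private_ip: str) -> Optional[str]:
        if private_ip in self.xlate:
            return self.xlate[private_ip]
        if not self.free:
            return None  # pool exhausted: a new host gets no translation at all
        self.xlate[private_ip] = self.free.pop(0)
        return self.xlate[private_ip]


class InterfacePat:
    """PAT using the interface address, like the PDM 'PAT using the IP address of the
    interface' pool on outside: every host shares one IP and is told apart by port."""

    def __init__(self, interface_ip: str, first_port: int = 1024) -> None:
        self.ip = interface_ip
        # Simplified allocator (assumption): real PIX code keeps the original
        # source port when it is still free and only remaps on collision.
        self.next_port = first_port
        self.xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate(self, private_ip: str, sport: int) -> Tuple[str, int]:
        key = (private_ip, sport)
        if key not in self.xlate:
            self.xlate[key] = (self.ip, self.next_port)
            self.next_port += 1
        return self.xlate[key]


def compare_nat_and_pat(host_count: int = 13):
    """Translate host_count constructed inside hosts through both mechanisms."""
    hosts = [f"10.10.10.{10 + n}" for n in range(host_count)]  # constructed sample hosts
    pool = DynamicNatPool("30.30.30.50", "30.30.30.60")  # 11 addresses, the guide's DMZ pool
    pat = InterfacePat("209.165.156.10")  # outside address taken from the topology figure (assumed)
    nat_results = [pool.translate(h) for h in hosts]
    pat_results = [pat.translate(h, 40000) for h in hosts]  # every host uses the same source port
    return nat_results, pat_results


if __name__ == "__main__":
    nat, pat = compare_nat_and_pat()
    print("NAT pool:", nat)  # the 12th and 13th hosts get None: the 11-address pool is exhausted
    print("PAT:     ", pat)  # all 13 hosts share 209.165.156.10 on distinct ports
```

Run it as-is: the 11-address range serves eleven inside hosts and then refuses the rest, which is why the guide pairs the DMZ range pool with interface PAT on the outside, where the number of inside clients is not bounded by the size of a pool.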
b. Right-click in the gray area below the Manage Pools button and select Add.
c. In the new window, select the inside interface.
d. Enter the IP address of the client (10.10.10.10). You can also select the inside host by clicking on the Browse button.
e. Select 255.255.255.255 from the Mask drop-down menu.
Note: If there are multiple HTTP clients, enter the entire network range (10.10.10.0) or select the network using the Browse button, and then select the Pool ID.
j. Click the OK button.
k. Click the Proceed button to configure the PIX Firewall. Check the displayed configuration for accuracy.
l. Click the Apply button.
Repeat the steps to configure interface PAT between the inside and outside interfaces. The procedure remains the same, except the interface on which the translation is required is now the outside interface and the Dynamic address pool should now indicate the interface PAT keywords.
Step 3 Configure External Identity for the DMZ Web Server
The DMZ server is easily accessible by all hosts on the Internet. This configuration requires translating the DMZ server IP address so that it appears to be located on the Internet, enabling outside HTTP clients to access it unaware of the firewall.
The configurations should display as shown below:...
Step 4 Provide HTTP Access to the DMZ Web Server
In addition to configuring address translations, you must configure the PIX 515E to allow the specific traffic types from the public networks. To configure access lists for HTTP traffic originating from any client on the Internet to the DMZ web server, complete the following:
a.
The Edit Rule window opens up, allowing you to select the ACL rules to permit/deny traffic.
a. Under Action, select permit from the drop-down menu to allow traffic through the firewall.
b. Under Source Host/Network, click the IP Address radio button.
c.
d. Enter the Source Host/Network information (0.0.0.0 for any host or network).
e. Under Destination Host/Network, click the IP Address radio button.
f. Select dmz from the Interface drop-down menu.
g. Enter 30.30.30.30 in the IP address box.
h. Select 255.255.255.255 from the Mask drop-down menu.
Note: Alternatively, you can select the Hosts/Networks in both cases by clicking on the respective Browse buttons.
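The rule assembled in steps a. to h. is narrower than it may look in the dialog: it permits only TCP port 80 from anywhere to the single host 30.30.30.30, and everything the rule does not match falls through to the implicit deny at the end of every PIX access list. The Python evaluator below is an added example, not Cisco code: it builds that one rule from the same IP Address and Mask values PDM asks for, then checks a few constructed flows from an Internet client (198.51.100.7 is a documentation address). It matches on the DMZ host's real address as PDM presents it and ignores the static translation from Step 3.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    protocol: str                # "tcp", "udp", "icmp" or "ip" (ip matches every protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Flow:
    protocol: str
    src_ip: str
    dst_ip: str
    dport: Optional[int] = None


def pdm_network(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Turn the IP Address / Mask pair typed into PDM into a network.
    0.0.0.0 with mask 0.0.0.0 is 'any host or network'."""
    return ipaddress.IPv4Network((ip, mask), strict=False)


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule wins; a PIX access list ends with an implicit deny."""
    src = ipaddress.IPv4Address(flow.src_ip)
    dst = ipaddress.IPv4Address(flow.dst_ip)
    for rule in acl:
        if rule.protocol != "ip" and rule.protocol != flow.protocol:
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.action
    return "deny"


# The single rule from steps a. to h.: permit, any source, DMZ host 30.30.30.30/32, HTTP (tcp/80).
OUTSIDE_IN: List[Rule] = [
    Rule("permit", "tcp",
         pdm_network("0.0.0.0", "0.0.0.0"),
         pdm_network("30.30.30.30", "255.255.255.255"),
         dport=80),
]


def check_flows() -> dict:
    """Constructed sample flows from one Internet client against the outside access list."""
    client = "198.51.100.7"  # constructed; RFC 5737 documentation address
    return {
        "http_to_web": evaluate(OUTSIDE_IN, Flow("tcp", client, "30.30.30.30", 80)),
        "ssh_to_web":  evaluate(OUTSIDE_IN, Flow("tcp", client, "30.30.30.30", 22)),
        "http_other":  evaluate(OUTSIDE_IN, Flow("tcp", client, "30.30.30.31", 80)),
        "udp_80":      evaluate(OUTSIDE_IN, Flow("udp", client, "30.30.30.30", 80)),
    }


if __name__ == "__main__":
    for name, verdict in check_flows().items():
        print(f"{name:12s} {verdict}")  # only http_to_web is permitted
```

The useful check for a practitioner is the three denied flows: a rule that permits HTTP to one host does not open SSH to that host, HTTP to its neighbours, or UDP on the same port number, because none of those ever match and the implicit deny catches them.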
The configurations should display as shown below:
The HTTP clients on the private and public networks can now securely access the DMZ web server.
Site-to-Site VPN Configuration
Site-to-site VPN (Virtual Private Networking) features provided by the PIX 515E enable businesses to securely extend their networks across low-cost public Internet connections to business partners and remote offices worldwide.
PDM provides an easy-to-use VPN Wizard that can quickly guide you through the process of configuring a site-to-site VPN in five simple steps. The illustration below shows an example VPN tunnel between two PIX 515E units, and will be referenced in the following steps.
[Figure: VPN tunnel between PIX 1 at Site A and PIX 2 at Site B]...
Step 2 Configure the VPN Peer
a. Enter the Peer IP Address (PIX 2) and select an authentication key (for example, “CisCo”), which is shared for IPSec negotiations between both PIX 515E units.
Note: To configure PIX 2, enter the IP address for PIX 1 (1.1.1.1) and the same Pre-shared Key (CisCo).
Step 3 Configure the IKE Policy
This step consists of two windows:
1. Configure the IKE negotiation parameters. In most cases, the default values are sufficient to establish secure VPN tunnels between two peers.
a. Select the Encryption (DES/3DES/AES), Authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the PIX 515E during an IKE security association.
2. Configure the IPSec parameters.
a. In the second window, select the Encryption algorithm (DES/3DES/AES) and Authentication algorithm (MD5/SHA). Confirm all values before continuing to the next window.
Note: When configuring PIX 2, enter the exact same values for each of the options that you selected for PIX 1.
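Two things go wrong in practice at this step: a peer is given settings that differ from the other side (the note above), or both peers agree on choices from the menus that are no longer considered safe. The following checker is an added example, not Cisco code or a PDM feature: it takes the IKE (phase 1) and IPSec (phase 2) selections the wizard offers for each PIX, flags DES, MD5 and Diffie-Hellman group 1 as weak, flags 3DES and group 2 as legacy choices to move away from, and reports any mismatch between PIX 1 and PIX 2. The policies it is run on are constructed sample input.

```python
from dataclasses import dataclass
from typing import List


# Values are exactly the menu choices the PDM VPN Wizard offers.
@dataclass(frozen=True)
class IkePolicy:
    encryption: str  # "DES", "3DES" or "AES"
    hash: str        # "MD5" or "SHA"
    dh_group: int    # 1, 2 or 5


@dataclass(frozen=True)
class IpsecProposal:
    encryption: str  # "DES", "3DES" or "AES"
    auth: str        # "MD5" or "SHA"


# Reasons a practitioner should know when reviewing a wizard-built tunnel.
WEAK = {
    "DES": "56-bit DES is brute-forceable; replace it",
    "MD5": "MD5 HMAC is deprecated for IKE/IPsec integrity; use SHA",
    "3DES": "3DES is a legacy 64-bit block cipher; prefer AES when both peers support it",
}
WEAK_DH = {
    1: "DH group 1 (768-bit MODP) is far too small; use group 5",
    2: "DH group 2 (1024-bit MODP) is below current guidance; prefer group 5, the largest the wizard offers",
}


def audit_peer(name: str, ike: IkePolicy, ipsec: IpsecProposal) -> List[str]:
    """Flag weak or legacy choices in one peer's IKE and IPSec settings."""
    findings: List[str] = []
    if ike.encryption in WEAK:
        findings.append(f"{name} IKE encryption {ike.encryption}: {WEAK[ike.encryption]}")
    if ike.hash in WEAK:
        findings.append(f"{name} IKE hash {ike.hash}: {WEAK[ike.hash]}")
    if ike.dh_group in WEAK_DH:
        findings.append(f"{name} IKE DH group {ike.dh_group}: {WEAK_DH[ike.dh_group]}")
    if ipsec.encryption in WEAK:
        findings.append(f"{name} IPSec encryption {ipsec.encryption}: {WEAK[ipsec.encryption]}")
    if ipsec.auth in WEAK:
        findings.append(f"{name} IPSec authentication {ipsec.auth}: {WEAK[ipsec.auth]}")
    return findings


def audit_tunnel(pix1_ike: IkePolicy, pix1_ipsec: IpsecProposal,
                 pix2_ike: IkePolicy, pix2_ipsec: IpsecProposal) -> List[str]:
    """Audit both ends and enforce the note's rule that PIX 2 must match PIX 1 exactly."""
    findings = audit_peer("PIX 1", pix1_ike, pix1_ipsec) + audit_peer("PIX 2", pix2_ike, pix2_ipsec)
    if pix1_ike != pix2_ike:
        findings.append("mismatch: IKE policies differ, so phase 1 negotiation fails")
    if pix1_ipsec != pix2_ipsec:
        findings.append("mismatch: IPSec proposals differ, so phase 2 negotiation fails")
    return findings


if __name__ == "__main__":
    # Constructed sample: PIX 1 on the strongest menu choices, PIX 2 left on older ones.
    strong_ike, strong_ipsec = IkePolicy("AES", "SHA", 5), IpsecProposal("AES", "SHA")
    older_ike = IkePolicy("3DES", "SHA", 2)
    for line in audit_tunnel(strong_ike, strong_ipsec, older_ike, strong_ipsec):
        print(line)  # two legacy findings for PIX 2, then the IKE mismatch
```

An empty result means both sides are on AES, SHA and group 5 and agree with each other; anything else is worth fixing before the wizard's Step 5 sends the commands to the firewalls.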
Step 4 Configure Internal Traffic
This step consists of two windows:
1. Select network traffic on the local PIX 515E encrypted through the VPN tunnel.
a. Select the Local Host/Network based on the IP Address, Name, or Group. Use the Browse button to select from preconfigured groups.
Note: Add or remove networks dynamically from the selected panel by clicking on the >>...
2. Select traffic permitted from the remote PIX Firewall.
a. In the second window, select VPN traffic for remote network configuration. For PIX 1, the remote network is Network B (20.20.20.0), so traffic encrypted from this tunnel is permitted through the tunnel. When configuring PIX 2, ensure that the values are correctly entered.
Step 5 View and Enable VPN Commands
If you enabled preview commands, you will see this page. To enable preview commands:
a. In the main PDM page, select Options.
b. Select Preferences and check the Preview commands before sending to firewall box.
Check the configuration to ensure that all values are entered correctly.
Establishing Site-to-Site VPNs with other Cisco Products
For information on configuring VPN between a PIX 515E and other products such as a Cisco router that runs Cisco IOS software, and Cisco VPN 3000 Concentrators, go to the following links:
http://www.cisco.com/warp/customer/471/pix_router_dyn.html
http://www.cisco.com/warp/public/471/ALTIGA_pix.html...
Enter these commands and follow these steps to use the activation key:
Step 1: show version
    Shows the PIX Firewall software version, hardware configuration, license key, and related uptime data.
Step 2: configure terminal
    Starts configuration mode.
Step 3: activation-key activation-key-four-tuple
    Updates the PIX Firewall activation key by replacing the activation-key-four-tuple with the activation key obtained with your...
Step 15: exit
    Exits the current configuration mode.
Refer to the following website for detailed command information and configuration examples: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/index.htm
The Cisco TAC website is available to all customers who need technical assistance. To access the TAC website, go to: http://www.cisco.com/tac...
Alternative Ways to Access the PIX 515E
You can access the CLI for administration using the console port on the PIX Firewall. To do so, you must run a serial terminal emulator on a PC or workstation.
Step 1 Connect the blue console cable so that you have a DB-9 connector on one end, as required by the serial port for your computer, and the RJ-45 connector on the other end.
“Installing a Circuit Board in the 515E” section in the Cisco PIX Firewall Hardware Installation Guide.
Note: If you have a second PIX 515E to use as a failover unit, install the failover feature and cable as described in the “Installing...
Step 3 Connect the inside, outside, or perimeter network cables to the interface ports. Starting from the top left, the connectors are Ethernet 2, Ethernet 3, Ethernet 4, and Ethernet 5. The maximum number of allowed interfaces is six with an unrestricted license.
Note: Do not add a single-port circuit board in the extra slot below the four-port circuit board, because the maximum number of allowed interfaces is six.
[Figure: PIX 515E rear panel. From the labels: 100 Mbps and Link LEDs, Failover link, 10/100BaseTX Ethernet 1 port (RJ-45), 10/100BaseTX Ethernet 0 port (RJ-45), Console port (RJ-45), power switch]
Table 2...
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL: http://www.cisco.com...
365 days a year. The Cisco TAC website is located at this URL: http://www.cisco.com/tac Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:...
After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is located at this URL: http://www.cisco.com/tac/caseopen For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone.
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
• The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://www.cisco.com/en/US/doctypes/prod_series_index_listing_sitecopy.html...
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA,...