This document describes how to install Cisco's PIX Firewall and perform the initial configuration. It is designed to help you get the PIX Firewall up and running as quickly and efficiently as possible. By default, the initial configuration enables connections from the inside network to the outside network, and disables connections from the outside network to the inside network. Here are the steps you will use:
Step 1 Gather information about the networks that will be connected to the PIX Firewall. See "Before You Begin."
Step 2 Install the PIX Firewall and connect its network interface cables, serial cable, and power cable. See "Installing the PIX Firewall."
Step 3 If you have ordered an optional spare or upgrade kit for the PIX Firewall, install the spare or upgrade. See "Installing a Spare or Upgrade in the PIX Firewall."
Step 4 Choose among the available methods of performing the initial configuration, and connect the appropriate workstation to the PIX Firewall's serial cable. See "Choosing a Configuration Method."
Step 5 Configure the PIX Firewall. See "Using a Windows PC and a Terminal Emulator," "Using a Windows PC and the PIX Firewall Setup Wizard," or "Using a Workstation and a Terminal Emulator."
Step 6 Verify that the PIX Firewall is properly connected to its networks and operating correctly, and make decisions about additional configuration options that will tailor the PIX Firewall to meet the needs of your network. See "What to Do Next."
Step 7 If you plan to operate dual PIX Firewall units in a failover configuration, install the standby unit and connect it to the primary unit. See "Installing and Cabling a Failover Standby Unit."
These procedures are intended to be used by network managers who perform any of the following tasks:
This document assumes you are familiar with the topology of the network in which the PIX Firewall is being installed.
This document uses the following conventions:
screen font.
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the Regulatory Compliance and Safety Information document that accompanied this device.
Before you begin the installation, gather the following information about each network interface that will be connected to the PIX Firewall:
| | Outside Network | Inside Network | Perimeter 1 | Perimeter 2 |
|---|---|---|---|---|
| 1. Interface Speed | | | | |
| 2. IP Address and Netmask | | | | |
| 3. MTU Size | | | | |
| 4. Default Router | | | | |
1. The speed of each network interface. You only need to specify a value for Ethernet interface boards that do not autosense the interface's speed, connection type, and full/half duplex support; or for Token Ring interface boards.
2. The IP address and netmask for each network interface. Even if an interface is not connected to a network, you must assign it an IP address. The IP address for each interface must be different from any others you use in your network.
3. Maximum transmission unit (MTU) size for each network interface. You only need to specify a value if you want to set an MTU size that differs from the default (1,500 bytes/block for Ethernet; 8,192 bytes/block for Token Ring).
4. The IP address of the default router. This is required only if your network does not use RIP (Routing Information Protocol).
At this time, you should determine your network topology and security policy. We recommend that you take a few minutes to draw a diagram of your network, indicating which computers you are protecting, and which switches, routers, and hosts are on each network. See the Configuration Guide for the PIX Firewall for some examples of networks containing PIX Firewall units.
By default, the initial configuration allows all connections originating from the inside network to the outside network, and disallows all connections originating from the outside network to the inside network. The Configuration Guide for the PIX Firewall describes the methods you use to modify this access model and to set up address translation tables that shield the IP addresses on the inside or perimeter networks from view by the outside network.
Follow these steps to install the PIX Firewall.
Step 1 Review the safety precautions outlined in the Regulatory Compliance and Safety Information for the PIX Firewall, supplied in your PIX Firewall accessory kit.
Step 2 Completely read the Release Notes for the PIX Firewall, supplied in your PIX Firewall accessory kit.
Step 3 Unpack the PIX Firewall (see Figure 1).

Step 4 Place the PIX Firewall on a stable work surface. If desired, you may mount the PIX Firewall in a rack using the screws and brackets supplied with the unit.
Step 5 Familiarize yourself with the PIX Firewall unit (see Figure 2).

Step 6 Verify that the PIX Firewall system diskette is installed in the unit's diskette drive.
Step 7 If you purchased one or more optional PIX Firewall upgrade kits or spare network interface boards, install the upgrade or spare following the steps in "Installing a Spare or Upgrade in the PIX Firewall."
Step 8 Connect network cables to each of the PIX Firewall's network interfaces as shown in Figure 3. The number and position of the network interfaces vary depending on the PIX Firewall model you have and the software version you are running. If you are not certain which model you have, check the label on the back of the unit.

PIX Firewall 4.1 software supports a maximum of 3 network interfaces. PIX Firewall 4.2 software supports a maximum of 4 network interfaces.
Step 9 Locate the serial cable. The serial cable assembly consists of a null modem cable with RJ-45 connectors, two separate DB-9 connectors, and a separate DB-25 connector (see Figure 4).

Step 10 Connect one of the DB-9 serial connectors to the console connector on the front panel of the PIX Firewall.
Step 11 Connect one end of the RJ-45 null modem cable to the DB-9 connector.
Step 12 Connect the PIX Firewall's power cord to the power connector on the rear panel of the unit, and to a power outlet.
Step 1 Read the Regulatory Compliance and Safety Information for the PIX Firewall.
Step 2 Ensure that the PIX Firewall is powered off. Unplug the power cord from the power outlet. Once the upgrade is complete, you may safely reconnect the power cord.
Warning Before working on a system that has an On/Off switch, turn OFF the power and unplug the power cord.
Step 3 Remove the three screws holding the top access panel in place, as shown in Figure 5.

Step 4 Remove the top access panel as shown in Figure 6.

Step 5 Insert the new board, as shown in Figure 7, and secure it using the screw provided with the board.

Step 6 Replace the top access panel, as shown in Figure 8, and secure it with the three screws you removed in Step 3.

The method you use to initially configure the PIX Firewall depends upon the version of PIX Firewall software you are installing and the type of workstation you will use to access the PIX Firewall:
Step 1 Place the Windows PC on the work surface next to the PIX Firewall.
Step 2 Determine whether the PC has 9-pin or 25-pin serial connectors. Connect the appropriate connector from the PIX Firewall serial cable assembly to the PC's serial port.
Step 3 Connect the free end of the serial cable to the DB-9 or DB-25 serial connector on the PC.
Step 4 Connect the PC's power cord to a power outlet, and power on the PC.
Step 5 Start HyperTerminal on the PC.
(a) From the Windows Start menu, select Programs>Accessories>HyperTerminal>HyperTerminal.
(b) The New Connection window and the Connection Description dialog box appear. Click OK.
(c) In the Phone Number dialog box, ignore all fields except "Connect using." In this field, select the serial port to which you connected the serial cable (usually COM1). Click OK.
(d) In the COM Properties dialog box, set the following values:
| Field | Value |
|---|---|
| Bits per second | 9600 |
| Data bits | 8 |
| Parity | None |
| Stop bits | 1 |
| Flow Control | Hardware |
(e) Click OK to continue. HyperTerminal is now ready to receive data from the PIX Firewall console.
Step 6 Power on the PIX Firewall. See "PIX Firewall Startup Messages" for an example of the startup messages.
Step 7 At the PIX Firewall prompt, enter PIX Firewall commands.
"Before Configuring the PIX Firewall" in Chapter 2 of the Configuration Guide for the PIX Firewall describes the commands needed to enter configuration mode.
"Initially Configuring the PIX Firewall" in Chapter 2 of the Configuration Guide for the PIX Firewall describes the commands needed to create an initial configuration.
Step 1 Place the Windows PC on the work surface next to the PIX Firewall.
Step 2 Connect the appropriate DB-style connector from the PIX Firewall serial cable assembly to the PC's serial port (depending on the computer, this may be a 9-pin connector or a 25-pin connector).
Step 3 Connect the free end of the null modem cable to the DB-9 or DB-25 serial connector on the PC.
Step 4 Connect the Windows PC's power cord to a power outlet, and power on the PC.
Step 5 Locate the diskette containing the PIX Firewall Setup Wizard, and install the Setup Wizard according to the instructions in Appendix C of the Configuration Guide for the PIX Firewall.
Step 6 Power on the PIX Firewall.
Step 7 Run the Setup Wizard and follow the instructions provided by the help text.
Step 1 Place the workstation on the work surface next to the PIX Firewall.
Step 2 Determine whether the workstation has 9-pin serial connectors or 25-pin serial connectors. Connect the appropriate connector from the PIX Firewall serial cable assembly to the workstation's serial port.
Step 3 Connect the free end of the null modem cable to the DB-9 or DB-25 serial connector on the workstation.
Step 4 Connect the workstation's power cord to a power outlet, and power on the workstation.
Step 5 Start a terminal emulator (for example, tip is a terminal emulator commonly available on UNIX workstations).
Step 6 Ensure that the terminal emulator is set up as follows:
| Parameter | Value |
|---|---|
| Bits per second | 9600 |
| Data bits | 8 |
| Parity | None |
| Stop bits | 1 |
| Flow Control | Hardware |
Step 7 Power on the PIX Firewall. Refer to "PIX Firewall Startup Messages" for an example of the startup messages.
Step 8 At the PIX Firewall prompt, enter PIX Firewall commands.
"Before Configuring the PIX Firewall" in Chapter 2 of the Configuration Guide for the PIX Firewall describes the commands needed to enter configuration mode.
"Initially Configuring the PIX Firewall" in Chapter 2 of the Configuration Guide for the PIX Firewall describes the commands needed to create an initial configuration.
If you wish to view, add, or modify the PIX Firewall configuration, there are several ways to do so:
Once initial configuration is complete and the PIX Firewall is running, you should follow the steps outlined in "Testing the Configuration" in Chapter 2 of the Configuration Guide for the PIX Firewall to test the connections between the PIX Firewall and its attached networks.
After verifying that the PIX Firewall is properly connected to the network and the initial configuration is operating correctly, you may install and configure a failover standby unit. See "Installing and Cabling a Failover Standby Unit" for more information.
Lastly, you should review your security policy and tailor the PIX Firewall configuration to meet the needs of your network.
Follow these steps to install a failover standby unit.
Step 1 Follow the instructions in "Installing the PIX Firewall," Steps 3 through 8, to unpack and set up the standby unit, and connect its network interface cables.
Step 2 Locate the failover cable, shown in Figure 9. This cable is shipped separately from the PIX Firewall unit. The cable is labeled Primary on one end and Secondary on the other.

Step 3 Connect the Primary end of the failover cable to the first PIX Firewall unit, that is, the one you have already configured. As soon as the PIX Firewall detects the presence of the failover cable, the system software enables failover mode and the PIX Firewall unit assumes active status.
Step 4 Connect the Secondary end of the failover cable to the standby unit.
Step 5 Connect the standby unit's power cord to the power connector on the rear panel of the unit, and to a power outlet.
Step 6 Power on the standby unit.
Within a few seconds, the active unit automatically downloads its configuration to the standby unit. The two units are now operating in failover mode. The first PIX Firewall (the one you configured) is the primary unit, and is active by default. The second PIX Firewall is the secondary unit, acting as failover standby.
If the primary unit fails, the secondary unit automatically becomes active.
All further PIX Firewall configuration for this failover pair must be done on the active unit, whichever unit that might be at the time you perform the configuration. The active unit automatically updates the configuration on the standby unit. If the standby unit has failed, updating takes place as soon as the standby is brought back into operation.
Refer to the Configuration Guide for the PIX Firewall for more information about failover.
The PIX Firewall startup messages should be similar to the following example:
```
PIX Bios V2.7
Booting Floppy
...................................Execing flop
PIX Floppy loader version 1.12
Starting second stage loader.
...
PIX Floppy cloader version 1.1
Flash=AT29C040A
Reading floppy image...............................
Flash version 4.2.0.215, Floppy version 4.2.0.217
Installing to flash
Activation Key: 3bb55731 bb58d0b 2fd1abc2 4ffb0bc0
Do you want to enter a new activation key? [n]
Using flash config
Erasing flash...
Writing image into flash...
Saving config...
16MB RAM
Flash=AT29C040A @ 0x300
mcwa i82557 Ethernet at irq 10 MAC: 00a0.c90a.eb4d
mcwa i82557 Ethernet at irq 10 MAC: 00a0.c986.8eea
mcwa i82557 Ethernet at irq 11 MAC: 00a0.c90a.eb43
CA9568 Encryption @ 0x3a0
-----------------------------------------------------------------------
||                                                                   ||
||                                                                   ||
||||                                                               ||||
..:||||||:..:||||||:..
c i s c o S y s t e m s
Private Internet eXchange
-----------------------------------------------------------------------
PIX Firewall
Maximum Connections: 16384
Copyright (c) 1996-1998 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Type help or '?' for a list of available commands.
pixfirewall>
```
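As an added example (not Cisco's code and not part of this guide), the following Python script parses a captured copy of the startup transcript shown above and runs the post-installation checks an administrator would want on record: that the version now running is the one expected, that the diskette image was actually written to flash, that the interface count stays within the limit the guide gives for that software version (3 for 4.1, 4 for 4.2), and that no MAC address is reported twice. The sample transcript is constructed from the lines above, and the script assumes that when "Writing image into flash" appears the diskette image is the one that boots afterwards.

```python
import re

# Constructed sample input: an abbreviated copy of the startup transcript
# shown above (lines that carry no inventory data are omitted).
SAMPLE_BOOT = """\
Flash version 4.2.0.215, Floppy version 4.2.0.217
Installing to flash
Writing image into flash...
16MB RAM
mcwa i82557 Ethernet at irq 10 MAC: 00a0.c90a.eb4d
mcwa i82557 Ethernet at irq 10 MAC: 00a0.c986.8eea
mcwa i82557 Ethernet at irq 11 MAC: 00a0.c90a.eb43
Maximum Connections: 16384
pixfirewall>
"""

VERSION_RE = re.compile(r"Flash version (\S+), Floppy version (\S+)")
MAC_RE = re.compile(r"Ethernet at irq (\d+) MAC: ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
CONN_RE = re.compile(r"Maximum Connections: (\d+)")

# Interface limits stated in this guide: 4.1 software supports 3, 4.2 supports 4.
MAX_INTERFACES = {"4.1": 3, "4.2": 4}


def parse_boot(transcript):
    """Pull the inventory facts out of a PIX console boot transcript."""
    info = {"flash_version": None, "floppy_version": None, "max_conns": None,
            "installed_to_flash": "Writing image into flash" in transcript}
    m = VERSION_RE.search(transcript)
    if m:
        info["flash_version"], info["floppy_version"] = m.group(1), m.group(2)
    m = CONN_RE.search(transcript)
    if m:
        info["max_conns"] = int(m.group(1))
    info["interfaces"] = [{"irq": int(irq), "mac": mac}
                          for irq, mac in MAC_RE.findall(transcript)]
    return info


def running_version(info):
    """Assumption: the diskette image is what gets written to flash, so it is the
    version that boots afterwards; otherwise the unit runs what was in flash."""
    return info["floppy_version"] if info["installed_to_flash"] else info["flash_version"]


def review_boot(info, expected_version):
    """Post-install checks worth recording: version as expected, image actually
    written, interface count within the software limit, MAC addresses unique."""
    findings = []
    version = running_version(info)
    if version != expected_version:
        findings.append(f"running version {version} is not the expected {expected_version}")
    if info["flash_version"] != info["floppy_version"] and not info["installed_to_flash"]:
        findings.append("diskette image differs from flash but was not written to flash")
    limit = MAX_INTERFACES.get(".".join((version or "").split(".")[:2]))
    if limit is not None and len(info["interfaces"]) > limit:
        findings.append(f"{len(info['interfaces'])} interfaces exceed the limit of {limit}")
    macs = [i["mac"] for i in info["interfaces"]]
    if len(set(macs)) != len(macs):
        findings.append("the same MAC address is reported on more than one interface")
    return findings


if __name__ == "__main__":
    info = parse_boot(SAMPLE_BOOT)
    print(review_boot(info, "4.2.0.217") or ["no findings"])
```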
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.