This document describes how to install Cisco's PIX Firewall and its upgrade components. This document applies to all PIX Firewall hardware models including the PIX Firewall, PIX10000, PIX 510, and PIX 520 models.
This guide contains the following topics:
This document is intended for use by network managers who perform any of the following tasks:
This document assumes you are familiar with the topology of the network in which the PIX Firewall is being installed.
This document uses the following conventions:
screen font.
Use this document in conjunction with the following PIX Firewall documents:
For the PIX Firewall and PIX10000 models, refer to the Installing Circuit Boards in the PIX Firewall for information on how to remove and attach the PIX Firewall access panel. You can view this document online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v41/pixinb41.htm
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the Regulatory Compliance and Safety Information document that accompanied this device.
PIX Firewall ships ready to power on and configure. If you have hardware upgrades, they need to be installed first. The configuration on the installation diskette lets the PIX Firewall start up, but does not permit traffic to pass through the network until you configure it to do so.
To install and configure PIX Firewall:
Step 1 Gather information about the networks that will be connected to the PIX Firewall. See "Before You Begin."
Step 2 Install the PIX Firewall and connect its network interface cables, serial cable, and power cord. See "Installing the PIX Firewall."
Step 3 Install any optional spare or upgrade kit for the PIX Firewall such as system memory or a circuit board. See "Installing a Hardware Upgrade Component."
Step 4 Choose among the available methods of performing the initial configuration, and connect the appropriate workstation to the PIX Firewall's serial cable. See "Choosing a Configuration Method."
Step 5 Configure the PIX Firewall. See "Using a Windows PC and a Terminal Emulator," "Using a Windows PC and the PIX Firewall Setup Wizard," or "Using a Workstation and a Terminal Emulator."
Step 6 Verify that the PIX Firewall is properly connected to its networks and operating correctly, and make decisions about additional configuration options that will tailor the PIX Firewall to meet the needs of your network. See "What to Do Next."
Step 7 If you plan to operate dual PIX Firewall units in a failover configuration, install the Standby unit and connect it to the Primary unit. See "Installing and Cabling a Failover Standby Unit."
Before you begin the installation, gather the following information about each network interface that will be connected to the PIX Firewall:
| | Outside Network | Inside Network | Perimeter 1 | Perimeter 2 |
|---|---|---|---|---|
| Interface Speed | | | | |
| IP Address and Netmask | | | | |
| MTU Size | | | | |
To prepare to configure the PIX Firewall, locate the following information:
In addition, you should determine the following:
1. The IP address of the outside default router.
2. That the PIX Firewall has at least 16 MB of system memory and a 2 MB Flash memory card. If you are not sure, refer to the Release Notes for the PIX Firewall Version 4.3 for more information at:
At this time, you should determine your network topology and security policy. We recommend that you take a few minutes to draw a diagram of your network with IP addresses, indicating which computers you are protecting, and which switches, routers, and hosts are on each network.
Follow these steps to install the PIX Firewall.
Step 1 Review the safety precautions outlined in the Regulatory Compliance and Safety Information for the PIX Firewall Version 4.3, supplied in your PIX Firewall accessory kit. You can view this document online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pixrcs43.htm
Step 2 Completely read the Release Notes for the PIX Firewall Version 4.3, supplied in your PIX Firewall accessory kit. You can view this document online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pixrn43.htm
Step 3 Unpack the PIX Firewall as shown in Figure 1.
Step 4 Place the PIX Firewall on a stable work surface.
Step 5 If you purchased one or more optional PIX Firewall upgrade kits such as system memory or a circuit board, refer to "Installing a Hardware Upgrade Component" before continuing.
Step 6 If desired, you may mount the PIX Firewall in a rack using the screws and brackets supplied with the unit.
Step 7 Familiarize yourself with the PIX Firewall unit as shown in Figure 2.
Step 8 Verify that the PIX Firewall system diskette is installed in the unit's diskette drive.
Step 9 Connect network cables to each of the PIX Firewall's network interfaces as shown in Figure 3. The number and position of the network interfaces vary depending on the PIX Firewall model you have and the software version you are running. If you are not certain which model you have, check the label on the back of the unit.
PIX Firewall software supports a maximum of 4 network interfaces.
Step 10 Locate the serial cable. The serial cable assembly consists of a null modem cable with RJ-45 connectors, two separate DB-9 connectors, and a separate DB-25 connector as shown in Figure 4.
Step 11 Connect one of the DB-9 serial connectors to the console connector on the front panel of the PIX Firewall.
Step 12 Connect one end of the RJ-45 null modem cable to the DB-9 connector.
Step 13 If you are installing an AC voltage PIX Firewall, connect the PIX Firewall's power cord to the power connector on the rear panel of the unit, and to a power outlet.
If you are installing a DC voltage PIX Firewall, refer to "Connecting a DC Voltage PIX Firewall."
The method you use to initially configure the PIX Firewall depends upon the version of PIX Firewall software you are installing and the type of workstation you will use to access the PIX Firewall:
Step 1 Place the Windows PC on the work surface next to the PIX Firewall.
Step 2 Determine whether the PC has 9-pin or 25-pin serial connectors. Connect the appropriate connector from the PIX Firewall serial cable assembly to the PC's serial port.
Step 3 Connect the free end of the serial cable to the DB-9 or DB-25 serial connector on the PC.
Step 4 Connect the PC's power cord to a power outlet, and power on the PC.
Step 5 Start HyperTerminal on the PC.
(a) From the Windows Start menu, select Programs>Accessories>HyperTerminal>HyperTerminal.
(b) The New Connection window and the Connection Description dialog box appear. Click OK.
(c) In the Phone Number dialog box, ignore all fields except "Connect using." In this field, select the serial port to which you connected the serial cable (usually COM1). Click OK.
(d) In the COM Properties dialog box, set the following values:
| Field | Value |
|---|---|
| Bits per second | 9600 |
| Data bits | 8 |
| Parity | None |
| Stop bits | 1 |
| Flow Control | Hardware |
(e) Click OK to continue. HyperTerminal is now ready to receive data from the PIX Firewall console.
Step 6 Power on the PIX Firewall. See "PIX Firewall Startup Messages" for an example of the startup messages.
Step 7 At the PIX Firewall prompt, enter PIX Firewall commands. Refer to "What to Do Next" for more information.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43cfg/pix43cfg.htm
Along with the initial configuration settings, the PIX Firewall Setup Wizard allows you to configure several optional features:
The Private Link and failover features require optional hardware.
Following the initial configuration, refer to "What to Do Next" for more information.
Optional features require the following information and hardware for configuration:
The diskette for installing PIX Firewall Setup Wizard is provided in the PIX Firewall accessory kit.
Step 1 Place the Windows PC on the work surface next to the PIX Firewall.
Step 2 Connect the appropriate DB-style connector from the PIX Firewall serial cable assembly to the PC's serial port (depending on the computer, this may be a 9-pin connector or a 25-pin connector).
Step 3 Connect the free end of the null modem cable to the DB-9 or DB-25 serial connector on the PC.
Step 4 Connect the Windows PC's power cord to a power outlet, and power on the PC.
Step 5 Locate the diskette containing the PIX Firewall Setup Wizard.
Step 6 From the Windows NT system, insert the first PIX Firewall Setup Wizard diskette in the diskette drive. You can install the software:
Once the installation program starts, you are prompted with a series of dialog boxes.
Step 7 Follow the instructions in the dialog boxes. In many cases you can simply click Next to accept the default values, and the installation will proceed without interruption. Alternately, you can enter values appropriate for your site and PIX Firewall installation.
During the installation you are prompted to choose Private Link installation and failover installation. Both the Private Link and failover features are optional, requiring additional hardware.
Step 8 At the last dialog box, click Finish.
Step 9 Power on the PIX Firewall.
Step 10 Run the Setup Wizard and follow the instructions provided by the help text. When done, refer to "What to Do Next."
Step 1 Place the workstation on the work surface next to the PIX Firewall.
Step 2 Determine whether the workstation has 9-pin serial connectors or 25-pin serial connectors. Connect the appropriate connector from the PIX Firewall serial cable assembly to the workstation's serial port.
Step 3 Connect the free end of the null modem cable to the DB-9 or DB-25 serial connector on the workstation.
Step 4 Connect the workstation's power cord to a power outlet, and power on the workstation.
Step 5 Start a terminal emulator (for example, tip is a terminal emulator commonly available on UNIX workstations).
Step 6 Ensure that the terminal emulator is set up as follows:
| Parameter | Value |
|---|---|
| Bits per second | 9600 |
| Data bits | 8 |
| Parity | None |
| Stop bits | 1 |
| Flow Control | Hardware |
Step 7 Power on the PIX Firewall. Refer to "PIX Firewall Startup Messages" for an example of the startup messages.
Step 8 At the PIX Firewall prompt, enter PIX Firewall commands.
If you wish to view, add, or modify the PIX Firewall configuration there are several ways to do so:
Once initial configuration is complete and the PIX Firewall is running, you should follow the steps outlined in Chapter 2, "Configuring the PIX Firewall" in the Configuration Guide for the PIX Firewall Version 4.3 to test the connections between the PIX Firewall and its attached networks. You can view this chapter online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43cfg/pix43cfg.htm
After verifying that the PIX Firewall is properly connected to the network and the initial configuration is operating correctly, you may install and configure a failover Standby unit. See "Installing and Cabling a Failover Standby Unit" for more information.
Lastly, you should review your security policy and tailor the PIX Firewall configuration to meet the needs of your network.
When you reboot or power-on the PIX Firewall, messages appear similar to the following. The first messages to display are:
PIX Bios V2.7
Booting Floppy ...................................Execing flop
PIX Floppy loader (V2.0)
Reading second stage loader.....
Starting second stage loader.
PIX flash loader (V2.0)
Flash=AT29C040A
Reading floppy image..................................
Flash version 4.2.3, Floppy version 4.3.2

The Flash statement indicates the type of Flash memory. Version 4.3 requires 2 MB of Flash memory, which is identified by the "AT29C040A" code. If the unit had the previous 512 KB Flash memory, PIX Firewall would have displayed an error message and stopped the installation.
The last line in this example lists the software versions in Flash memory and what you are installing on diskette.
When a diskette is inserted in the PIX Firewall's drive, you are prompted with the following prompt:
Do you want me to install floppy version onto flash? [n]
If you have an existing configuration, enter n for no. Alternatively, you can ignore the prompt by waiting approximately 45 seconds and PIX Firewall will insert No for you.
The listing continues as follows:
Installing to flash
If you did not install the diskette version into Flash memory, proceed to "After the Prompts."
If you are installing for the first time or you want to enter a new activation key, enter y for yes. PIX Firewall then displays:
Activation Key: aaaabbbb ccccddd eeeeffff 11112222
Do you want to enter a new activation key? [n]
If you do not wish to enter an activation key, enter n for no, or wait approximately 45 seconds and PIX Firewall will enter No for you. If you enter y to enter an activation key, you are prompted to enter each part of the activation key:
Enter Activation Key Part 1 of 4:
Enter the first part of your new activation key. (In the previous example for the activation key listing, the first part is aaaabbbb.)
PIX Firewall then prompts you for the other 3 parts of the activation key. Enter each part.
Part 2 of 4:
Part 3 of 4:
Part 4 of 4:
PIX Firewall then continues the startup messages as follows:
Using flash config
Erasing flash...
Writing image into flash...
Saving config...
16MB RAM
Flash=AT29C040A @ 0x300
To install version 4.3, you need to see at least 16 MB of RAM. If you had too little memory, a message would display indicating "insufficient memory."
PIX Firewall then lists each interface. Because PIX Firewall interface cards are polled instead of using interrupts, the IRQ (interrupt request lines) can have duplicate numbers.
mcwa i82557 Ethernet at irq 10 MAC: 00a0.c90a.eb4d
mcwa i82557 Ethernet at irq 9 MAC: 00a0.c986.8eea
mcwa i82557 Ethernet at irq 10 MAC: 00a0.c9e8.8caf
mcwa i82557 Ethernet at irq 11 MAC: 0090.2710.4aa4
In this example, the PIX Firewall has four Ethernet interfaces. The MAC address is a unique hardware identifier for each interface.
If a Private Link card is present, the following message appears:
CA9568 Encryption @ 0x3a0
The PIX Firewall symbol then displays followed by the version number and the number of connections.
-----------------------------------------------------------------------
|| ||
|| ||
|||| ||||
..:||||||:..:||||||:..
c i s c o S y s t e m s
Private Internet eXchange
-----------------------------------------------------------------------
PIX Firewall
PIX Version 4.3(x)
Maximum Connections: 16384
If a Private Link card is present, the following export statement appears:
****************************** Warning *******************************
An encryption device has been discovered.
This product is not authorized for use by persons located outside the
United States and Canada that do not have export license authority
from Cisco Systems, Inc. and/or the U.S. Government.
This product may not be exported outside the U.S. and Canada either by
physical or electronic means without the prior written approval of
Cisco Systems, Inc. and/or the U.S. Government.
Persons outside the U.S. and Canada may not reexport, resell, or
transfer this product by either physical or electronic means without
prior written approval of Cisco Systems, Inc. and/or U.S. Government.
******************************* Warning *******************************
PIX Firewall then displays the following messages:
Copyright (c) 1996-1999 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Type help or '?' for a list of available commands.
pixfirewall> enable
Enter the enable command to start unprivileged mode. You are then prompted for the enable password as follows:
Password:
Unless you have assigned a value to the enable password, which you can do with the enable password command, press the Enter key to signify the default of no password. You are now in unprivileged mode.
Start configuration mode by entering the configure terminal command:
pixfirewall# configure terminal
pixfirewall(config)#
You are now ready to start configuring your PIX Firewall, which is described in the Configuration Guide for the PIX Firewall Version 4.3. You can view this document online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43cfg/index.htm
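The startup messages above carry the installation prerequisites (Flash part code, RAM size, interface count), so a console capture can be checked mechanically before the unit goes into service. The following is an added example, not part of the original guide or of any Cisco tool; the function names are hypothetical and the sample capture is constructed from the messages shown in this document.

```python
import re

# Constructed capture, assembled from the sample startup messages in this guide.
SAMPLE_BOOT = """\
PIX Bios V2.7
Booting Floppy ...................................Execing flop
PIX Floppy loader (V2.0)
Reading second stage loader.....
Starting second stage loader.
PIX flash loader (V2.0)
Flash=AT29C040A
Reading floppy image..................................
Flash version 4.2.3, Floppy version 4.3.2
Using flash config
16MB RAM
Flash=AT29C040A @ 0x300
mcwa i82557 Ethernet at irq 10 MAC: 00a0.c90a.eb4d
mcwa i82557 Ethernet at irq 9 MAC: 00a0.c986.8eea
mcwa i82557 Ethernet at irq 10 MAC: 00a0.c9e8.8caf
mcwa i82557 Ethernet at irq 11 MAC: 0090.2710.4aa4
"""

REQUIRED_FLASH = "AT29C040A"  # code the guide gives for the 2 MB Flash
MIN_RAM_MB = 16               # minimum RAM the guide requires for version 4.3
MAX_INTERFACES = 4            # maximum interfaces the software supports

FLASH_RE = re.compile(r"Flash=(\w+)")
RAM_RE = re.compile(r"(\d+)\s*MB RAM")
VERSIONS_RE = re.compile(r"Flash version ([\w.()]+), Floppy version ([\w.()]+)")
IFACE_RE = re.compile(
    r"(\w+) Ethernet at irq\s+(\d+)\s+MAC:\s*"
    r"([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})"
)


def parse_boot_log(text):
    """Extract hardware facts from a console capture of the startup messages.

    Patterns are searched over the whole text, so a capture whose line
    breaks were lost still parses.
    """
    ram = RAM_RE.search(text)
    ver = VERSIONS_RE.search(text)
    return {
        "flash_parts": set(FLASH_RE.findall(text)),
        "ram_mb": int(ram.group(1)) if ram else None,
        "flash_version": ver.group(1) if ver else None,
        "floppy_version": ver.group(2) if ver else None,
        "interfaces": [
            {"chip": chip, "irq": int(irq), "mac": mac.lower()}
            for chip, irq, mac in IFACE_RE.findall(text)
        ],
        # A Private Link card announces itself with an "Encryption @" line.
        "private_link": "Encryption @" in text,
    }


def check_boot(info):
    """Return a list of problems; an empty list means the prerequisites are met."""
    problems = []
    if REQUIRED_FLASH not in info["flash_parts"]:
        found = ", ".join(sorted(info["flash_parts"])) or "none reported"
        problems.append(f"Flash part {REQUIRED_FLASH} not seen (found: {found})")
    if info["ram_mb"] is None or info["ram_mb"] < MIN_RAM_MB:
        problems.append(f"RAM {info['ram_mb']} MB is below the {MIN_RAM_MB} MB minimum")
    macs = [iface["mac"] for iface in info["interfaces"]]
    if not macs:
        problems.append("no Ethernet interfaces listed")
    if len(macs) > MAX_INTERFACES:
        problems.append(f"{len(macs)} interfaces listed, more than {MAX_INTERFACES}")
    # Duplicate IRQ numbers are expected (the cards are polled), so only a
    # repeated MAC address is treated as a problem.
    dupes = sorted({m for m in macs if macs.count(m) > 1})
    if dupes:
        problems.append("duplicate MAC address: " + ", ".join(dupes))
    return problems


if __name__ == "__main__":
    facts = parse_boot_log(SAMPLE_BOOT)
    for iface in facts["interfaces"]:
        print(f"{iface['mac']}  irq {iface['irq']}  {iface['chip']}")
    print(check_boot(facts) or "prerequisites met")
```

The MAC addresses it prints are worth recording alongside the network diagram, so that a later capture can be compared against the hardware originally installed.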
The PIX Firewall Syslog Server (PFSS) lets you view PIX Firewall event information from a Windows NT system and includes special features not found on other syslog servers such as:
PFSS can receive syslog messages from up to 10 PIX Firewall units.
Review the following notes before installing PFSS:
1. You must have access to Cisco Connection Online (CCO) to obtain a copy of the PFSS file.
2. If a PIX Firewall is set to send messages via TCP and if the Windows NT partition containing the log files becomes full, PFSS causes the PIX Firewall to stop all connections until the Windows NT disk space is freed.
3. When you install PFSS on the Windows NT system, write down the values you supply. Once PFSS is installed, the only way you can view the timer durations is by examining the Windows NT registry with regedit and searching for disk_empty_watch. Also, if you need to view the information in the registry, do not change it in the registry. The information can only be changed from the Start>Settings>Control Panel>Services item.
Once PFSS is installed and running, you can view the pfss.log file to see the settings for the percentage of disk full, and the TCP and UDP ports. The pfss.log file can be found in the same directory in which you locate the log files. (During installation you are prompted for the directory in which to install the log files.)
4. Install PFSS only on a Windows NT version 4.0 system with Service Pack 3 installed. Install PFSS in the NTFS (not the FAT32) partition on your hard disk.
5. You can install PFSS from either a user or the Administrator login.
6. PFSS log files must reside on the local Windows NT system (not accessed across the network).
7. The PIX Firewall Manager (PFM) and PFSS cannot be used together even if installed on different systems. The PFSS or PFM installation script detects the presence of the other program on the same system and advises you to deinstall the other program.
8. PFSS creates seven rotating syslog files monday.log, tuesday.log, wednesday.log, thursday.log, friday.log, saturday.log, and sunday.log. If a week has passed since the last log file was created, it will rename the old log file to day.mmddyy where day is the current day, mm is the month, dd is the day, and yy is the year. The size of a log file depends on how many connections can occur on each PIX Firewall and the types of messages you permit to be logged. Refer to the System Log Messages for the PIX Firewall, which you can view online at:
To install the PFSS:
Step 1 Obtain the PFSS installation program from Cisco Connection Online (CCO):
(a) Use a network browser, such as Netscape Navigator, to access http://www.cisco.com.
(b) If you are a registered CCO user, click LOGIN in the upper area of the page. If you have not registered, click REGISTER and follow the steps to register.
(c) After you click LOGIN, a dialog box appears requesting your username and password. Enter these and click OK.
(d) When you are ready to continue, choose Software Center under the Service & Support heading.
(e) On the Service & Support page, click Internet Products from the center column.
(f) On the Internet Products page, click PIX Firewall Software.
(g) On the PIX Firewall Software page, click Download PIX Firewall Software.
(h) On the Software Center page, choose the software you need. If you are downloading software for the first time and you use a Windows or MS-DOS system, choose the executable file (pfss43n.exe). This file is a self-extracting archive.
(i) On the Software Download page, choose how you want to download the software.
(j) You will be again prompted for your CCO login password. Enter it and click OK.
(k) The software then downloads to your system.
Step 2 If you have not done so already, open the window of the folder containing the downloaded file. Start the installation by double-clicking the downloaded file.
Step 3 You will be prompted for the following:
(a) To start the installation: click Yes.
(b) To acknowledge the installation Welcome window: click Next.
(c) Destination target and folder: either accept the default settings or click Browse to specify an alternative. You can specify different partitions for the log files that the server creates and the server itself. First you are prompted for where to store the program and then where to put the log files. Make sure that the log files are on the local disk and not a networked disk.
(d) Port numbers for the TCP syslog server and the UDP syslog server: either accept the defaults of TCP port 1468 and UDP port 514 or specify ports as required by your system. If you enter a port number, it must be between 1024 and 65535.
(e) Percentage of Disk Full: accept the default value of 90% or specify a new value. This integer value between 1 and 100 is the maximum size that the filesystem can achieve before the Windows NT system signals the PIX Firewall to stop its connections.
(f) Disk Empty Watch: specify the duration in seconds that the syslog server waits between checks to see if the disk is still empty. The default is 5 seconds.
(g) Disk Full Watch: specify the duration in seconds that the syslog server waits between checks to see if the disk is still full. The default is 3 seconds.
Refer to the logging command page in the Configuration Guide for the PIX Firewall Version 4.3, Chapter 5, "Command Reference" for additional important information about configuring the PIX Firewall for use with PFSS. You can view this chapter online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43cfg/pix43cmd.htm
The PFSS starts immediately after installation. This service can be controlled via the Services Control Panel, which you can use to pause the service, then resume the service, stop, or start the service. The service can also be started with different startup parameters from the Services window.
After you complete the installation, you can change the option values as follows:
Step 1 Select the PIX Firewall Syslog Server entry from the Start>Settings>Control Panel>Services menu. You can add commands to the Startup Parameters edit box. After you enter a command, click Start. If you press the Enter key, the menu closes without information being accepted.
Step 2 Change the values by entering one of these commands:
%_disk_full: the maximum percentage of disk space that you allow the Windows NT system to fill before it causes the PIX Firewall to stop transmissions. This is an integer value in the range of 1 to 100. The default is 90.
tcp_port: the port on which the Windows NT system listens for TCP syslog messages. The default is 1468. If you specify another port, it must be in the range of 1024 to 65535.
udp_port: the port on which the Windows NT system listens for UDP syslog messages. The default is 514. If you specify another port, it must be in the range of 1024 to 65535.
disk_empty_watch_timer: the duration in seconds that PFSS waits between checks to see if the disk partition is still empty. The default is 5 seconds; the range is any number greater than zero.
disk_full_watch_timer: the duration in seconds that PFSS waits between checks to see if the disk partition is still full. The default is 3 seconds; the range is any number greater than zero.
Step 3 Refer to the logging command page in the Configuration Guide for the PIX Firewall Version 4.3 in Chapter 5, "Command Reference" for a description for how to configure the PIX Firewall to work with the PFSS. You can view this chapter online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43cfg/pix43cmd.htm
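Because a full log partition makes PFSS stop all connections through a PIX Firewall that logs over TCP, the PFSS values described in the installation prompts and in the startup parameters above deserve a range check and a disk headroom alarm. The following is an added example, not part of PFSS or of the original guide; the function names, the 10-point warning margin, and treating "used percentage at or above the threshold" as the stop condition are assumptions.

```python
import shutil

# Defaults and ranges as documented in this guide.
PFSS_DEFAULTS = {
    "%_disk_full": 90,
    "tcp_port": 1468,
    "udp_port": 514,
    "disk_empty_watch_timer": 5,
    "disk_full_watch_timer": 3,
}


def validate_pfss_params(params):
    """Check proposed PFSS values against the documented ranges.

    `params` holds only the values being changed; everything else keeps its
    default. Returns a list of problems, empty when every value is acceptable.
    """
    problems = [f"unknown parameter: {name}"
                for name in sorted(set(params) - set(PFSS_DEFAULTS))]
    merged = {**PFSS_DEFAULTS, **params}

    pct = merged["%_disk_full"]
    if not (isinstance(pct, int) and 1 <= pct <= 100):
        problems.append("%_disk_full must be an integer from 1 to 100")

    for name in ("tcp_port", "udp_port"):
        port = merged[name]
        # The default port is always accepted; any other port must fall
        # in the range 1024 to 65535.
        if port != PFSS_DEFAULTS[name] and not (
            isinstance(port, int) and 1024 <= port <= 65535
        ):
            problems.append(f"{name} must be the default or 1024 to 65535")

    for name in ("disk_empty_watch_timer", "disk_full_watch_timer"):
        value = merged[name]
        if not (isinstance(value, (int, float)) and value > 0):
            problems.append(f"{name} must be greater than zero")
    return problems


def used_percent(path):
    """Percentage of the partition holding `path` that is in use."""
    usage = shutil.disk_usage(path)
    return 100.0 * usage.used / usage.total


def tcp_logging_status(used_pct, disk_full_pct=90, warn_margin=10):
    """Classify log-partition usage for a firewall that logs over TCP.

    "stop": usage has reached %_disk_full, the point at which PFSS makes
            the firewall stop connections (assumed to be >= the threshold).
    "warn": usage is within `warn_margin` points of that threshold
            (the margin is an assumption of this example).
    "ok":   otherwise.
    """
    if used_pct >= disk_full_pct:
        return "stop"
    if used_pct >= disk_full_pct - warn_margin:
        return "warn"
    return "ok"


if __name__ == "__main__":
    log_dir = "."  # assumption: replace with the local PFSS log directory
    print(validate_pfss_params({"tcp_port": 514}))
    print(tcp_logging_status(used_percent(log_dir)))
```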
The sections that follow describe how to install these components:
You can install additional system memory in a PIX Firewall to bring the total RAM capacity to 128 MB. All models of PIX Firewalls can be upgraded including the PIX Firewall, PIX10000, PIX Firewall 510, PIX Firewall 520 AC model, and PIX Firewall 520 DC model. References to "PIX Firewall" in this section refer to the model that preceded the PIX10000.
The memory upgrade requires PIX Firewall software version 4.2(1) or later.
For DC models:
Warning Before performing any of the following procedures, ensure that power is removed from the DC circuit. To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position.
For both AC and DC models:
Warning Before working on a system that has an On/Off switch, turn OFF the power and unplug the power cord.
After you remove the power cord from the firewall unit, you can install additional system memory as follows:
Step 1 If the unit is rack-mounted, remove network wires and any cords connecting to the firewall unit. Then remove the unit from the rack and place on a stable working surface. Ensure that the unit is unplugged from its power source.
Step 2 Unpack the items in the memory upgrade kit.
Remove the top access panel from the firewall unit. Remove all screws holding the top access panel in place.
For the PIX Firewall 510 and PIX Firewall 520 models, refer to "Installing a Circuit Board in the PIX Firewall" for information on how to open the top access panel.
For the PIX Firewall and PIX10000 models, refer to the Installing Circuit Boards in the PIX Firewall guide that accompanied your unit. You can view this document online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v41/pixinb41.htm
Step 3 Determine the location of your system memory sockets:
Step 4 Locate the wrist grounding strap that accompanied the memory strip and connect one end to the PIX Firewall chassis, as shown in Figure 8, and securely attach the other to your wrist so it contacts your bare skin.
Step 5 With the wrist strap on your wrist, carefully grasp the memory strip from either end. Note that a SIMM strip used for the PIX Firewall and PIX10000 units has circular holes at each side. A DIMM strip used for the PIX Firewall 510 or PIX Firewall 520 has notches.
Step 6 PIX Firewall or PIX10000 with serial numbers 06004001 and higher: remove the old SIMM strip(s) as shown in Figure 9. Remove the installed SIMM by simultaneously pulling outward on the tabs to unlatch them and raising the SIMM to a vertical position, then remove each strip.
PIX Firewall "Classic" unit with a serial number before 06004000: refer to Figure 10 for how to remove the SIMM.
Step 7 PIX Firewall or PIX10000 with serial numbers 06004001 and higher: refer to Figure 11 and Figure 12 for how to insert each SIMM strip in a socket and then swing it forward to secure it.
PIX Firewall "Classic" unit with a serial number before 06004000: refer to Figure 13 and Figure 14 for how to insert the SIMM at an angle and then swing it down to secure it.
Install both new memory strips in Bank 0 or both in Bank 1. Do not place one strip in one bank and the other strip in the other bank.
Step 8 PIX Firewall 510 or PIX Firewall 520: refer to Figure 15 and Figure 16 for how to install the DIMM strip in the socket.
(a) Remove the old memory strip by opening the two plastic wing connectors, and pulling the old strip up. Discard the old strip.
(b) Install the new strip in Bank 0 by opening the two plastic wing connectors, inserting the strip, and closing the wing connectors.
When you finish inserting new memory, close the top of the PIX Firewall case and reattach the screws. If desired, rack mount the PIX Firewall, then attach all cables and cords as discussed in previous sections. After the PIX Firewall is installed, you can view the amount of memory in the system startup messages or with the show version command.
Step 1 Read the Regulatory Compliance and Safety Information for the PIX Firewall Version 4.3. You can view this document online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pixrcs43.htm
Step 2 Ensure that the PIX Firewall is powered off. Unplug the power cord from the power outlet. Once the upgrade is complete, you may safely reconnect the power cord.
Warning Before working on a system that has an On/Off switch, turn OFF the power and unplug the power cord.
Step 3 Remove the three screws holding the top access panel in place, as shown in Figure 17.
Step 4 Remove the top access panel as shown in Figure 18.
Step 5 Insert the new board, as shown in Figure 19, and secure it using the screw provided with the board.
Step 6 Replace the top access panel, as shown in Figure 20, and secure it with the three screws you removed in Step 3.

Before performing any of the following procedures, ensure that power is removed from the DC circuit. To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position.
To install the PIX Firewall DC power model:
Step 1 Read the Regulatory Compliance and Safety Information for the PIX Firewall Version 4.3 supplied with your unit.
Step 2 Terminate the DC input wiring on a DC source capable of supplying at least 15 amps. A 15-amp circuit breaker is required at the 48 VDC facility power source. An easily accessible disconnect device should be incorporated into the facility wiring.
Step 3 Power off the PIX Firewall using the switch at the rear of the unit.
Step 4 As shown in Figure 21, the PIX Firewall is equipped with two grounding studs at the back of the unit, which you can use to connect a two-hole grounding lug to the PIX Firewall. Use the 10-32 nuts provided with the PIX Firewall to connect a copper standard barrel grounding lug to the studs. The PIX Firewall requires a lug where the distance between the center of each hole is 0.56 inches. A lug is not supplied with the PIX Firewall.
Step 5 Ensure that power is removed from the DC circuit. To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position.
Step 6 Strip the ends of the wires for insertion into the power connect lugs on the PIX Firewall.
Step 7 Refer to Figure 22 and insert the ground wire into the connector for the earth ground and tighten the screw on the connector. Then connect the negative wire and then the positive wire using the same method as for the ground wire.
Step 8 Reconnect power to the PIX Firewall. After wiring the DC power supply, remove the tape from the circuit breaker switch handle and reinstate power by moving the handle of the circuit breaker to the ON position.
Step 9 Insert the PIX Firewall system diskette in the drive at the front of the unit.
Step 10 As shown in the previous Figure 3, connect the network cables to ensure that:
Step 11 Power on the unit from the switch at the rear of the unit.
Your unit is now ready to configure. Refer to Chapter 2, "Configuring the PIX Firewall" in the Configuration Guide for the PIX Firewall Version 4.3. You can view this chapter online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43cfg/pix43cfg.htm
Follow these steps to install a failover Standby unit.
Step 1 Follow the instructions in "Installing the PIX Firewall," Steps 3 through 9, to unpack and set up the Standby unit, and connect its network interface cables.
Step 2 Locate the failover cable, shown in Figure 23. This cable is shipped separately from the PIX Firewall unit. The cable is labeled Primary on one end and Secondary on the other.
Step 3 Connect the Primary end of the failover cable to the first PIX Firewall unit, that is, the one you have already configured. As soon as the PIX Firewall detects the presence of the failover cable, the system software enables failover mode and the PIX Firewall unit assumes active status.
Step 4 Connect the Secondary end of the failover cable to the Standby unit.
Step 5 Connect the Standby unit's power cord to the power connector on the rear panel of the unit, and to a power outlet.
Step 6 Power on the Standby unit.
Within a few seconds, the Active unit automatically downloads its configuration to the Standby unit. The two units are now operating in failover mode. The first PIX Firewall (the one you configured) is the primary unit, and is active by default. The second PIX Firewall is the secondary unit, acting as failover Standby.
If the primary unit fails, the secondary unit automatically becomes active.
All further PIX Firewall configuration for this failover pair must be done on the Active unit, whichever unit that might be at the time you perform the configuration. The Active unit automatically updates the configuration on the Standby unit. If the Standby unit has failed, updating takes place as soon as the Standby unit is brought back into operation.
Refer to Chapter 3, "Advanced Configurations" in the Configuration Guide for the PIX Firewall Version 4.3. You can view this chapter online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43cfg/pix43adv.htm
Should you need to test the cable you received, the pinouts are shown in Figure 24.
This section contains some frequently asked questions about the failover feature.
Refer to the "Failover" section in Chapter 3, "Advanced Configurations" in the Configuration Guide for the PIX Firewall Version 4.3 for additional failover information. You can view this chapter online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43cfg/pix43adv.htm
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
Posted: Mon Feb 8 17:03:54 PST 1999
Copyright © 1989-1999 Cisco Systems Inc.