Page 2 - About the Cisco PIX 515E Firewall; Hardware Features; 33-MHz Intel Celeron processor; Software Features; stateful failover
The Cisco PIX 515E delivers enterprise-class security for small-to-medium business and enterprise networks, in a modular, purpose-built appliance. Its versatile one-rack unit (1RU) design supports up to 6 10/100 Fast Ethernet interfaces, making it an excellent cho...
Page 3 - Check Items Included
Section 1, Check Items Included. Items: End User License and Software Warranty; PIX 515E Getting Started Guide; Safety and Compliance Guide; PIX 515E; PC terminal adapter (74-0495-01); Documentation; Blue console cable (72-1259-01); Yellow Ethernet cable (72-1482-01); Cisco PIX Security Appliance Product CD. DO NOT INSTALL...
Page 4 - Install the PIX 515E; Follow these steps to install the PIX 515E:; onto the five, round, recessed areas on the bottom of the chassis; Cisco PIX Firewall Hardware Installation Guide; Note; For additional hardware installation procedures, refer to the
Section 2, Install the PIX 515E. Follow these steps to install the PIX 515E: Step 1 Install the rubber feet onto the five, round, recessed areas on the bottom of the chassis. Note The chassis is also rack-mountable. For rack-mounting and failover instructions, refer to the Cisco PIX Firewall Hardware Insta...
Page 5 - Configure the PIX 515E; For more information about the; icmp; command, refer to the
Section 3, Configure the PIX 515E. The PIX 515E comes with a factory-default configuration that meets the needs of most small and medium business networking environments. A default DHCP server address pool is included for hosts on the inside interface. The factory-default configuration on the PIX 515E prote...
Page 6 - into your Internet browser.; Remember to add the “; Leave both the username and password boxes empty. Press; Enter; Select; Yes; Example Configurations; DMZ Configuration
Step 4 To access the Startup Wizard, use the PC connected to the switch or hub and enter the URL https://192.168.1.1/startup.html into your Internet browser. Note Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser...
Page 7 - Step 1 Manage IP Pools for Network Translations; Click the; Configuration; button at the top of the PDM window.
Step 1 Manage IP Pools for Network Translations. For an inside HTTP client (10.10.10.10) to access the web server on the DMZ network (30.30.30.30), it is necessary to define an IP pool (30.30.30.50–30.30.30.60) for the DMZ interface. Similarly, an IP pool for the outside interface (209.165.156.10) ...
Page 11 - Step 2 Configure Address Translations on Private Networks; Select the; tab. Ensure that the; Translation Rules; radio button is selected.
Step 2 Configure Address Translations on Private Networks. Network Address Translation (NAT) replaces the source IP addresses of network traffic traversing between two PIX interfaces. This translation prevents the private address spaces from being exposed on public networks and permits routing thr...
Page 13 - button and select the Pool ID if there are multiple HTTP clients.
Note Enter the entire network range (10.10.10.0) or select the network using the Browse button and select the Pool ID if there are multiple HTTP clients.
Page 14 - button
j. Click the OK button. k. Click the Proceed button. Check the displayed configuration for accuracy. l. Click the Apply button to configure the PIX Firewall. Repeat the steps to configure interface PAT between the inside and outside interfaces. The procedure remains the same, except the interface...
Page 15 - Step 3 Configure External Identity for the DMZ Web Server
Step 3 Configure External Identity for the DMZ Web Server. The DMZ server is easily accessible by all hosts on the Internet. This configuration requires translating the DMZ server IP address so that it appears to be located on the Internet, enabling outside HTTP clients to access it unaware of the...
Page 16 - The configurations should display as shown below:
The configurations should display as shown below:
Page 17 - Step 4 Provide HTTP Access to the DMZ Web Server; Access rules; In the table, right click and select; Add
Step 4 Provide HTTP Access to the DMZ Web Server. In addition to configuring address translations, you must configure the PIX 515E to allow the specific traffic types from the public networks. To configure access lists for HTTP traffic originating from any client on the Internet to the DMZ web ser...
Page 18 - Under Action, select; permit; from the drop-down menu; IP Address; outside
The Edit Rule window opens up, allowing you to select the ACL rules to permit/deny traffic. a. Under Action, select permit from the drop-down menu to allow traffic through the firewall. b. Under Source Host/Network, click the IP Address radio button. c. Select outside from the Interface drop-down...
Page 21 - Step 1 Start the VPN Wizard; VPN Wizard
PDM provides an easy-to-use VPN Wizard that can quickly guide you through the process of configuring a site-to-site VPN in five simple steps. The illustration below shows an example VPN tunnel between two PIX 515E units, and will be referenced in the following steps. Step 1 Start the VPN Wizard. Use PDM...
Page 22 - Step 2 Configure the VPN Peer; same; Certificate; radio button and the; Next
Step 2 Configure the VPN Peer. a. Enter the Peer IP Address (PIX 2) and select an authentication key (for example, “CisCo”), which is shared for IPSec negotiations between both PIX 515E units. Note To configure PIX 2, enter the IP address for PIX 1 (1.1.1.1) and the same Pre-shared Key (CisCo). b. ...
Page 24 - Step 3 Configure the IKE Policy; This step is comprised of two windows:
Step 3 Configure the IKE Policy. This step consists of two windows: 1. Configure the IKE negotiation parameters. In most cases, the default values are sufficient to establish secure VPN tunnels between two peers. a. Select the Encryption (DES/3DES/AES), Authentication algorithms (MD5/SHA), and...
Page 25 - Configure the IPSec parameters.
2. Configure the IPSec parameters. a. In the second window, select the Encryption algorithm (DES/3DES/AES) and Authentication algorithm (MD5/SHA). Confirm all values before continuing to the next window. Note When configuring PIX 2, enter the exact same values for each of the options that you sel...
Page 26 - Step 4 Configure Internal Traffic; Use the; Browse; button to select from preconfigured groups.
Step 4 Configure Internal Traffic. This step consists of two windows: 1. Select network traffic on the local PIX 515E encrypted through the VPN tunnel. a. Select the Local Host/Network based on the IP Address, Name, or Group. Note Use the Browse button to select from preconfigured groups. Add ...
Page 27 - Select traffic permitted from the remote PIX Firewall.; Finish; button to complete the configuration.
2. Select traffic permitted from the remote PIX Firewall. a. In the second window, select VPN traffic for remote network configuration. For PIX 1, the remote network is Network B (20.20.20.0), so traffic encrypted from this tunnel is permitted through the tunnel. Note When configuring PIX 2, ensur...
Page 28 - Step 5 View and Enable VPN Commands; Preferences
Step 5 View and Enable VPN Commands. If you enabled preview commands, you will see this page: To enable preview commands: a. In the main PDM page, select Options. b. Select Preferences and check the Preview commands before sending to firewall box. Check the configuration to ensure that all values ...
Page 29 - Establishing Site-to-Site VPNs with other Cisco Products; Optional Maintenance and Upgrade Procedures; Obtaining DES and 3DES/AES Encryption Licenses; If you are a registered user of Cisco.com and would like to obtain; a DES or 3DES/AES encryption; go to the following website:; show; Cisco PIX Firewall and VPN Configuration Guide
Establishing Site-to-Site VPNs with other Cisco Products. For information on configuring VPN between a PIX 515E and other products such as a Cisco router that runs Cisco IOS software, and Cisco VPN 3000 Concentrators, go to the following links: http://www.cisco.com/warp/customer/471/pix_router_dyn...
Page 30 - Restore the Default Configuration; is a; Command
Enter these commands and follow these steps to use the activation key: Restore the Default Configuration. To restore the configuration to the factory-default values, enter the following CLI commands by completing the following steps (Command / Description): Step 1 show version: Shows the ...
Page 32 - Alternative Ways to Access the PIX 515E; PC terminal adapter DB-9; Console
Alternative Ways to Access the PIX 515E. You can access the CLI for administration using the console port on the PIX Firewall. To do so, you must run a serial terminal emulator on a PC or workstation. Step 1 Connect the blue console cable so that you have a DB-9 connector on one end as required by...
Page 33 - If you need to install an optional circuit board, refer to the “
• If your PIX 515E has one or two single-port Ethernet circuit boards installed in the auxiliary assembly on the left of the unit at the rear, the circuit boards are numbered top to bottom so that the top circuit board is Ethernet 2 and the bottom circuit board is Ethernet 3. (Using more than one...
Page 34 - Check the LEDs; Table 1; LED
Step 3 Connect the inside, outside, or perimeter network cables to the interface ports. Starting from the top left, the connectors are Ethernet 2, Ethernet 3, Ethernet 4, and Ethernet 5. The maximum number of allowed interfaces is six with an unrestricted license. Note Do not add a single-port ci...
Page 36 - Obtaining Documentation; You can access the Cisco website at this URL:; Ordering Documentation; You can find instructions for ordering documentation at this URL:
Section 6, Obtaining Documentation. Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation on the World Wide Web at...
Page 37 - You can order Cisco documentation in these ways:; Documentation Feedback; We appreciate your comments.; Obtaining Technical Assistance; Cisco TAC Website
You can order Cisco documentation in these ways: • Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace: http://www.cisco.com/en/US/partner/ordering/index.shtml • Nonregistered Cisco.com users can order documentation th...
Page 38 - Opening a TAC Case; To open a case by telephone, use one of the following numbers:; TAC Case Priority Definitions
Opening a TAC Case. Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommen...
Page 39 - Obtaining Additional Publications and Information
Section 9, Obtaining Additional Publications and Information. Information about Cisco products, technologies, and network solutions is available from various online and printed sources. • The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer ...