Table Of Contents
Installing PDM on a PIX Firewall
What Is PDM?
How Do I Obtain PDM?
Where Does PDM Reside?
Operating Requirements
PIX Firewall Requirements
Browser Requirements
PC/Workstation Requirements
Windows Requirements
SUN Solaris Requirements
Linux Requirements
Preparing a Console
Using PDM on a New PIX Firewall Unit
Installing PDM on an Existing PIX Firewall Unit
Installing PDM on a PIX Firewall
This chapter describes how to get the Cisco PIX Device Manager (PDM) installed and running on your PIX Firewall unit, so you can use the PDM graphical user interface to configure and monitor PIX Firewall features and resources.
Note
In this guide, the term "PIX Firewall" refers to all models running PIX Firewall version 6.0 or higher, unless specifically noted.
This chapter includes the following sections:
•
What Is PDM?
•
Operating Requirements
•
Preparing a Console
•
Using PDM on a New PIX Firewall Unit
•
Installing PDM on an Existing PIX Firewall Unit
What Is PDM?
The Cisco PIX Device Manager, hereafter referred to as PDM, is a browser-based configuration tool designed to help you set up, configure, and monitor your PIX Firewall graphically, without requiring an extensive knowledge of the PIX Firewall command-line interface (CLI).
PDM lets you configure your PIX Firewall unit using task-oriented menu choices, drop-down menus, and browse options, and sends the corresponding CLI commands to the PIX Firewall unit for the configuration you choose.
PDM works with PIX Firewall version 6.0 and can operate on the PIX 506, PIX 515, PIX 520, PIX 525, and PIX 535 units once they are upgraded to version 6.0.
PDM configures and monitors PIX Firewall units individually; you can use PDM to create or update a PIX Firewall configuration through your web browser running on a console workstation. (Additionally, you can point your browser to more than one PIX Firewall unit and administer different units from a single workstation.) However, if you are using Cisco Secure Policy Manager (Cisco Secure PM), use PDM for monitoring only. PDM cannot be used to configure PIX Firewall units that are being managed by Cisco Secure PM because all changes that were made using PDM will be overwritten the next time Cisco Secure PM synchronizes with the PIX Firewall.
PDM is implemented in Java to provide a robust real-time monitoring tool. PDM runs on a variety of platforms and does not require a plug-in or complex software installation. The PDM applet downloads to your workstation when you access the PIX Firewall from your browser.
PDM uses the Secure Sockets Layer (SSL) protocol so that communication between the browser and the PIX Firewall unit is encrypted.
This section includes the following topics:
•
How Do I Obtain PDM?
•
Where Does PDM Reside?
How Do I Obtain PDM?
If you have a new PIX Firewall unit with PIX Firewall version 6.0, PDM comes preloaded on the PIX Firewall unit's Flash memory. (Flash memory retains information even when the unit is powered off.)
Note
If you are upgrading from a previous version of PIX Firewall, you need to obtain the PDM software from Cisco in the same way that you download the PIX Firewall software, and then use TFTP to download the image on your PIX Firewall unit. For more information, refer to "Upgrading to a New PDM Version."
Note
If you upgrade your PIX Firewall to Release 6.0 and plan to use PDM, both the PIX image and the PDM image must be installed on your failover units.
Note
If you will use PDM with an existing PIX Firewall configuration, refer to "PDM Support for PIX Firewall CLI Commands" for information on what commands are supported and which are not.
Where Does PDM Reside?
PDM resides in the Flash memory of all PIX Firewall units running PIX Firewall version 6.0 and higher. If your PIX Firewall unit is new and came with PIX Firewall version 6.0, the software is already loaded in your Flash memory for you.
If you are upgrading from a previous version of PIX Firewall, you need to use TFTP from the PIX Firewall unit's inside interface to copy the PDM image to your PIX Firewall. This is explained in "Installing PDM on an Existing PIX Firewall Unit."
Operating Requirements
This section includes the following topics:
•
PIX Firewall Requirements
•
Browser Requirements
•
PC/Workstation Requirements
PIX Firewall Requirements
A PIX Firewall unit must meet the following requirements to run PDM:
Note
New PIX Firewall units that contain version 6.0 also ship with a pre-installed DES activation key. If you are using a new PIX Firewall, you have all the requirements discussed in this section and you can continue to the next section.
•
You must have an activation (license) key that enables Data Encryption Standard (DES) or the more secure 3DES, which PDM requires for support of the Secure Socket Layer (SSL) protocol.
To obtain a DES (56-bit) license key for the PIX Firewall, use the IPSec 56-bit Customer Registration form. Accessing this form requires prior registration on Cisco.com at http://www.cisco.com/register. However, access to this form does not require a purchase or service contract. You can register as a guest and then proceed to fill out the form. The form is available at the following website:
http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324
A 3DES (168-bit) license key must be purchased. If you have already purchased a 3DES upgrade, and you have your Cisco PIX Firewall 3DES upgrade document with the entitlement number printed on it, you can register your license key for use on your PIX Firewall with the License Registration form. Accessing this form also requires prior registration on Cisco.com at http://www.cisco.com/register. The License Registration form is available at the following website:
http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=301
You must also purchase or have a service contract to download PIX Firewall software.
•
Verify that your PIX Firewall meets all version 6.0 requirements listed in the Release Notes for the Cisco Secure PIX Firewall Version 6.0. You must have version 6.0 installed on the PIX Firewall unit before using PDM. You can download version 6.0 and the PDM software from the following website:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix
•
You must have at least 8 MB of Flash memory on the PIX Firewall unit.
•
The optimal configuration file size to use with PDM is less than 100 KB, which is approximately 1500 lines. PIX Firewall configuration files over 100 KB may interfere with the performance of PDM on your workstation. You can determine the size of your configuration file by entering the command show flashfs at a PIX Command Line Interface (CLI) prompt. Then, look for a line in the output which begins with "file 1." The number labeled "length" on the same line is the configuration file size in bytes.
Note
The PIX Firewall platforms do not have the same configuration file size limitations as PDM. Most PIX Firewall platforms support up to 1 MB, though the PIX 525 and PIX 535 support even larger configurations (up to 2 MB).
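The size check described above can be scripted against saved show flashfs output. The following Python is an added example written for this page, not Cisco code; the sample output is constructed in the layout the text describes (one "file N:" line per Flash file, configuration in file 1), and the 1500-lines-per-100-KB ratio used to estimate the line count is the page's own figure.

```python
"""Parse PIX 'show flashfs' output and check the configuration size against the PDM guideline."""
import re

# Constructed sample of 'show flashfs' output, laid out as the page describes: one "file N:"
# line per Flash file, with the configuration held in file 1. The values are made up.
SAMPLE_SHOW_FLASHFS = """\
flash file system:  version:2  magic:0x12345679
  file 0: origin:        0  length:2011648  checksum:0x60ad7b8d
  file 1: origin:  2097152  length:6348  checksum:0x0f0a9aa7
  file 2: origin:        0  length:0  checksum:0x00000000
  file 3: origin:  2752512  length:1400832  checksum:0x80a0c2c1
"""

PDM_CONFIG_LIMIT_BYTES = 100 * 1024                       # page: keep the config under 100 KB
BYTES_PER_LINE_ESTIMATE = PDM_CONFIG_LIMIT_BYTES // 1500  # page: 100 KB is roughly 1500 lines

FILE_LINE = re.compile(
    r"^\s*file\s+(?P<idx>\d+):\s*origin:\s*(?P<origin>\d+)\s+length:\s*(?P<length>\d+)"
    r"\s+checksum:\s*(?P<checksum>0x[0-9a-fA-F]+)"
)


def parse_flashfs(output):
    """Return {file_index: {"origin", "length", "checksum"}} for every 'file N:' line."""
    files = {}
    for line in output.splitlines():
        match = FILE_LINE.match(line)
        if match:
            files[int(match.group("idx"))] = {
                "origin": int(match.group("origin")),
                "length": int(match.group("length")),
                "checksum": match.group("checksum").lower(),
            }
    return files


def config_size_bytes(output):
    """Length of file 1, the entry the page identifies as the configuration file."""
    files = parse_flashfs(output)
    if 1 not in files:
        raise ValueError("no 'file 1' entry in show flashfs output")
    return files[1]["length"]


def check_pdm_config_size(output, limit=PDM_CONFIG_LIMIT_BYTES):
    """Return (within_limit, message); the line estimate uses the page's 1500-lines-per-100-KB ratio."""
    size = config_size_bytes(output)
    est_lines = size // BYTES_PER_LINE_ESTIMATE
    verdict = "within" if size <= limit else "over"
    return size <= limit, f"config is {size} bytes (about {est_lines} lines), {verdict} the {limit}-byte PDM guideline"


if __name__ == "__main__":
    ok, message = check_pdm_config_size(SAMPLE_SHOW_FLASHFS)
    print(("OK: " if ok else "WARNING: ") + message)
```

Paste the real show flashfs output into SAMPLE_SHOW_FLASHFS (or read it from a file) and run the script; a result over the guideline means trimming the configuration before relying on PDM.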
Browser Requirements
The following are required to access PDM from a browser:
•
PDM requires JavaScript and Java to be enabled. If these are not enabled, PDM will guide you on how to enable them. If you are using Microsoft Internet Explorer, your JDK version should be 1.1.4 or higher. To check which version you have, launch PDM. When the PDM information window comes up, the field "JDK Version" indicates your JDK version. If you have an older JDK version, you can get the latest JVM from Microsoft by downloading the product called "Virtual Machine."
•
Browser support for the Secure Sockets Layer (SSL) protocol must be enabled. The supported versions of Internet Explorer and Netscape Navigator support SSL without requiring additional configuration.
Note
PIX Firewall version 6.0 accepts SSL 2.0, SSL 3.0, and TLS 1.0 from the browser, at any browser encryption level. Where the browser lets you choose, prefer TLS 1.0 or SSL 3.0; SSL 2.0 has known protocol weaknesses.
PC/Workstation Requirements
PDM has different requirements depending on the platform from which you access it. This topic includes the following sections:
•
Windows Requirements
•
SUN Solaris Requirements
•
Linux Requirements
Note
PDM is not supported for use on computers equipped with the Macintosh, Windows 3.1, or Windows 95 operating systems.
Note
You can run several PDM sessions on a single workstation. The maximum number of PDM sessions you can run varies depending on your workstation's resources such as memory, CPU speed, and browser type.
Note
The time required to download the PDM applet can be greatly affected by the speed of the link between your workstation and the PIX Firewall unit. A minimum of 56 Kbps link speed is required; however, 1.5 Mbps or higher is recommended. Once the PDM applet is loaded on your workstation, the link speed impact on PDM operation is negligible.
Note
If your workstation's resources are running low, you should close and re-open your browser before launching PDM.
Windows Requirements
The following requirements apply to the use of PDM with Windows. PDM does not support use on Windows 3.1 or Windows 95.
•
Windows 2000 (Service Pack 1), Windows NT 4.0 (Service Pack 4 and higher), Windows 98, or Windows ME.
•
Supported browsers: Internet Explorer 5.0 (Service Pack 1) or higher (5.5 recommended), Netscape Communicator 4.51 or higher (4.76 recommended). We recommend Internet Explorer due to its faster load times.
•
Any Pentium or Pentium-compatible processor running at 350 MHz or higher.
•
At least 128 MB of random-access memory (RAM). We recommend 192 MB or more.
•
An 800 x 600 pixel display with at least 256 colors. We recommend a 1024 x 768 pixel display and at least High Color (16-bit) colors.
Note
The use of virus checking software may dramatically increase the time required to start PDM. This is especially true for Netscape Communicator on any Windows platform or Windows 2000 running any browser.
SUN Solaris Requirements
The following requirements apply to the use of PDM with Sun SPARC:
•
Sun Solaris 2.6 or later running CDE or OpenWindows window manager.
•
SPARC microprocessor.
•
Supported browser: Netscape Communicator 4.51 or higher (4.76 recommended).
•
At least 128 MB of random-access memory (RAM).
•
An 800 x 600 pixel display with at least 256 colors. We recommend a 1024 x 768 pixel display and at least High Color (16-bit) colors.
Note
PDM does not support Solaris running on x86 (IBM PC-compatible) systems.
Linux Requirements
The following requirements apply to the use of PDM with Linux:
•
Red Hat Linux 7.0 running the GNOME or KDE 2.0 desktop environment.
•
Supported browser: Netscape Communicator 4.75 or later version.
•
At least 64 MB of random-access memory (RAM).
•
An 800 x 600 pixel display with at least 256 colors. We recommend a 1024 x 768 pixel display and at least 16-bit colors.
Preparing a Console
Before you can use or install PDM, you need to enter information on the PIX Firewall unit via a console terminal. The information in this section describes how to use Windows HyperTerminal as a console (if you are using a Windows system). If you are using Linux or a Sun SPARC station, refer to your system documentation for a terminal program.
The Windows HyperTerminal accessory provides easy-to-use software for communicating with the firewall.
HyperTerminal also lets you cut and paste configuration information from your computer to the firewall console.
Follow these steps to configure HyperTerminal:
Step 1
Connect the serial port of your PC to the console port of the PIX Firewall with the serial cable supplied in the PIX Firewall accessory kit.
Step 2
Locate HyperTerminal by opening the Windows 98, Windows ME, Windows NT, or Windows 2000 Start menu and clicking Programs>Accessories>Communications>HyperTerminal.
Step 3
Double-click the Hyperterm accessory. The New Connection window opens with the smaller Connection Description dialog box in the center.
Step 4
Enter the name of the connection. You can use any name such as PIX Firewall Console. Click OK when you are ready to continue.
Step 5
In the Phone Number dialog box, ignore all the fields except "Connect using." In this field, click the arrow at the right to view the choices. Click Direct to Com 1, unless you are using another serial port. Click OK to continue.
Step 6
At the COM1 Properties dialog box, set the following fields:
•
Bits per second to 9600.
•
Data bits to 8.
•
Parity to None.
•
Stop bits to 1.
•
Flow control to Hardware.
Step 7
Click OK to continue.
Step 8
The HyperTerminal window is now ready to receive information from the PIX Firewall console. If the serial cable is connected to the firewall, power on the firewall and you should be able to view the console startup display.
If nothing happens, first wait 60 seconds. The firewall does not send information for about 30 seconds. If messages do not appear after 60 seconds, press the Enter key. If still nothing appears, ensure that the serial cable is attached to COM1 and not to COM2 if your computer is so equipped. If garbage characters appear, ensure that the bits per second setting is 9600.
Step 9
On the File menu, click Save to save your settings.
Step 10
On the File menu, click Exit to exit HyperTerminal. HyperTerminal prompts you to be sure you want to disconnect. Click Yes.
HyperTerminal saves a log of your console session that you can access the next time you use it.
To restart HyperTerminal, double-click the connection name you chose in the HyperTerminal folder. When HyperTerminal starts, drag the scroll bar up to view the previous session.
Using PDM on a New PIX Firewall Unit
New PIX Firewall units containing version 6.0 come equipped with PDM preloaded into Flash memory. This section describes how to prepare the PIX Firewall unit so you can use PDM.
If you have a PIX Firewall unit that has an existing configuration, skip to "Installing PDM on an Existing PIX Firewall Unit."
Before you can use PDM, your PIX Firewall must be cabled and powered on according to the directions provided with your PIX Firewall unit. Follow these steps to enable PDM on a new PIX Firewall:
Step 1
Meet all requirements listed in "Operating Requirements."
Step 2
Collect basic network information:
a.
IP addresses of each interface
b.
The addresses to be used as a global address pool for NAT and PAT
c.
The PIX Firewall device name and domain name
d.
The addresses of any mail or web servers to which the PIX Firewall will have to pass traffic
e.
The address of the default router and the addresses of any routers that will be the destination of statically defined routes
When you boot the PIX Firewall, the setup command prompts you for this information.
Step 3
Unpack and set up your PIX Firewall unit according to the directions provided with your unit.
Step 4
Physically connect the inside interface of the PIX Firewall unit so that the PDM workstation can communicate with the PIX Firewall. Ensure that the default route of the PDM workstation points to the inside interface of the PIX Firewall. If you are unsure how to do this, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version 6.0.
Step 5
Attach a console to the PIX Firewall unit as described in "Preparing a Console."
Step 6
Power on the PIX Firewall unit. Startup messages display on the console:
PhoenixPICOBIOS 4.0 Release 6.0
Copyright 1985-1998 ABC Technologies Ltd.
Build Time:04/27/01 17:08:34
Polaris BIOS Version 0.09
CPU = Pentium with MMX 600 MHz
limit segment address:EFE5
Cisco Secure PIX Firewall BIOS (4.0) #0:Mon Sep 13 13:28:49 PDT 2000
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 2011648 bytes of image from flash.
BIOS Flash=AT29C257 @ 0xfffd8000
mcwa i82559 Ethernet at irq 11 MAC:00aa.0000.000f
mcwa i82559 Ethernet at irq 10 MAC:00aa.0000.0010
Step 7
After displaying messages, PIX Firewall displays the following prompt:
Pre-configure PIX Firewall now through interactive prompts [yes]?
Enter y at the prompt to start the setup command.
Table 1-1 describes the setup command prompts. You can press the Enter key instead of entering a value at the prompt, which lets you accept the default value within the brackets.
Table 1-1 setup Command Prompts
setup Command Prompt | Description
Enable Password [<use current password>]: | Enter an alphanumeric password of up to 16 characters to protect the PIX Firewall unit's privileged mode. Record the password in accordance with your site's security policy; it is also the password you use to log in to PDM.
Time [22:47:37]: | Set the PIX Firewall clock to Coordinated Universal Time (UTC, also known as Greenwich Mean Time, or GMT). For example, in the Pacific Daylight Time zone (UTC-7), add 7 hours to your local time to obtain UTC. Enter the UTC year, month, day, and time, with the time in 24-hour format as hours:minutes:seconds.
Inside IP address: | Specify the IP address of the PIX Firewall unit's inside interface. Ensure that this IP address is unique on the network and not used by any other computer or network device, such as a router.
Inside network mask: | Specify the network mask for the inside interface. An example mask is 255.255.255.0. You can also specify a subnetted mask, for example 255.255.255.224. Do not use a mask of all 255s (255.255.255.255); it prevents traffic from passing on the interface.
Host name: | Specify up to 16 characters as a name for the PIX Firewall unit.
Domain name: | Specify the domain name for the PIX Firewall.
IP address of host running PIX Device Manager: | Specify the IP address of the workstation that will access PDM from its browser. Only this workstation can reach PDM until you enable additional workstations from within PDM.
After you enter the IP address of the workstation running PDM, PIX Firewall displays the information that you just entered. For example:
The following configuration will be used:
Enable Password: ciscopix
Clock (UTC): 14:22:00 Aug 28 2001
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: accounting_pix
IP address of host running PIX Device Manager: 192.168.1.2
Note
You can use PDM to enable additional workstations to access your PIX Firewall. You do not need to re-run the setup command.
Step 8
You are then prompted to use this information in your configuration. If you enter n, you can edit the values before continuing.
Use this configuration and write to flash? y
Step 9
Enter y at the prompt to save the information to the PIX Firewall Flash memory. You can now start PDM.
Step 10
On a browser capable of reaching the PIX Firewall (see "Operating Requirements"), enter the following:
https://PIX_Inside_Interface_IP_Address
Note
Do not forget to add the "s" to "https" or the connection will fail. HTTPS is HTTP carried over SSL; PDM does not listen for plain HTTP.
Step 11
When PDM starts, your browser prompts you to accept or reject a security certificate. The prompt appears as soon as the browser contacts the PIX Firewall, because the PIX Firewall's certificate is not issued by a certification authority the browser already trusts; accepting it enables encrypted communication between PDM and the PIX Firewall. You must accept the certificate to use PDM, so confirm that the address in the browser is the inside interface address you configured before you accept. You are then prompted for a username and password. Leave the username blank. If there is an enable password, enter it in the password field. If there is no enable password, click OK to continue; be aware that without an enable password any user of a workstation permitted to reach PDM can log in, so set one before relying on PDM.
Step 12
Once you have logged in, you are prompted with a second certificate. This code-signing certificate, issued to Cisco Systems by the VeriSign certification authority (CA), lets the browser verify that the applet originated from Cisco Systems and run it as a signed applet. For Internet Explorer, you can optionally select the Always trust content from Cisco Systems check box so that the certificate screen is not displayed the next time you start PDM. For Netscape Communicator, you can optionally select the Remember this decision check box, which has the same effect.
Step 13
PDM then launches the Startup Wizard. Follow the instructions to enter your network information.
Once PDM is running, you can begin designating the hosts and servers that make up your network and the rules you want to apply to them.
Refer to the online help in PDM for information on each screen.
Installing PDM on an Existing PIX Firewall Unit
Follow these steps to install the latest version of PDM on an existing PIX Firewall unit:
Note
If you upgrade your PIX Firewall to Release 6.0 and plan to use PDM, both the PIX image and the PDM image must be installed on your failover units.
Step 1
Meet all requirements listed in "Operating Requirements." As described in that section, the PIX Firewall unit must be running version 6.0, and you must have a DES or 3DES activation key to use PDM.
Step 2
Attach a console to the PIX Firewall unit as described in "Preparing a Console."
Step 3
Power on the PIX Firewall unit. If a failover PIX Firewall unit is present, only configure the active unit. At the first prompt, enter the enable command. When prompted, enter the enable password if there is one.
Step 4
Refer to "Frequently Asked Questions," for information on how you may need to restructure your configuration from the PIX Firewall CLI before continuing with installing PDM.
Step 5
Obtain the PDM software from the PIX Firewall software download website:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix
Copy the pdmnnn.bin file to a folder where it can be accessed from your TFTP server.
Step 6
Start your TFTP server. TFTP is unauthenticated and unencrypted, so run the server on the inside network only for the duration of the transfer and stop it afterwards. If you need to obtain a TFTP server, refer to "Downloading PDM Software" in "Upgrading to a New PDM Version," for more information.
Step 7
Determine the IP address of the computer running the TFTP server. If you are not sure how to do this, refer to "Determining the IP Address of Your TFTP Server" in "Using a TFTP Server."
Step 8
Load the PDM image file into the PIX Firewall:
pixfirewall# copy tftp://Your_TFTP_Server_IP_Address/Your_pdmfile_name flash:pdm
Or you can enter the generic command and follow the prompts:
pixfirewall# copy tftp flash:pdm
Step 9
Enter configuration mode:
pixfirewall# configure terminal
Step 10
Enter the setup command and follow the prompts:
pixfirewall(config)# setup
Table 1-2 describes the setup command prompts. You can press the Enter key instead of entering a value at the prompt, which lets you accept the default value within the brackets.
Table 1-2 setup Command Prompts
setup Command Prompt | Description
Enable Password [<use current password>]: | Enter an alphanumeric password of up to 16 characters to protect the PIX Firewall unit's privileged mode. Record the password in accordance with your site's security policy; it is also the password you use to log in to PDM.
Time [22:47:37]: | Set the PIX Firewall clock to Coordinated Universal Time (UTC, also known as Greenwich Mean Time, or GMT). For example, in the Pacific Daylight Time zone (UTC-7), add 7 hours to your local time to obtain UTC. Enter the UTC year, month, day, and time, with the time in 24-hour format as hours:minutes:seconds.
Inside IP address: | Specify the IP address of the PIX Firewall unit's inside interface. Ensure that this IP address is unique on the network and not used by any other computer or network device, such as a router.
Inside network mask: | Specify the network mask for the inside interface. An example mask is 255.255.255.0. You can also specify a subnetted mask, for example 255.255.255.224. Do not use a mask of all 255s (255.255.255.255); it prevents traffic from passing on the interface.
Host name: | Specify up to 16 characters as a name for the PIX Firewall unit.
Domain name: | Specify the domain name for the PIX Firewall.
IP address of host running PIX Device Manager: | Specify the IP address of the workstation that will access PDM from its browser. Only this workstation can reach PDM until you enable additional workstations from within PDM.
After you enter the IP address of the workstation running PDM, PIX Firewall displays the information you just entered. For example:
The following configuration will be used:
Enable Password: ciscopix
Clock (UTC): 14:22:00 Aug 28 2001
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: accounting_pix
IP address of host running PIX Device Manager: 192.168.1.2
Step 11
You are then prompted to use this information in your configuration. If you enter n, you can edit the values before continuing.
Use this configuration and write to flash? y
Enter y at the prompt to save the information to the PIX Firewall Flash memory. Your PIX Firewall is now ready to start PDM.
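The setup prompts in Tables 1-1 and 1-2 carry several rules (a 16-character alphanumeric enable password, a 16-character host name, no all-255s mask, a clock set in UTC) that are easy to get wrong at the console and costly to fix once written to Flash. The following Python checks a set of answers against those rules before you type them in, and converts a local time to the UTC string the summary displays. It is an added example written for this page, not Cisco or PDM code; the answers are constructed to mirror the page's summary, and the check that the PDM workstation sits on the inside subnet is an assumption of the example (the page only requires that the workstation reach the PIX Firewall through the inside interface), so it is reported as a warning.

```python
"""Sanity-check answers to the PIX setup prompts before writing them to Flash."""
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed answers mirroring the page's example summary (the hosts and names are illustrative).
EXAMPLE_ANSWERS = {
    "enable_password": "ciscopix",
    "hostname": "accounting_pix",
    "inside_ip": "192.168.1.1",
    "inside_mask": "255.255.255.0",
    "pdm_host": "192.168.1.2",
}


def utc_clock(local_time, utc_offset_hours):
    """Convert a local 'YYYY-MM-DD HH:MM:SS' time to the UTC string shown in the setup summary.

    utc_offset_hours is the zone's offset from UTC (Pacific Daylight Time is -7, so 07:22 PDT
    becomes 14:22 UTC, the 'set the clock 7 hours ahead' case from the table).
    """
    local = datetime.strptime(local_time, "%Y-%m-%d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc).strftime("%H:%M:%S %b %d %Y")


def validate_setup_answers(answers):
    """Return a list of problems with the answers; an empty list means they pass the table's rules."""
    problems = []
    password = answers.get("enable_password", "")
    if not (1 <= len(password) <= 16) or not password.isalnum():
        problems.append("enable password must be 1 to 16 alphanumeric characters")
    hostname = answers.get("hostname", "")
    if not (1 <= len(hostname) <= 16):
        problems.append("host name must be 1 to 16 characters")
    try:
        inside = ipaddress.ip_interface(f"{answers['inside_ip']}/{answers['inside_mask']}")
    except (KeyError, ValueError) as exc:
        problems.append(f"inside IP address or mask is invalid: {exc}")
        return problems
    if inside.network.prefixlen == 32:
        problems.append("inside network mask 255.255.255.255 prevents traffic from passing on the interface")
    elif inside.network.prefixlen < 31 and inside.ip in (
        inside.network.network_address, inside.network.broadcast_address
    ):
        problems.append("inside IP address is the network or broadcast address of its subnet")
    try:
        pdm_host = ipaddress.ip_address(answers["pdm_host"])
    except (KeyError, ValueError) as exc:
        problems.append(f"PDM host address is invalid: {exc}")
        return problems
    if pdm_host == inside.ip:
        problems.append("PDM host address must not be the inside interface address itself")
    # Assumption, not a rule from the page: the PDM workstation normally sits on the inside
    # subnet; a host elsewhere must be routed to the PIX Firewall through the inside interface.
    elif pdm_host not in inside.network:
        problems.append(
            f"warning: PDM host {pdm_host} is not on the inside subnet {inside.network}; "
            "confirm it reaches the PIX Firewall through the inside interface"
        )
    return problems


if __name__ == "__main__":
    print("Clock (UTC):", utc_clock("2001-08-28 07:22:00", -7))
    for problem in validate_setup_answers(EXAMPLE_ANSWERS) or ["answers look consistent"]:
        print(problem)
```

The fixed offset passed to utc_clock is deliberate so the script runs without time zone data installed; if you have zoneinfo available, building the local time with ZoneInfo("America/Los_Angeles") handles daylight saving automatically.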
Step 12
On a browser capable of reaching the PIX Firewall (see "Operating Requirements"), enter the following:
https://PIX_Inside_Interface_IP_Address
Note
Do not forget to add the "s" to "https" or the connection will fail. HTTPS is HTTP carried over SSL; PDM does not listen for plain HTTP.
Step 13
When PDM starts, your browser prompts you to accept or reject a security certificate. The prompt appears as soon as the browser contacts the PIX Firewall, because the PIX Firewall's certificate is not issued by a certification authority the browser already trusts; accepting it enables encrypted communication between PDM and the PIX Firewall. You must accept the certificate to use PDM, so confirm that the address in the browser is the inside interface address you configured before you accept. You are then prompted for a username and password. Leave the username blank. If there is an enable password, enter it in the password field. If there is no enable password, click OK to continue; be aware that without an enable password any user of a workstation permitted to reach PDM can log in, so set one before relying on PDM.
Step 14
Once you have logged in, you are prompted with a second certificate. This code-signing certificate, issued to Cisco Systems by the VeriSign certification authority (CA), lets the browser verify that the applet originated from Cisco Systems and run it as a signed applet. For Internet Explorer, you can optionally select the Always trust content from Cisco Systems check box so that the certificate screen is not displayed the next time you start PDM. For Netscape Communicator, you can optionally select the Remember this decision check box, which has the same effect.
Step 15
PDM then launches.
Step 16
Once PDM is running, it parses your existing configuration and builds a topology database that associates host and network IP addresses and masks to each PIX Firewall interface.
If PDM cannot resolve an IP address or mask in your configuration, you are prompted to specify the interface name on which a host or network resides. If you do not specify these, PDM only lets you access the Monitoring tab. PDM uses the routing table from your configuration to provide a recommended interface.
For more information about how PDM parses individual commands, refer to "PDM Support for PIX Firewall CLI Commands."
You are now ready to use PDM to change your configuration.
Refer to the online Help in PDM for usage instructions on how to use each screen.
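Step 16 above describes the rule PDM applies when it builds its topology database: a host or network is placed on the interface whose subnet contains it, otherwise the routing table is consulted to recommend an interface, and otherwise the user is asked. The following Python is an added illustration of that rule written for this page, not PDM's own code; the interfaces, subnets and static routes are constructed for the example and are not taken from the page's configuration.

```python
"""Recommend a PIX interface for a host or network the way the page describes PDM's topology
database: connected subnets first, then the routing table, else leave it for the user."""
import ipaddress

# Constructed interfaces and static routes for the example (not the page's configuration).
INTERFACES = {
    "inside": ipaddress.ip_interface("192.168.1.1/24"),
    "outside": ipaddress.ip_interface("203.0.113.2/30"),
    "dmz": ipaddress.ip_interface("172.16.10.1/24"),
}
# (destination, next hop); the 0.0.0.0/0 entry is the default route.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_address("192.168.1.254")),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("203.0.113.1")),
]


def connected_interface(net, interfaces=INTERFACES):
    """Name of the interface whose own subnet contains net (longest prefix wins), or None."""
    best_name, best_len = None, -1
    for name, iface in interfaces.items():
        if net.subnet_of(iface.network) and iface.network.prefixlen > best_len:
            best_name, best_len = name, iface.network.prefixlen
    return best_name


def resolve_interface(target, interfaces=INTERFACES, routes=ROUTES):
    """Return (interface_name, reason) for a host ('10.1.2.3') or network ('10.1.0.0/16').

    interface_name is None when neither a connected subnet nor a route covers the target,
    which is the case where PDM has to prompt for the interface.
    """
    net = ipaddress.ip_network(target, strict=False)
    name = connected_interface(net, interfaces)
    if name is not None:
        return name, "connected subnet"
    # Longest matching route wins; a route only helps if its next hop is itself connected.
    for dest, next_hop in sorted(routes, key=lambda r: r[0].prefixlen, reverse=True):
        if net.subnet_of(dest):
            via = connected_interface(ipaddress.ip_network(f"{next_hop}/32"), interfaces)
            if via is not None:
                return via, f"route {dest} via {next_hop}"
    return None, "unresolved; prompt the user for the interface"


if __name__ == "__main__":
    for target in ("192.168.1.50", "10.20.0.0/16", "198.51.100.7", "172.16.10.0/24"):
        print(target, "->", resolve_interface(target))
```

Running the script with a real interface list and route table taken from show running-config tells you in advance which hosts in your access lists PDM will be unable to place, so you can add the missing routes before installing PDM instead of answering prompts one at a time.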