Installing PDM on a PIX Firewall

This chapter describes how to install Cisco PIX Device Manager (PDM) version 2.0 on your PIX Firewall unit.


Note In this guide, the term "PIX Firewall" refers to all models running PIX Firewall software version 6.2 unless specifically noted. PIX Firewall software version 6.2 is required for PDM version 2.0.


This chapter includes the following sections:

Preparing to Install PDM

Installing PDM

Starting PDM

Using the PDM Startup Wizard

Tips on Using PDM

Preparing to Install PDM

Before you install PDM, prepare as follows:

Save or print your PIX Firewall configuration. (You can save a copy of your configuration by using the PIX Firewall CLI write terminal command to display your configuration. Then, you can cut and paste the displayed configuration into a text file.)

Write down your activation key. (You can view your activation key by using the PIX Firewall CLI show version command.)

If you are upgrading from a previous version of the PIX Firewall software, you need to obtain the PDM software from Cisco in the same way that you do PIX Firewall software, and then use TFTP to download the image onto your PIX Firewall unit. For instructions on how to obtain and use a TFTP server, refer to "Using a TFTP Server."

If you plan to upgrade a PIX Firewall failover pair to use PIX Firewall software version 6.2 and PDM version 2.0, both the PIX Firewall image and the PDM image must be installed on your failover units.

If you are using PDM with an existing PIX Firewall configuration, refer to the Cisco PIX Device Manager Version 2.0 Release Notes for information on which commands are supported and which are not.

If your PIX Firewall unit is new and shipped with PIX Firewall software version 6.2, then the PDM version 2.0 software is already loaded in the PIX Firewall Flash memory for you, and you can skip to Step 6 in "Installing PDM."

Installing PDM

To install PDM version 2.0, perform the following steps:


Step 1 Verify that all system requirements have been met by referring to "System Requirements." For example, the PIX Firewall unit must be running PIX Firewall software version 6.2 and have a DES or 3DES activation key to use PDM version 2.0.

Step 2 Check the PIX Firewall software version running on your PIX Firewall unit. (If you have command line access to your PIX Firewall, you can use the CLI show version command to display the version currently running on your PIX Firewall.)

If you are not running PIX Firewall software version 6.2, then you must install it before installing PDM version 2.0. Instructions for installing PIX Firewall software are included in the Cisco PIX Firewall and VPN Configuration Guide. (After installing a PIX Firewall image, be sure to reboot your PIX Firewall. This is required for the new image to start running on the PIX Firewall.)

If your PIX Firewall is new and was shipped with PIX Firewall software version 6.2, then PDM version 2.0 should already be loaded into the Flash memory of your unit, and you can skip forward to Step 6. Otherwise, continue with the next step.

Step 3 Ensure that you have a TFTP server installed. If you need to install a TFTP server, please see "Using a TFTP Server."

Step 4 Ensure that you have a Cisco Connection Online (CCO) account. You need a CCO username and password to download PDM software. If you do not have a CCO account, go to http://tools.cisco.com/RPF/register/register.do and enter the information requested.

Step 5 Download the PDM software from Cisco Connection Online (CCO).

To download PDM from Cisco Connection Online (the Web), do the following:

a. Go to http://www.cisco.com using a web browser.

b. Click Log In under the Log In banner.

c. Enter your CCO username and password and click OK.

d. Enter http://www.cisco.com/pcgi-bin/tablebuild.pl/pix in the web address area of your web browser and press the Return or Enter key on your keyboard. (If you are prompted again for a username and password, enter your CCO username and password.)

e. Find the section titled "Select a File to Download" on the Cisco Secure PIX Firewall Software page (http://www.cisco.com/pcgi-bin/tablebuild.pl/pix), click pdm-nnn.bin (where nnn represents the PDM software image version that you want to install) and follow the instructions presented.

Step 6 If you already have a console connection from a Microsoft Windows workstation to your PIX Firewall unit, skip to Step 7. Otherwise, use the following steps to set up a console connection:

a. Power off your PIX Firewall unit.

b. Connect the serial port of a Microsoft Windows workstation to the console port of the PIX Firewall with the serial cable supplied in the PIX Firewall accessory kit.

c. Power on the PIX Firewall unit. If a failover PIX Firewall unit is present, configure the primary unit first.

Step 7 Locate the Windows HyperTerminal accessory by looking for it on the Windows Start menu. It is usually located under Programs>Accessories>Communications>HyperTerminal.

Step 8 Click HyperTerminal to open the New Connection window; the Connection Description dialog box appears.

Step 9 Enter a name for the connection and click OK.

Step 10 In the Connect To dialog box, do not enter an area code or phone number. Leave these fields blank.

Step 11 In the Connect using drop-down menu, select Com 1 (unless you are using another serial port to connect, in which case select that port) and click OK.

Step 12 Next, set the values in the following table:

Field Name          Value to Set
Bits per second     9600
Data bits           8
Parity              None
Stop bits           1
Flow control        Hardware



Step 13 Click OK to continue.

Step 14 The HyperTerminal window is now ready to receive information from the PIX Firewall console. Wait 30 seconds for the PIX Firewall startup messages to display. These messages should appear similar to the following example:

Rebooting....
Cisco Secure PIX Firewall BIOS (4.0) #0: Thu Mar  2 22:59:20 PST 2000
Platform PIX-515
Flash=i28F640J5 @ 0x300

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1507840 bytes of image from flash.      
#############################################################################
64MB RAM
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xfffd8000
mcwa i82559 Ethernet at irq 10  MAC: 0050.54ff.3772
mcwa i82559 Ethernet at irq  7  MAC: 0050.54ff.3773
mcwa i82559 Ethernet at irq 11  MAC: 00d0.b792.409d

  -----------------------------------------------------------------------
                               ||        ||
                               ||        ||
                              ||||      ||||
                          ..:||||||:..:||||||:..
                         c i s c o S y s t e m s 
                        Private Internet eXchange
  -----------------------------------------------------------------------
                        Cisco PIX Firewall

Cisco PIX Firewall Version 6.2(0)227
Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES:           Enabled
Maximum Interfaces: 6
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

If it takes more than a minute for the PIX Firewall command prompt to appear, press the Enter key. If it still does not appear, power off the PIX Firewall and ensure that the serial cable is attached to COM1 and not to COM2, if your computer is so equipped. Power the PIX Firewall back on and try to connect again.

If garbage characters appear, reset the Bits per second to 9600 and try to connect again.

Step 15 If your PIX Firewall unit is being run for the first time, enter the enable command. When prompted, enter your PIX Firewall enable password. (After starting a new PIX Firewall, you should change the enable password to secure administrative access to the unit.) If no enable password has been set, you can choose one and enter it at this time.

Step 16 Start your TFTP server. If you need to obtain a TFTP server or more information on using one, refer to "Using a TFTP Server."

Step 17 Determine the IP address of the computer running the TFTP server. If you are not sure how to do this, refer to "Determining the IP Address of Your TFTP Server" in "Using a TFTP Server."

Step 18 Load the PDM image file into the PIX Firewall by entering the following at the command prompt:

pixfirewall# copy tftp://Your_TFTP_Server_IP_Address/Your_pdmfile_name flash:pdm

Or you can enter the generic command and follow the prompts:

pixfirewall# copy tftp flash:pdm

Step 19 Enter configuration mode by entering the following at the command prompt:

pixfirewall# configure terminal

After entering the configure terminal command, the prompt changes to the following:

pixfirewall (config)#


Caution If your PIX Firewall is running a pre-existing configuration, refer to the Cisco PIX Device Manager Version 2.0 Release Notes for information on the configuration commands supported for use with PDM.

Step 20 If you have a PIX 501 or PIX 506/506E, you can use the factory default configuration loaded on the unit and skip to the next section, "Starting PDM," instead of entering setup.

To enter setup, use the setup command as shown in the following example:

pixfirewall (config)# setup

Step 21 Follow the prompts and press the Enter key to accept the default value shown within brackets, unless you have other values you want to use.

Table 2-1 describes the setup command prompts.

Table 2-1 Setup Command Prompts 

Setup Command Prompt / Description

Enable Password [<use current password>]:
    Enter an alphanumeric password, up to 16 characters in length, to protect the PIX Firewall privileged (access) mode. Record the password in accordance with your security policy. If you assign a password here, it is used for authentication every time you launch PDM unless you configured your PIX Firewall to use an AAA server for authentication, in which case the AAA server provides the authentication.

Clock (UTC)
Year [2001]:
Month [Aug]:
Day [27]:
Time [22:47:37]:
    Set the PIX Firewall clock to Coordinated Universal Time (UTC, also known as Greenwich Mean Time, or GMT). For example, if you are in the Pacific Daylight Time zone, set the clock 7 hours ahead of your local time. Enter the year, month, day, and time. Enter the UTC time in 24-hour format as hour:minutes:seconds.

Inside IP address:
    Specify the IP address of the PIX Firewall unit's inside interface. Ensure that this IP address is unique on the network and not used by any other computer or network device, such as a router.

Inside network mask:
    Specify the network mask for the inside interface. An example mask is 255.255.255.0. You can also specify a subnetted mask, for example 255.255.255.224. Do not use all 255s, such as 255.255.255.255; a mask of all 255s prevents traffic from passing on the interface.

Host name:
    Specify up to 16 characters as a name for the PIX Firewall unit.

Domain name:
    Specify the domain name for the PIX Firewall.

IP address of host running PIX Device Manager:
    Specify the IP address of the workstation designated to run PDM.


After you enter the IP address of the workstation running PDM, PIX Firewall displays the information you just entered.

The following is a sample display:

The following configuration will be used:
Enable Password: ciscopix
Clock (UTC): 14:22:00 Aug 28 2001
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: accounting_pix
Domain name: example.com
IP address of host running PIX Device Manager: 192.168.1.2

Step 22 You are then prompted to confirm the information and write it to Flash memory:

Use this configuration and write to flash? y

Enter y at the prompt to save the information to the PIX Firewall Flash memory. If you enter n, you can edit the values before continuing.
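As an added example (not part of the Cisco guide), the following Python checks a setup summary against the constraints in Table 2-1 before you answer y. The summary text is a constructed sample copied in shape from the display above, and the check that the PDM workstation sits on the inside network is an assumption this chapter does not state.

```python
import ipaddress
import re

# Constructed sample in the shape of the setup summary shown in this chapter.
SETUP_SUMMARY = """\
The following configuration will be used:
Enable Password: ciscopix
Clock (UTC): 14:22:00 Aug 28 2001
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: accounting_pix
Domain name: example.com
IP address of host running PIX Device Manager: 192.168.1.2
"""

# 24-hour hour:minutes:seconds followed by month, day and year, as setup echoes it.
CLOCK_FORMAT = re.compile(r"\d{2}:\d{2}:\d{2} [A-Z][a-z]{2} \d{1,2} \d{4}")


def parse_summary(text):
    """Return the 'Field: value' lines of a setup summary as a dict."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if value.strip():                  # skips the heading line, which has no value
            fields[key.strip()] = value.strip()
    return fields


def check_setup(fields):
    """Apply the Table 2-1 constraints; return a list of problems (empty means OK)."""
    problems = []
    password = fields.get("Enable Password", "")
    if not (1 <= len(password) <= 16 and password.isalnum()):
        problems.append("enable password must be 1-16 alphanumeric characters")
    if not 1 <= len(fields.get("Host name", "")) <= 16:
        problems.append("host name must be 1-16 characters")
    if not CLOCK_FORMAT.fullmatch(fields.get("Clock (UTC)", "")):
        problems.append("clock must be hh:mm:ss Mon DD YYYY, in UTC")
    try:
        inside = ipaddress.ip_interface(
            f"{fields['Inside IP address']}/{fields['Inside network mask']}")
        pdm_host = ipaddress.ip_address(
            fields["IP address of host running PIX Device Manager"])
    except (KeyError, ValueError) as exc:     # also catches non-contiguous masks
        problems.append(f"bad address or mask: {exc}")
        return problems
    net = inside.network
    if net.prefixlen == 32:                # all-255s mask: no traffic passes on the interface
        problems.append("mask 255.255.255.255 prevents traffic on the inside interface")
    # Assumption (not stated in the chapter): the PDM workstation sits on the inside network.
    if pdm_host not in net:
        problems.append("PDM host address is not on the inside network")
    if pdm_host == inside.ip:              # inside address must be unique on the network
        problems.append("PDM host address duplicates the inside interface address")
    return problems
```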

Step 23 After you are finished, click Save on the HyperTerminal File menu to save your settings so you can use the same connection configuration again in the future. Then click Exit. When HyperTerminal prompts you to ask if you are sure you want to disconnect, click Yes to exit HyperTerminal.


Starting PDM


Step 1 On a browser running on a workstation connected to the PIX Firewall unit, enter the following:

https://pix_inside_interface_ip_address

where pix_inside_interface_ip_address is the IP address of the inside interface of your PIX Firewall, entered in standard (number) format.

For the PIX 501 and PIX 506/506E, the factory default inside interface address is 192.168.1.1, so enter https://192.168.1.1 for those platforms.

This launches PDM.


Note Ensure that you add the "s" to "https" or the web browser cannot connect.

"https" is what you enter to use Secure Hypertext Transfer Protocol instead of plain Hypertext Transfer Protocol (HTTP).


Step 2 Accept the security certificate. (You must accept the certificate to use PDM.)

Step 3 Do not enter a username. If there is an enable password, enter it. If there is no enable password, click OK to continue.

Step 4 Accept the second certificate presented also. This certificate, issued to Cisco Systems by the VeriSign certification authority (CA), verifies that the applet originated from Cisco Systems and enables PDM to run as a signed applet.

Step 5 PDM starts after the certificates are accepted. Follow the instructions on screen.

Step 6 Refer to the PDM online help for information on how to use PDM.


Using the PDM Startup Wizard

We recommend that you use the PDM Startup Wizard to begin configuring your PIX Firewall. When you complete the wizard, your PIX Firewall immediately begins enforcing the network security policy you specified in the wizard prompts.

After PDM launches, you can access the PDM Startup Wizard from the main PDM control panel as follows:


Step 1 On the PDM top menu, click Wizards>Startup Wizard.

Step 2 Read the Welcome to the Startup Wizard page and click Next when ready to continue.

Step 3 Fill in the configuration prompts according to your network security policies. Click Next at the end of each wizard page to go to the next set of prompts, or click Back to return to the previous prompts.

For assistance with deciding what to enter into the Startup Wizard dialog boxes, click Help.

Step 4 When you have completed all the wizard pages, the Startup Wizard Completed page displays. To send the configuration to your PIX Firewall and exit the wizard, click Finish. Otherwise, click Back to make changes to previous pages.


Tips on Using PDM

The optimal configuration file size for use with PDM is less than 100 KB, which is approximately 1500 lines. The PIX Firewall platforms do not have the same configuration file size limitations as PDM. Most PIX Firewall platforms support up to 1 MB, though the PIX 525 and PIX 535 support even larger configurations (up to 2 MB).


Tips You can view the size of your configuration from the PIX Firewall console. Either connect a computer to the PIX Firewall unit or use Telnet to access the console.

After entering the enable mode password, use the show flashfs command to view the configuration size, as shown in the following example:

pixdoc515(config)# show flashfs
flash file system:  version:2  magic:0x12345679
  file 0: origin:       0 length:1511480
  file 1: origin: 2883584 length:1639
  file 2: origin:       0 length:0
  file 3: origin: 3014656 length:4311804
  file 4: origin: 8257536 length:280

The "file 1" line lists the number of characters in your configuration after the "length" parameter. In this example, the configuration consists of 1639 characters. Divide this number by 1024 to view the number of kilobytes. The configuration in this example is slightly more than 1.6 KB.
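As an added example (not from the Cisco guide), the following Python parses show flashfs output, reports the configuration size in kilobytes as described above, and compares it with the 100 KB PDM recommendation. The output text is a constructed sample modelled on the example above, and the line estimate assumes the chapter's ratio of 100 KB to roughly 1500 lines.

```python
import re

# Constructed sample modelled on the show flashfs output quoted in this chapter.
SHOW_FLASHFS = """\
pixdoc515(config)# show flashfs
flash file system:  version:2  magic:0x12345679
  file 0: origin:       0 length:1511480
  file 1: origin: 2883584 length:1639
  file 2: origin:       0 length:0
  file 3: origin: 3014656 length:4311804
  file 4: origin: 8257536 length:280
"""

CONFIG_FILE_INDEX = 1                       # "file 1" holds the saved configuration
PDM_OPTIMAL_BYTES = 100 * 1024              # PDM works best with configurations under 100 KB
BYTES_PER_LINE = PDM_OPTIMAL_BYTES / 1500   # rough ratio from the chapter's "100 KB ~ 1500 lines"

FILE_LINE = re.compile(r"^\s*file (\d+): origin:\s*(\d+) length:(\d+)\s*$")


def parse_flashfs(text):
    """Return {file_index: (origin, length)} parsed from show flashfs output."""
    files = {}
    for line in text.splitlines():
        match = FILE_LINE.match(line)
        if match:
            index, origin, length = (int(g) for g in match.groups())
            files[index] = (origin, length)
    return files


def config_size(files):
    """Return (bytes, kilobytes, estimated_lines) for the configuration file."""
    if CONFIG_FILE_INDEX not in files:
        raise ValueError("show flashfs output has no 'file 1' entry")
    length = files[CONFIG_FILE_INDEX][1]
    return length, length / 1024, round(length / BYTES_PER_LINE)


def pdm_size_ok(files):
    """True when the configuration is within PDM's optimal size."""
    return config_size(files)[0] < PDM_OPTIMAL_BYTES


if __name__ == "__main__":
    size_bytes, size_kb, est_lines = config_size(parse_flashfs(SHOW_FLASHFS))
    print(f"configuration: {size_bytes} bytes ({size_kb:.1f} KB, about {est_lines} lines)")
    print("within PDM optimal size" if pdm_size_ok(parse_flashfs(SHOW_FLASHFS))
          else "larger than the 100 KB PDM recommendation")
```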


Once PDM is running, it reads in the configuration from the PIX Firewall and displays the current settings.

The first time you use PDM with a PIX Firewall, PDM asks permission to save PDM-specific commands to your PIX Firewall configuration. These commands are necessary to update PDM's network topology information and do not change your network security policy on the PIX Firewall. When prompted, you can choose not to accept these commands, but without the network topology information, PDM can only monitor your PIX Firewall. Consequently, not accepting these commands limits your access in PDM to the Monitoring tab.


Tips For Microsoft Internet Explorer web browsers, when prompted to accept certificates select the Always trust content from Cisco Systems check box so that the certificate is automatically accepted the next time you run PDM.

For Netscape Communicator or Navigator, select the Remember this decision check box so that the certificate is automatically accepted when you run PDM.


The following conditions can affect the performance of PDM on your workstation:

You can run several PDM sessions on a single workstation. The maximum number of PDM sessions you can run varies depending on your workstation's resources such as memory, CPU speed, and browser type.

The time required to download the PDM applet can be greatly affected by the speed of the link between your workstation and the PIX Firewall unit. A minimum of 56 Kbps link speed is required; however, 1.5 Mbps or higher is recommended. Once the PDM applet is loaded on your workstation, the link speed impact on PDM operation is negligible.

If your workstation's resources are running low, you should close and re-open your browser before launching PDM.

For information on PDM caveats, refer to the "Caveats" section of the Cisco PIX Device Manager Version 2.0 Release Notes.