Cisco PIX Security Appliance Hardware Installation Guide, Version 7.2
PIX 520

Table Of Contents

PIX 520

PIX 520 Product Overview

Installing the PIX 520

Installing Interface Cables to the PIX 520

PIX 520 Feature Licenses

Installing Failover

Installing LAN-Based Failover

Removing and Replacing the PIX 520 Chassis Cover

Removing the Chassis Cover

Replacing the Chassis Cover

Replacing a Lithium Battery

Installing a Memory Upgrade

Memory Installation Steps

Installing a Circuit Board in the PIX 520

16 MB Flash Circuit Board

VPN Accelerator Circuit Board

Gigabit Ethernet Circuit Board

Installing the PIX 520 DC Model


PIX 520


This chapter guides you through the installation of the PIX 520, and includes the following sections:

PIX 520 Product Overview

Installing the PIX 520

PIX 520 Feature Licenses

Installing Failover

Installing LAN-Based Failover

Removing and Replacing the PIX 520 Chassis Cover

Replacing a Lithium Battery

Installing a Memory Upgrade

Installing a Circuit Board in the PIX 520

Installing the PIX 520 DC Model


Note The PIX 520 is not supported in software Version 7.0(1).


PIX 520 Product Overview

This section describes the PIX 520 front and rear panels and the panel LEDs.

Figure 5-1 shows the front view of the PIX 520.

Figure 5-1 PIX 520 Front Panel

Figure 5-2 shows the rear view of the PIX 520.

Figure 5-2 PIX 520 Rear Panel


Note Use of the four-port Ethernet circuit board changes the position of the outside and inside interfaces depending on the slot in which the circuit board is installed. Four-port Ethernet connectors are numbered from the top connector down sequentially. On horizontally mounted cards, the slots are numbered left to right.


The PIX 520 can be used with Ethernet circuit boards.

The four-port Ethernet circuit board provides four 10/100 Ethernet connections and has autosense capability. Connectors on the four-port Ethernet circuit board are numbered top to bottom sequentially; however, the actual device number depends on the slot in which the four-port Ethernet circuit board is installed.

Table 5-1 describes how the top connector is numbered.

Table 5-1 Numbering Devices with a Four-Port Connector

Slot 0 Contains
Slot 1 Contains
Slot 2 Contains
Four-Port Top
Connector

4-port

Any

Any

ethernet0

Ethernet

4-port

Any

ethernet1

Ethernet

Ethernet

4-port

ethernet2

Token Ring

4-port

Any

ethernet0

Token Ring

Token Ring

4-port

ethernet0

Token Ring

Ethernet

4-port

ethernet1

Ethernet

Token Ring

4-port

ethernet1


With the four-port Ethernet circuit board, having a circuit board in slot 3 makes the number of interfaces greater than six; while the circuit board in slot 3 cannot be accessed, its presence does not cause problems with the PIX security appliance.

Figure 5-3 shows the location of the interfaces if you install a four-port Ethernet circuit board in slot 0.

Figure 5-3 Four-Port Ethernet Circuit Board Installed in Slot 0

Figure 5-4 shows how the slots are numbered if a single-port Ethernet circuit board is inserted in
slot 0, and a four-port Ethernet circuit board is inserted in slot 1.

Figure 5-4 Single-Port Ethernet Circuit Board Installed in Slot 0 and Four-Port Ethernet Circuit Board Installed in Slot 1

Figure 5-5 shows how the slots are numbered if single-port Ethernet circuit boards are installed in slot 0 and in slot 1, and a four-port Ethernet circuit board is inserted in slot 2.

Figure 5-5 Single-Port Ethernet Circuit Board Installed in Slot 0 and 1 and Four-Port Ethernet Circuit Board Installed in Slot 2

Installing the PIX 520

To install the PIX 520, perform the following steps:


Step 1 Refer to Figure 5-6 for information on the features of the PIX 520.

Figure 5-6 PIX 520 Front, Rear, and Side Panels

Step 2 Connect network cables to each of the PIX security appliance network interfaces. On the PIX 520, connect the cables at the front of the unit.

If you are not installing a four-port Ethernet circuit board, add the cables as shown in Figure 5-7.

Figure 5-7 Up to Four Single-Port Interfaces in the PIX Security Appliance


Installing Interface Cables to the PIX 520

To install interface cables to the PIX 520, perform the following steps:


Step 1 Locate the serial cable. The serial cable assembly consists of a null modem cable with RJ-45 connectors, two separate DB-9 connectors, and a separate DB-25 connector as shown in Figure 5-8.

Step 2 Install the serial cable between the PIX security appliance and your console computer.

Figure 5-8 PIX Security Appliance Serial Cable Assembly

Step 3 Connect one of the DB-9 serial connectors to the console connector on the front panel of the PIX security appliance.

Step 4 Connect one end of the RJ-45 null modem cable to the DB-9 connector.

Step 5 If you are installing an AC voltage PIX security appliance, connect the power cord to the power connector on the rear panel of the PIX security appliance, and to a power outlet.

If you are installing a DC voltage PIX security appliance, refer to the "Installing the PIX 520 DC Model" section.

Step 6 The following options are available:

a. If you have a second PIX security appliance to use as a failover unit, install the failover feature and cable as described in the "Installing Failover" section.


Note Do not power on the failover units until the primary unit is configured.


If needed, install the PIX security appliance syslog server as described in the logging command page in the command reference online at:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_command_reference_list.html

b. If you need to install an optional circuit board such as a single-port Ethernet board, or the four-port Ethernet board, refer to the "Installing a Circuit Board in the PIX 520" section for more information.

c. If you need to install additional memory, refer to the "Installing a Memory Upgrade" section.

If you are ready to start configuring the PIX security appliance, power on the unit. Refer to the configuration guide online at:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/conf_gd.html


Always check the release notes first before configuring the PIX security appliance for the latest release details. You can find the latest versions of release notes online at:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_notes_list.html

PIX 520 Feature Licenses

If you have a PIX 520-UR unrestricted feature license, the following options are available:

If you have a second PIX 520 to use as a failover unit, install the failover feature and cable as described in the "Installing Failover" section.

If needed, install the PIX security appliance syslog server as described in the logging command in the command reference online at:

http://cisco.com/en/US/products/sw/secursw/ps2120/prod_command_reference_list.html

Refer to the "Installing LAN-Based Failover" section for information about how to remove and replace the chassis cover if you need to install optional circuit boards.


Note It is very important to remove the chassis cover before installing circuit boards in the PIX 520. Even though it appears possible to add or remove circuit boards from the back panel, removing the chassis cover greatly simplifies the process.


If you need to install additional memory, refer to the "Installing a Memory Upgrade" section.

Installing Failover

To install a failover connection, perform the following steps:


Note This section only applies to PIX security appliance units with a "UR" (unrestricted) license.



Step 1 Power off both the primary and secondary units.


Note Both PIX security appliances must be the same model number, have at least as much RAM, have the same Flash memory size, and be running the same software version.


Step 2 Locate the Failover cable (shown in Figure 5-9). This cable is shipped separately from the PIX security appliance. The cable is labeled Primary on one end and Secondary on the other. Install the cable for the PIX 520 as shown in Figure 5-9.

Figure 5-9 PIX 520 Failover Cable Connection

Step 3 Connect the Primary end of the Failover cable to the first PIX security appliance unit, that is, the one you have already configured.

Step 4 Connect the Secondary end of the Failover cable to the standby unit.

Step 5 Connect a power cord to the power connector on the rear panel of each unit, and the other end of each power cord to (preferably separate) power outlets.

Step 6 If you are using Stateful Failover, use one of the following types of connections, that is appropriate for your system, between the dedicated interfaces on the PIX security appliance units:

Category 5 crossover cable directly connecting the primary unit to the secondary unit.

100BaseTX half-duplex hub using straight Category 5 cables.

100BaseTX full duplex on a dedicated switch or dedicated VLAN of a switch.

All enabled interfaces must be connected between the active and standby units. Only configure the active unit. On the PIX 520, you can access the console and determine which unit is active with the show failover command in the command reference online at:

http://cisco.com/en/US/products/sw/secursw/ps2120/prod_command_reference_list.html.


Caution Do not turn the power on until the units are connected and the primary unit is configured completely.

Step 7 Use the power switch at the back of the units to power the primary unit on and then power on the standby unit.

Within a few seconds, the active unit automatically downloads its configuration to the standby unit.

If the primary unit fails, the secondary unit automatically becomes active.


Installing LAN-Based Failover

LAN-based failover supports failover between two units connected over a dedicated Ethernet interface. LAN-based failover eliminates the need for a special Failover cable and overcomes the distance limitations imposed by the Failover cable.

For information on configuring a LAN-based failover, refer to the configuration guide online at:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/conf_gd.html


Note Both chassis must be the same model number, have the same amount of RAM, Flash memory, number and type of interfaces, and be running the same software version.


To set up a LAN-based failover connection, perform the following steps:


Step 1 Disconnect both the PIX security appliances, so that there is no traffic flow between them. If the Failover cable is connected to the PIX security appliance, disconnect it.

Step 2 Configure the PIX security appliances for LAN-based failover. Refer to the chapter on configuring LAN-based failover in the configuration guide online at:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/conf_gd.html

Step 3 Power off both units.

Step 4 Connect the LAN failover interfaces to the dedicated switch/hub, as shown in Figure 5-10.


Note A dedicated LAN interface and a dedicated switch (or VLAN) is required to implement LAN-based failover. You cannot use a crossover Ethernet cable to connect the two PIX security appliances.


Figure 5-10 LAN-Based Failover Connections

Step 5 If you are using Stateful Failover, use one of the following types of connections, that is appropriate for your system, between the dedicated interfaces on the PIX security appliances:

Category 5 crossover cable directly connecting the primary unit to the secondary unit.

100BaseTX full duplex on a dedicated switch or dedicated VLAN of a switch.

1000BaseTX full duplex on a dedicated switch or dedicated VLAN of a switch.


Note For Stateful Failover on the PIX 520, if you have Gigabit Ethernet (GE) interfaces, then the failover link must be GE.



Caution Do not turn the power on until the units are connected and the primary unit is configured completely.

Step 6 Power the primary unit on first, then power on the secondary unit. Within a few seconds, the active unit automatically downloads its configuration to the standby unit.

If the primary unit fails, the secondary unit automatically becomes active.


Removing and Replacing the PIX 520 Chassis Cover

This section describes how to remove and replace the chassis cover from the PIX 520. This section includes the following topics:

Removing the Chassis Cover

Replacing the Chassis Cover

Removing the Chassis Cover

To remove the chassis cover, perform the following steps:


Note Removing the PIX security appliance case does not affect your Cisco warranty. Upgrading the PIX security appliance does not require any special tools and does not create any radio frequency leaks.



Step 1 Read the Regulatory Compliance and Safety Information document.

Step 2 Ensure that the PIX security appliance is powered off. Unplug the power cord from the power outlet. Once the upgrade is complete, you can safely reconnect the power cord.


Warning Before working on a system that has an On/Off switch, turn OFF the power and unplug the power cord.


Step 3 Remove the three screws holding the chassis cover in place, as shown in Figure 5-11.

Figure 5-11 Removing the Chassis Cover Screws

Step 4 Remove the chassis cover as shown in Figure 5-12.

Figure 5-12 Removing the Chassis Cover


Replacing the Chassis Cover


Caution Do not operate PIX security appliance units without the chassis cover installed. The chassis cover protects the internal components, prevents electrical shorts, and provides proper air-flow for cooling the electronic components.

To replace the chassis cover, perform the following steps:


Step 1 Replace the chassis cover, as shown in Figure 5-13.

Step 2 Secure the three screws.

Step 3 Reinstall all interface cables.

Figure 5-13 Replacing the Chassis Cover


Replacing a Lithium Battery

The PIX security appliance has a lithium battery on its main circuit board. This battery has an operating life of about ten years. When the battery loses its charge, the PIX security appliance cannot function. The lithium battery is not a field-replacable unit (FRU). Contact Cisco TAC to replace the battery.


Note Do not attempt to replace this battery yourself.



Warning Danger of explosion exists if the lithium battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions.


Installing a Memory Upgrade

Observe the following warnings, cautions, and notes when installing additional PIX security appliance system memory.

The following statement applies to DC models:


Warning Before performing any of the following procedures, ensure that power is removed from the DC circuit. To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position.


The following statement applies to both AC and DC models:


Warning Before working on a system that has an On/Off switch, turn OFF the power and unplug the power cord.



Caution Always remove old memory before installing new memory.


Note After installing additional memory in the PIX 520, do not remove the memory strips and power on the unit, or the PIX security appliance will become inoperable.



Caution If you remove the PIX security appliance chassis chassis cover, always reinstall the chassis cover. Running the PIX security appliance without the chassis cover causes overheating and damage to electrical components.

Memory Installation Steps

To install additional system memory, perform the following steps:


Step 1 If the unit is rack-mounted, remove network wires and any cords connecting to the PIX security appliance. The PIX 520 should be removed from the rack and placed on a stable working surface. Ensure that the unit is unplugged from its power source.

Step 2 Unpack the items in the memory upgrade kit.

Remove the chassis cover from the PIX security appliance. Remove all screws holding the assembly in place. Refer to the "Removing and Replacing the PIX 520 Chassis Cover" section for more information.

Step 3 Determine the location of your system memory sockets (see Figure 5-14).

Step 4 Use the markings on the motherboard to determine the socket numbers. Always install the first memory strip into the lowest socket number. Progressively add memory boards into higher numbered sockets.

Figure 5-14 PIX 520 System Memory Location

Step 5 Locate the wrist grounding strap in the accessory kit and connect one end to the unit as shown in Figure 5-17, or to the PIX security appliance chassis, and securely attach the other to your wrist so it contacts your bare skin.

Step 6 With the wrist strap on your wrist, carefully grasp the memory strip from either end. Note that a DIMM strip has notches.

Step 7 To install a DIMM strip:

Remove the old memory strip by opening the two plastic wing connectors, and pulling the old strip up. Discard the old strip.

When installing the memory strip in the PIX 520, install the new strip in Bank 0 as shown in Figure 5-15 and Figure 5-16, by opening the two plastic wing connectors, inserting the strip, and closing the wing connectors.

Figure 5-15 Inserting a DIMM Memory Strip in the PIX 520

Figure 5-16 Securing a DIMM Memory Strip in the PIX 520

When you finish inserting new RAM memory, replace the chassis cover on the chassis. Reattach the screws. If desired, rack mount the PIX security appliance and attach all cables and cords as discussed in previous sections. After the PIX security appliance is installed, you can view the amount of RAM memory in the system startup messages or with the show version command in the command reference online at:

http://cisco.com/en/US/products/sw/secursw/ps2120/prod_command_reference_list.html.


Installing a Circuit Board in the PIX 520

The information in this section refers to the installation of a circuit board in the PIX 520.

The 4-port 64 bit/66 MHz FE card (PIX-4FE-66) is supported in software Versions 6.3, 6.2(2), 6.1(4), and 5.2(9), and later versions. These are the minimum software versions that support the card.


Note The PIX-4FE card continues to be supported but is no longer manufactured.


The new card has the following characteristics:

Includes an Intel 21154BE bridge and 4 Intel 82559 Ethernet MAC/PHY devices.

Supports 10/100mbps full/half-duplex operation on each port.

Retains bus performance when installed with other 66 MHz devices.

Does not support auto MDI/MDIX operation.

This section includes the following topics:

16 MB Flash Circuit Board

VPN Accelerator Circuit Board

Gigabit Ethernet Circuit Board

Installing the PIX 520 DC Model

To install a circuit board in the PIX 520, perform the following steps:


Step 1 Locate the grounding strap from the accessory kit. Fasten the grounding strap to your wrist so that it contacts your bare skin. Attach the other end to bare metal inside the PIX security appliance chassis as shown in Figure 5-17.

Figure 5-17 Attaching Grounding Strap to Your Wrist and to the PIX Security Appliance

Step 2 Insert the new circuit board, as shown in Figure 5-18, and secure it using the screw provided with the circuit board.

Figure 5-18 Installing the New Circuit Board

Step 3 Figure 5-19 displays how the circuit boards are numbered according to their position. If you have Version 4.4 and a four-port Ethernet circuit board, refer to the "PIX 520 Product Overview" section.


Note When adding a network interface or encryption circuit board, install the new circuit board in the first empty slot to the right of the existing network interface circuit board.


Figure 5-19 PIX Security Appliance Network Circuit Boards

Step 4 If you are installing a 4-port circuit board, note that the circuit board will overlap the slot connector on the motherboard. This does not affect the use or operation of the circuit board. See Figure 5-20.

Figure 5-20 4-Port Circuit Board Overlap


16 MB Flash Circuit Board

Along with upgrading your Flash memory to 16 MB, the PIX security appliance 16 MB Flash circuit board includes pre-installed PIX security appliance software and a UR (unrestricted) 56-bit DES encryption license. The 16 MB Flash circuit board installs into the PIX security appliance ISA slot.

An illustration of the 16 MB Flash circuit board is shown in Figure 5-21.

Figure 5-21 PIX Security Appliance 16 MB Flash Circuit Board

Use the following information to install a 16 MB Flash circuit board:

The PIX security appliance must have a minimum of 32 MB of RAM memory.

You must obtain a new activation key if you will be using 3DES.

The PIX security appliance should not be downgraded to a software revision lower than 5.0(3) after the new software from the 16 MB circuit board is installed.

If you downgrade from software Version 5.3 to 5.2 or lower, you will lose private data (keys, certifications, and CRLs) that are stored in Flash memory. You need to use the clear flashfs command, downgrade 5.0 | 5.1 | 5.2 options if your PIX security appliance has 16 MB Flash memory, private data stored in the Flash memory, and you used the ca save all command to save these items in Flash memory.

To install the 16 MB Flash circuit board, perform the following steps:


Step 1 Record the present PIX security appliance unit serial number.

Step 2 Record the new serial number from the 16 MB Flash circuit board.


Note After installation, the serial number of the PIX security appliance changes to the serial number supplied with the 16 MB Flash circuit board.


Step 3 Create a backup of your present configuration (to use later to reconfigure your system).

Step 4 Obtain a new Activation key (if using 3DES).

Step 5 Remove any previously installed Flash memory circuit boards from the unit.


Caution Do not remove or reposition the 16 MB Flash circuit board. The PIX security appliance will not work if this jumper is moved.

Step 6 Install the 16 MB Flash circuit board into an available ISA slot in the PIX security appliance chassis.


VPN Accelerator Circuit Board

The VPN Accelerator (PIX-VPN-ACCEL) is an encryption and accelerator circuit board. The VPN Accelerator uses a PCI interface and therefore can only be installed in PIX security appliance platforms with PCI slots. The VPN Accelerator begins to function immediately after installation without the need of special installation configurations.


Note The new VPN Accelerator cannot be used with the former PIX security appliance IPSec accelerator in the same chassis. The PIX security appliance IPSec accelerator was also known as the Private Link card.


An illustration of the VPN Accelerator is shown in Figure 5-22.

Figure 5-22 VPN Accelerator Circuit Board

Gigabit Ethernet Circuit Board

PIX security appliance supports 1000 Mbps (Gigabit) Ethernet. The Gigabit Ethernet circuit board uses only has one hardware speed and the following duplex options:

1000SXfull—Forces full-duplex operation

1000BaseSX—Forces half-duplex operation

1000auto—Auto negotiates full or half duplex

The Gigabit Ethernet circuit board and the fiber optic cable connection are shown in Figure 5-23.

Figure 5-23 Gigabit Ethernet Circuit Board

The Gigabit Ethernet circuit board has three LEDs:

TX—Transmitting data

RX—Receiving data

LINK—The Gigabit Ethernet circuit board has established a network connection

Installing the PIX 520 DC Model


Warning Before performing any of the following procedures, ensure that power is removed from the DC circuit. To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position.


To install the PIX 520 DC power model, perform the following steps:


Step 1 Read the Regulatory Compliance and Safety Information document.

Step 2 Terminate the DC input wiring on a DC source capable of supplying at least 15 amps. A 15-amp circuit breaker is required at the 48 VDC facility power source. An easily accessible disconnect device should be incorporated into the facility wiring.

Step 3 Be sure the PIX 520 power is off by checking the power switch at the rear of the unit.

Step 4 As shown in Figure 5-24, the PIX 520 is equipped with two grounding studs at the back of the unit, which you can use to connect a two-hole grounding lug to the PIX 520. Use the 10-32 nuts provided with the PIX 520 to connect a copper standard barrel grounding lug to the studs. The PIX 520 requires a lug where the distance between the center of each hole is 0.56 inches. A lug is not supplied with the PIX 520.

Figure 5-24 Attaching a Grounding Lug to the PIX Security Appliance

Step 5 Ensure that power is removed from the DC circuit. To ensure that all power is OFF, locate the circuit breaker on the panel board that services the DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position.

Step 6 Strip the ends of the wires for insertion into the power connect lugs on the PIX 520.

Step 7 Insert the ground wire into the connector for the earth ground and tighten the screw on the connector (see Figure 5-25). Using the same method as for the ground wire, connect the negative wire and then the positive wire.

Figure 5-25 Attaching DC Power Cables

Step 8 Reconnect power to the PIX 520. After wiring the DC power supply, remove the tape from the circuit breaker switch handle and reinstate power by moving the handle of the circuit breaker to the ON position.

Step 9 Insert the PIX 520 system diskette in the drive at the front of the unit.

Step 10 If needed, install the interface boards as described in the "Installing a Circuit Board in the PIX 520" section.

Step 11 Power on the unit from the switch at the rear of the unit.



Note If you need to power cycle the DC PIX security appliance, wait at least five seconds between powering off the unit and powering it back on.