Table of Contents

Preparing Your Firewall Devices

Before you can use Firewall MC to manage a firewall device, you must bootstrap the device. Bootstrapping configures a device, using the CLI, with the basic settings that allow the CiscoWorks Server to connect and deploy commands to it. Firewall devices are those versions of the PIX Firewall or Firewall Services Module (FWSM) supported by Firewall MC. This appendix describes how to prepare firewall devices to be managed by Firewall MC and how to prepare a PIX Firewall to use the AutoUpdate Server (AUS). (FWSM does not support AUS.) If the required configuration exists on the device, Firewall MC can import the settings, and you do not have to follow the bootstrap procedures. However, you should review the following procedures to ensure that the device configuration includes the settings required for Firewall MC to connect to and discover each device on your network.

Tip You can also use the PIX Firewall Device Manager (PDM) Startup Wizard to configure the firewall. See Cisco PIX Firewall and VPN Configuration Guide for more information.

Note   For Firewall MC and PIX Firewall to communicate, you must configure https in Firewall MC. See Configuring HTTPS (SSL).

Bootstrapping PIX Firewalls

Before you can use Firewall MC to manage a PIX Firewall, you must configure the firewall so that Firewall MC can contact and administer it. If the firewall is already configured, you should verify that its configuration is correct for Firewall MC. The procedures in this section take you through using the command line to verify the configuration.

Determining When to Bootstrap a PIX Firewall

The following two scenarios require that you bootstrap a PIX Firewall before managing it with Firewall MC:

To verify an existing PIX Firewall can be administered by CiscoWorks Server, follow these steps:

Step 2   Enter enable.

Step 3   Enter password at the command prompt.

The password identifies the enable password used to administer this PIX Firewall.

The PIX Firewall enters privileged mode.

Step 4   Enter config terminal.

The PIX Firewall enters configuration mode.

Step 5   Enter show http.

Verify that the IP address of the CiscoWorks Server appears in the list and that the HTTP server is enabled. If these two settings exist, you do not need to bootstrap the device. Otherwise, see Bootstrapping an Existing PIX Firewall.

The PIX Firewall lists the allowed hosts and the enable state of the HTTP server.

Note   You should also verify that HTTPS access is enabled as described in Verifying PIX Firewall Configuration.

Step 6   Enter exit.

The PIX Firewall exits configuration mode.

PIX Firewall Configuration Worksheet

Before you bootstrap a PIX Firewall, you must collect the information that describes the placement of that PIX Firewall on your network. Complete the following worksheet to identify the information used when you bootstrap a PIX Firewall.

Note   This worksheet assumes that Firewall MC will connect to the firewall device using the inside interface. Although the inside interface is recommended for this connection, it is not required.

Bootstrapping an Existing PIX Firewall

Before You Begin

Make sure that the interfaces, IP addresses, and routes are defined for this PIX Firewall. To configure a new PIX Firewall, see Bootstrapping a New PIX Firewall.

Step 2   Enter enable.

Step 3   Enter password at the command prompt.

The password identifies the enable password used to administer this PIX Firewall.

The PIX Firewall enters privileged mode.

Step 4   Enter config terminal.

The PIX Firewall enters configuration mode.

Step 5   If you have never used Cisco PIX Device Manager (PDM) to manage this PIX Firewall, follow Step 6 through Step 19. If you are already using PDM to manage this PIX Firewall, skip to Step 20.

If you configured this PIX Firewall to work with PDM, you could be using an interface other than inside for management. Step 20 allows you to specify an additional administrative host, the CiscoWorks Server, on the appropriate interface. Step 14 assumes the inside interface is used to manage this PIX Firewall.

Step 6   Enter setup.

---

Note    The setup command enables the PIX Firewall HTTP server, allows you to specify the IP address of the CiscoWorks Server that will manage the PIX Firewall, and populates those settings required to generate the default certificate used by SSL-based connections to the HTTP server. The setup command adds to any existing list of hosts allowed to manage the device; it does not replace existing settings.

---

TimeSaver If the settings are correct for a given prompt, press Enter to bypass the question.

Step 7   Enter y at the Pre-configure PIX Firewall now through interactive prompts [yes]? prompt.

The Enable password [<use current password>]: prompt appears.

Step 8   Enter the current enable password for this PIX Firewall.

The Clock (UTC) prompt appears.

Step 9   Verify that the PIX Firewall clock is set to Universal Coordinated Time (UTC), formerly known as Greenwich Mean Time (GMT), then press Enter.

The Year [system year]: prompt appears.

Step 10   Enter the current year, or default to the year stored in the host computer.

The Month [system month]: prompt appears.

Step 11   Enter the current month, or default to the month stored in the host computer.

The Day [system day]: prompt appears.

Step 12   Enter the current day, or default to the day stored in the host computer.

The Time [system time]: prompt appears.

Step 13   Enter the current time in hh:mm:ss format, or default to the time stored in the host computer.

The Inside IP address: prompt appears.

Step 14   Verify the network interface IP address of the PIX Firewall, then press Enter.

The Inside network mask: prompt appears.

Step 15   Verify the network mask that applies to inside IP address, then press Enter.

Use 0.0.0.0 to specify a default route. The 0.0.0.0 network mask can be abbreviated as 0.

The Host name: prompt appears.

Step 16   Verify the hostname to display in the PIX Firewall command line prompt, then press Enter.

---

Note    The hostname for each device must be unique. Firewall MC cannot manage multiple devices with the same hostname.

---

The Domain name: prompt appears.

Step 17   Verify the DNS domain name of the network on which the PIX Firewall runs, for example, example.com, then press Enter.

---

Note    The hostname and domain name are used to generate the default certificate for the SSL connection. The interface type is determined by the hardware.

---

The IP address of host running PIX Device Manager: prompt appears.

Step 18   Enter the IP address of the CiscoWorks Server that will manage this PIX Firewall.

The Use this configuration and write to flash? prompt appears.

Step 19   Enter yes.

---

Note    We assume that you also want to manage or monitor the PIX Firewall with PDM; therefore, Step 20 explains how to enable an additional administrative host for this use. For security reasons, you should limit the number of administrative hosts to the minimum number required by your organization.

---

If you answer yes, the inside interface is enabled and the requested configuration is written to Flash memory. If you answer anything other than yes, the setup prompts repeat using the values already entered as the defaults for the questions.

If you do not require additional administrative hosts to have access to this firewall, you have performed the necessary configuration, skip to Step 22. Otherwise, follow Step 20.

Step 20   Enter http ip_address [netmask] [if_name] to specify that the CiscoWorks Server can connect to and configure the PIX Firewall using HTTP.

---

Note    Access from any host is allowed if 0.0.0.0 0.0.0.0 (or 0 0) is specified for ip_address and netmask. However, we do not recommend this nonrestrictive configuration.

---

Step 21   Enter write memory.

The PIX Firewall stores the configuration in Flash memory.

Step 22   Enter exit.

The PIX Firewall exits configuration mode.

Bootstrapping a New PIX Firewall

To bootstrap a new PIX Firewall, you configure only the information required for the Firewall MC to connect to the inside interface of that PIX Firewall. After you connect to the PIX Firewall, use Firewall MC to define the remaining configuration settings, such as the remaining interfaces and routes.

This procedure makes the following assumptions:

This procedure also assumes the PIX Firewall has been booted for the first time and that the terminal displays the Pre-configure PIX Firewall now through interactive prompts [yes]? prompt, which indicates that the setup command has been run. The setup command enables the PIX Firewall HTTP server, allows you to specify the IP address of one host that can managed the PIX Firewall, and populates those settings required to generate the default certificate used by SSL-based connections to the HTTP server.

To bootstrap a new PIX Firewall attached on your network, follow these steps:

Step 2   Enter y at the Pre-configure PIX Firewall now through interactive prompts [yes]? prompt.

The Enable password [<use current password>]: prompt appears.

Step 3   Enter the current enable password for this PIX Firewall.

The Clock (UTC) prompt appears.

Step 4   Set the PIX Firewall clock to Universal Coordinated Time (also known as Greenwich Mean Time), then press Enter.

The Year [system year]: prompt appears.

Step 5   Enter current year, or default to the year stored in the host computer.

The Month [system month]: prompt appears.

Step 6   Enter current month, or default to the month stored in the host computer.

The Day [system day]: prompt appears.

Step 7   Enter current day, or default to the day stored in the host computer.

The Time [system time]: prompt appears.

Step 8   Enter current time in hh:mm:ss format, or default to the time stored in the host computer.

The Inside IP address: prompt appears.

Step 9   Enter the network interface IP address of the PIX Firewall.

The Inside network mask: prompt appears.

Step 10   Enter the network mask that applies to the inside IP address.

Use 0.0.0.0 to specify a default route. The 0.0.0.0 network mask can be abbreviated as 0.

The Host name: prompt appears.

Step 11   Enter the hostname to display in the PIX Firewall command line prompt.

---

Note    The hostname for each device must be unique. Firewall MC cannot manage multiple devices with the same hostname.

---

The Domain name: prompt appears.

Step 12   Enter the DNS domain name of the network on which the PIX Firewall runs, for example, "example.com," then press Enter.

---

Note    The hostname and domain name are used to generate the default certificate for the SSL connection. The interface type is determined by the hardware.

---

The IP address of host running PIX Device Manager: prompt appears.

Step 13   Enter the IP address of the CiscoWorks Server that will manage this PIX Firewall.

The Use this configuration and write to flash? prompt appears.

Step 14   Enter yes.

If you answer yes, the inside interface is enabled and the requested configuration is written to Flash memory. If you answer anything else, the setup dialog repeats using the values already entered as the defaults for the questions.

Step 15   Enter exit.

The command line interface exits configuration mode.

Bootstrapping PIX Firewall to Use Auto Update Server

You can specify that you want your firewall to poll an AutoUpdate Server (AUS) and retrieve any configuration changes from that AUS server. You can specify this option before or after you begin to manage the firewall with Firewall MC. This procedure describes how to prepare the firewall before you begin managing it with Firewall MC.

Caution   If you are managing firewalls that are configured for failover (serial or LAN), you cannot use the AutoUpdate server. You must deploy directly to the firewalls from Firewall MC.

If you are already managing the firewall, do not bootstrap the device manually. Instead, select Configuration > Settings > Auto Update Server to specify settings for the AutoUpdate Server at either the group level or device level for this PIX Firewall. For more information on these settings, see "Representing Auto Update Servers" section. For more information about AutoUpdate Server, see Using the AutoUpdate Server 1.1.

To bootstrap a PIX Firewall to poll an AUS server for configuration file updates, follow these steps from the console terminal connected to the PIX Firewall console port:

Step 2   Enter enable.

Step 3   Enter password at the command prompt.

The password identifies the enable password used to administer this PIX Firewall.

The PIX Firewall enters privileged mode.

Step 4   Enter config terminal.

The PIX Firewall enters configuration mode.

Step 5   Enter route if_name ip_address netmask gateway_ip [metric].

Specifies a static (default) route for the specified interface.

---

Note    You must configure a route only if the AUS server is on a different network than either the Firewall MC server or the PIX Firewall. In this case, configure the route to the network on which the AUS server resides.

---

Step 6   Enter auto-update server https://username: password@AUSserver_IP_address:port/ autoupdate/AutoUpdateServlet.

Connects the device to AUS.

Step 7   Enter auto-update poll-period poll_period [retry_count] [retry_period]

Changes the polling period for AUS.

Step 8   auto-update device-id hardware-serial_ip | hostname | ip_address [if_name | mac-address  [if_name] | string text].

Configures the device to use the specified device ID to identify itself.

Because a PIX Firewall might have more than one interface, the assigned device ID could be the IP address or MAC address of one of the interfaces.

In the following example, outside is the name of the outside interface and the device ID is the IP address of that outside interface.

auto-update device-id ipaddress outside

Alternatively, we can use the hostname as the device ID, which is resolved to an address via DNS:

auto-update device-id hostname

Step 9   Enter write memory.

Stores the current configuration in Flash memory.

Step 10   Enter exit.

Exits configuration mode.

Verifying PIX Firewall Configuration

You can verify that the PIX Firewall is configured properly by using an HTTPS connection to connect to the PIX Firewall and view the configuration file.

Step 2   Enter https://ip_address/exec/show%20config, where ip_address is the IP address of the PIX Firewall.

The PIX Firewall prompts for credentials, which verifies that the HTTP server is enabled on this PIX Firewall. If you are not prompted for credentials, see Bootstrapping an Existing PIX Firewall, or Bootstrapping a New PIX Firewall.

Step 3   At the username prompt, press Tab.

Step 4   At the password prompt, enter the enable password for the PIX Firewall.

The configuration running on this PIX Firewall appears (equivalent to the show config command). Your ability to view the configuration verifies that the CiscoWorks Server can administer this PIX Firewall. If you cannot authenticate, see Bootstrapping an Existing PIX Firewall, or Bootstrapping a New PIX Firewall.

Step 5   Close the browser.

Bootstrapping Firewall Services Modules

Before you can use Firewall MC to manage a FWSM, you must configure the firewall so that Firewall MC can contact and administer it. If the firewall is already configured, you should verify that its configuration is correct for Firewall MC. The procedures in this section take you through using the command line to verify the configuration.

Determining When to Bootstrap FWSM

The following two scenarios require that you bootstrap a FWSM before managing it with Firewall MC:

Verify that an existing FWSM can be administered by the CiscoWorks Server.

Step 2   To determine the module number of the FWSM, enter show module all at command prompt.

A list of the install modules appears, showing the Mod, Slot, Ports, Module-Type, Model, Sub, and Status fields.

Step 3   Enter session slot slot-number processor 1, where slot-number is the slot in which the FWSM module resides.

Step 4   Enter the Telnet password used to access this module.

Step 5   Enter enable.

Step 6   Enter password at the command prompt.

The password identifies the enable password used to administer this FWSM.

The FWSM enters privileged mode.

Step 7   Enter config terminal.

The FWSM enters configuration mode.

Step 8   Enter show http.

Verify that the IP address of the CiscoWorks Server appears in the list and that the HTTP server is enabled. If these two settings exist, you do not need to bootstrap the device. Otherwise, see Bootstrapping an Existing FWSM.

The FWSM lists the allowed hosts and the enable state of the HTTP server.

Step 9   Enter exit.

The command line interface exits FWSM configuration mode.

Step 10   Enter logout

You log out of the FWSM and return to the Catalyst switch prompt.

Step 11   Enter exit to log out of the Catalyst switch.

FWSM Configuration Worksheet

Before you bootstrap a FWSM, you must collect the information that describes the placement of that FWSM on your network.Complete the following worksheet to identify the information used when you bootstrap a FWSM.

Bootstrapping an Existing FWSM

Before You Begin

This procedure assumes the interfaces, IP addresses, and routes are defined for this FWSM. To bootstrap a new FWSM, see Bootstrapping a New FWSM.

Step 2   To determine the module number for the Firewall Services Module, enter show module all at command prompt.

A list of the install modules appears, showing the Mod, Slot, Ports, Module-Type, Model, Sub, and Status fields.

Step 3   Enter session slot  slot-number processor 1, where slot-number is the slot that the Firewall Services Module module resides in.

Step 4   Enter the Telnet password used to access this module.

Step 5   Enter enable.

Step 6   Enter password at the command prompt.

The password identifies the enable password used to administer this FWSM.

The FWSM enters privileged mode.

Step 7   Enter config terminal.

The FWSM enters configuration mode.

Step 8   If you have never used Cisco PIX Device Manager (PDM) to manage this FWSM, follow Step 9 through Step 17. If you are already using PDM to manage this FWSM, skip to Step 18.

If you configured this FWSM to work with PDM, you could be using an interface other than inside for management. Step 18 allows you to specify an additional administrative host, the CiscoWorks Server, on the appropriate interface. Step 12 assumes the inside interface is used to manage this FWSM.

Step 9   Enter setup.

---

Note    The setup command enables the FWSM HTTP server, allows you to specify the IP address of the CiscoWorks Server that will manage the FWSM, and populates those settings required to generate the default certificate used by SSL-based connections to the HTTP server. The setup command adds to any existing list of hosts allowed to manage the device; it does not replace existing settings.

---

Step 10   Enter y at the Pre-configure FWSM Firewall now through interactive prompts [yes]? prompt.

The Enable password [<use current password>]: prompt appears.

Step 11   Enter the current enable password for this FWSM.

The Inside IP address: prompt appears.

Step 12   Verify the network interface IP address of the FWSM is correct, then press Enter.

The Inside network mask: prompt appears.

Step 13   Verify the network mask that applies to inside IP address, then press Enter.

Use 0.0.0.0 to specify a default route. The 0.0.0.0 network mask can be abbreviated as 0.

The Host name: prompt appears.

Step 14   Verify the hostname to display in the FWSM command line prompt, then press Enter.

---

Note    The hostname for each device must be unique. FWSM cannot manage multiple devices with the same host name.

---

The Domain name: prompt appears.

Step 15   Verify the DNS domain name of the network on which the FWSM runs, for example, example.com, then press Enter.

---

Note    The hostname and domain name are used to generate the default certificate for the SSL connection. The interface type is determined by the hardware.

---

The IP address of host running PIX Device Manager: prompt appears.

Step 16   Enter the IP address of the CiscoWorks Server that will manage this FWSM.

The Use this configuration and write to flash? prompt appears.

Step 17   Enter yes.

---

Note    We assume that you also want to manage or monitor the FWSM with PDM; therefore, Step 18 explains how to enable an additional administrative host for this use. For security reasons, you should limit the number of administrative hosts to the minimum number required by your organization.

---

If you answer yes, the inside interface is enabled and the requested configuration is written to Flash memory. If you answer anything other than yes, the setup prompts repeat using the values already entered as the defaults for the questions.

If you do not require additional administrative hosts to have access to this firewall, you have performed the necessary configuration, skip to Step 20. Otherwise, follow Step 18.

Step 18   Enter http ip_address [netmask] [if_name] to specify that the CiscoWorks Server can connect to and configure the FWSM using HTTP.

---

Note    Access from any host is allowed if 0.0.0.0 0.0.0.0 (or 0 0) is specified for ip_address and netmask. However, we do not recommend this nonrestrictive configuration.

---

Step 19   Enter write memory.

The FWSM stores the current configuration in Flash memory.

Step 20   Enter exit.

The command line interface exits FWSM configuration mode.

Step 21   Enter logout

You log out of the FWSM and return to the Catalyst switch prompt.

Step 22   Enter exit to log out of the Catalyst switch.

Bootstrapping a New FWSM

To bootstrap a new FWSM, you configure only the information required for the Firewall MC to connect to the inside interface of that FWSM. Also, you must configure a default VLAN group for the module before the module is recognized by the switch. After you bootstrap the FWSM, you can connect to it and use Firewall MC to define the remaining configuration information, such as the remaining interfaces, VLANs, and routes.

Before You Begin

This procedure makes the following assumptions:

To bootstrap a new FWSM in a switch attached on your network, follow these steps:

Step 2   To determine the module number of the Firewall Services Module, enter show module all at command prompt.

A list of the install modules appears, showing the Mod, Slot, Ports, Module-Type, Model, Sub, and Status fields.

Step 3   Enter EXEC mode, then enter configure terminal to enter configuration mode.

Step 4   To create a VLAN, enter vlan vlan_number for each VLAN number that you want to define for the VLAN range that you plan to assign to the FWSM.

Step 5   To define a controlled VLAN (SVI) on the MSFC (route processor), enter interface vlan vlan_number

Note   You must configure a controlled VLAN (SVI) on the MSFC or you will be unable to configure VLANs on the module. You must also define the same VLAN on the FWSM. It is the common VLAN that the two modules must share.

Step 6   To assign an IP address to the VLAN interface, enter the following commands:

config t

interface vlan vlan_number

ip address ip_address net_mask

no shut

Step 7   To exit the VLAN mode and return to configuration mode, enter exit.

Next, you must bind the VLANs that were previously defined in Step 4 and Step 5 to be protected by the FWSM.

Step 8   To create a firewall group of controlled VLANs, enter firewall vlan-group firewall_group vlan_range.

Step 9   To attach the VLAN and firewall group to the slot where the FWSM module is located, enter firewall module module_number vlan-group firewall_group.

Step 10   To update the VLAN database and return to privileged EXEC mode, enter end.

Step 11   Enter session slot  slot-number processor 1, where slot-number is the slot that the Firewall Services Module module resides in.

Step 12   Enter the Telnet password used to access this module.

Since this FWSM is new, the default telnet password is cisco.

Step 13   Enter enable.

Step 14   Enter password at the command prompt.

The password identifies the enable password used to administer this FWSM.

The FWSM enters privileged mode.

Step 15   Enter config terminal.

The FWSM enters configuration mode.

Step 16   Enter nameif vlan_number inside 100 to associate the interface with a VLAN, where vlan_number is one of VLANs that you defined within the range of the firewall group VLAN defined in Step 8.

This command names the interface as inside, assigns it the security level of 100 with the interface, and associates it with a VLAN.

Step 17   Enter setup.

---

Note    The setup command enables the FWSM HTTP server, allows you to specify the IP address of the CiscoWorks Server that will manage the FWSM, and populates those settings required to generate the default certificate used by SSL-based connections to the HTTP server. The setup command adds to any existing list of hosts allowed to manage the device; it does not replace existing settings.

---

Step 18   Enter y at the Pre-configure FWSM Firewall now through interactive prompts [yes]? prompt.

The Enable password [<use current password>]: prompt appears.

Step 19   Enter the current enable password for this FWSM.

The Inside IP address: prompt appears.

Step 20   Enter the network interface IP address of the FWSM.

Step 21   The Inside network mask: prompt appears.

Step 22   Enter the network mask that applies to inside IP address.

Use 0.0.0.0 to specify a default route. The 0.0.0.0 network mask can be abbreviated as 0.

The Host name: prompt appears.

Step 23   Enter the hostname to display in the FWSM command line prompt.

Firewall MC does not support dashes or underscores (- _) in the hostname.

---

Note    The hostname for each device must be unique. Firewall MC cannot manage multiple devices with the same hostname.

---

The Domain name: prompt appears.

Step 24   Enter the DNS domain name of the network on which the FWSM runs, for example, "example.com," then press Enter

---

Note    The hostname and domain name are used to generate the default certificate for the SSL connection. The interface type is determined by the hardware.

---

The IP address of host running PIX Device Manager: prompt appears.

Step 25   Enter the IP address of the CiscoWorks Server that will manage this FWSM.

The Use this configuration and write to flash? prompt appears.

Step 26   Enter yes.

If you answer yes, the inside interface is enabled and the requested configuration is written to Flash memory. If you answer anything else, the setup dialog repeats using the values already entered as the defaults for the questions.

Step 27   Enter exit.

The command line interface exits FWSM configuration mode.

Step 28   Enter logout.

You log out of the FWSM and return to the Catalyst switch prompt.

Step 29   Enter exit to log out of the Catalyst switch.

Verifying an FWSM Configuration

You can verify that the FWSM is configured properly by using an HTTPS connection to connect to the FWSM and view the configuration file.

Step 2   Enter https://ip_address/exec/show%20config, where ip_address is the IP address of the FWSM.

The FWSM prompts for credentials, which verifies that the HTTP server is enabled on this FWSM. If you are not prompted for credentials, see Bootstrapping an Existing FWSM, or Bootstrapping a New FWSM.

Step 3   At the username prompt, press Tab.

Step 4   At the password prompt, enter the enable password for the FWSM.

The current configuration running on this FWSM appears (equivalent to the show config command). Your ability to view the configuration verifies that the CiscoWorks Server can administer this FWSM. If you cannot authenticate, see Bootstrapping an Existing FWSM, or Bootstrapping a New FWSM.

Step 5   Close the browser.