Installing a PIX Firewall

Table Of Contents

Installing a PIX Firewall

Installation Overview

Before You Begin the Installation

Installing a PIX 515

What to Do Next

Downloading a PIX 515 Image over TFTP

TFTP Overview

Downloading an Image

Upgrading the PIX 515 Activation Key

Installing a PIX 520 or Earlier Model

PIX Firewall with a Four-Port Interface Card

Startup Messages

When a Diskette is Inserted

Installing for the First Time or Installing an Activation Key

After the Prompts


Installing a PIX Firewall


This chapter includes the following sections, which describe how to install a PIX 515, PIX 520, and earlier models:

Installation Overview

Before You Begin the Installation

Installing a PIX 515

Installing a PIX 520 or Earlier Model

Startup Messages

Installation Overview

Follow these steps to install a PIX Firewall.


Note   If you plan to install a PIX Firewall failover configuration, perform the steps that follow only on the Primary (Active) unit. Refer to "" for information about installing the Standby unit.



Step 1 Review the safety precautions outlined in the Regulatory Compliance and Safety Information for the PIX Firewall for your respective software version listed in the section, "Related Documentation" in "About This Manual."

Step 2 Completely read the release notes for your respective software version listed in the section, "Related Documentation" in "About This Manual."

Step 3 Unpack the PIX Firewall. The PIX Firewall consists of two main components, the firewall unit and a separate accessory kit. The accessory kit contains documentation, power cord, rack mounting hardware, and additional software you can use with your firewall.

Step 4 Place the PIX Firewall on a stable work surface.

If you are installing a PIX 520 or upgrading an earlier model, refer to "Installing a PIX 520 or Earlier Model"; otherwise, for the PIX 515, continue "Installing a PIX 515."

Before You Begin the Installation


Note   The information you gather here is required during configuration; this section is a reminder to collect it while you are installing the firewall, before you begin the configuration. None of the information is required for the procedures in this guide.


Before you begin the installation, gather the following information about each network interface that will be connected to the PIX Firewall:

                         Outside    Inside     Perimeter  Perimeter  Perimeter  Perimeter
                         Network    Network    1          2          3          4
Interface Speed          ________   ________   ________   ________   ________   ________
IP Address and Netmask   ________   ________   ________   ________   ________   ________
Interface Name—HW        ________   ________   ________   ________   ________   ________
Interface Name—SW        outside    inside     ________   ________   ________   ________
Security Level           0          100        ________   ________   ________   ________
MTU Size                 ________   ________   ________   ________   ________   ________

To prepare to configure the PIX Firewall, locate the following information:

Interface speed—The speed of each network interface. You only need to specify a value for Ethernet interface boards that do not autosense the interface's speed, connection type, and full/half duplex support; or for Token Ring interface boards. All PIX Firewall units purchased after November 1996 with Ethernet interfaces have the autosense feature. Use the interface command to enter the speed for each interface in the configuration.

IP address and netmask—The IP address and network mask for each network interface. The IP address for each interface must be different from any others you use in your network. Use the ip address command to enter the IP address and network mask for each interface in the configuration.

Interface name—HW—The hardware name for the interface, such as ethernet0, ethernet1, token0, token1, fddi0, fddi1, and so on. Use the nameif command to enter the hardware name for the interface in the configuration.

Interface name—SW—The software name for the interface, such as inside or outside. The inside interface must be named "inside." All other interfaces can have any name. Note that you will need to enter this name frequently in the configuration. Use the nameif command to associate the hardware and software names in the configuration.

Security level—Used to determine the level of trust for each interface. The outside interface must have a security level of 0 and the inside interface must be 100. The perimeter interfaces can be any value from 1 to 99. Use the nameif command to enter the security level in the configuration.

MTU size—The maximum transmission unit (MTU) size for each network interface. You only need to specify a value if you want to set an MTU size that differs from the default (1,500 bytes/block for Ethernet; 8,192 bytes/block for Token Ring and FDDI).

In addition, you should determine the following:

1 The IP address of the outside default router.

2 Your network topology and security policy. We recommend that you take a few minutes to draw a diagram of your network with IP addresses, indicating which computers you are protecting, and which switches, routers, and hosts are on each network.
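The following script is an added example, not part of the Cisco manual: it checks a filled-in worksheet against the rules this section states (inside must be named "inside" and be level 100, outside must be level 0, perimeters 1 to 99, every IP address unique, MTU only when it differs from the 1,500/8,192 default) and renders the matching commands. The nameif / ip address / interface / mtu command syntax is the PIX 4.x form assumed here, and the sample addresses are constructed.

```python
"""Check a PIX pre-installation worksheet against the rules the guide
states and emit the matching configuration commands.

Added example; not part of the Cisco manual. The nameif / ip address /
interface / mtu command syntax is the PIX 4.x form assumed here.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Default MTU per hardware type, as stated in the guide.
DEFAULT_MTU = {"ethernet": 1500, "token": 8192, "fddi": 8192}


@dataclass
class Interface:
    hw_name: str                  # hardware name, e.g. "ethernet0", "token0"
    sw_name: str                  # software name, e.g. "outside", "inside", "dmz"
    security: int                 # 0 (outside) .. 100 (inside)
    ip: str
    netmask: str
    speed: Optional[str] = None   # only for boards that do not autosense
    mtu: Optional[int] = None     # only if different from the default


def hw_type(hw_name: str) -> str:
    """'ethernet2' -> 'ethernet', 'token0' -> 'token'."""
    return hw_name.rstrip("0123456789")


def validate(ifaces: list) -> list:
    """Return a list of worksheet problems (an empty list means OK)."""
    errors = []
    if not any(i.sw_name == "inside" for i in ifaces):
        errors.append('no interface is named "inside"')
    seen_ip = {}
    for i in ifaces:
        if hw_type(i.hw_name) not in DEFAULT_MTU:
            errors.append(f"{i.hw_name}: unknown hardware type")
        if i.sw_name == "inside" and i.security != 100:
            errors.append(f"{i.sw_name}: inside must be security level 100")
        elif i.sw_name == "outside" and i.security != 0:
            errors.append(f"{i.sw_name}: outside must be security level 0")
        elif i.sw_name not in ("inside", "outside") and not 1 <= i.security <= 99:
            errors.append(f"{i.sw_name}: perimeter security level must be 1-99")
        try:
            ipaddress.IPv4Interface(f"{i.ip}/{i.netmask}")
        except ValueError:
            errors.append(f"{i.sw_name}: bad IP address or netmask")
        if i.ip in seen_ip:
            errors.append(f"{i.sw_name}: IP {i.ip} already used by {seen_ip[i.ip]}")
        seen_ip.setdefault(i.ip, i.sw_name)
    return errors


def to_commands(ifaces: list) -> list:
    """Render the worksheet as PIX commands; raises if validation fails."""
    problems = validate(ifaces)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = []
    for i in ifaces:
        if i.speed:   # autosensing boards need no interface command
            cmds.append(f"interface {i.hw_name} {i.speed}")
        cmds.append(f"nameif {i.hw_name} {i.sw_name} security{i.security}")
        cmds.append(f"ip address {i.sw_name} {i.ip} {i.netmask}")
        if i.mtu and i.mtu != DEFAULT_MTU[hw_type(i.hw_name)]:
            cmds.append(f"mtu {i.sw_name} {i.mtu}")
    return cmds


# Constructed sample worksheet (addresses are illustrative only).
WORKSHEET = [
    Interface("ethernet0", "outside", 0, "192.0.2.1", "255.255.255.0", speed="100full"),
    Interface("ethernet1", "inside", 100, "10.0.0.1", "255.255.255.0"),
    Interface("ethernet2", "dmz", 50, "172.16.0.1", "255.255.255.0", mtu=1400),
]

if __name__ == "__main__":
    for line in to_commands(WORKSHEET):
        print(line)
```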

Installing a PIX 515

This section describes how to install a PIX 515 and also the following topics:

Downloading a PIX 515 Image over TFTP

Upgrading the PIX 515 Activation Key

To install a PIX 515:


Step 1 Refer to for information on the PIX 515 controls and connectors.

Figure 2-1 PIX 515 Features

This graphic shows the Ethernet connectors where you connect your inside and outside network cables, the Console port used to connect a computer to the PIX 515, the optional failover connector (requires a PIX-515-UR license to use), and LEDs for the various transmission states:

100 Mbps—100 megabit per second 100BaseTX communication for the respective connector. If the light is off, the PIX 515 uses 10 megabits per second data exchange.

LINK—shows that data is passing on the network to which the connector is attached.

FDX—shows that the connection uses full-duplex data exchange where data can be transmitted and received simultaneously. If this light is off, half-duplex is in effect.

The USB port to the left of the Console port is not used. The detachable plate above the ETHERNET 1 connector is also not used.

lists the PIX 515 front panel's LEDs.

Figure 2-2 PIX 515 Front Panel LEDs

The LEDs are:

POWER—on when the unit has power.

ACT—on when the unit is the Active failover unit. If failover is not enabled, this light is on. If failover is present, the light is on when the unit is the Active unit and off when the unit is in Standby mode.

NETWORK—on when at least one network interface is passing traffic.

Step 2 Connect the inside network cable to the interface connector marked ETHERNET 1.

Step 3 Connect the outside network cable to the interface connector marked ETHERNET 0.

Step 4 If your unit has a four-port Ethernet card already installed, refer to . If it has one or two single-port cards, refer to .

Figure 2-3 Four-Port Ethernet Connectors in a PIX 515

Connect the perimeter network cables to the card starting with the left connector and moving to the right. (The four-port interface card requires the PIX-515-UR license to be accessed.) Starting from the left the connectors are Ethernet 2, Ethernet 3, Ethernet 4, and Ethernet 5. The maximum number of allowed interfaces is 6; do not add a single-port card in the extra slot below the four-port card.

Figure 2-4 Two Single-Port Ethernet Connectors in a PIX 515

As shown in , if your unit has one or two single-port Ethernet cards installed in the auxiliary assembly on the left of the unit at the rear, the cards are numbered top to bottom so that the top card is Ethernet 2 and the bottom card is Ethernet 3. (Additional interface cards require the PIX-515-UR license to be accessed.)

Step 5 Locate the serial cable from the accessory kit. The serial cable assembly consists of a null modem cable with RJ-45 connectors, and one DB-9 connector and a DB-25 connector.

Step 6 Connect one of the RJ-45 connectors to the Console port as shown in .

Step 7 Connect the other RJ-45 connector and either a DB-9 or DB-25 connector to the appropriate connector on your console computer.

Step 8 If you do not wish to rack mount the unit, attach the rubber feet to the bottom of the unit as shown in .

Figure 2-5 Attaching the Rubber Feet to the PIX 515

If you want to install the PIX 515 in an equipment rack, two sets of brackets are provided in your accessory kit:

Long brackets for installing the unit horizontally in a 24-inch wide rack, or vertically

Shorter brackets for installing the unit horizontally in a 16-inch wide rack


Note   If you have a PIX-515-UR license and wish to install optional circuit boards, you can install the brackets on the unit for rack mounting, but do not put the PIX 515 in the equipment rack until you have installed the new boards. The top cover of the PIX 515 must be removed to properly attach or remove a circuit board. Refer to "" for more information on installing circuit boards in your PIX 515.


To install the unit horizontally in an equipment rack:

(a) Choose the correct bracket to install the PIX 515 in either a 16-inch or 24-inch wide rack.

(b) Attach the bracket to the unit using the supplied screws. You can attach the brackets to the holes near the front of the unit.

(c) Attach the unit to the equipment rack.

To install the unit vertically in an equipment rack:

(a) Attach the brackets to the unit as shown in .

Figure 2-6 Attaching a Bracket for Vertical Mounting

(b) Mount the unit vertically as shown in .

Figure 2-7 Installing the PIX 515 Vertically

Step 9 If your site downloads configuration images from a TFTP server, read "Downloading a PIX 515 Image over TFTP" for how you can access boot mode while the PIX 515 is starting up. The PIX 515 pauses for 10 seconds for you to press the Escape key or send a BREAK character.

Step 10 When you are ready to start the PIX 515, power on the unit with the power switch shown as the rightmost switch in .

What to Do Next

If you are installing a PIX 515 with the PIX-515-R restricted feature license, you can optionally install the PIX Firewall Syslog Server as described in "." All other chapters in this guide do not apply to the PIX 515 with a restricted license.

If you have a PIX-515-UR unrestricted feature license, the following options are available:

If you have a second PIX 515 to use as a failover unit, install the failover feature and cable as described in "."

If needed, install the PIX Firewall Syslog Server as described in "."

If you need to install additional memory, refer to "."

If you need to install an optional circuit board such as the Private Link VPN board, single-port Ethernet board, or the four-port Ethernet board, refer to "" for information about how to open the top cover of the chassis to install circuit boards.


Note   It is very important to open the top cover before installing circuit boards in the PIX 515. Even though it may appear possible to add or remove cards from the back panel, removing the top cover greatly simplifies the process.


When you are done, refer to the configuration guide for your respective software version listed in the section, "Related Documentation" in "About This Manual."

Downloading a PIX 515 Image over TFTP

The PIX 515 receives its boot image from either Flash memory or by downloading the image from a TFTP server. (You can obtain a TFTP server as an option from Cisco, you can use the TFTP server provided with UNIX, or you can use a TFTP server available for your computer.)

Because the PIX 515 does not have a diskette drive, you need to send a binary image to the PIX 515 using Trivial File Transfer Protocol (TFTP). The PIX 515 has a special mode called ROM monitor mode that lets you retrieve the binary image over the network.


Note   The PIX 515 is not shipped with an image on diskette. The initial image is stored in Flash memory. You can obtain the latest binary image from Cisco Connection Online (CCO) using a web browser or via FTP, storing the image on a TFTP server, and then downloading it to the PIX 515 with TFTP.



Note   Do not attempt to use a PIX Firewall diskette from a PIX 520 or earlier model to transfer the image to the TFTP server. This image will not install correctly. While the ROM monitor is protected from this boot method, the PIX 515 will not boot from the diskette image.



Note   Entering a new activation key or recovering a password requires that you access the ROM monitor, download an image, and then proceed on to the prompts that follow this activity. (For password recovery, contact Cisco's Customer Support organization as described in the section, "Cisco Connection Online" in "About This Manual.")



Note   When you enter the ROM monitor, PIX 515 applications will not be running; therefore, no traffic will pass in or out of your network while this operation is being performed.


TFTP Overview

After the PIX 515 restarts, it pauses 10 seconds. To start the ROM monitor, press the Escape key or send a BREAK character. If you are using Windows HyperTerminal, you can press the Esc (Escape) key or send a BREAK character by pressing the ctrl and break keys. From a Telnet session to a terminal server that has serial access to the PIX 515, use ctrl ] to get the Telnet command prompt, and then enter the send break command. If you do not want to enter boot mode when the PIX 515 restarts, press the space bar to start the normal boot immediately, or wait until the 10 seconds passes and the PIX 515 will boot normally from Flash memory.

From ROM monitor, you can enter a number of commands that let you specify the file and location of the configuration image, and then download it to the PIX 515. The ROM monitor also lets you ping the TFTP server to see if it is online and to specify the IP address of the nearest router if the image is not on a subnet shared with a PIX 515 interface.


Note   TFTP does not perform authentication when transferring files, so a username and password on the TFTP server are not required.


The TFTP server should be installed on the most secure part of the network, preferably behind the inside interface, although this is not required.

After you download an image, use the write memory command to store the image in Flash memory.

The monitor feature only works on the PIX 515 and not with earlier models of the PIX Firewall.

The maximum length of a filename is 122 characters.

If the TFTP service stops receiving data requests during a file transfer, it waits four seconds and then closes the connection.

Downloading an Image

To download an image over TFTP:


Step 1 Immediately after you power on the PIX Firewall and the startup messages appear, send a BREAK character or press the Esc (Escape) key.


Note   If you are using HyperTerminal with Windows 95, you can press the ctrl and break keys simultaneously to activate a BREAK. Depending on which service pack is installed, Windows NT HyperTerminal may not be able to send a BREAK character. Refer to the Windows NT documentation for more information.


The monitor> prompt appears.

Step 2 If desired, enter a question mark (?) to list the available commands.

Step 3 Use the interface command to specify which interface the ping traffic should use. If the PIX 515 has only two interfaces, the monitor command defaults to the inside interface.

Step 4 Use the address command to specify the IP address of the PIX Firewall unit's interface.

Step 5 Use the server command to specify the IP address of the remote server.

Step 6 Use the file command to specify the filename of the PIX Firewall image.

Step 7 If needed, enter the gateway command to specify the IP address of a router gateway through which the server is accessible.

Step 8 If needed, use the ping command to verify accessibility. If this command fails, fix access to the server before continuing.

Step 9 Use the tftp command to start the download.

An example follows:

Rebooting....
PIX BIOS (4.0) #47: Sat May 8 10:09:47 PDT 1999
Platform PIX-520
Flash=AT29C040A @ 0x300

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:13 irq:11)
1: i8255X @ PCI(bus:0 dev:14 irq:10)
Using 1: i82558 @ PCI(bus:0 dev:14 irq:10), MAC: 0090.2722.f0b1
Use ? for help.

The example continues:

monitor> ?
?                 this help message
address   [addr]  set IP address
file      [name]  set boot file name
gateway   [addr]  set IP gateway
help              this help message
interface [num]   select TFTP interface
ping      <addr>  send ICMP echo
reload            halt and reload system
server    [addr]  set server IP address
tftp              TFTP download
timeout           TFTP timeout
trace             toggle packet tracing
monitor> addr 192.168.1.1
address 192.168.1.1
monitor> serv 192.168.1.2
server 192.168.1.2
monitor> file cdisk
file cdisk
monitor> ping 192.168.1.2
Sending 5, 100-byte 0x5b8d ICMP Echoes to 192.168.1.2, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp cdisk@192.168.1.2................................
Received 626688 bytes

PIX admin loader (3.0) #0: Tue May 11 10:43:02 PDT 1999
Flash=AT29C040A @ 0x300
Flash version 4.9.9.1, Install version 4.4.1

Installing to flash
...

Upgrading the PIX 515 Activation Key


Note   The activation key can only be entered after downloading a new image—not from the command line or without first rebooting.


To upgrade an activation key on the PIX 515:


Step 1 Acquire a PIX 4.4(n) image from Cisco Connection Online (CCO).

Step 2 Set up a TFTP server and transfer the image to the proper directory.

Step 3 Reboot the PIX 515.

Step 4 Press Escape or send the BREAK character to enter the boot ROM monitor.

Step 5 Download a TFTP image as described in the previous section, "Downloading a PIX 515 Image over TFTP."

Step 6 When prompted to "install new image" enter y.

Step 7 When prompted to "enter new key" enter y.

Step 8 Enter the four-part activation key. If the key is correct, the system will boot and run correctly.

When done, refer to "After the Prompts" for additional prompts information that displays when a PIX Firewall starts up.

Installing a PIX 520 or Earlier Model

To install a PIX 520 or earlier model:


Step 1 Refer to for information on the features of the PIX 520 unit.

Figure 2-8 PIX 520 Front, Rear, and Side Panels.

lists the controls on earlier PIX Firewall models.

Figure 2-9 Earlier PIX Firewall Access

Step 2 Connect network cables to each of the PIX Firewall's network interfaces. On the PIX 520, connect the cables at the front of the unit; on earlier models, connect the cables at the rear.

If you are not installing a four-port Ethernet card, which is supported only with version 4.4(1) and later, add the cables as shown in . The outside interface card must be in slot 0 (zero), which is the leftmost slot in the unit. The inside interface card can be in slot 1 or you can skip a slot. The PIX Firewall assumes that the next card it finds will be the inside interface even if an empty slot is left between the outside and inside interfaces.

Figure 2-10 Up to Four Single-Port Interfaces in a PIX Firewall

PIX Firewall version 2 supports two interfaces, version 3 supports three interfaces, versions 4.0 and 4.1 support three interfaces, version 4.2 supports four interfaces, version 4.3 supports four interfaces, and version 4.4 supports six interfaces.

PIX Firewall with a Four-Port Interface Card

As of PIX Firewall version 4.4(1) and later, you can install one optional four-port Ethernet interface card in the PIX 520 and earlier hardware models.


Note   Use of the four-port card changes the position of the outside and inside interfaces depending on the slot in which the card is installed. Four-port Ethernet card connectors are numbered from the top connector down sequentially.


The Cisco four-port Ethernet interface card provides four 10/100 Ethernet connections and has autosense capability. Connectors on the four-port card are numbered top to bottom sequentially; however, the actual device number depends on the slot in which the four-port card is installed. shows how the top connector is numbered.

Table 2-1 Numbering Devices with a Four-Port Connector

Slot 0 Contains   Slot 1 Contains   Slot 2 Contains                         Four-Port Top Connector is:
4-Port            Any               Any                                     ethernet0
Ethernet          4-Port            Any                                     ethernet1
Ethernet          Ethernet          4-Port (required location on PIX 515)   ethernet2
Token Ring        4-Port            Any                                     ethernet0
Token Ring        Token Ring        4-Port                                  ethernet0
Token Ring        Ethernet          4-Port                                  ethernet1
Ethernet          Token Ring        4-Port                                  ethernet1

With the four-port card, having a card in slot 3 makes the number of interfaces greater than six; while the card in slot 3 cannot be accessed, its presence does not cause problems with the PIX Firewall.

shows the location of the interfaces if you install a four-port card in slot 0.

Figure 2-11 Four-Port Ethernet Interface Installed in Slot 0

From this figure you can see that because the four-port card is numbered from the top down, the outside interface, which must be the first interface, is associated with the topmost connector.

shows how the slots are numbered if a single-port interface card is inserted in slot 0.

Figure 2-12 Four-Port Ethernet Interface Installed in Slot 1

shows how the slots are numbered if single-port interface cards are installed in slot 0 and in slot 1.

Figure 2-13 Four-Port Ethernet Interface Installed in Slot 2
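As an added example (not code from the Cisco manual), the function below encodes the device-numbering rules this section describes: Ethernet and Token Ring devices are numbered separately in slot order, a four-port card takes four consecutive Ethernet numbers starting with its top connector, empty slots are skipped, the first device is the outside interface and the next the inside, and any interface past the sixth is present but not accessible. It reproduces every row of Table 2-1; treating FDDI cards with the same per-type numbering is an assumption.

```python
"""Work out PIX hardware interface names from slot contents.

Added example, not from the Cisco manual. Slot contents are given as
'ethernet', '4-port', 'token', 'fddi' or None (empty slot), indexed by
slot number. FDDI is assumed to number like the other card types.
"""
MAX_INTERFACES = 6
PREFIX = {"ethernet": "ethernet", "4-port": "ethernet",
          "token": "token", "fddi": "fddi"}


def number_slots(slots):
    """Return (slot, connector, hw_name, accessible) tuples in device order."""
    counters = {"ethernet": 0, "token": 0, "fddi": 0}
    devices = []
    for slot, card in enumerate(slots):
        if card is None:            # empty slot: skipped, numbering continues
            continue
        if card not in PREFIX:
            raise ValueError(f"slot {slot}: unknown card type {card!r}")
        prefix = PREFIX[card]
        ports = 4 if card == "4-port" else 1
        for connector in range(ports):     # four-port: top connector first
            name = f"{prefix}{counters[prefix]}"
            counters[prefix] += 1
            # More than six interfaces: the extra ones cannot be accessed
            accessible = len(devices) < MAX_INTERFACES
            devices.append((slot, connector, name, accessible))
    return devices


def four_port_top_connector(slots):
    """Hardware name of the four-port card's top connector (Table 2-1)."""
    for slot, connector, name, _ in number_slots(slots):
        if slots[slot] == "4-port" and connector == 0:
            return name
    return None


def roles(slots):
    """The PIX Firewall treats the first device found as the outside
    interface and the next one as inside, even across an empty slot."""
    devs = number_slots(slots)
    if len(devs) < 2:
        raise ValueError("at least two interfaces are required")
    return {"outside": devs[0][2], "inside": devs[1][2]}


if __name__ == "__main__":
    # Constructed layout: single-port cards in slots 0 and 1, 4-port in slot 2
    for dev in number_slots(["ethernet", "ethernet", "4-port"]):
        print(dev)
    print(roles(["ethernet", None, "ethernet"]))
```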

Step 3 Install the serial cable between the PIX Firewall and your console computer. Locate the serial cable. The serial cable assembly consists of a null modem cable with RJ-45 connectors, two separate DB-9 connectors, and a separate DB-25 connector as shown in .

Figure 2-14 PIX Firewall Serial Cable Assembly

Step 4 Connect one of the DB-9 serial connectors to the console connector on the front panel of the PIX Firewall.

Step 5 Connect one end of the RJ-45 null modem cable to the DB-9 connector.

Step 6 If you are installing an AC voltage PIX Firewall, connect the PIX Firewall unit's power cord to the power connector on the rear panel of the unit, and to a power outlet.

If you are installing a DC voltage PIX Firewall, refer to "."

Step 7 The following options are available:

(a) If you have a second PIX Firewall to use as failover unit, install the failover feature and cable as described in "."

(b) If needed, install the PIX Firewall Syslog Server as described in "."

(c) If you need to install an optional circuit board such as the Private Link VPN board, single-port Ethernet board, or the four-port Ethernet board, refer to "" for information about how to open the top cover of the chassis to install circuit boards.

(d) If you need to install additional memory, refer to "."

(e) If you are ready to start configuring the PIX Firewall, power on the unit. When the unit is powered on, refer to the configuration guide for your respective software version listed in the section, "Related Documentation" in "About This Manual."

Startup Messages

When you reboot or power-on the PIX Firewall, messages appear similar to the following. The first messages to display are:

PIX Bios V2.7

Booting Floppy

...................................Execing flop
PIX Floppy loader (V2.0)
 Reading second stage loader.....
 Starting second stage loader.

PIX flash loader (V2.0)

Flash=AT29C040A
Reading floppy image..................................
Flash version 4.4, Floppy version 4.4

The Flash statement indicates the type of Flash memory. Versions 4.3 and 4.4 require 2 MB of Flash, which has the "AT29C040A" code. If you had the previous 512 KB Flash version, the PIX Firewall would have displayed an error message and stopped the installation.

The last line in this example lists the software versions in Flash memory and what you are installing on diskette.

When a Diskette is Inserted


When a diskette is inserted in the PIX Firewall unit's drive, the following prompt appears:

Do you want me to install floppy version onto flash? [n]

If you have an existing configuration, enter n for no. Alternatively, you can ignore the prompt by waiting approximately 45 seconds and PIX Firewall will insert No for you.

The listing continues as follows:

Installing to flash

If you did not install the diskette version into Flash memory, proceed to "After the Prompts."

Installing for the First Time or Installing an Activation Key

If you are installing for the first time or you want to enter a new activation key, enter y for yes. PIX Firewall then displays:

Activation Key: aaaabbbb ccccddd eeeeffff 11112222

Do you want to enter a new activation key? [n]

If you do not wish to enter an activation key, enter n for no, or wait approximately 45 seconds and PIX Firewall will enter No for you. If you enter y to enter an activation key, you are prompted to enter each part of the activation key:

Enter Activation Key
Part 1 of 4:

Enter the first part of your new activation key. (In the previous example for the activation key listing, the first part is aaaabbbb.)

PIX Firewall then prompts you for the other 3 parts of the activation key. Enter each part.

Part 2 of 4:
Part 3 of 4:
Part 4 of 4:

After the Prompts

PIX Firewall then continues the startup messages as follows:

Using flash config
Erasing flash...
Writing image into flash...
Saving config...
16MB RAM
Flash=AT29C040A @ 0x300

To install version 4.4, you need to see at least 16 MB of RAM. If you had too little memory, a message would display indicating "insufficient memory."

PIX Firewall then lists each interface. Because PIX Firewall interface cards are polled instead of using interrupts, the IRQ (interrupt request lines) can have duplicate numbers:

mcwa i82557 Ethernet at irq 10        MAC: 00a0.c90a.eb4d
mcwa i82557 Ethernet at irq 9         MAC: 00a0.c986.8eea
mcwa i82557 Ethernet at irq 10        MAC: 00a0.c9e8.8caf
mcwa i82557 Ethernet at irq 11        MAC: 0090.2710.4aa4

In this example, the PIX Firewall has four Ethernet interfaces. The MAC address is a unique hardware identifier for each interface.

If a Private Link card is present, the following message appears:

CA9568 Encryption @ 0x3a0

The PIX Firewall symbol then displays followed by the version number and the number of connections.

            -----------------------------------------------------------------------
                               ||        ||
                               ||        ||
                              ||||      ||||
                          ..:||||||:..:||||||:..
                         c i s c o S y s t e m s
                        Private Internet eXchange
            -----------------------------------------------------------------------
                               PIX Firewall
PIX Version 4.4(x)

Note   Write down the number of connections. PIX Firewall only provides this information at startup.


If a Private Link card is present, the following export statement appears:


           ****************************** Warning *******************************
                 An encryption device has been discovered.

            This product is not authorized for use by persons located outside the
            United States and Canada that do not have export license authority
            from Cisco Systems, Inc. and/or the U.S. Government.
            This product may not be exported outside the U.S. and Canada either by
            physical or electronic means without the prior written approval of
            Cisco Systems, Inc. and/or the U.S. Government.
            Persons outside the U.S. and Canada may not reexport, resell, or
            transfer this product by either physical or electronic means without
            prior written approval of Cisco Systems, Inc. and/or U.S. Government.
            ******************************* Warning *******************************

PIX Firewall then displays the following messages:

Copyright (c) 1996-1999 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Type help or '?' for a list of available commands.
pixfirewall> enable

Enter the enable command to start unprivileged mode. You are then prompted for the enable password as follows:

Password:

Unless you have assigned a value to the enable password, which you can do with the enable password command, press the Enter key to signify the default of no password. You are now in unprivileged mode.

Start configuration mode by entering the configure terminal command:

pixfirewall# configure terminal
pixfirewall(config)#

You are now ready to start configuring your PIX Firewall, which is described in the configuration guide for your version of the PIX Firewall. Refer to the section, "Related Documentation" in "About This Manual."