Preparing to Install PDM



If your firewall unit is new and shipped with the minimum firewall software version, the PDM software is already loaded in the firewall Flash memory for you.

If you are upgrading from a previous version, you need to use TFTP from the firewall to copy the PDM image to your firewall. For instructions on how to do this, refer to Appendix A, "Using a TFTP Server".

This section includes the following topics:

Notes and Cautions

Installation Checklist

Preparing to Install PDM

Determining the IP Address of Your Server

Notes and Cautions

CLI Command Support—PDM Version 3.0 uses the PIX Firewall CLI command syntax, which is very similar to Cisco IOS software, but not identical. Most PIX Firewall CLI commands are fully supported by PDM. If you are using PDM with an existing firewall configuration, refer to PDM Support for PIX Firewall CLI Commands for more information.

Multiple PDM Sessions—PDM allows multiple PCs or workstations to each have one browser session open with the same firewall. However, only one session per browser per PC or workstation is supported for a particular firewall.

Minimum Version for PIX—PDM 3.0 does not run with PIX Firewall software versions earlier than Version 6.3. PDM Version 3.0 is a single image which supports only PIX Firewall Version 6.3.

Java Plug-in Supported—PDM Version 3.0 supports the Java plug-in for browsers. See PDM online Help (Browser Requirements>JDK) for more information.

JVM Bug with Solaris, Netscape 4.7—Some actions, such as clicking a button to go to a dialog, may be delayed unless the mouse is moved after the action. This JVM bug affects all versions of PDM on Solaris. Workaround: Move the mouse after clicking buttons, window controls, or other actions.

Caveats—Please use Bug Navigator II on cisco.com to view current caveat information. Bug Navigator II may be accessed at the following website: http://www.cisco.com/support/bugtools

Caution

When you have a corrupted certificate database and run PDM with Netscape version 4.73, the Netscape browser may crash after you click Grant in the grant privileges dialog box. (The certificate database is a file called cert7.db, located in your Netscape directory.)

Netscape version 4.73 can corrupt the certificate database if you do the following before you click Grant:

1. Run an applet that uses a digital certificate.

2. Renew the certificate.

3. Run the new applet with the updated certificate.

This occurs on Windows, Sun Solaris, and Linux platforms with the Netscape Java Virtual Machine (JVM).

A workaround is to remove the corrupted cert7.db file from your Netscape directory. A new cert7.db file is created when you run Netscape again. However, this removes all of the certificates that you have previously accepted as trusted. (This includes certificates that you accepted from other sites as well as certificates that you entered manually.)

Installation Checklist

Confirm the following before you install PDM:

Verify that all system requirements have been met. See the requirements listed in Chapter 1, "Overview." For example, the PIX Firewall unit must be running PIX Firewall software Version 6.3 and have a DES, 3DES, or AES activation key to use PDM Version 3.0.

Confirm that you are running PIX Firewall software Version 6.3. (If you have command line access to your PIX Firewall, you can use the CLI show version command to display the version currently running on your PIX Firewall.)

If you are not running PIX Firewall software Version 6.3, see the instructions for installing PIX Firewall software in the Cisco PIX Firewall and VPN Configuration Guide. (After installing a PIX Firewall image, reboot your PIX Firewall to begin running the new image on the PIX Firewall.)

If your PIX Firewall is new, it shipped with PIX Firewall software Version 6.3 and PDM Version 3.0.

Verify that you have a TFTP or FTP server installed. See Appendix A, "Using a TFTP Server," to install a TFTP server.

Confirm that you are a registered Cisco user. If you are not a registered user, go to http://tools.cisco.com/RPF/register/register.do, and complete the form to register.

Preparing to Install PDM

Before installing PDM, be aware of the following:

Save or print your PIX Firewall configuration. (You can save a copy of your configuration by using the PIX Firewall CLI write terminal command to display your configuration. You can cut and paste the displayed configuration into a text file.)

Write down your activation key. (View your activation key by using the PIX Firewall CLI show version command.)

If you are upgrading from a previous version of the PIX Firewall software, obtain the PDM software from Cisco in the same way that you obtain PIX Firewall software (see http://www.cisco.com/pcgi-bin/tablebuild.pl/pix), and download the image onto your PIX Firewall unit, using the HTTP protocol or a TFTP server. For instructions on how to use a TFTP server, refer to Appendix A, "Using a TFTP Server."


Note: For additional information on upgrading software for the PIX Firewall, see Upgrading Software for the Cisco Secure PIX Firewall at the following URL: http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml


If you plan to upgrade a PIX Firewall failover pair to use PIX Firewall software Version 6.3 and PDM Version 3.0, both the PIX Firewall image and the PDM image must be installed on your failover units.

If you are using PDM with an existing PIX Firewall configuration, refer to the appropriate version of the Cisco PIX Device Manager Release Notes for information on which commands are supported and which are not.

PDM works with any configuration, whether created with the PIX Firewall command-line interface (CLI) or Cisco Secure Policy Manager (CSPM). Subsequent changes to the PIX Firewall configuration are not communicated automatically to PDM. If you are using PDM, and make changes to your PIX Firewall configuration outside PDM, click Refresh in PDM to update PDM with the current PIX Firewall configuration.

A DES (free) or 3DES/AES license is required. PDM supports only encrypted communication.

Registered Cisco.com users can request a DES (free) or 3DES/AES activation key from the following URL:

http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324

New Cisco.com users can complete the form at this URL before requesting a DES (free) or 3DES/AES activation key:

http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl

3DES/AES activation keys are available as part of a feature license upgrade and are not free.


Caution: If you are using CSPM, use PDM for monitoring only. All changes made using PDM will be overwritten the next time CSPM synchronizes with the PIX Firewall.

Determining the IP Address of Your Server

Loading a PIX Firewall or PDM image requires you to use a TFTP or FTP server.


Note: The Microsoft Windows-based TFTP server previously provided by Cisco Systems has been discontinued and is no longer supported by Cisco Systems. Persons still using the server should consider replacing it with any high-quality freeware or shareware TFTP server. TFTP servers can be found by searching for "tftp server" on the Web. We do not specifically recommend any particular TFTP implementation.

Note that recent versions of Cisco IOS software support the use of FTP instead of TFTP for loading of images or configuration files. Use of FTP overcomes a number of inherent limitations of TFTP, including a lack of security and a 16 MB file size limitation.


Before using TFTP, determine the IP address of your server.

This section provides the information required to determine your IP address, and includes the following topics:

Windows NT, Windows 2000, or Windows XP

Windows 98 or Windows ME

Sun Solaris

Linux

Windows NT, Windows 2000, or Windows XP

On a Windows workstation, click Start>Accessories>Command Prompt to launch the Windows command-line interface and then enter the ipconfig command as shown in the following example:

C:\> ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 209.165.200.225
        Subnet Mask . . . . . . . . . . . : 255.255.255.224
        Default Gateway . . . . . . . . . : 10.21.196.33

C:\>

In this example, the server's IP address is 209.165.200.225 with a network mask of 255.255.255.224.

Windows 98 or Windows ME

From a Windows 98 or Windows ME computer, you can view the IP address by clicking Start>Run and entering the winipcfg command. Windows then displays a graphical user interface (GUI) listing the IP address information.

Sun Solaris

Enter the /sbin/ifconfig -a command to view your IP address, as shown in the following example:

% /sbin/ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000 
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 209.165.200.225 netmask ffffffe0 broadcast 209.165.200.255

In this example, the IP address of the host is 209.165.200.225 with a netmask of 255.255.255.224. (ffffffe0 is the hexadecimal equivalent to 255.255.255.224.)

Linux

Enter the /sbin/ifconfig command to view your IP address, as shown in the following example:

% /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:D0:B7:5D:C0:56
          inet addr:209.165.200.225 Bcast:209.165.200.255 Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:189576 errors:0 dropped:0 overruns:0 frame:0
          TX packets:414837371 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          Interrupt:10 Base address:0x3000 

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:75397725 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75397725 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

In this example, the IP address of the computer is 209.165.200.225 with a netmask of 255.255.255.224. The remainder of the display provides information on the status of data transmission through the server.
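The Solaris and Linux displays above report the address and netmask in different positions and notations (hexadecimal on Solaris, dotted decimal on Linux). As an added example that is not part of the original Cisco document, this Python code parses both formats, converts the hexadecimal netmask, and skips loopback entries; the sample text is constructed from the displays above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input, modeled on the Solaris and Linux displays above.
SOLARIS_SAMPLE = """\
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 209.165.200.225 netmask ffffffe0 broadcast 209.165.200.255
"""
LINUX_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:D0:B7:5D:C0:56
          inet addr:209.165.200.225 Bcast:209.165.200.255 Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
"""

IFACE = re.compile(r"^([A-Za-z][\w.]*):?\s")  # an unindented line starts an interface block
SOLARIS_INET = re.compile(r"inet (\S+) netmask ([0-9a-fA-F]{8})\b")
LINUX_INET = re.compile(r"inet addr:(\S+).*?Mask:(\S+)")


def parse_ifconfig(text):
    """Return [(interface, ip, dotted_netmask)] for non-loopback IPv4 addresses."""
    results, iface = [], None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            iface = m.group(1)
        sol, lin = SOLARIS_INET.search(line), LINUX_INET.search(line)
        if sol:
            # Solaris prints the mask as 8 hex digits: ffffffe0 -> 255.255.255.224
            ip, mask = sol.group(1), str(ipaddress.IPv4Address(int(sol.group(2), 16)))
        elif lin:
            ip, mask = lin.groups()
        else:
            continue
        if not ipaddress.IPv4Address(ip).is_loopback:
            results.append((iface, ip, mask))
    return results


def network_of(ip, mask):
    """Return the network the address belongs to, in CIDR form."""
    return str(ipaddress.IPv4Interface(f"{ip}/{mask}").network)
```
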