
1-2

Cisco PIX Device Manager Installation Guide

78-15483-01

Chapter 1      Overview


Connection graphs: Track real-time session and performance data, sampled once per second, for 
connections, address translations, authentication, authorization, and accounting (AAA) transactions, 
URL filtering requests, and more. 

Intrusion Detection System (IDS): Provides 16 graphs that display potentially malicious activity. The 
graphs are keyed to IDS signatures and show activity such as IP attacks, Internet Control Message 
Protocol (ICMP) requests, and Portmap requests.

Interface graphs: Provide real-time monitoring of bandwidth usage on each interface. Incoming and 
outgoing traffic is shown as packet rates, packet counts, and errors, and as bit, byte, and collision 
counts.

Syslog Viewer—Lets you view specific syslog message types by selecting the desired logging level.

Embedded Architecture—Lets you manage the Cisco PIX Firewall from almost any computer, 
regardless of the operating system, and works with most browsers, including Microsoft Internet 
Explorer and Netscape Navigator. There is no application to install and no plug-in required. 

Secure Communication—Supports the Secure Sockets Layer (SSL) protocol to encrypt traffic between 
the PIX Firewall and the browser. PDM-to-PIX Firewall communication is encrypted with one of these 
algorithms, according to the activation key installed on the PIX Firewall: 56-bit Data Encryption 
Standard (DES), 168-bit Triple DES (3DES), or 128-bit Advanced Encryption Standard (AES). A 56-bit 
DES key is within reach of brute-force search, so prefer 3DES or AES whenever the activation key 
permits it. You can protect access with a valid username and password, either on the PIX Firewall 
or through an authentication server.

Data Encryption Overview

This section describes data encryption, including the IPSec, IKE, and certification authority (CA) 
interoperability features.

Note

For additional information on these features, refer to the “IP Security and Encryption” chapter in the 
appropriate Security Configuration Guide and Security Command Reference publications for your 
specific PIX Firewall.

IPSec is a network-layer, open-standards framework developed by the Internet Engineering Task Force 
(IETF) that provides secure transmission of sensitive information over unprotected networks such as the 
Internet. IPSec provides data authentication, anti-replay protection, and data confidentiality. 

Cisco follows these data encryption standards:

IPSec—IPSec is an IP-layer, open-standards framework that provides data confidentiality, data 
integrity, and data authentication between participating peers. IKE negotiates the protocols 
and algorithms according to local policy and generates the encryption and authentication keys 
that IPSec uses. IPSec protects one or more data flows between a pair of hosts, between a pair of 
security gateways, or between a security gateway and a host.

IKE—Internet Key Exchange (IKE) is a hybrid security protocol that implements the Oakley and Skeme 
key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) 
framework. IKE can be used with IPSec and with other protocols. IKE authenticates the IPSec peers, 
negotiates IPSec security associations, and establishes IPSec keys. IPSec can be configured with or 
without IKE; without IKE, the keys are entered manually on both peers and are never rotated 
automatically, so IKE is the recommended way to key IPSec.
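The anti-replay and data-authentication services that the overview attributes to IPSec, shown as an added example that is not Cisco PIX or PDM code: a Python implementation of the receiver-side sliding window from RFC 4303 section 3.4.3, combined with an HMAC-SHA-1-96 integrity check (the truncated HMAC that AH and ESP use). The packet framing (4-byte sequence number, payload, 12-byte ICV), the key, and the sample sequence numbers are assumptions for illustration, not the ESP or AH wire format.

```python
"""IPSec-style anti-replay sliding window with HMAC-SHA-1-96 integrity check.

Added example, not Cisco PIX/PDM code. The packet framing below is a
constructed toy (4-byte big-endian sequence number, payload, 12-byte ICV),
not the real ESP/AH wire format; the window logic follows RFC 4303 3.4.3.
"""
import hashlib
import hmac
import struct

WINDOW_SIZE = 64   # RFC 4303 mandates at least 32, recommends 64
ICV_LEN = 12       # HMAC-SHA-1-96: SHA-1 HMAC truncated to 96 bits (RFC 2404)


class AntiReplayWindow:
    """Receiver state: highest sequence number accepted plus a bitmap of the
    WINDOW_SIZE most recent sequence numbers (bit i set = last_seq - i seen)."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.last_seq = 0   # 0 means nothing accepted yet; seq 0 itself is invalid
        self.bitmap = 0

    def check(self, seq):
        """True if seq may be accepted: not a replay and not older than the window."""
        if seq == 0:
            return False
        if seq > self.last_seq:
            return True                       # right of the window: always new
        diff = self.last_seq - seq
        if diff >= self.size:
            return False                      # fell off the left edge: too old
        return not (self.bitmap >> diff) & 1  # inside window: reject if already seen

    def update(self, seq):
        """Record seq. Call only after check() passed AND the ICV verified, so a
        forged packet with a high sequence number cannot advance the window."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 1               # everything old drops out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def make_packet(key, seq, payload):
    """Sender side: seq || payload || HMAC-SHA-1-96(key, seq || payload)."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]


def receive(window, key, packet):
    """Receiver side in RFC 4303 order: replay check, then ICV, then window update.
    Returns 'ok', 'replay' or 'bad-icv'."""
    if len(packet) < 4 + ICV_LEN:
        return "bad-icv"
    seq = struct.unpack(">I", packet[:4])[0]
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not window.check(seq):
        return "replay"                       # cheap check first: no MAC work for replays
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return "bad-icv"                      # window untouched: forgery cannot poison it
    window.update(seq)
    return "ok"


def demo():
    """Constructed traffic: in-order packets, a replay, a forgery, a big jump,
    then packets at and just inside the left edge of the 64-wide window."""
    key = b"constructed-demo-key"
    window = AntiReplayWindow()
    forged = bytearray(make_packet(key, 5, b"e"))
    forged[4] ^= 0xFF                         # flip a payload byte, keep seq and ICV
    results = []
    for label, pkt in [
        ("seq1", make_packet(key, 1, b"a")),
        ("seq2", make_packet(key, 2, b"b")),
        ("seq3", make_packet(key, 3, b"c")),
        ("seq2-again", make_packet(key, 2, b"b")),
        ("seq5-forged", bytes(forged)),
        ("seq5", make_packet(key, 5, b"e")),
        ("seq100", make_packet(key, 100, b"z")),
        ("seq36-too-old", make_packet(key, 36, b"old")),
        ("seq37-edge", make_packet(key, 37, b"edge")),
        ("seq37-again", make_packet(key, 37, b"edge")),
    ]:
        results.append((label, receive(window, key, pkt)))
    return results


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:14s} {verdict}")
```

The order inside `receive` is the security-relevant part: the window is consulted before the MAC is computed (so replays cost no cryptographic work) and advanced only after the MAC verifies (so an attacker cannot push the window forward with a forged high sequence number and make legitimate in-flight packets look old).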
