Dell SonicWALL Secure Mobile Access 8.5
Administration Guide
Management Considerations for the Cisco PIX
Both deployment methods described in the sections that follow use the PIX’s WAN interface IP address as the means of external connectivity to the internal SMA/SRA appliance. The PIX can be managed through HTTP/S, but its default management ports (80, 443) cannot be reassigned in the recommended PIX OS version. Because both methods forward those ports on the same WAN address to the SMA/SRA appliance, the HTTP/S management interface must be deactivated. To deactivate the HTTP/S management interface, issue the command ‘clear http’.
Method One – SMA/SRA Appliance on LAN Interface
1 From a management system, log in to the SMA/SRA appliance’s Secure Mobile Access management interface. By default the management interface is X0 and the default IP address is 192.168.200.1.
2 Navigate to the Network > Interfaces page and click on the configure icon for the X0 interface. On the pop-up that appears, change the X0 address to 192.168.100.2 with a mask of 255.255.255.0. When done, click OK to save and activate the change.
3 Navigate to the Network > Routes page and change the Default Gateway to 192.168.100.1. When done, click Accept in the upper-right corner to save and activate the change.
4 Navigate to the NetExtender > Client Addresses page. You need to enter a range of IP addresses for the 192.168.100.0/24 network that are not in use on your internal LAN network; if your network has an existing DHCP server or the PIX is running a DHCP server on its internal interface, you need to make sure not to conflict with these addresses. For example: enter 192.168.100.201 in the field next to Client Address Range Begin:, and enter 192.168.100.249 in the field next to Client Address Range End:. When done, click Accept in the upper-right corner to save and activate the change.
5 Navigate to the NetExtender > Client Routes page. Add a client route for 192.168.100.0. If there is an entry for 192.168.200.0, delete it.
6 Navigate to the Network > DNS page and enter your internal network’s DNS addresses, internal domain name, and WINS server addresses. These are critical for NetExtender to function correctly. When done, click Accept in the upper-right corner to save and activate the change.
7 Navigate to the System > Restart page and click Restart…
8 Install the SMA/SRA appliance’s X0 interface on the LAN network of the PIX. Do not hook any of the appliance’s other interfaces up.
9 Connect to the PIX’s management CLI by way of the console port, telnet, or SSH and enter configure mode.
10 Issue the command ‘clear http’ to shut off the PIX’s HTTP/S management interface.
11 Issue the command ‘access-list sslvpn permit tcp any host x.x.x.x eq www’ (replace x.x.x.x with the WAN IP address of your PIX).
12 Issue the command ‘access-list sslvpn permit tcp any host x.x.x.x eq https’ (replace x.x.x.x with the WAN IP address of your PIX).
13 Issue the command ‘static (inside,outside) tcp x.x.x.x www 192.168.100.2 www netmask 255.255.255.255 0 0’ (replace x.x.x.x with the WAN IP address of your PIX).
14 Issue the command ‘static (inside,outside) tcp x.x.x.x https 192.168.100.2 https netmask 255.255.255.255 0 0’ (replace x.x.x.x with the WAN IP address of your PIX).
15 Issue the command ‘access-group sslvpn in interface outside’.
16 Exit config mode and issue the command ‘wr mem’ to save and activate the changes.
17 From an external system, attempt to connect to the SMA/SRA appliance using both HTTP and HTTPS. If you cannot access the SMA/SRA appliance, check all previous steps and test again.
NOTE: If you have a separate static WAN IP address to assign to the SMA/SRA appliance, you do not have to deactivate the HTTP/S management interface on the PIX.
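
Step 4 requires that the NetExtender client range not collide with addresses already in use on the LAN; that can be checked before the range is entered. The following Python is an added example, not part of the SonicWALL guide: the function name check_netextender_pool and the DHCP scope are assumptions constructed for illustration, while the remaining addresses are the ones used in the steps above.

```python
import ipaddress

def check_netextender_pool(lan, x0, gateway, pool_begin, pool_end, reserved=()):
    """Return a list of problems with a NetExtender client address range.

    reserved: iterable of (first, last) ranges already in use on the LAN,
    for example an existing DHCP scope.
    """
    net = ipaddress.ip_network(lan)
    begin = ipaddress.ip_address(pool_begin)
    end = ipaddress.ip_address(pool_end)
    if begin > end:
        return ["range begin is higher than range end"]
    problems = []
    for name, addr in (("begin", begin), ("end", end)):
        if addr not in net:
            problems.append(f"range {name} {addr} is outside {net}")
    # Single hosts that must never be handed out to a VPN client.
    fixed = {
        "X0 interface": ipaddress.ip_address(x0),
        "default gateway": ipaddress.ip_address(gateway),
        "network address": net.network_address,
        "broadcast address": net.broadcast_address,
    }
    for name, addr in fixed.items():
        if begin <= addr <= end:
            problems.append(f"range contains the {name} {addr}")
    # Two inclusive ranges overlap when each starts before the other ends.
    for first, last in reserved:
        first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if begin <= last and first <= end:
            problems.append(f"range overlaps reserved range {first}-{last}")
    return problems

# Constructed sample: this DHCP scope is an assumption, not a value from the guide.
DHCP_SCOPE = [("192.168.100.50", "192.168.100.150")]

if __name__ == "__main__":
    for pool in (("192.168.100.201", "192.168.100.249"),   # range from step 4
                 ("192.168.100.100", "192.168.100.249")):  # collides with DHCP
        issues = check_netextender_pool("192.168.100.0/24", "192.168.100.2",
                                        "192.168.100.1", *pool, reserved=DHCP_SCOPE)
        print(pool, "OK" if not issues else issues)
```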