Quick Start Guide




Cisco PIX 515E Security Appliance Quick Start Guide

1   Verifying the Package Contents
2   Installing the PIX 515E Security Appliance
3   Configuring the Security Appliance
4   Common Configuration Scenarios
5   Optional Maintenance and Upgrade Procedures
About the Cisco PIX 515E Security Appliance




[Front panel illustration: PIX Firewall series chassis with POWER, ACT, and NETWORK LEDs]




The Cisco PIX 515E security appliance delivers enterprise-class security for small-to-medium
businesses and enterprise networks in a modular, purpose-built security appliance. Ranging from
compact, “plug-and-play” desktop appliances for small and home offices to carrier-class gigabit
appliances for the most demanding enterprise and service-provider environments, Cisco PIX security
appliances provide robust security, performance, and reliability for network environments of all sizes.
Part of the market-leading Cisco PIX 500 series, the Cisco PIX 515E security appliance provides a wide
range of integrated security services, hardware VPN acceleration, award-winning high-availability and
powerful remote management capabilities in an easy-to-deploy, high-performance solution.

About this document
This document describes how to install and configure the security appliance for use in a VPN or DMZ
deployment. When you have completed the procedures outlined in this document, the security
appliance will be running a basic VPN or DMZ configuration. The document provides only enough
information to get the security appliance up and running with a basic configuration.
For more information, refer to the following documentation:
    • Cisco PIX Security Appliance Release Notes
    • Cisco PIX Security Appliance Hardware Installation Guide
    • Cisco Security Appliance Command Line Configuration Guide
    • Cisco Security Appliance Command Reference
    • Cisco Security Appliance System Log Messages
You can find these documents online at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/index.htm




1 Verifying the Package Contents
Verify the contents of the packing box to ensure that you have received all items necessary to install
and configure your PIX 515E security appliance.




[Package contents illustration]
    • PIX 515E security appliance (chassis label: DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED; rear panel connectors: 10/100 ETHERNET 0, 10/100 ETHERNET 1, FAILOVER, CONSOLE)
    • Blue console cable (72-1259-01)
    • PC terminal adapter (74-0495-01)
    • Yellow Ethernet cable (72-1482-01)
    • Failover serial cable (74-1213-01)
    • Mounting brackets (700-01170-02)
    • 7 flathead screws (69-0123-01)
    • 4 cap screws (69-0124-01)
    • 4 spacers (69-0125-01)
    • Power cable
    • Rubber feet
    • Documentation


2 Installing the PIX 515E Security Appliance
This section describes how to install your PIX 515E security appliance into your own network, which
might resemble the model in Figure 1.

Figure 1       Sample Network Layout

[Figure 1 illustration: the PIX 515E Inside interface connects through a switch to a laptop computer, a personal computer, and a printer; the DMZ interface connects through a switch to a DMZ server; the Outside interface connects to a router that reaches the Internet; a power cable supplies the appliance.]


To install the PIX 515E security appliance, complete these steps:


Step 1     Mount the chassis in a rack by performing the following steps:
           a. Attach the brackets to the chassis with the supplied screws. The brackets attach to the holes
              near the front of the chassis.
           b. Attach the chassis to the equipment rack.
Step 2     Use one of the provided yellow Ethernet cables (72-1482-01) to connect the outside 10/100
           Ethernet interface, Ethernet 0, to a DSL modem, cable modem, router, or switch.
Step 3     Use the other provided yellow Ethernet cable (72-1482-01) to connect the inside 10/100
           Ethernet interface, Ethernet 1, to a switch or hub.
Step 4     Connect one end of the power cable to the rear of the PIX 515E security appliance and the
           other end to a power outlet.
Step 5     Power up the PIX 515E security appliance. The power switch is located at the rear of the
           chassis.




3 Configuring the Security Appliance
This section describes the initial security appliance configuration. You can perform the setup steps
using either the browser-based Adaptive Security Device Manager (ASDM) or the command-line
interface (CLI).


Note    To run the ASDM, you must have a DES license or a 3DES-AES license.



About the Factory Default Configuration
Cisco security appliances are shipped with a factory-default configuration that enables quick startup.
This configuration meets the needs of most small and medium business networking environments. By
default, the security appliance is configured as follows:
 • The inside interface is configured with a default DHCP address pool.
    This configuration enables a client on the inside network to obtain a DHCP address from the
    security appliance in order to connect to the appliance. Administrators can then configure and
    manage the security appliance using ASDM.
 • The outside interface is configured to deny all inbound traffic.
    This configuration protects your inside network from unsolicited traffic.
Based on your network security policy, you should also consider configuring the security appliance to
deny all ICMP traffic through the outside interface, or through any other interface where that is
necessary. You can configure this access control policy using the icmp command. For more information
about the icmp command, refer to the Cisco Security Appliance Command Reference.




About the Adaptive Security Device Manager
The Adaptive Security Device Manager (ASDM) is a feature-rich graphical interface that enables you to
manage and monitor the security appliance. Its web-based design provides secure access so that you can
connect to and manage the security appliance from any location by using a web browser.
In addition to complete configuration and management capability, ASDM features intelligent wizards to
simplify and accelerate security appliance deployment. To run ASDM, you must have a DES license or a
3DES-AES license. Additionally, Java and JavaScript must be enabled in your web browser.


About Configuration from the Command-Line Interface
In addition to the ASDM web configuration tool, you can configure the security appliance by using
the command-line interface. For more information, refer to the Cisco Security Appliance Command
Line Configuration Guide and the Cisco Security Appliance Command Reference.


Using the Startup Wizard
ASDM includes a Startup Wizard to simplify the initial configuration of your security appliance. With
a few steps, the Startup Wizard enables you to configure the security appliance so that it allows packets to
flow securely between the inside network and the outside network.
Before you launch the Startup Wizard, have the following information available:
    • A unique hostname to identify the security appliance on your network.
    • The IP addresses of your outside interface, inside interface, and other interfaces.
    • The IP addresses to use for NAT or PAT configuration.
    • The IP address range for the DHCP server.




To use the Startup Wizard to set up a simplified basic configuration on the security appliance, follow
these steps:


Step 1   If you have not already done so, connect the inside Ethernet 1 interface of the security
         appliance to a switch or hub by using the Ethernet cable. To this same switch, connect a PC
         for configuring the security appliance.
Step 2   Configure your PC to use DHCP (to receive an IP address automatically from the security
         appliance), or assign a static IP address to your PC by selecting an address out of the
         192.168.1.0 network. (Valid addresses are 192.168.1.2 through 192.168.1.254, with a mask of
         255.255.255.0 and default route of 192.168.1.1.)


         Note    The inside interface of the security appliance is assigned 192.168.1.1 by default, so
                 this address is unavailable.

Step 3   Check the LINK LED on the Ethernet 1 interface. When a connection is established, the LINK
         LED on the Ethernet 1 interface of the security appliance and the corresponding LINK LED on
         the switch or hub will become solid green.
Step 4   Launch the Startup Wizard.
         a. On the PC connected to the switch or hub, launch an Internet browser.
         b. In the address field of the browser, enter this URL: https://192.168.1.1/.


         Note    The security appliance ships with a default IP address of 192.168.1.1. Remember to
                 add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a
                 secure connection between your browser and the security appliance.

Step 5   In the popup window that requires a username and password, leave both fields empty. Press
         Enter.
Step 6   Click Yes to accept certificates. Click Yes for any subsequent certificates or authentication
         requests.
Step 7   After ASDM starts, choose the Wizards menu, then choose Startup Wizard.
Step 8   Follow the instructions in the Startup Wizard to set up your security appliance.
         For information about any field in the Startup Wizard, click the Help button at the bottom of
         the window.




4 Common Configuration Scenarios
This section provides configuration examples for two common security appliance configuration
scenarios:
    • Hosting a web server on a DMZ network
    • Establishing a site-to-site VPN connection with other business partners or remote offices
Use these scenarios as a guide when you set up your network. Substitute your own network addresses
and apply additional policies as needed.


Scenario 1: DMZ Configuration
A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private
(inside) network and a public (outside) network. This scenario is a sample network topology that is
common to most DMZ implementations that use the security appliance. The web server is on the DMZ
interface, and HTTP clients from both the inside and outside networks are able to access the web
server securely.
In Figure 2, an HTTP client (10.10.10.10) on the inside network initiates HTTP communications
with the DMZ web server (30.30.30.30). HTTP access to the DMZ web server is provided for all
clients on the Internet; all other communications are denied. The network is configured to use an IP
pool of addresses between 30.30.30.50 and 30.30.30.60. (The IP pool is the range of IP addresses
available to the DMZ interface.)

Figure 2       Network Layout for DMZ Configuration Scenario

[Figure 2 illustration: the PIX 515E has three interfaces. Inside (network 10.10.10.0) connects an HTTP client at 10.10.10.10; Outside (209.165.156.10) connects to the Internet, where further HTTP clients reside; DMZ (network 30.30.30.0) connects the web server at 30.30.30.30.]



Because the DMZ web server is located on a private DMZ network, it is necessary to translate its
private IP address to a public (routable) IP address. This public address allows external clients to have
HTTP access to the DMZ web server in the same way the clients would access any server on the
Internet.
This DMZ configuration scenario, shown in Figure 2, provides two routable IP addresses that are
publicly available: one for the outside interface (209.165.156.10) and one for the translated DMZ web
server (209.165.156.11). The following procedure describes how to use ASDM to configure the security
appliance for secure communications between HTTP clients and the web server.
In this DMZ scenario, the security appliance already has an interface configured for the DMZ, called
dmz. Set up the security appliance interface for your DMZ by using the Startup Wizard. Ensure that the
security level is set between 0 and 100. (A common choice is 50.)

Information to Have Available
 • Internal IP addresses of the servers inside the DMZ that you want to make available to clients on
   the public network (in this scenario, a web server).
 • External IP addresses to be used for servers inside the DMZ. (Clients on the public network will
   use the external IP address to access the server inside the DMZ.)
 • Client IP address to substitute for internal IP addresses in outgoing traffic. (Outgoing client traffic
   will appear to come from this address so that the internal IP address is not exposed.)

Step 1: Configure IP Pools for Network Translations
For an inside HTTP client (10.10.10.10) to access the web server on the DMZ network (30.30.30.30),
it is necessary to define a pool of IP addresses (30.30.30.50–30.30.30.60) for the DMZ interface.
Similarly, an IP pool for the outside interface (209.165.156.10) is required for the inside HTTP client
to communicate with any device on the public network. Use ASDM to manage IP pools efficiently and
to facilitate secure communications between protected network clients and devices on the Internet.
1. Launch ASDM by entering this factory default IP address in the address field of a web browser:
   https://192.168.1.1.
2. Click the Configuration button at the top of the ASDM window.
3. Choose the NAT feature on the left side of the ASDM window.




4. Click the Manage Pools button at the bottom of the ASDM window. The Manage Global Address
   Pools window appears, allowing you to add or edit global address pools.


     Note   For most configurations, global pools are added to the less secure, or public, interfaces.

5. In the Manage Global Address Pools window:
     a. Choose the dmz interface.
     b. Click the Add button.




     The Add Global Pool Item window appears.




6. In the Add Global Pool Item window:
    a. Choose dmz from the Interface drop-down menu.
    b. Click the Range radio button to enter the IP address range.
    c. Enter the range of IP addresses for the DMZ interface. In this scenario, the range is
       30.30.30.50 to 30.30.30.60.
    d. Enter a unique Pool ID. (For this scenario, the Pool ID is 200.)
    e. Click the OK button to go back to the Manage Global Address Pools window.


       Note    You can also choose Port Address Translation (PAT) or Port Address Translation
               (PAT) using the IP address of the interface if there are limited IP addresses available
               for the DMZ interface.




7. In the Manage Global Address Pools window:
    a. Choose the outside interface.
    b. Click the Add button.
   The Add Global Pool Item window appears.



8. When the Add Global Pool Item window appears:
     a. Choose outside from the Interface drop-down menu.
     b. Click the Port Address Translation (PAT) using the IP address of the interface radio button.
     c. Assign the same Pool ID for this pool as you did in Step 6d above. (For this scenario, the Pool
        ID is 200.)
     d. Click the OK button. The configuration should be similar to the following:
9. Confirm that the configuration values are correct, then:
     a. Click the OK button.
     b. Click the Apply button in the main window.


        Note     Because there are only two public IP addresses available, with one reserved for the
                 DMZ server, all traffic initiated by the inside HTTP client exits the security appliance
                 using the outside interface IP address. This configuration allows traffic from the
                 inside client to be routed to and from the Internet.



Step 2: Configure Address Translations on Private Networks
Network Address Translation (NAT) replaces the source IP addresses of network traffic exchanged
between two security appliance interfaces. This translation prevents the private address spaces from
being exposed on public networks and permits routing through the public networks. Port Address
Translation (PAT) is an extension of the NAT function that allows several hosts on the private
networks to map into a single IP address on the public network. PAT is essential for small and medium
businesses that have a limited number of public IP addresses available to them.
To configure NAT between the inside interface and the DMZ interface for the inside HTTP client,
complete the following steps starting from the main ASDM page:
1. Click the Configuration button at the top of the ASDM window.
2. Choose the NAT feature on the left side of the ASDM window.
3. Click the Translation Rules radio button, and then click the Add button at the right side of the
   ASDM page. The Add Address Translation Rule window appears.
4. In the Add Address Translation Rule window, make sure that the Use NAT radio button is
   selected, and then choose the inside interface from the drop-down menu.




5. Enter the IP address of the inside client. In this scenario, the IP address is 10.10.10.10.
6. Choose 255.255.255.255 from the Mask drop-down menu.
7. Choose the DMZ interface from the Translate Address on Interface drop-down menu.
8. Click the Dynamic radio button in the Translate Address To section.
9. Choose 200 from the Address Pools drop-down menu for the appropriate Pool ID.
10. Click the OK button.
11. A pop-up window displays asking if you want to proceed. Click the Proceed button.
12. On the NAT Translation Rules page, verify that the displayed configuration is accurate.
13. Click the Apply button to complete the configuration changes.
The configuration should display as follows:




Step 3: Configure External Identity for the DMZ Web Server
The DMZ web server needs to be easily accessible by all hosts on the Internet. This configuration
requires translating the web server IP address so that it appears to be located on the Internet, enabling
outside HTTP clients to access it unaware of the security appliance. Complete the following steps to
map the web server IP address (30.30.30.30) statically to a public IP address (209.165.156.11):
1. Click the Configuration button at the top of the ASDM window. Then choose the NAT feature on
   the left side of the ASDM window.
2. Click the Translation Rules radio button. Then click the Add button at the right side of the page.
3. Choose the outside dmz interface from the drop-down menu of interfaces.
4. Enter the IP address (30.30.30.30) of the web server, or click the Browse button to select the server.
5. Choose 255.255.255.255 from the Mask drop-down menu. Then click the Static radio button.
6. Enter the external IP address (209.165.156.11) for the web server. The Advanced button allows
   you to configure features such as limiting the number of connections per static entry and DNS
   rewrites. Then click the OK button.
7. Verify the values that you entered. Then click the Apply button.
The configuration should display as follows:




Step 4: Provide HTTP Access to the DMZ Web Server
By default, the security appliance denies all traffic coming in from the public network. You must create
access control rules on the security appliance to allow specific traffic types from the public network
through the security appliance to resources in the DMZ.
To configure an access control rule that allows HTTP traffic through the security appliance so that any
client on the Internet can access a web server inside the DMZ, complete the following steps:
1. In the ASDM window:
     a. Click the Configuration button.
     b. Choose the Security Policy button on the left side of the ASDM screen.
     c. In the table, choose Add.
2. In the Add Rule window:
     a. Under Action, choose permit from the drop-down menu to allow traffic through the security
        appliance.
     b. Under Source Host/Network, click the IP Address radio button.
     c. Choose outside from the Interface drop-down menu.
     d. Enter the IP address of the Source Host/Network information. (Use 0.0.0.0 to allow traffic
        originating from any host or network.)
     e. Under Destination Host/Network, click the IP Address radio button.
     f. Choose the dmz interface from the Interface drop-down menu.
     g. In the IP address field, enter the IP address of the destination host or network, such as a web
        server. (In this scenario, the IP address of the web server is 30.30.30.30.)
     h. Choose 255.255.255.255 from the Mask drop-down menu.


        Note     Alternatively, you can select the Hosts/Networks in both cases by clicking the
                 respective Browse buttons.




3. Specify the type of traffic that you want to permit:


   Note     HTTP traffic is always directed from any TCP source port number toward a fixed
            destination TCP port number 80.

    a. Click the TCP radio button under Protocol and Service.
    b. Under Source Port, choose “=” (equal to) from the Service drop-down menu.
    c. Click the button labeled with ellipses (...), scroll through the options, and choose Any.
    d. Under Destination Port, choose “=” (equal to) from the Service drop-down menu.
    e. Click the button labeled with ellipses (...), scroll through the options, and select HTTP.




     f. Click the OK button.


        Note    For additional features, such as system log messages by ACL, click the More Options
                radio button at the top of the screen. You can provide a name for the access
                rule in the window at the bottom.

     g. Verify that the information you entered is accurate, and click the OK button.


        Note    Although the destination address specified above is the private address of the DMZ
                web server (30.30.30.30), HTTP traffic from any host on the Internet destined for
                209.165.156.11 is permitted through the security appliance. The address translation
                (30.30.30.30 = 209.165.156.11) allows the traffic to be permitted.

     h. Click the Apply button in the main window.
The configurations should display as follows:




The HTTP clients on the private and public networks can now securely access the DMZ web server.
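The DMZ scenario above (Steps 1 through 4) and the earlier advice on the factory-default deny and the icmp command can be checked mechanically once the ASDM settings are expressed as CLI. The following Python script is an added example, not code from the Cisco guide: it parses a constructed PIX 7.x-style transcription of Scenario 1 (assumed equivalent to the ASDM steps; the ACL name OUTSIDE_IN and the client address 198.51.100.7 are my choices), resolves which DMZ host an inbound flow would reach through the static translation, and flags two weak settings. It assumes pre-8.3 semantics, in which an interface ACL is matched against the translated (mapped) address, which is why the rule names 209.165.156.11 while the ASDM Note above speaks of 30.30.30.30.

```python
"""Added example: evaluate what the Scenario 1 DMZ configuration exposes.

Not code from the Cisco guide. It parses a constructed PIX 7.x-style CLI
transcription of the ASDM steps and answers "does this inbound flow reach a
DMZ host, and which one?", then runs two checks drawn from the page's advice.
"""
import ipaddress
import re

# Constructed configuration (assumption: the CLI equivalent of the ASDM
# steps; interface lines omitted). Pre-8.3 software matches an interface ACL
# against the mapped address, so the rule names 209.165.156.11.
SAMPLE_CONFIG = """\
global (dmz) 200 30.30.30.50-30.30.30.60
global (outside) 200 interface
nat (inside) 200 10.10.10.10 255.255.255.255
static (dmz,outside) 209.165.156.11 30.30.30.30 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 209.165.156.11 eq www
access-group OUTSIDE_IN in interface outside
icmp deny any outside
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}


def _net(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK') from tokens."""
    kind = tokens.pop(0)
    if kind == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kind == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{kind}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Pick out the statics, extended ACLs, access-groups and icmp lines."""
    cfg = {"statics": [], "acls": {}, "groups": {}, "icmp": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$", line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            cfg["statics"].append((real_if, mapped_if,
                                   ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
                                   ipaddress.ip_network(f"{real}/{mask}", strict=False)))
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\w+) (.+)$", line):
            tokens = m[4].split()
            src, dst = _net(tokens), _net(tokens)
            port = None
            if tokens[:1] == ["eq"]:
                port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], src, dst, port))
        elif m := re.match(r"access-group (\S+) in interface (\w+)$", line):
            cfg["groups"][m[2]] = m[1]
        elif line.startswith("icmp "):
            cfg["icmp"].append(line)
    return cfg


def untranslate(cfg, mapped_if, mapped_ip):
    """Map a public address back to (real_interface, real_host) via a static."""
    for real_if, m_if, mapped_net, real_net in cfg["statics"]:
        if m_if == mapped_if and mapped_ip in mapped_net:
            offset = int(mapped_ip) - int(mapped_net.network_address)
            return real_if, str(real_net.network_address + offset)
    return None


def inbound_decision(cfg, iface, proto, src_ip, dst_ip, dst_port):
    """First matching ACE wins; no match means the implicit deny the page
    describes as 'deny all inbound traffic'. Returns (action, real host)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    aces = cfg["acls"].get(cfg["groups"].get(iface, ""), [])
    for action, p, s_net, d_net, port in aces:
        if p in (proto, "ip") and src in s_net and dst in d_net and port in (None, dst_port):
            return action, untranslate(cfg, iface, dst) if action == "permit" else None
    return "deny", None


def audit(cfg):
    """Two defender checks: no blanket permit, ICMP restricted on outside."""
    findings = []
    for name, aces in cfg["acls"].items():
        for action, p, s_net, d_net, _port in aces:
            if action == "permit" and p == "ip" and s_net.prefixlen == 0 and d_net.prefixlen == 0:
                findings.append(f"{name}: permits ip any any")
    if not any(l.startswith("icmp deny") and l.endswith(" outside") for l in cfg["icmp"]):
        findings.append("outside: ICMP is not restricted with the icmp command")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for flow in [("tcp", "198.51.100.7", "209.165.156.11", 80),
                 ("tcp", "198.51.100.7", "209.165.156.11", 22)]:
        print(flow, "->", inbound_decision(cfg, "outside", *flow))
    print("findings:", audit(cfg))
```

Running the script shows the HTTP flow to 209.165.156.11 being permitted and attributed to the web server at 30.30.30.30 on dmz, while the same source on port 22 falls through to the implicit deny; the audit is empty for the sample because the icmp line is present and nothing permits ip any any.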


Scenario 2: Site-to-Site VPN Configuration
Site-to-site VPN (Virtual Private Networking) features provided by the security appliance enable
businesses to extend their networks across low-cost public Internet connections to business partners
and remote offices worldwide while maintaining their network security. A VPN connection enables
you to send data from one location to another over a secure connection, or “tunnel,” first by
authenticating both ends of the connection, and then by automatically encrypting all data sent between
the two sites.
Figure 3 shows an example VPN tunnel between two security appliances.

Figure 3     Network Layout for Site-to-Site VPN Configuration Scenario

[Figure 3 illustration: Site A has PIX security appliance 1 with inside network 10.10.10.0 and outside address 1.1.1.1; Site B has PIX security appliance 2 with outside address 2.2.2.2 and inside network 20.20.20.0; the two outside interfaces are connected through the Internet.]


Creating a VPN connection such as the one in the above illustration requires you to configure two
security appliances, one on each side of the connection.
ASDM provides an easy-to-use configuration wizard to guide you quickly through the process of
configuring a site-to-site VPN in a few simple steps.

Step 1: Configure the PIX security appliance at the first site.
Configure the security appliance at the first site, which in this scenario is PIX security appliance 1
(from this point forward referred to as PIX 1).
1. Launch ASDM by entering the factory default IP address in the address field of a web browser:
   https://192.168.1.1/admin.
2. In the main ASDM page, choose the VPN Wizard option from the Wizards drop-down menu.
   ASDM opens the first VPN Wizard page.




     In the first VPN Wizard page, do the following:
         a. Choose the Site-to-Site VPN option.


         Note    The Site-to-Site VPN option connects two IPSec security gateways, which can include
                 security appliances, VPN concentrators, or other devices that support site-to-site
                 IPSec connectivity.

         b. From the drop-down menu, choose outside as the enabled interface for the current VPN
            tunnel.
         c. Click the Next button to continue.




Step 2: Provide information about the VPN peer.
The VPN peer is the system on the other end of the connection, usually at a remote site.
Provide information about the VPN peer. In this scenario, the VPN peer is PIX security appliance 2
(from this point forward referred to as PIX 2).
1. Enter the Peer IP address (for PIX 2) and a tunnel group name.
2. Specify the type of authentication that you want to use by performing one of the following:
     – To use a pre-shared key for authentication (for example, “CisCo”), click the Pre-Shared Key
        radio button and enter the key. The same key must be configured on both security appliances,
        because IKE uses it to authenticate each peer to the other. For a production tunnel, choose
        a long, random key rather than a short word like the example.


        Note    When you configure the PIX 2 at the remote site, the VPN peer is PIX 1. Be sure to
                enter the same Pre-shared Key (CisCo) that you use here.

     – To use digital certificates for authentication, click the Certificate radio button, and then
        choose a Trustpoint Name from the drop-down menu.
3. Click the Next button to continue.




Step 3: Configure the IKE Policy
IKE (Internet Key Exchange) is the negotiation protocol that sets up the tunnel: the two peers first
authenticate each other (with the pre-shared key or certificate chosen in Step 2), then agree on an
encryption algorithm, a hash algorithm, and a Diffie-Hellman group that protect the negotiation itself
and the keys derived from it. In most cases, the ASDM default values are sufficient to establish
secure VPN tunnels between two peers.
To specify the IKE policy, complete the following steps:
1. Select the Encryption (DES/3DES/AES), Authentication algorithms (MD5/SHA), and the
   Diffie-Hellman group (1/2/5) used by the security appliance during an IKE security association.


     Note   When configuring PIX 2, enter the exact values for each of the options that you chose for
            PIX 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow
            down the process.

2. Click the Next button to continue.




Step 4: Configure IPSec Encryption and Authentication parameters
These values define the IPSec transform set that protects the traffic itself once the tunnel is up,
as distinct from the IKE policy in Step 3, which protects the negotiation.
1. Choose the Encryption algorithm (DES/3DES/AES) and Authentication algorithm (MD5/SHA). Where
   both peers support them, prefer AES and SHA over DES and MD5.
2. Click the Next button to continue.




Step 5: Specify Local Hosts and Networks
Identify hosts and networks at the local site to be allowed to use this IPSec tunnel to communicate with
the remote-site peers. (The remote-site peers will be specified in a later step.)
Add or remove hosts and networks dynamically from the Selected panel by clicking on the >> or <<
buttons respectively. In the current scenario, traffic from Network A (10.10.10.0) is encrypted by
SA 1 and transmitted through the VPN tunnel.




To specify a local host or network to be allowed access to the IPSec tunnel, complete the following
steps:
1. Click IP Address.
2. Specify whether the interface is inside or outside by choosing one of the interfaces from the
   drop-down menu.
3. Enter the IP address and mask.
4. Click Add.
5. Repeat steps 1 through 4 for each host or network that you want to have access to the tunnel.
6. Click the Next button to continue.




Step 6: Specify Remote Hosts and Networks
Identify hosts and networks at the remote site to be allowed to use this IPSec tunnel to communicate
with the local hosts and networks you identified in Step 5. Add or remove hosts and networks
dynamically from the Selected panel by clicking on the >> or << buttons respectively. In the current
scenario, for PIX 1, the remote network is Network B (20.20.20.0), so traffic encrypted from this
network is permitted through the tunnel.


To specify a remote host or network to be allowed access to the IPSec tunnel, complete the following
steps:
1. Click IP Address.
2. Specify whether the interface is inside or outside by choosing one location from the Interface
   drop-down menu.
3. Enter the IP address and mask.
4. Click Add.
5. Repeat steps 1 through 4 for each host or network that you want to have access to the tunnel.
6. Click the Next button to continue.


    Note    When configuring PIX 2, ensure that the values are correctly entered. The remote network
            for PIX 1 is the local network for PIX 2, and the reverse.




Step 7: View VPN Attributes and Complete Wizard
Review the configuration list for the VPN tunnel you just created.
If you are satisfied with the configuration, click Finish to complete the Wizard and apply the
configuration changes to the security appliance.




Note    When configuring PIX 2, enter the same values for each of the options that you selected for
        PIX 1. Encryption and algorithm mismatches are a common cause of VPN tunnel failures and
        can slow down the process.

This concludes the configuration process for PIX 1.




What to Do Next
You have just configured the local security appliance. Now you need to configure the security
appliance at the remote site.
At the remote site, configure the second security appliance to serve as a VPN peer. Use the same
procedure you used for the local security appliance, starting at Step 1: Configure the PIX security
appliance at the first site and finishing with Step 7: View VPN Attributes and Complete Wizard,
entering PIX 1 as the peer and swapping the local and remote networks.


Note    When configuring PIX 2, enter the exact same values for each of the options that you selected
        for PIX 1. Mismatches are a common cause of VPN configuration failures.
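For reference, the configuration the wizard applies on each appliance corresponds to the CLI below,
given here as an added example that is not part of the original guide. It assumes PIX 7.0 software
(the release that introduced ASDM and tunnel groups on the PIX 515E), interfaces already addressed as
in Figure 3 with /24 masks on both inside networks (the figure gives no masks), and example IKE and
IPSec choices of 3DES, SHA, and Diffie-Hellman group 2. The object names outside_map,
outside_cryptomap_20, inside_nat0_outbound, and ESP-3DES-SHA are illustrative. The pre-shared key
CisCo is the guide's own example and is kept only so the block matches the wizard steps; a
production key should be long and random.

```cisco
! ---- PIX 1 (Site A): outside 1.1.1.1, inside 10.10.10.0/24, peer PIX 2 at 2.2.2.2 ----
! Phase 1 (IKE): the Step 3 values. These must be identical on both peers.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Step 2: peer address and pre-shared key. For a LAN-to-LAN tunnel authenticated with a
! pre-shared key, the tunnel-group name is the peer IP address. "CisCo" is the guide's example key.
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key CisCo
! Steps 5 and 6: local network -> remote network selects the traffic to encrypt (/24 masks assumed)
access-list outside_cryptomap_20 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
! Exempt the same traffic from NAT so the private addresses are carried through the tunnel unchanged
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! Phase 2 (IPSec): the Step 4 values, bound to the outside interface
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 2.2.2.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! ---- PIX 2 (Site B): outside 2.2.2.2, inside 20.20.20.0/24, peer PIX 1 at 1.1.1.1 ----
! Same IKE policy, same transform set, same key; only the peer and the network order change.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key CisCo
! Mirror image of PIX 1: local 20.20.20.0/24, remote 10.10.10.0/24
access-list outside_cryptomap_20 extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
```

Every IKE policy and transform-set value is identical on the two appliances; only the peer address,
the tunnel-group name, and the order of the two networks in the access lists differ, which is the
mirroring the notes in Steps 3, 6, and 7 warn about. On PIX 7.0 software, decrypted tunnel traffic
arriving on the outside interface is permitted by default through sysopt connection permit-ipsec, and
show isakmp sa and show ipsec sa report the Phase 1 and Phase 2 security associations once traffic
between the two networks has triggered negotiation.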



5 Optional Maintenance and Upgrade Procedures
Obtaining DES and 3DES/AES Encryption Licenses
The security appliance offers the option of a DES or 3DES/AES license to enable features that rely
on encryption, such as secure remote management (SSH, ASDM, and so on), site-to-site VPN, and remote
access VPN. Enabling the license requires an encryption license key (activation key).
If you ordered your security appliance with a DES or 3DES/AES license, the encryption license key
comes with the security appliance.
If you did not order your security appliance with a DES or 3DES/AES license and would like to obtain
one now, the encryption licenses are available at no charge on Cisco.com.
If you are a registered user of Cisco.com and would like to obtain a DES or 3DES/AES encryption
license, go to the following website:
http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl
If you are not a registered user of Cisco.com, go to the following website:
http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl
Provide your name, e-mail address, and the serial number for the security appliance as it appears in
the show version command output.


Note    You will receive the new activation key for your security appliance within two hours of
        requesting the license upgrade.




To use the activation key, follow these steps:

Step 1   pix# show version
         Shows the software release, hardware configuration, license key, and related uptime data.
Step 2   pix# configure terminal
         Enters global configuration mode.
Step 3   pix(config)# activation-key activation-5-tuple-key
         Updates the encryption activation key. Replace the activation-5-tuple-key variable with the
         activation key obtained with your new license: a string of hexadecimal elements with one
         space between each element (keys for PIX 7.x software have five elements; an example of the
         format is 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e). The “0x” prefix is optional; all
         values are assumed to be hexadecimal.
Step 4   pix(config)# exit
         Exits global configuration mode.
Step 5   pix# copy running-config startup-config
         Saves the configuration.
Step 6   pix# reload
         Reboots the security appliance and reloads the configuration.


Restoring the Default Configuration
You can restore your configuration to the factory default values in one of the following ways:
 • Start the Startup Wizard at this URL: https://192.168.1.1/.
 • Use the command line as specified in the following procedure.
To restore your default configuration back to the factory-default values, follow these steps:

Step 1   hostname> enable
         Accesses privileged EXEC mode.
Step 2   Password:
         Enter the enable password.
Step 3   hostname# configure terminal
         Accesses global configuration mode.
Step 4   hostname(config)# configure factory-default [inside_ip_address [address_mask]]
         Erases the running configuration and replaces it with the factory default configuration.
         If the optional inside IP address and address mask are specified, the factory-default
         configuration uses them for the inside interface.
Step 5   hostname(config)# write memory
         Writes the factory default configuration to Flash memory.



Alternative Ways to Access the Security Appliance
You can also access the CLI for administration through the console port on the security appliance.
To do so, you must run a serial terminal emulator on a PC or workstation.
To set up your system so that you can administer the security appliance from the command line using
the console port, follow these steps:


Step 1   Connect the blue console cable so that you have a DB-9 connector on one end, as required by
         the serial port for your computer, and the RJ-45 connector on the other end.


         Note      Use the console port to connect to a computer to enter configuration commands.
                   Locate the blue console cable from the accessory kit. The blue console cable assembly
                   consists of a null-modem cable with RJ-45 connectors and a DB-9 connector.

Step 2   Connect the RJ-45 connector to the PIX 515E security appliance console port, and connect
         the other end to the serial port connector on your computer. (See Figure 4.)




Figure 4                Cisco PIX Security Appliance Back Panel

             (PIX-515 rear panel: 10/100 ETHERNET 0/0 with 100 Mbps Link and FDX LEDs, the FAILOVER
             connector, and the CONSOLE port (RJ-45), connected through the RJ-45 to DB-9 null-modem
             serial cable to the PC terminal adapter DB-9)
                • If your PIX 515E security appliance has a four-port Ethernet circuit board already
                  installed, the Ethernet circuit boards are numbered as shown in Figure 5. The four-port
                  Ethernet circuit board is required to use all of the interfaces permitted by the
                  PIX 515E unrestricted license.

Figure 5                Four-Port Ethernet Circuit Board

             (PIX-515 rear panel with the four-port board installed: Ethernet 0 and Ethernet 1 on the
             fixed 10/100 ETHERNET ports, Ethernet 2, Ethernet 3, Ethernet 4, and Ethernet 5 on the
             four-port board, plus the FAILOVER and CONSOLE connectors; the board carries the warning
             DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED)

                • If your PIX 515E security appliance has one or two single-port Ethernet circuit boards
                  installed in the auxiliary assembly on the left of the unit at the rear, the circuit boards are
                  numbered top to bottom so that the top circuit board is Ethernet 2 and the bottom circuit
                  board is Ethernet 3.




Figure 6       Ethernet Circuit Boards Installed in Auxiliary Assembly

             (PIX-515 rear panel with two single-port boards in the auxiliary assembly: Ethernet 2 on
             the top board and Ethernet 3 on the bottom board, Ethernet 0 and Ethernet 1 on the fixed
             10/100 ETHERNET ports, plus the FAILOVER and CONSOLE connectors; the same DO NOT INSTALL
             INTERFACE CARDS WITH POWER APPLIED warning applies)



           Note     If you need to install an optional circuit board, refer to the “Installing a Circuit Board
                    in the PIX 515E” section in the Cisco PIX Security Appliance Hardware Installation
                    Guide.

           If you have a second PIX 515E security appliance to use as a failover unit, install the failover
           feature and cable as described in the “Installing Failover” section in the Cisco PIX Security
           Appliance Hardware Installation Guide.
Step 3     Connect the inside, outside, or perimeter network cables to the interface ports. Starting from
           the top left, the connectors are Ethernet 2, Ethernet 3, Ethernet 4, and Ethernet 5. The
           maximum number of allowed interfaces is six with an unrestricted license.


           Note     Do not add a single-port circuit board in the extra slot below the four-port circuit
                    board because the maximum number of allowed interfaces is six.

Step 4     Power on the unit from the switch at the rear to start the PIX 515E security appliance. Do not
           power on the failover units until the active unit is configured.




Checking the LEDs

The front panel carries three LEDs: POWER, ACT, and NETWORK.

Table 1           PIX 515E Security Appliance Front Panel LEDs

LED        Color     State       Description
POWER      Green     On          The unit has power.
ACT        Green     On          The unit is the active unit of a failover pair.
                     Off         The unit is in standby mode, or failover is not enabled.
NETWORK    Green     Flashing    At least one network interface is passing traffic.


Figure 7          PIX 515E Security Appliance Front Panel LEDs

             (Labeled view of the PIX-515: the 100 Mbps, LINK, and ACT LEDs for 10/100BaseTX
             ETHERNET 1 and ETHERNET 0 (RJ-45), the USB port, the console port (RJ-45), the FAILOVER
             connector, and the power switch; the DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED
             warning label is visible)
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.

Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml




Documentation DVD
Cisco documentation and additional literature are available in a Documentation DVD package, which
may have shipped with your product. The Documentation DVD is updated regularly and may be more
current than printed documentation. The Documentation DVD package is available as a single unit.
Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product
number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/

Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
 • Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from
   the Ordering tool:
     http://www.cisco.com/en/US/partner/ordering/
 • Nonregistered Cisco.com users can order documentation through a local account representative
   by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or,
   elsewhere in North America, by calling 1 800 553-NETS (6387).


Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.




Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
 • Report security vulnerabilities in Cisco products.
 • Obtain assistance with security incidents that involve Cisco products.
 • Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product
Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release
them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a
vulnerability in a Cisco product, contact PSIRT:
 • Emergencies — security-alert@cisco.com
 • Nonemergencies — psirt@cisco.com


Tip     We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any
        sensitive information that you send to Cisco. PSIRT can work from encrypted information
        that is compatible with PGP versions 2.x through 8.x.

        Never use a revoked or an expired encryption key. The correct public key to use in your
        correspondence with PSIRT is the one that has the most recent creation date in this public key
        server list:

        http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on

In an emergency, you can also reach PSIRT by telephone:
 • 1 877 228-7302
 • 1 408 525-6532




Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco
Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical
Support Website on Cisco.com features extensive online support resources. In addition, Cisco
Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid
Cisco service contract, contact your reseller.

Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and
resolving technical issues with Cisco products and technologies. The website is available 24 hours a
day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password.
If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do


Note    Use the Cisco Product Identification (CPI) tool to locate your product serial number before
        submitting a web or phone request for service. You can access the CPI tool from the Cisco
        Technical Support Website by clicking the Tools & Resources link under Documentation &
        Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list,
        or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers
        three search options: by product ID or model name; by tree view; or for certain products, by
        copying and pasting show command output. Search results show an illustration of your
        product with the serial number label location highlighted. Locate the serial number label on
        your product and record the information before placing a service call.


Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3
and S4 service requests are those in which your network is minimally impaired or for which you
require product information.) After you describe your situation, the TAC Service Request Tool
provides recommended solutions. If your issue is not resolved using the recommended resources, your
service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this
URL:
http://www.cisco.com/techsupport/servicerequest




For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone.
(S1 or S2 service requests are those in which your production network is down or severely degraded.)
Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business
operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity
definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations.
You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your
business operation are negatively affected by inadequate performance of Cisco products. You and
Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations
remain functional. You and Cisco will commit resources during normal business hours to restore
service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or
configuration. There is little or no effect on your business operations.


Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various
online and printed sources.
 • Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise.
   Visit Cisco Marketplace, the company store, at this URL:
    http://www.cisco.com/go/marketplace/
 • Cisco Press publishes a wide range of general networking, training and certification titles. Both
   new and experienced users will benefit from these publications. For current Cisco Press titles and
   other information, go to Cisco Press at this URL:
    http://www.ciscopress.com



 • Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and
   networking investments. Each quarter, Packet delivers coverage of the latest industry trends,
   technology breakthroughs, and Cisco products and solutions, as well as network deployment and
   troubleshooting tips, configuration examples, customer case studies, certification and training
   information, and links to scores of in-depth online resources. You can access Packet magazine at
   this URL:
     http://www.cisco.com/packet
 • iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies
   learn how they can use technology to increase revenue, streamline their business, and expand
   services. The publication identifies the challenges facing these companies and the technologies to
   help solve them, using real-world case studies and business strategies to help readers make sound
   technology investment decisions. You can access iQ Magazine at this URL:
     http://www.cisco.com/go/iqmagazine
 • Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
   professionals involved in designing, developing, and operating public and private internets and
   intranets. You can access the Internet Protocol Journal at this URL:
     http://www.cisco.com/ipj
 • World-class networking training is available from Cisco. You can view current offerings at
   this URL:
     http://www.cisco.com/en/US/learning/index.html




Corporate Headquarters                    European Headquarters                          Americas Headquarters                      Asia Pacific Headquarters
Cisco Systems, Inc.                       Cisco Systems International BV                 Cisco Systems, Inc.                        Cisco Systems, Inc.
170 West Tasman Drive                     Haarlerbergpark                                170 West Tasman Drive                      168 Robinson Road
San Jose, CA 95134-1706                   Haarlerbergweg 13-19                           San Jose, CA 95134-1706                    #28-01 Capital Tower
USA                                       1101 CH Amsterdam                              USA                                        Singapore 068912
www.cisco.com                             The Netherlands                                www.cisco.com                              www.cisco.com
Tel: 408 526-4000                         www-europe.cisco.com                           Tel: 408 526-7660                          Tel: +65 6317 7777
      800 553-NETS (6387)                 Tel: 31 0 20 357 1000                          Fax: 408 527-0883                          Fax: +65 6317 7799
Fax: 408 526-4100                         Fax: 31 0 20 357 1100

 Cisco Systems has more than 200 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on the
                                           Cisco Website at www.cisco.com/go/offices
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Cyprus • Czech Republic • Denmark • Dubai, UAE
Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico
The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore
Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe




    Printed in the USA on recycled paper containing 10% postconsumer waste.




78-16824-01
DOC-7816824=