Summary of Contents for Cisco 515E - PIX Restricted Bundle
Page 1
Cisco PIX 515E Security Appliance Getting Started Guide Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7817654= Text Part Number: 78-17645-01...
CONTENTS. Chapter 1, Installing and Setting Up the PIX 515E Security Appliance: Verifying the Package Contents; Installing the PIX 515E Security Appliance; Front and Back Panel Components; Setting Up the Security Appliance; About the Factory-Default Configuration; About the Adaptive Security Device Manager; Using the Startup Wizard...
Page 4
Contents (continued). Chapter 3, Scenario: IPsec Remote-Access VPN Configuration: Example IPsec Remote-Access VPN Network Topology; Implementing the IPsec Remote-Access VPN Scenario; Information to Have Available; Starting ASDM; Configuring the PIX 515E for an IPsec Remote-Access VPN; Selecting VPN Client Types; Specifying the VPN Tunnel Group Name and Authentication Method; Specifying a User Authentication Method...
Page 5
Contents (continued). Viewing VPN Attributes and Completing the Wizard, page 4-11; Configuring the Other Side of the VPN Connection, page 4-13; What to Do Next, page 4-13. Appendix, Obtaining a DES License or a 3DES-AES License...
Page 7
Chapter 1 Installing and Setting Up the PIX 515E Security Appliance. This chapter describes how to install and perform the initial configuration of the security appliance. This chapter includes the following sections: • Verifying the Package Contents, page 1-2 •...
Verifying the Package Contents. Verify the contents of the packing box, shown in Figure 1-1, to ensure that you have received all items necessary to install your PIX 515E security appliance. Figure 1-1 Contents of PIX 515E Package (figure; item labels not reproduced)...
Installing the PIX 515E Security Appliance. This section describes how to install your PIX 515E security appliance into your own network, which might resemble the example network in Figure 1-2.
Step 5 Power up the PIX 515E security appliance. The power switch is located at the rear of the chassis. Front and Back Panel Components. Figure 1-3 illustrates the LEDs on the front panel of the PIX 515E Security Appliance.
Setting Up the Security Appliance. This section describes the initial configuration of the security appliance. You can perform the configuration steps using either the browser-based Cisco Adaptive Security Device Manager (ASDM) or the command-line interface (CLI); however, the procedures in this chapter use ASDM.
About the Factory-Default Configuration. Cisco security appliances are shipped with a factory-default configuration that enables quick startup. The factory-default configuration automatically configures an interface for management so you can quickly connect to the device and use ASDM to complete your configuration.
In addition to the ASDM web configuration tool, you can configure the security appliance by using the command-line interface. For more information, see the Cisco Security Appliance Command Line Configuration Guide and the Cisco Security Appliance Command Reference.
Step 3 Gather the following information: • A unique hostname to identify the security appliance on your network. • The IP addresses of your outside interface, inside interface, and any other...
ICMP traffic through the outside interface or any other interface that is necessary. You can configure this access control policy using the icmp command. For more information about the icmp command, see the Cisco Security Appliance Command Reference. What to Do Next...
Page 17
Chapter 2 Scenario: DMZ Configuration. This chapter describes a configuration scenario in which the security appliance is used to protect network resources located in a demilitarized zone (DMZ). A DMZ is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.
Configuring the Security Appliance for a DMZ Deployment. Figure 2-3 Incoming HTTP Traffic Flow From the Internet (figure: an incoming HTTP request sent to the public address of the DMZ web server is intercepted by the security appliance).
This configuration procedure assumes that the security appliance already has interfaces configured for the inside interface, the DMZ interface, and the outside interface. Set up interfaces of the security appliance by using the Startup Wizard in ASDM.
To accomplish this task, you should configure a PAT rule (a port address translation rule, sometimes called interface NAT) for the internal interface that translates internal IP addresses to the external IP address of the security appliance.
Page 23
Creating IP Pools for Network Address Translation. The security appliance uses Network Address Translation (NAT) and Port Address Translation (PAT) to prevent internal IP addresses from being exposed externally.
Page 24
To configure a pool of IP addresses that can be used for network address translation, perform the following steps: Step 1 In the ASDM window, click the Configuration tool. In the Features pane, click NAT.
Page 25
From the Interfaces drop-down list, choose DMZ. To create a new IP pool, enter a unique Pool ID. In this scenario, the Pool ID is 200. In the IP Addresses to Add area, specify the range of IP addresses to be used by the DMZ interface: Click the Range radio button.
Page 26
Click Add to add this range of IP addresses to the Address Pool. The Add Global Pool dialog box configuration should be similar to the following: Click OK to return to the Configuration > NAT window. Add addresses to the IP pool to be used by the outside interface.
Page 27
You can add these addresses to the same IP pool that contains the address pool used by the DMZ interface (in this scenario, the Pool ID is 200). Click the Port Address Translation (PAT) using the IP address of the interface radio button.
The displayed configuration should be similar to the following: Step 3 Confirm that the configuration values are correct. Step 4 Click Apply in the main ASDM window. Configuring NAT for Inside Clients to Communicate with the DMZ Web Server. In the previous procedure, you created a pool of IP addresses that could be used...
Page 29
In this procedure, you configure a Network Address Translation (NAT) rule that associates IP addresses from this pool with the inside clients so they can communicate securely with the DMZ web server. To configure NAT between the inside interface and the DMZ interface, perform the following steps starting from the main ASDM window: In the main ASDM window, click the Configuration tool.
Page 30
Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window. Review the configuration screen to verify that the translation rule appears as you expected.
Page 31
The displayed configuration should be similar to the following: Step 6 Click Apply to complete the security appliance configuration changes. Configuring NAT for Inside Clients to Communicate with Devices on the Internet. In the previous procedure, you configured a Network Address Translation (NAT) rule that associates IP addresses from the IP pool with the inside clients so they...
Page 32
For many configurations, you would also need to create a NAT rule between the inside interface and the outside interface to enable inside clients to communicate with the Internet. However, in this scenario you do not need to create this rule explicitly.
Page 33
Step 5 In the Static Translation area, specify the public IP address to be used for the web server: From the Interface drop-down list, choose Outside. From the IP Address drop-down list, choose the public IP address of the DMZ web server.
Page 34
The displayed configuration should be similar to the following: Step 7 Click Apply to complete the security appliance configuration changes. Providing Public HTTP Access to the DMZ Web Server. By default, the security appliance denies all traffic coming in from the public network.
Page 35
processes the traffic, whether the traffic is incoming or outgoing, the origin and destination of the traffic, and the type of traffic protocol and service to be permitted.
Page 36
Step 2 In the Interface and Action area: From the Interface drop-down list, choose Outside. From the Direction drop-down list, choose Incoming. From the Action drop-down list, choose Permit. Step 3 In the Source area: From the Type drop-down list, choose IP Address.
Page 37
Alternatively, if the address of the source host or network is preconfigured, choose the source IP address from the IP Address drop-down list. Enter the netmask for the source IP address or select one from the Netmask drop-down list.
Page 38
At this point, the entries in the Add Access Rule dialog box should be similar to the following: Click OK. Step 6 The displayed configuration should be similar to the following. Verify that the information you entered is accurate.
Page 39
Step 7 Click Apply to save the configuration changes to the configuration that the security appliance is currently running. Clients on both the private and public networks can now resolve HTTP requests for content from the DMZ web server, while keeping the private network secure.
Page 40
You may want to consider performing some of the following additional steps: • To refine the configuration and configure optional and advanced features, see the Cisco Security Appliance Command Line Configuration Guide. • To learn about daily operations, see the Cisco Security Appliance Command...
Page 41
What to Do Next (continued): • To configure a remote-access VPN, see Chapter 3, “Scenario: IPsec Remote-Access VPN Configuration”. • To configure a site-to-site VPN, see Chapter 4, “Scenario: Site-to-Site VPN Configuration”.
Page 43
Example IPsec Remote-Access VPN Network Topology. Figure 3-1 shows a security appliance configured to accept requests from and establish IPsec connections with VPN clients, such as a Cisco Easy VPN hardware client, over the Internet.
Page 44
Chapter 3 Scenario: IPsec Remote-Access VPN Configuration. Implementing the IPsec Remote-Access VPN Scenario. Figure 3-1 Network Layout for Remote Access VPN Scenario (figure: the internal network 10.10.10.0, with a DNS server at 10.10.10.163 and a WINS server at 10.10.10.133, sits on the inside interface of the security appliance; VPN clients for user 1, user 2, and further users reach the outside interface over the Internet)...
Page 45
• Specifying the VPN Tunnel Group Name and Authentication Method, page 3-7 • Specifying a User Authentication Method, page 3-8 • (Optional) Configuring User Accounts, page 3-10 • Configuring Address Pools, page 3-11 •...
Page 46
Note Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the security appliance. The Main ASDM window appears.
Configuring the PIX 515E for an IPsec Remote-Access VPN. To begin the process for configuring a remote-access VPN, perform the following steps: Step 1 In the main ASDM window, choose VPN Wizard from the Wizards drop-down menu.
Step 1 Specify the type of VPN client that will enable remote users to connect to this security appliance. For this scenario, click the Cisco VPN Client radio button. You can also use any other Cisco Easy VPN remote product.
• To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, “Cisco”). This key is used for IPsec negotiations between the security appliances. • To use digital certificates for authentication, click the Certificate radio...
Step 2 Enter a Tunnel Group Name (such as “Cisco”) for the set of users that use common connection parameters and client attributes to connect to this security appliance.
Page 51
In Step 4 of the VPN Wizard, perform the following steps: Step 1 If you want to authenticate users by creating a user database on the security appliance, click the Authenticate Using the Local User Database radio button.
(Optional) Configuring User Accounts. If you have chosen to authenticate users with the local user database, you can create new user accounts here. You can also add users later using the ASDM configuration interface.
Configuring Address Pools. For remote clients to gain access to your network, you must configure a pool of IP addresses that can be assigned to remote VPN clients as they are successfully connected.
Step 3 Click Next to continue. Configuring Client Attributes. To access your network, each remote access client needs basic network configuration information, such as which DNS and WINS servers to use and the default domain name.
In Step 7 of the VPN Wizard, perform the following steps: Step 1 Enter the network configuration information to be pushed to remote clients. Step 2 Click Next to continue. Configuring the IKE Policy. IKE is a negotiation protocol that includes an encryption method to protect data...
Page 56
To specify the IKE policy in Step 8 of the VPN Wizard, perform the following steps: Step 1 Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5/7) used by the security appliance during an IKE security association.
Configuring IPsec Encryption and Authentication Parameters. In Step 9 of the VPN Wizard, perform the following steps: Step 1 Click the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA).
Specifying Address Translation Exception and Split Tunneling. Split tunneling lets a remote-access IPsec client conditionally direct packets over an IPsec tunnel in encrypted form or to a network interface in clear text form. The security appliance uses Network Address Translation (NAT) to prevent internal IP addresses from being exposed externally.
Note Enable split tunneling by checking the Enable Split Tunneling check box at the bottom of the screen. Split tunneling allows traffic outside the configured networks to be sent out directly to the Internet instead of over the encrypted VPN tunnel.
In addition, you may want to consider performing some of the following steps: • To refine the configuration and configure optional and advanced features, see the Cisco Security Appliance Command Line Configuration Guide. • To learn about daily operations, see the Cisco Security Appliance Command...
Page 61
What to Do Next (continued): • To configure the security appliance to protect a Web server in a DMZ, see Chapter 2, “Scenario: DMZ Configuration”. • To configure a site-to-site VPN, see Chapter 4, “Scenario: Site-to-Site VPN Configuration”...
Chapter 4 Scenario: Site-to-Site VPN Configuration. This chapter describes how to use the security appliance to create a site-to-site VPN. Site-to-site VPN features provided by the security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security.
Chapter 4 Scenario: Site-to-Site VPN Configuration. Implementing the Site-to-Site Scenario. Figure 4-1 Network Layout for Site-to-Site VPN Configuration Scenario (figure: Site A with Security Appliance 1 and Site B with Security Appliance 2, each with an outside and an inside interface, connected across the Internet; outside addresses 209.165.200.226 and 209.165.200.236; inside networks 10.20.20.0 and 10.10.10.0). Creating a VPN site-to-site deployment such as the one in Figure 4-1 requires you to configure two security appliances, one on each side of the connection.
Configuring the Site-to-Site VPN. This section describes how to use the ASDM VPN Wizard to configure the security appliance for a site-to-site VPN. This section includes the following topics: • Starting ASDM, page 4-3 • Configuring the Security Appliance at the Local Site, page 4-4 •...
Page 66
Configuring the Security Appliance at the Local Site. Note The security appliance at the first site is referred to as Security Appliance 1 from this point forward. To configure Security Appliance 1, perform the following steps: Step 1 In the main ASDM window, choose the VPN Wizard option from the Wizards drop-down menu.
Page 67
In Step 1 of the VPN Wizard, perform the following steps: Click the Site-to-Site VPN radio button. Note The Site-to-Site VPN option connects two IPsec security gateways, which can include security appliances, VPN concentrators, or other devices that support site-to-site IPsec connectivity.
Page 68
• To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, “Cisco”). This key is used for IPsec negotiations between the security appliances. Note When you configure Security Appliance 2 at the remote site, the VPN peer is Security Appliance 1.
Page 69
Step 3 Click Next to continue. Configuring the IKE Policy. IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy; it is also an authentication method to ensure the identity of the peers.
Page 70
Note When configuring Security Appliance 2, enter the exact values for each of the options that you chose for Security Appliance 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process.
Page 71
Configuring IPsec Encryption and Authentication Parameters. In Step 4 of the VPN Wizard, perform the following steps: Step 1 Choose the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA) from the drop-down lists. Click Next to continue.
Page 72
Specifying Hosts and Networks. Identify hosts and networks at the local site that are permitted to use this IPsec tunnel to communicate with the remote-site peer. Add or remove hosts and networks dynamically by clicking Add or Delete, respectively.
Step 5 Click Next to continue. Viewing VPN Attributes and Completing the Wizard. In Step 6 of the VPN Wizard, review the configuration list for the VPN tunnel you just created. If you are satisfied with the configuration, click Finish to apply the changes to the security appliance.
Page 74
Step 6 If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save.
In addition, you may want to consider performing some of the following steps: • To refine the configuration and configure optional and advanced features, see the Cisco Security Appliance Command Line Configuration Guide. • To learn about daily operations, see the Cisco Security Appliance Command...
Page 76
What to Do Next. You can configure the security appliance for more than one application. The following sections provide configuration procedures for other common applications of the security appliance. • To configure the security appliance to protect a web server in a DMZ, see Chapter 2, “Scenario: DMZ Configuration”...
Page 77
If you ordered your security appliance with a DES or 3DES-AES license, the encryption license key comes with the adaptive security appliance. If you are a registered user of Cisco.com and would like to obtain a 3DES/AES encryption license, go to the following website: http://www.cisco.com/go/license...
Page 78
Appendix A Obtaining a DES License or a 3DES-AES License. To use the activation key, perform the following steps: Step 1 Command: hostname# show version. Purpose: Shows the software release, hardware configuration, license key, and related uptime data. Step 2 Purpose: Enters global configuration mode.