User Guide
Page 1
Figure 5-1 PIX 520 Front Panel 67852 RESET PIX FirewallSERIES 78-15170-02 Cisco PIX Security Appliance Hardware Installation Guide 5-1 Figure 5-1 shows the front view of the PIX 520, and includes the following sections: • PIX 520 Product Overview, page 5-1 • Installing the PIX 520, page 5-4 • PIX 520 Feature Licenses, page 5-6 • Installing Failover, page 5-7 • Installing LAN-Based Failover, page 5-8 • Removing and Replacing...
User Guide
Page 4
..., Rear, and Side Panels. Installing the PIX 520 Chapter 5 PIX 520 Installing the PIX 520 To install the PIX 520, perform the following steps: Step 1 Refer to each of the unit. Front RESET PIX FirewallSERIES Power connector Power switch Auto-Range Selection L:90-135V H:180-270V...connector DC power connector Ground lugs 1 To access, loosen screws counterclockwise 2 Set plate on the features of the PIX 520. On the PIX 520, connect the cables at the front of the PIX security appliance network interfaces. Cisco PIX Security Appliance Hardware Installation Guide 5-4 78-15170-02
User Guide
Page 6
... board, refer to the "Installing a Circuit Board in the command reference online at : http://preview.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_notes_list.html PIX 520 Feature Licenses If you need to the "Installing a Memory Upgrade" section on page 5-12. You can find...described in the logging command page in the PIX 520" section on page 5-21. Cisco PIX Security Appliance Hardware Installation Guide 5-6 78-15170-02 If you have a second PIX security appliance to use as a failover unit, install the failover feature and cable as described in the "Installing ...
User Guide
Page 6
...(called distributed computing. Client/server computing-Term used to create mobile or portable programs. An ActiveX program is a web browser feature which transaction responsibilities are implemented by saving a small text file on what commands you to specify what type of Access Control ... to perform the tasks. ACL-Access Control List. Refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x for address, and refers to name-to the PIX Firewall. The maximum size of information accumulated from the CLI. ASA-Adaptive Security Algorithm. CLI-Command...
User Guide
Page 7
...Cisco security products including PIX firewalls, Cisco IOS firewalls, VPN routers and Intrusion Detection System (IDS) Sensors. Failover, Failover mode-The PIX Firewall feature which are routed through other management services including monitoring, notification and reporting. The PIX Firewall configuration may written to process certain application-level protocols. FragGuard feature-a Cisco feature...Properties>Failover. Allows security policies to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x for the PIX, and it will vary by a menu item or . See ...
User Guide
Page 10
... appear to work with established protocols, such as Routing Table Protocol (RTP) and HTTP. This feature is not a very secure protocol and should be used . Primary, Primary unit-The PIX Firewall unit normally operating when two units are procedure calls that allows a user to execute commands on ...the network. Proxy-ARP-This feature enables the PIX Firewall to reply to an ARP request for encryption and authentication. (Acronym stands Rivest, Shamir, and Adelman, the inventors of access...
User Guide
Page 11
...web browser connected to a global IP address. See also dynamic PAT. Telnet is designed to create a powerful barrier to the PIX Firewall console. Provides remote access authentication and related services, such as guaranteed packet delivery, data sequencing, flow control, and transaction or ... statements that also maps a local port to implement the features of computer security threats. State information is being used to verify that provides strong authentication and encryption capabilities. PIX Firewalls inspect the state information in the form of a network connection...
User Guide
Page 12
TCP Intercept-With the TCP intercept feature, once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this three-way handshake completes, may the connection resume ... another . See www.websense.com. See also NAT, PAT, Address Translation, IP Address. Copyright © 2001 Cisco Systems, Inc. It runs on the company security policy. See also Fixup. U-Z UDP-User Datagram Protocol. The PIX Firewall performs a username lookup, and then the Websense server handles URL filtering and username logging. TFTP is performed...
User Guide
Page 41
...recommended. The following fields: • Graph-The Graph tab at the top enables data to the Selected Graphs list for viewing only when the History Metrics feature is displayed, with a new data point every 10 seconds ◦ Last 10 minutes, with a data point every 10 seconds ◦ Last 60 minutes, with... 2 hours Note: Time horizons other applications. Up to four graphs can be bookmarked for use by other than Real-time are based on PIX Firewall time converted to your browser. ◦ Real-time, starting when the graph is enabled using the System Properties>History Metrics panel. When you enable...
User Guide
Page 51
... per second processed by your browser, printed, and the data may also be changed using the PIX Firewall's internal URL cache. These graphs may be exported to monitor a wide variety of performance statistics for features of the PIX Firewall, including statistics for traffic that the number of packets per second made using the 'perfmon interval...
User Guide
Page 56
... Define a local address pool Configure Unicast RPF on established connections failover Enable/disable PIX failover feature to filter inbound traffic access-list Add an access list age This command is deprecated. debug Debug packets or ICMP tracings through the PIX Firewall. apply Apply outbound lists to source or destination IP addresses arp Change or...
User Guide
Page 63
... ping response or echo of an interface on the PIX Firewall. Routers can respond with the PIX Firewall unit using the Internet Control Message Protocol (ICMP) protocol. Cisco recommends that permits or denies ICMP traffic terminating at the PIX Firewall unit. The following sections are added to test intermediate... exception is when an ICMP access-list command statement is assumed. Administrators also use pinging directly in this way. This feature is disabled, the PIX Firewall cannot be processed. If the first matched entry is a deny entry or an entry is a permit entry, the ...
User Guide
Page 96
...NAT rule maps an external IP address to which the external address is rejected and the translation never occurs. Likewise, when the PIX Firewall unit receives a network packet destined for the file server. Thus, the internal file server processes the packet as though it were...trusted networks from the DNS servers that maps from the address hiding feature provided by translation rules. Copyright © 2001 Cisco Systems, Inc. In contrast to different external addresses on different interfaces. For this scenario, PIX Device Manager generates a rule similar to the following: static (...
User Guide
Page 97
... the external and internal IP addresses is exceeded), your company. • Permits an almost unlimited number of each computer on a PIX Firewall unit). A discussion of a session or until the user-configured idle time-out value is temporary (it possible to use ...to an internal IP address by mapping the internal address to possibly malicious users. • As these limitations follows. Because this feature for a PIX Firewall unit, provides several limitations associated with a valid, registered IP address from the Internet Network Information Center (the American Registry...
User Guide
Page 99
Because PAT automatically maps multiple sessions to the same registered IP address, you can concurrently share a single IP address. This feature also ensures that you do not need as many registered IP addresses. The many-to-one address translation. By using the port, up to 65,... in addition to the IP address. How Session Awareness and Port Mapping Affect Dynamic NAT In addition, to the one-to-one address translation, the PIX Firewall also provides many-to-one mapping is called Port Address Translation (PAT). Note: Because PAT requires port information, only TCP, UDP, and ICMP echo/echo...
User Guide
Page 102
...configuration, but will not cause PDM to understand this usage and forces PDM into a limited state where you are displayed in the PIX Firewall configuration and handles them transparently. sysopt nodnsalias outbound Disable outbound DNS A record replies. • Access lists not applied to any • A...apply (perim) 13 outgoing_src Unsupported Unparsed Commands, Ignored The following commands are using this command for both VPN and with other PIX Firewall configuration features, PDM is not able to enter Monitor Only mode. or an informational message button which case you can only access the...
User Guide
Page 104
... resetinbound snmp-server ssh static Implement the DHCP server feature. Configure IDS signature use. Associate a name with the conduit and/or outbound command. Specify name and security level for PIX Firewall console access via Secure Shell (SSH). • Combining ... a pool of global IP addresses. Reset inbound connections. Specify the PIX Firewall domain. Create an access list to the optional failover feature. Change, enable, disable, or list a PIX Firewall application protocol feature. Change or view access to control outbound connections. Associate a network with...
User Guide
Page 111
... 0 access-list" configuration is invoked by PDM. 2. This dialog allows you to PDM • Do not ignore "nat 0 access-list" configuration. • Preview commands before sending to PIX-Enables viewing of CLI commands generated by selecting Options>Preferences... from the top menu. Preview Commands Before Sending to...
User Guide
Page 112
... if cookies are disabled as this feature will not be controlled by the browser's preferences. • Cookies are stored on your stored settings on the other PC will not work. There is no way to make a global change for one PIX firewall do not carry over to another.... • Browser cookies must be enabled or this setting can be used. Copyright © 2001 Cisco Systems, Inc. This means the preferences made for all PIXen. If cookies are disabled, the settings apply only for the Save Preferences feature. Limitations These are the following limitations for the current session.
User Guide
Page 124
... Translation Rules Important Notes • Before you must first define each outbound host session, and the Port Address Translation (PAT) feature, which a rule will apply. The PIX Firewall supports both the Network Address Translation (NAT) feature, which provides a globally unique address for each host or server for which provides a single, unique global address for NAT...