How to configure Pix 515 for connecting PDM

This is a quick guide to configuring the Cisco PIX 515, a discontinued model. Even though the PIX 515 is an old model, it provides a GUI through software built into the box. That software is called PDM, which stands for PIX Device Manager. A GUI is definitely a benefit for a network admin.

First of all, here is the device I am configuring:

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)

Compiled on Fri 07-Jun-02 17:49 by morlee

pixfirewall up 1 min 9 secs

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0004.9ad0.d058, irq 11
1: ethernet1: address is 0004.9ad0.d059, irq 10
2: ethernet2: address is 0090.2710.3b1c, irq 9
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES:           Disabled
Maximum Interfaces: 3
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

Serial Number: 406080307 (0x18344b33)
Running Activation Key: 0x78118d39 0xf5e9f2bb 0xdb93e47e 0xd401763e
Configuration last modified by enable_15 at 02:28:10.920 UTC Mon Jun 22 2009
pixfirewall# 111009: User ‘enable_15’ executed cmd: show version
Here are the steps.

1. You need a console connection to assign an IP address to the Ethernet 0 port. I am using Putty.exe, a free utility you can download from the Internet. In the Putty configuration, choose Serial and Speed 9600 (the default). I hope you know the login and enable passwords; if you don’t, you need to go through the password recovery procedure.

2. Check the names of the interfaces first.

PIX-515# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security0
nameif ethernet2 intf2 security10

While you are configuring the PIX 515, you will be asked for ‘‘. I thought it meant the interface name, such as ‘Ethernet 0’ or ‘Ethernet 1’. Actually, in the PIX firewall world that is the hardware ID; what is meant is ‘outside’ or ‘inside’, as in the output above. Personally, I don’t like the expression, but what can I do…

3. Configuring IP address on Ethernet1

As you can see from the output above, the name of this interface is ‘inside’. This port will probably be connected to your switch / your network.

PIX-515(config)# ip address inside 192.168.77.1 255.255.255.0

PIX-515# sh int ethernet1
interface ethernet1 "inside" is up, line protocol is down
  Hardware is i82559 ethernet, address is 0004.9ad0.d059
  IP address 192.168.77.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
PIX-515#

4. Changing interface speed

It is very important to set this correctly to get proper performance, especially since the PIX 515 connects equipment from different vendors. Duplex mismatches often cause performance issues.

The default setting is ‘auto’ (if the line is not connected, it showed ‘shutdown’):

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown

If you want to hard-code the speed and duplex, a specific interface can be configured like this:

PIX-515(config)#interface ethernet1 100full

5. Allow your device to access PDM

PIX-515(config)#http 192.168.77.101 255.255.255.255 inside

Important: 192.168.77.101 is the address of your device, the one that will be attempting to access PDM.

If you put in the wrong IP address, you will see the following in the PIX log:

%PIX-6-605001: HTTP daemon interface int_name: connection denied from x.x.x.x
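As an added example (not from the original post), here is a small Python triage script for the 605001 message above. It assumes the log lines have already been collected from the PIX (for example via syslog), that 192.168.77.0/24 is the admin subnet, and that the sample lines are constructed. A denial from the admin subnet usually means the `http` entry has the wrong host address; a denial from anywhere else is somebody reaching for the management interface and deserves a closer look.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Message format quoted in the post (PIX 6.x syslog):
#   %PIX-6-605001: HTTP daemon interface int_name: connection denied from x.x.x.x
PDM_DENIED = re.compile(
    r"%PIX-6-605001: HTTP daemon interface (?P<iface>\S+): "
    r"connection denied from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_denials(lines):
    """Yield (interface, source_ip) for each 605001 message found."""
    for line in lines:
        m = PDM_DENIED.search(line)
        if m:
            yield m.group("iface"), m.group("src")


def triage(lines, admin_nets):
    """Count PDM denials per (interface, source) and tag each source.

    admin_nets: networks where legitimate admin workstations live
    (assumption: the inside subnet used in the post, 192.168.77.0/24).
    Returns {(iface, src): (tag, count)}.
    """
    nets = [ip_network(n) for n in admin_nets]
    counts = Counter(parse_denials(lines))
    report = {}
    for (iface, src), n in counts.items():
        trusted = any(ip_address(src) in net for net in nets)
        tag = "allow-list mismatch" if trusted else "unknown source"
        report[(iface, src)] = (tag, n)
    return report


# Constructed sample log lines (not real device output)
SAMPLE_LOG = [
    "%PIX-6-605001: HTTP daemon interface inside: connection denied from 192.168.77.102",
    "%PIX-6-605001: HTTP daemon interface inside: connection denied from 192.168.77.102",
    "%PIX-5-111009: User 'enable_15' executed cmd: show version",
    "%PIX-6-605001: HTTP daemon interface outside: connection denied from 203.0.113.9",
]

if __name__ == "__main__":
    for (iface, src), (tag, n) in triage(SAMPLE_LOG, ["192.168.77.0/24"]).items():
        print(f"{iface:8} {src:16} {tag:20} x{n}")
```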

6. Enable HTTP server

PIX-515(config)#http server enable

7. Create user and password

When you access PDM, you will be prompted to log in. This user is different from the enable and login passwords used to access the PIX 515 box itself.

PIX-515(config)# username cisco password xxxxx

8. Access PDM from your browser

Even though we enabled HTTP, when you browse to PDM you MUST use "HTTPS".

https://192.168.77.1

Extra configurations

Map address to name

name 192.168.77.22 InternetPHONE
name 192.168.77.31 Linux64
name 192.168.77.55 ipBalance_PC

NAT

global (outside) 1 10.1.1.51-10.1.1.100 netmask 255.255.255.0
global (outside) 1 10.1.1.50 netmask 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 100.1.1.0 255.255.255.0 0 0
nat (management) 1 100.2.2.0 255.255.255.0 0 0

Static NAT and default route

static (dmz,outside) 1.1.1.22 10.3.3.22 netmask 255.255.255.255 0 0
static (inside,management) 10.1.1.13 10.1.1.13 netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

Access-list

access-list from-inside-coming-in permit tcp host 192.168.1.1 host 172.16.1.1 eq 9100
access-group from-inside-coming-in in interface inside

The access-list name given to access-group must match the name of the access-list defined above, otherwise nothing is applied to the interface.
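An added example, not part of the original post, that checks a PIX 6.x configuration fragment for two mistakes related to the settings above: an `http` allow entry wider than a single host (step 5 of the post uses a /32 for exactly this reason), and an access-group that names an access-list that is not defined. The sample configuration is constructed and deliberately contains both mistakes.

```python
import re
from ipaddress import IPv4Network

# PIX 6.x lines this linter understands (everything else is ignored)
HTTP_ALLOW = re.compile(r"^http (\S+) (\S+) (\S+)$")          # http <ip> <mask> <if_name>
ACL_DEF = re.compile(r"^access-list (\S+) ")                   # access-list <name> ...
ACL_APPLY = re.compile(r"^access-group (\S+) in interface (\S+)$")


def lint_pix_config(text):
    """Return a list of human-readable findings for a config fragment."""
    findings = []
    acl_names, applied = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HTTP_ALLOW.match(line):
            host, mask, iface = m.groups()
            net = IPv4Network(f"{host}/{mask}", strict=False)
            if net.prefixlen < 32:
                findings.append(
                    f"http: {net} on {iface} lets {net.num_addresses} hosts reach PDM; "
                    "prefer one /32 entry per admin workstation"
                )
            if iface == "outside":
                findings.append(f"http: PDM is reachable from the outside interface ({net})")
        elif m := ACL_DEF.match(line):
            acl_names.add(m.group(1))
        elif m := ACL_APPLY.match(line):
            applied.append(m.groups())
    for name, iface in applied:
        if name not in acl_names:
            findings.append(
                f"access-group: '{name}' is applied to {iface} but no access-list "
                "with that name is defined"
            )
    return findings


# Constructed sample configuration (not a real device config)
SAMPLE_CONFIG = """\
http server enable
http 192.168.77.101 255.255.255.255 inside
http 192.168.77.0 255.255.255.0 inside
access-list from-management-coming-in permit tcp host 192.168.1.1 host 172.16.1.1 eq 9100
access-group from-inside-coming-in in interface inside
"""

if __name__ == "__main__":
    for finding in lint_pix_config(SAMPLE_CONFIG):
        print(finding)
```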

Reference:

– PIX message index: http://www.cisco.com/en/US/docs/security/pix/pix61/system/message/pixemsgs.html#wp1032267
