This is a quick guide for configuring Cisco PIX 515 which is discontinued model. Even though Cisco PIX 515 is kinds of old model, it provides GUI interface thru built-in software in the box. That is called PDM stands for PIX Device Manager. Definitely GUI is benefits for network admin.
First of all, here is a device I am configuring
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)
Compiled on Fri 07-Jun-02 17:49 by morlee
pixfirewall up 1 min 9 secs
Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0004.9ad0.d058, irq 11
1: ethernet1: address is 0004.9ad0.d059, irq 10
2: ethernet2: address is 0090.2710.3b1c, irq 9
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
Serial Number: 406080307 (0x18344b33)
Running Activation Key: 0x78118d39 0xf5e9f2bb 0xdb93e47e 0xd401763e
Configuration last modified by enable_15 at 02:28:10.920 UTC Mon Jun 22 2009
pixfirewall# 111009: User ‘enable_15’ executed cmd: show version
Here are the steps.
1. Need to console to assign IP address on Ethernet 0 port. I am using Putty.exe which is free utility you can download from Internet. From Putty configuration mode, choose Serial and Speed 9600(default). I hope you know the login info and enable password. If you don’t, you need to try password recovery procedure.
2. Check name of interfaces first.
PIX-515# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security0
nameif ethernet2 intf2 security10
While you are configuring PIX 515, you will get asked ‘
3. Configuring IP address on Ethernet1
As you can see the name of interface, which is ‘inside’. This port will be connected to probably your switch / your network.
PIX-515(config)# ip address inside 192.168.77.1 255.255.255.0
PIX-515# sh int ethernet1
interface ethernet1 "inside" is up, line protocol is down
Hardware is i82559 ethernet, address is 0004.9ad0.d059
IP address 192.168.77.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
PIX-515#
4. Changing interface speed
It is very very important port to get proper performance. Especially, PIX 515 is connecting different vendors. Duplex mis-matching often causes performance issue.
Default setup is ‘auto’ (If line is not connected, it showed ‘shutdown’)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
If you want to make hard coded speed and duplex, specific interface can be configured like below
PIX-515(config)#interface ethernet1 100full
5. Allow your device to access PDM
PIX-515(config)#http 192.168.77.101 255.255.255.255 inside
**Important: 192.168.77.101 is your device which is attempting to access PDM.
If you are put a wrong IP address. You will see below on Cisco log
%PIX-6-605001: HTTP daemon interface int_name: connection denied from x.x.x.x
6. Enable HTTP server
PIX-515(config)#http server enable
7. Create user and password
When you access PDM, you will get asked login prompt. It is different from enable or login password for accessing PIX 515 box
PIX-515(config)# username cisco password xxxxx
8. Access PDM from your browser
Even though we are enable http, when you browse PDM, you MUST use "HTTPS".
HTTPS://192.168.77.1
Extra configurations
Map address to name
name 192.168.77.22 InternetPHONE
name 192.168.77.31 Linux64
name 192.168.77.55 ipBalance_PC
NAT
global (outside) 1 10.1.1.51-10.1.1.100 netmask 255.255.255.0
global (outside) 1 10.1.1.50 netmask 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 100.1.1.0 255.255.255.0 0 0
nat (management) 1 100.2.2.0 255.255.255.0 0 0
Static route
static (dmz,outside) 1.1.1.22 10.3.3.22 netmask 255.255.255.255 0 0
static (inside,management) 10.1.1.13 10.1.1.13 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
Access-list
access-list from-management-coming-in permit tcp host 192.168.1.1 host 172.16.1.1 eq 9100
access-group from-inside-coming-in in interface inside
Reference:
– PIX message index : http://www.cisco.com/en/US/docs/security/pix/pix61/system/message/pixemsgs.html#wp1032267