Cisco PIX 520 - PIX Firewall 520 Online Help Manual

User guide

Copyright © 2001
Cisco Systems, Inc.

Summary of Contents for Cisco PIX 520 - PIX Firewall 520

  • Page 1 Help Topics by Location Access Rules Translation Rules Hosts/Networks System Properties Monitoring Menus Additional Resources Top Security Resources PIX Firewall Documentation Cisco Technical Assistance Center>PIX Firewall PIX Firewall Top Issues PIX Firewall Product Literature
  • Page 2 System Requirements Introduction Cisco PIX Device Manager (PDM) is the graphical user interface (GUI) for configuring and monitoring the Cisco PIX Firewall. PDM is available on all PIX 501, PIX 506, PIX 515, PIX 520, PIX 525, and PIX 535 platforms that are running PIX Firewall software version 6.0 or higher.
  • Page 3: System Requirements

    Verify that your PIX Firewall meets all PIX Firewall software version 6.0 requirements listed in the Release Notes for the Cisco Secure PIX Firewall Version 6.0(1) or higher. You must have version 6.0 installed on the PIX Firewall unit before using PDM. You can download version 6.0 and the PDM software from the following website: http://www.cisco.com/cgi-bin/tablebuild.pl/pix...
  • Page 4: PC/Workstation Requirements

    Browser support for Secure Socket Layer (SSL) must be enabled. The supported versions of Internet Explorer and Netscape Navigator support SSL without requiring additional configuration. Note PIX Firewall software version 6.0 supports SSL 2.0, SSL 3.0, and TLS 1.0 in web browsers. PIX Firewall supports all browser encryption levels.
  • Page 5: Linux Requirements

    Supported browser: Netscape Communicator 4.75 or later version. At least 64 MB of random-access memory (RAM). An 800 x 600 pixel display with at least 256 colors. We recommend a 1024 x 768 pixel display and at least 16-bit colors.
  • Page 6 CLI—Command Line Interface. The primary interface for entering configuration and monitoring commands to the PIX Firewall. Refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x for information on what commands you can enter from the CLI.
  • Page 7 CSPM—Cisco Secure Policy Manager (CSPM) is a multi-device management tool for Cisco security products including PIX firewalls, Cisco IOS firewalls, VPN routers and Intrusion Detection System (IDS) Sensors. CSPM also provides other management services including monitoring, notification and reporting. For more information, http://wwwin.cisco.com/cmc/cc/pd/sqsw/sqppmn/prodlit/csp22_rg.htm...
  • Page 8 Firewall. FTP—File Transfer Protocol. Part of the TCP/IP protocol stack, used for transferring files between hosts. See also Fixup. H.323—A standard that enables video conferencing over local-area networks (LANs) and other packet-switched networks, as well as video over the Internet. See also Fixup. Host—A computer, such as a PC, or other computing device, such as a server, associated with an individual address and optionally a name.
  • Page 9 the outside interface. See PAT. Internet—The global network which uses IP, Internet protocols. Not a LAN. See also intranet. Intranet—Intranetwork. A network which uses IP, Internet protocols. See also network, Internet. IP—Internet Protocol. The Internet protocols are the world's most popular open-system (nonproprietary) protocol suite because they can be used to communicate across any set of interconnected networks and are equally well suited for LAN and WAN communications.
  • Page 10 Outside—See Interface. PAT, Dynamic—Port Address Translation. Dynamic PAT lets multiple outbound sessions appear to originate from a single address. With PAT enabled, the PIX Firewall unit chooses a unique port number from the PAT IP address for each outbound translation slot (xlate). This feature is valuable when an Internet service provider cannot allocate enough unique IP addresses for your outbound connections.
  • Page 11 See also Fixup. Rule—Information added to the configuration to define your security policy in the form of conditional statements that instruct the PIX Firewall how to react to a particular situation. See also, address translation access control rules. Serial transmission—Method of data transmission in which the bits of a data character are transmitted sequentially over a single channel.
  • Page 12 Xlate—An xlate, also referred to as a translation entry, represents a mapping of one IP address to another, or a mapping of one IP address/port pair to another. See also NAT, PAT, Address Translation, Address.
  • Page 18 File>Write Configuration to TFTP Server The Write Configuration to TFTP Server panel lets you write the current running configuration to a Trivial File Transfer Protocol (TFTP) server. The following sections are included in this Help topic: Important Notes Field Descriptions Defining a TFTP Server and Configuration File Name Important Notes If you have already set up a TFTP server in...
  • Page 19 Enter the TFTP server Path/filename, beginning with "/" (forward slash) and ending in the file name, to which the running configuration file will be written. Note: The path must begin with a forward slash, "/". Example TFTP server path: /tftpboot/pixfirewall/config3 Click Apply to PIX.
  • Page 20 The show tftp-server command lists the tftp-server command statements in the current configuration. The no tftp server command disables access to the server. For more information on the PIX Firewall and TFTP, refer to the "Advanced Configurations" chapter of the Cisco Secure PIX Firewall Configuration Guide for your respective software version.
  • Page 21 PIX Firewall unit. See Notes on Applying Configuration Changes. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 22 File Menu Refresh Refresh—Loads a fresh copy of the running configuration into your PDM by File>Refresh Configuration from PIX or Write Configuration to Flash Write Configuration to Flash—Writes a copy of the running configuration to Flash memory in the PIX Firewall unit. Use File>Write Configuration to Flash...
  • Page 23 Standby Unit—A copy of the running configuration file on the primary unit becomes the running configuration of a failover standby unit by File>Write Configuration to Standby Unit. For more information, refer to System Properties>Failover.
  • Page 24 Refresh Refresh PDM with current configuration from PIX by selecting or File>Refresh PDM with Current Configuration from PIX. Refer to Notes on Applying Configuration Changes.
  • Page 25: Applying Configuration Changes

    How and When Changes to Configuration Files are Applied CLI console sessions Multiple PDM and CLI Console Sessions Cisco Secure Policy Manager (CSPM) and PDM When deployed for operation in your network, there are multiple copies of a PIX Firewall running configuration file. Internal...
  • Page 26 Default configuration—The configuration file which shipped with the PIX Firewall unit in Flash memory. This file is loaded into RAM at boot and becomes the running configuration. Flash memory file—A running configuration copy, written by File>Write Configuration to Flash nonvolatile storage.
  • Page 27 If any other PDM sessions are in operation, when you make changes using your PDM CLI tool, your changes will affect all the other PDM sessions when they click Refresh. Refer also to Serial, Telnet, PDM/HTTPS, SSH, Password, Authentication. CSPM (Cisco Secure Policy Manager) and PDM Caution: If you are using both CSPM and PDM to manage the same PIX Firewall unit, changes made by PDM can be lost.
  • Page 28 System Properties>Failover The Failover dialog box allows you to configure two PIX Firewall units so that one will take over operation should the other fail. The following sections are included in this Help topic: Field Descriptions Enabling Failover Editing Failover IP Addresses Setting the Failover Poll Time Enabling Stateful Failover Failover configures two PIX Firewall units so that a secondary or secondary unit can take over processing...
  • Page 29: Enabling Failover

    edit the IP address of the interface that you selected from the Failover dialog box. Stateful Failover: Enable Stateful Failover—Enables the Stateful Failover interface. HTTP Replication—Enables Stateful Failover to copy active HTTP sessions to the standby PIX Firewall. Interface where a fast LAN link is available for Stateful Failover—Choose which interface has the fastest LAN link.
  • Page 30 3 seconds, and the maximum is 15 seconds. Enabling Stateful Failover Follow these steps to enable Stateful Failover: Select the checkbox for Enable Stateful Failover. Select an interface where a fast LAN link is available from the drop down menu.
  • Page 31 System Properties>Interfaces The Interfaces panel allows you to enable, disable, and/or edit the configuration of network interfaces. The following sections are included in this Help topic: Field Descriptions Enable, Disable, and Edit Interfaces Applying Changes to the PIX Firewall The PIX Firewall requires that you configure and then enable each interface which will be active. Inactive interfaces can be disabled.
  • Page 32 Hardware is i82559 ethernet, address is 0050.54ff.3773 IP address 10.1.1.1, subnet mask 255.255.255.0 MTU 1500 bytes, BW 10000 Kbit full duplex 279855 packets input, 26155384 bytes, 0 no buffer Received 274299 broadcasts, 0 runts, 0 giants 1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort 70405 packets output, 11885724 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 babbles, 0 late collisions, 0 deferred...
  • Page 33 PIX Firewall unit. See Notes on Applying Configuration Changes. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 34: Important Note

    Monitoring>Interface Graphs The Interface Graphs panel allows you to monitor per-interface statistics, such as packet counts and bit rates, for each enabled interface on the PIX Firewall. These graphs may be bookmarked for quick opening by your browser, printed, and the data may also be exported to other applications. The following sections are included in this Help topic: Important Notes Interface Graph Types...
  • Page 35 PIX Firewall was rebooted. Input Queue—Displays the instantaneous hardware and software input queue depths, in blocks, on the interface. Output Queue—Displays the instantaneous hardware and software output queue depths, in blocks, on the interface.
  • Page 36 Monitoring>Building Graph Windows This main help topic for the Graph function of the Monitoring tab provides information about building Graph Windows which is common to all the Graph Categories and Graph Types. The following sections are included in this Help topic: Overview of PDM Graphs Field Descriptions Building a New Graph Window...
  • Page 37 Available Graphs for—Displays the list of individual graphs available for each Interface. Graph Window—Allows you to give the Graph Window a name. If unspecified, the graph window name will be "Unnamed (n)" where n increments as each unnamed graph window is created. Selected Graph(s)—Displays up to four graphs you have selected from the Available Graphs for list and added to the Graph Window.
  • Page 38 Optionally, you can name the Graph Window in Graph Window box or select previous Graph Windows by clicking on the drop down. Displaying a Graph Window Click to open a new Graph Window and display the graph(s) which can be bookmarked, printed and exported.
  • Page 39: Important Notes

    Monitoring>Miscellaneous>IDS The IDS panel allows you to monitor Intrusion Detection statistics, including packet counts for each Intrusion Detection System IDS signature supported by the PIX Firewall. These graphs may be bookmarked for quick opening by your browser, printed, and the data may also be exported to other applications. The following sections are included in this Help topic: Important Notes IDS Graph Types...
  • Page 40 ICMP Attacks TCP Attacks UDP Attacks DNS Attacks FTP Attacks RPC Requests to Target Hosts YP Daemon Portmap Requests Miscellaneous Portmap Requests Miscellaneous RPC Calls RPC Attacks
  • Page 41 Monitoring>Graph Windows Graph Windows display up to four graphs which were added to the Selected Graphs list for that Graph Window. Graph Windows can be bookmarked for later recall in your browser, printed, and their data may be exported for use by other applications.
  • Page 42: Printing Graphs

    Print—Opens Print dialog for printing of the Graph or Table. Help—Provides more information. Bookmarking Graph Windows Note: Bookmarking is available with PIX Firewall version 6.1 or later. While in the Graph Window, click the Bookmark button. Select the appropriate URLs for the graphs you want to bookmark in the Bookmark Graphs dialog box that appears.
  • Page 43: Exporting Graph Data

    When the operating system standard File dialog box appears, enter a filename for the data. Note: Similar to printing, if PDM is running in Netscape Navigator, it may bring up a security dialog requesting additional privileges be granted. Click the Grant button to continue.
  • Page 44 Printing To begin printing, select File>Print..., the Print icon on the button bar or Print from a dialog. Note: Java Print Permissions If PDM is running in Netscape Communicator and the user has not yet granted "Print" privileges to the Java applet, a security dialog will appear requesting the granting of Print privileges.
  • Page 46 PIX Firewall supports both inbound and outbound auditing. For a complete list of supported Cisco Secure IDS signatures, their wording, and whether they are attack or informational messages, refer to...
  • Page 47 Delete—Deletes the selected item. Policy-to-Interface Mappings table Interface—Lists the interfaces on which your IDS policy can be enabled. Attack Policy—Displays the specific attack policy, if any, for that interface. Info Policy—Displays the specific info policy, if any, for that interface. Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration.
  • Page 48 Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 50 Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 51 Monitoring>Connection Graphs The Connection Graphs panel allows you to monitor a wide variety of performance statistics for features of the PIX Firewall, including statistics for xlates, connections, AAA, Fixups, URL filtering and TCP Intercept. These graphs may be bookmarked for quick opening by your browser, printed, and the data may also be exported to other applications.
  • Page 52 TCP Intercepts per second processed by the PIX Firewall during the last interval.
  • Page 53 Refresh. Before configuring your PIX Firewall from the PDM CLI tool, we recommend that you review the Configuration Guide for the Cisco Secure PIX Firewall, "Command Reference" for your respective version. Refer to Multiple PDM and CLI Console Sessions for more information.
  • Page 54: Entering Command Lines

    Field Descriptions The Command Line Interface (CLI) panel provides the following fields: Command—Allows you to enter commands. Response—Allows you to view the results of the commands you enter in the Command box. If you would like help on any command, enter the command "?" to display a brief description of Help for that command in the Response pane.
  • Page 55: Command Syntax

    send the command to the PIX Firewall, since it must be used to terminate the line and return to the left margin for the next line. Type the first command in the Multiple Line Command box and use the keyboard Enter key to return to the left margin. Type the next command, Enter. Repeat until all the commands are entered into the command list.
  • Page 56 aaa Enable, disable, or view TACACS+ or RADIUS user authentication, authorization and accounting access-group Bind an access-list to an interface to filter inbound traffic access-list Add an access list age This command is deprecated. See ipsec, isakmp, map, ca commands alias Administer overlapping addresses with dual NAT.
  • Page 57 Enable URL caching url-server Specify a URL filter server virtual Set address for authentication virtual servers who Show active administration sessions on PIX write Write config to net, flash, floppy, or terminal, or erase flash
  • Page 58 Monitoring>System Graphs The System Graphs panel allows you to build a New Graph window which monitors the system resources of the PIX Firewall, including Block utilization, CPU utilization, Failover statistics, and Memory utilization. These graphs may be bookmarked for quick opening by your browser, printed, and the data may also be exported to other applications.
  • Page 59 Note: If Failover is not enabled using the Failover panel under System Properties, no failover graphs will be available for viewing. Memory graphs: Memory Utilization—Displays the number of physical memory bytes free and bytes used
  • Page 60 Tools>Ping This panel provides a ping tool which is useful for verifying the configuration and operation of a PIX Firewall unit and surrounding communications links, as well as basic testing of other network devices. The following sections are included in this Help topic: Field Descriptions Using the PDM Ping tool Troubleshooting operation of the PDM Ping tool...
  • Page 61 different routes or activity levels, for example. Response received—When an echo reply is received, the timer stops and its value is displayed. NO response received—If an echo reply is not received before the timeout value is reached, the timeout value is displayed. Example Ping Output 10.1.1.2 NO response received -- 1000ms 10.1.1.2 NO response received -- 1000ms...
  • Page 62 To enable internal hosts to ping external hosts, ICMP access must be configured correctly for both the inside and outside interfaces in Access Rules. Refer to the Cisco Secure PIX Firewall Configuration Guide for more information on pinging through the PIX Firewall.
  • Page 63 ICMP access-list command statement is not configured; then, permit is assumed. Cisco recommends that you grant permission for ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic. See RFC...
  • Page 64 Field Descriptions The Internet Control Message Protocol (ICMP) panel displays the following fields in a rule table: Interface—Displays an interface which has been added to the ICMP rule table (access list). Action—Permit or deny ICMP traffic terminating at the PIX Firewall unit through this interface. IP Address—Displays the IP address of each host or network added to the ICMP rule table (access list) for this interface.
  • Page 65 Adding to the table Follow these steps to add to the rule table: Click Add to open the Add dialog box. Select the ICMP Type. Select an Interface. Enter or edit the IP address which will be permitted or denied ICMP access through this interface. If the IP address is a host, not a network, then select Host.
  • Page 66 PIX Firewall unit. See Notes on Applying Configuration Changes. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 67: Important Notes

    Monitoring>PDM Users The PDM Users panel allows you to monitor connections made to the PIX Firewall using PIX Device Manager (PDM). A snapshot of the current PDM user sessions to the PIX Firewall is displayed. The display is not automatically updated as new PDM user sessions are created. To view new PDM user sessions, you must click Refresh.
  • Page 69 System Properties>PIX Administration>Telnet The Telnet panel allows configuration of rules which permit only specific hosts or networks running the PIX Firewall Device Manager (PDM) to connect to the PIX Firewall unit using the Telnet protocol. The following sections are included in this Help topic: Field Descriptions Adding Rules Editing Rules...
  • Page 70 Adding Telnet Rules Follow these steps to add a rule to the Telnet rule table: Click on the Add button to open the Telnet>Add dialog box. Click on Interface to add a PIX Firewall interface to the rule table. In the IP Address box, enter the IP address of the host running PDM which will be permitted Telnet access through this PIX Firewall interface.
  • Page 71 PIX Firewall unit. See Notes on Applying Configuration Changes. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 72 System Properties>PIX Administration>Authentication The Authentication panel allows you to enable or disable required authentication, authorizations, and accounting (AAA) verifications. The following sections are included in this Help topic: Field Descriptions Enabling Forced AAA Authentication Enabling AAA Authentication for Specific Connections Applying Changes to the PIX Firewall The Authentication panel allows you to enable or disable AAA access to the PIX Firewall via the serial console or different types of network connections, and set other administrative access policies, such as specifying that...
  • Page 73 password before the first command line prompt on the SSH console. You can monitor SSH sessions using Monitoring>Secure Shell. Telnet—Requires AAA authentication when you start a Telnet connection to the PIX Firewall console. You are required to authenticate before you can enter a Telnet command. You can monitor telnet sessions using Monitoring>Telnet Sessions.
  • Page 75 PIX Administrative AAA Authentication is not defined for the SSH protocol. The default password is cisco. To gain access to the PIX Firewall console via SSH, at the SSH client, enter the username as pix and enter the Telnet password. Note: SSH permits up to 100 characters in a username and up to 50 characters in a password.
  • Page 76 Important Notes About PIX Passwords It is important to set the passwords on each PIX you deploy. PIX passwords may be a maximum of 16 characters in length. SSH permits up to 100 characters in a username and up to 50 characters in a password. PIX password characters can consist of alphanumeric or special characters except for the question mark or space.
  • Page 77 Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration. Use the File menu to write a copy of the running configuration to Flash, a TFTP server, or a failover standby PIX Firewall unit. See Notes on Applying Configuration Changes.
  • Page 78 System Properties>PIX Administration>PDM/HTTPS The System Properties>PIX Administration>PDM/HTTPS panel allows configuration of rules which permit only specific hosts or networks running the PIX Device Manager (PDM) to connect to the PIX Firewall unit using HTTPS (Hypertext Transfer Protocol, Secure). The following sections are included in this Help topic: Field Descriptions Adding Rules Editing Rules...
  • Page 79 time Refresh was clicked while open. Add and Edit provide these buttons: OK—Accepts changes and returns to the previous panel. Cancel—Discards changes and returns to the previous panel. Help—Provides more information. Adding PDM/HTTPS Rules Follow these steps to add a rule to the PDM/HTTPS rule table: Click on Add to open the PDM/HTTPS>Add dialog box.
  • Page 80 PIX Firewall unit. See Notes on Applying Configuration Changes. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 81 System Properties>PIX Administration>Secure Shell The System Properties>PIX Administration>Secure Shell panel allows configuration of rules which permit only specific hosts or networks to connect to the PIX Firewall unit for administrative access using the Secure Shell (SSH) protocol. The following sections are included in this Help topic: Field Descriptions Adding Rules Editing Rules...
  • Page 82 Add and Edit provide these buttons: OK—Accepts changes and returns to the previous panel. Cancel—Discards changes and returns to the previous panel. Help—Provides more information. Adding Secure Shell Rules Follow these steps to add a rule to the Secure Shell rule table: Click on the Add button to open the Add dialog box.
  • Page 83 PIX Firewall unit. See Notes on Applying Configuration Changes. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 84 Monitoring>Secure Shell Sessions The Secure Shell Sessions panel allows you to monitor connections made to the PIX Firewall using Secure Shell (SSH). When the Secure Shell panel is displayed, a snapshot of the current Secure Shell sessions to the PIX Firewall is available.
  • Page 85 Refresh—Refreshes the information on the current panel. Disconnecting Secure Shell Sessions Follow these steps to disconnect an existing SSH session: Select an SSH session from the table. Click Disconnect. Click Refresh to verify that the SSH session has been disconnected.
  • Page 86 Monitoring>Telnet Console Sessions The Telnet Console Sessions panel allows you to monitor connections made to the PIX Firewall using Telnet. A snapshot of current Telnet sessions to the PIX Firewall is displayed. The display is not automatically updated as new Telnet sessions are created. To view new Telnet sessions, you must click Refresh. The following sections are included in this Help topic: Field Descriptions Showing Sessions by IP Address...
  • Page 88 Access Rules>Add, Edit, Insert or Paste Rule The Add, Edit, Insert, or Paste Rule screen lets you create a new rule, or modify an existing rule. The following sections are included in this help topic: Screen Element Descriptions Creating a Rule Resetting to Last Applied Settings Field Descriptions The Add, Edit, Insert, or Paste Rule dialog boxes display the following fields:...
  • Page 89 for the rule. Source Host/Network—Defines the source host or network of the rule by name, or by interface, IP address and netmask. Name—The name of the source host or network. Interface—The interface on which the source host or network resides. IP address—The IP address of source host or network.
  • Page 90 TCP—Lets you select the TCP service/protocol. Authentication Service—Lets you specify the TCP service that the PIX Firewall will use to authenticate a user. Select Application—Lets you select a TCP protocol, such as ftp, http, or telnet from the Select Application list. AAA Server Group—Lets you specify the server group on which to run the selected AAA service.
  • Page 91: Creating A Rule

    Creating a Rule Follow these steps to add a new rule or to modify an existing rule: Under Action, select an action from the Select an action list. Define the source host or network. Click Name, and type the name of the source host or network in the Name box. Click Interface.
  • Page 93: Important Notes

    Search>Search by Field The Search by Field panel lets you find the rules that are displayed on the Access Rules or Translation Rules tab based on selected criteria. The following sections are included in this Help topic: Important Notes Field Descriptions Access Rules Translation Rules...
  • Page 94 Source Name Destination Address Destination Name Action Service These let you select a data type on which the search will be performed. On the right side are list boxes in which the actual pattern to be matched can be entered. For each field Browse (...) will display a list of items that are appropriate for the selected data type.
  • Page 95 Complete the following steps to search for a translation: Select the method by which you wish to search, such as Type or Original Interface. Click Browse to browse for selectable options. Click Search.
  • Page 96 (assuming that the active security policy permits the communication). If the active security policy does not permit a specific communication, the session request is rejected and the translation never occurs.
  • Page 97 Understanding Dynamic NAT Dynamic NAT, commonly referred to as Network Address Translation (NAT), is the process of converting between IP addresses used within an intranet or other private network (called a subdomain) and Internet IP addresses (or external IP addresses on a PIX Firewall unit). This approach makes it possible to use a large number of addresses within the subdomain without depleting the limited number of available numeric Internet IP addresses.
  • Page 98 Requires Fewer Registered IP Addresses. To connect to the Internet, a company must purchase IP addresses from the American Registry for Internet Numbers (ARIN), which is the organization responsible for registering and assigning IP addresses to those who wish to connect to the Internet. Currently, IP addresses are allocated based on the size of the company that is requesting IP addresses.
  • Page 99 Because PAT automatically maps multiple sessions to the same registered IP address, you do not need as many registered IP addresses. This feature also ensures that you can dynamically grow your network. Note: Because PAT requires port information, only TCP, UDP, and ICMP echo/echo-reply operate with PAT.
  • Page 100 Informational Message>Unsupported The Cisco PIX Device Manager (PDM) does not support the complete command set of the Command Line Interface (CLI). PDM cannot function normally when unsupported commands are in the running configuration. This has important implications when using PDM.
  • Page 101 Administer overlapping addresses with dual NAT. Also permits inside interface access to a DNS server alias on a perimeter interface. Permit return connections on ports other than those used for the originating connection, based on an established connection. outbound id except—Create an access list to control outbound connections.
  • Page 102
    outbound 13 deny 0.0.0.0 0.0.0.0 0 0
    outbound 13 permit 0.0.0.0 0.0.0.0 389 tcp
    outbound 13 permit 0.0.0.0 0.0.0.0 30303 tcp
    outbound 13 permit 0.0.0.0 0.0.0.0 53 udp
    apply (inside) 13 outgoing_src
    apply (perim) 13 outgoing_src
    Unsupported Unparsed Commands, Ignored The following commands are unsupported, but will not cause PDM to enter Monitor Only mode.
  • Page 103 For all exceptions, refer to the Cisco PIX Device Manager Installation Guide for your respective version, "Understanding PDM Access, Handling Configuration Limitations" for information on how to correct each problem. Commands that PDM cannot parse stay in the configuration, their values cannot be changed with PDM, and they appear in the list of unparseable commands.
  • Page 104
    dhcp—Implement the DHCP server feature.
    domain-name—Specify the PIX Firewall domain.
    enable password—Set the privileged mode password.
    failover—Change or view access to the optional failover feature.
    filter—Enable or disable outbound URL or HTML object filtering.
    fixup protocol—Change, enable, disable, or list a PIX Firewall application protocol feature.
  • Page 105 Designate a server running Websense for use with the filter url command. For more information about currently unsupported command combinations, see the Cisco PIX Device Manager Installation Guide for your respective version. Before configuring your PIX Firewall from the...
  • Page 106: Field Descriptions

    This is followed by a list of the commands which are not parsed for that version of PDM. Refer to the Cisco PIX Device Manager Installation Guide for your respective version, "Understanding PDM Access, Handling Configuration Limitations" for information on possible corrections.
  • Page 107 The panel has these buttons: OK—Exits the panel. Help—Provides more information.
  • Page 109: Important Notes

    Search>Search by Host/Network The Search panel lets you search for an access rule by host or network. The following sections are included in this Help topic: Important Notes Field Descriptions Searching by Host / Network Important Notes Unlike the Search>Search by Field dialog box, which does a plain text comparison search, the Search>Search by Host/Network menu item uses a more complex applicability-heuristic search.
  • Page 110 Click an Interface in the Interface list. In the Network tree, browse to select the host or network you wish to search. Click Search. Results will be highlighted in yellow on the Access Rules tab.
  • Page 111 Options>Preferences The Preferences dialog is invoked by selecting Options>Preferences... from the top menu. This dialog allows you to select and save options for the behaviour of certain PDM functions between sessions using your web browser's cookie feature. The following sections are included in this Help topic: Preference Items Saved Field Descriptions Changing Preferences...
  • Page 112 Cookies are stored on a per-site basis. This means the preferences made for one PIX firewall do not carry over to another PIX. There is no way to make a global change for all PIXen.
  • Page 113: Access Rules

    For more information, refer to the section "Adaptive Security Algorithm" in Chapter 1 "Using PIX Firewall" in the Cisco PIX Firewall and VPN Configuration Guide Version 6.1. You must have access to the Internet for this link to work.
  • Page 114 Preparing to set up access rules Before you can designate access and translation rules for your network in the Access Rules tab, you must first define each host or server to which a rule will apply in the Hosts/Networks tab. Important Notes It is important to remember that you cannot define any access rules until static or dynamic NAT has been configured for the hosts or networks on which you want to permit or deny traffic.
  • Page 115: Implicit Rules

    should permit or block a connection from a network or host on one interface to another network or host on a different interface. Access rules are grouped by the interface on which they are configured and enforced. Within each group, access rules are evaluated in the same order as you configured them. This is the default method the PIX Device Manager will use to permit or block traffic.
  • Page 116 global pool allows hosts on high security interfaces to initiate connections with hosts on lower security interfaces. The PIX Firewall will map the inside host's address to an address that the PIX Firewall has selected from the pool. Once a host has created an outbound connection, the PIX Firewall will maintain a structure in memory that contains the information describing this address mapping.
  • Page 117 authenticate, will have AAA server-based authorization rules applied, or will be subject to accounting when connecting to hosts specified in the Source Name/Address column. Interface—Specifies the interface on which an AAA rule is configured and enforced. This column always contains the name of an interface on your PIX Firewall, such as "inside," which means this AAA rule is applied to traffic the PIX Firewall receives from interface "inside."...
  • Page 118 Rules are organized sequentially in the order they are applied to each interface. This is the order in which they will be evaluated by the PIX Firewall. Organization of Access Lists If you configure the PIX Firewall using PDM, the PIX Firewall will use access control lists (ACLs). Access rules are grouped by the interface on which they are configured and enforced.
  • Page 119 that the PIX Firewall will use. In the following table, assume that the PIX Firewall in use is configured with conduit commands and outbound lists.
    Columns: # | Action | Interface | Source Name/Address | Destination Name/Address | Service | Description
    Interface: outside (inbound), Service: ftp/tcp
    Interface: outside (inbound), Service: http/tcp
    Interface: inside (outbound), Service: http/tcp
    Interface: inside (outbound), Service: dns/udp
    Interface: inside (outbound)
  • Page 120 The first three rules are Authentication rules using the authentication server group named portal. The fourth and fifth are Authentication rules using TACACS+ as the authentication server group. The sixth and seventh rules are Authorization rules, and the last two are Accounting rules. Note that if you select a rule and try to Insert Before or Insert After, you will only be allowed to create a rule of the same type as the type of rule selected.
  • Page 121: Adding A New Rule

    This example shows the detailed view of the same access rule. It shows the source and destination interface names and IP addresses. Adding a New Rule Follow these steps to add a new rule: Click Add on the Rules menu. Optionally, you can click Add on the PDM toolbar, or right-click over the rule and click Add.
  • Page 122 Pasting Filter Rules When you copy or cut a Filter rule and then try to paste it before or after a rule with a different action, a dialog box will open, letting you edit the rule. For example, if you copy or cut a filter ActiveX rule and then attempt to paste it before or after a filter URL rule, you will only be able to select filter URL or do not filter URL as the action.
  • Page 123: Deleting A Rule

    Delete. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 124 Translation Rules [Static NAT information] [Dynamic NAT information] The Translation Rules tab lets you view all the address translation rules applied to your network. The PIX Firewall supports both the Network Address Translation (NAT) feature, which provides a globally unique address for each outbound host session, and the Port Address Translation (PAT) feature, which provides a single, unique global address for up to 64,000 simultaneous outbound host sessions.
  • Page 125 When you are working in either the Access Rules or the Translation Rules tabs, you can access the task menu three ways: From the PDM toolbar, the Rules menu, or by right-clicking anywhere in the rules table. You cannot use unavailable translation commands until you define networks or hosts. Unavailable commands appear dimmed on the menu.
  • Page 126 Interface—The interface on which the translated addresses reside. Address—The translated addresses. Apply to PIX—Sends changes made in PDM to the PIX Firewall unit and applies them to the running configuration. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 127 Click Apply to PIX. Adding Translation Rules Using the Copy and Paste Commands Follow these steps to modify an address translation rule using the Copy and Paste commands. In the Translation Rules tab, select the rule you want to move. Click Copy Rule.
  • Page 128 Example of a Dynamic Rule In this example translation rule, the Outside interface has an address of 209.165.200.225. Before you begin, you must configure your address pool in the Manage Pools dialog box. For an example of how to configure this rule, see Translation Rules properties.
  • Page 129: Definition Of Terms

    Example of a Static PAT Rule The NAT table displays all static PAT rules first, followed by the normal static NAT rules, and then the dynamic NAT rules. No new column is introduced in the table. The contents of "Original Address" and "Translated Address"...
  • Page 130 configured.
    I. Between same pair of local/global interfaces.
    A. Static NAT
    A-1 overlap between siblings
    static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255
    static (inside,outside) 1.1.1.1 1.1.1.2 netmask 255.255.255.255
    PIX: reject PDM: reject
    A-2 redundant/overlap between child and parent
    A-2-1 redundant, child first
    static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255
    static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0
    PIX: warn...
  • Page 131 PIX: accept PDM: warn
    A-4 overlap with interface address
    ip address outside 192.168.1.1 255.255.255.0
    static (inside,outside) 192.168.1.0 1.1.1.0 netmask 255.255.255.0
    PIX: accept PDM: accept
    A-5 overlap with global pool
    global (outside) 1 192.168.1.1-192.168.1.10
    static (inside,outside) 192.168.1.2 1.1.1.2 netmask 255.255.255.255
    PIX: accept PDM: accept
    B.
  • Page 132 PDM: warn
    B-2-4 overlap, parent first
    static (inside,outside) tcp 1.1.1.0 80 1.1.1.0 80 netmask 255.255.255.0
    static (inside,outside) tcp 1.1.1.1 80 1.1.1.1 8080 netmask 255.255.255.255
    PIX: accept PDM: warn
    B-3 overlap with interface IP
    ip address outside 192.168.1.1 255.255.255.0
    static (inside,outside) tcp 192.168.1.0 80 1.1.1.0 8080 netmask 255.255.255.0
    PIX: accept PDM: accept
    B-4 overlap with global pool...
  • Page 133 (inside,outside) tcp 2.2.2.101 80 1.1.1.1 8080 netmask 255.255.255.255
    PIX: accept PDM: warn
    E. Between different pairs of local/global interfaces.
    static (inside,outside) 3.3.3.1 3.3.3.1 netmask 255.255.255.255 0 0
    static (intf2,outside) 3.3.3.1 2.2.2.1 netmask 255.255.255.255 0 0
    PIX: accept PDM: reject
  • Page 134 Hosts/Networks On the Hosts/Networks tab, you can view, edit, add to, or delete from the list of hosts and networks defined for the selected interface. The PIX Device Manager requires that you define any host or network that you intend to use in access rules and translation rules.
  • Page 135 Click Delete. A message box appears prompting you to verify the delete operation. To delete the selected host or network from the selected interface, click OK.
  • Page 136 Manage Global Address Pools In the Manage Global Address Pools dialog box, you can view, define new, or delete existing global address pools used in dynamic NAT rules. For more information on dynamic NAT rules and their uses, refer to Understanding Dynamic NAT.
  • Page 137 Follow these steps to delete a global address pool: Select an address pool in the Global Address Pools table. Click Delete. To accept your changes and close the Manage Global Address Pools dialog box, click Done.
  • Page 138 Translation Rules>Address Translation Rule The Translation Rule Properties dialog box lets you add, edit, and paste translation rules for your PIX Firewall, which are viewed in the main table of the Translation Rules tab. Depending upon which command you selected in the Translation Rules menu, the title for this dialog box will appear as Add Address Translation Rule, Edit Address Translation Rule, or Paste Address Translation Rule.
  • Page 139 zero, the number of connections is unlimited. Embryonic Limit—The number of embryonic connections allowed to form before the PIX Firewall begins to deny these connections. Set this limit to prevent attack by a flood of embryonic connections. An embryonic connection is one that has been started but has not yet been established, such as a connection still in the three-way TCP handshake state.
  • Page 140 To see an example of what this completed Translation Rule would look like, see the Translation Rules help. Resetting to Last Applied Settings Click the Cancel button to discard your changes without applying them.
  • Page 141 View—Retrieves and displays the syslog messages currently in the PDM Log buffer on the PIX Firewall. Viewing the PDM Log Follow these steps to view the PDM Log: Click the desired logging level in the Logging Level list. Click View.
  • Page 142 Edit host/network>Basic Information In the Edit host/network>Basic Information dialog box, you can modify the values for the IP address, netmask, interface, and name of a host or network. This information provides the basic identification information for that host or network. PIX Device Manager uses the name and IP address/netmask pair to resolve references to this host or network in the source and destination conditions of access rules and in translation rules.
  • Page 143 Click Apply to PIX to activate your changes on the PIX Firewall. Use the File menu to write a copy of the running configuration to Flash, a TFTP server, or a failover standby PIX Firewall unit. See Notes on Applying Configuration Changes.
  • Page 144 Time—Displays the PIX date and time when the syslog message was generated. Message ID: Description—Displays the unique syslog message ID and message description. Refer to the System Log Messages for the Cisco Secure PIX Firewall for more information about syslog messages.
  • Page 145 Follow these steps to sort the syslog messages in the display: Click one of the table column headings: Severity, Time or Message ID:Description. The table will be sorted in ascending or descending order each time you click on the column heading.
  • Page 146 Hosts/Networks>Add>Basic Information In the Create host/network>Basic Information dialog box, you specify values for the IP address, netmask, interface, and name of a host or network. This information provides the basic identification information for that host or network. PIX Device Manager uses the name and IP address/netmask pair to resolve references to this host or network in the source and destination conditions of access rules and in translation rules.
  • Page 147 To define the static routing rule for this host or network, click Next. If the selected interface is not the inside interface, the Create host/network>Static Route dialog box appears. Otherwise, the Create host/network>NAT (Network Address Translation) dialog box appears.
  • Page 148 Hosts/Networks>Add>Static Route Unless one of the following criteria is met (in which case, click Next to skip this dialog box), you should define a static route to ensure that the PIX Firewall unit correctly forwards network packets destined to the host or network: The network or host you are defining is connected directly to the selected interface Dynamic routing is enabled for the interface to discover the routes...
  • Page 149: Defining Static Routes

    If you do not want to be prompted to define static routes for the remainder of this administrative session, select the Never ask me this question again check box. To continue defining the settings for this host or network, click Next. The Create host/network>NAT (Network Address Translation) dialog box appears.
  • Page 150 System Properties>Routing>RIP The RIP panel lets you display and edit the Routing Information Protocol (RIP) settings displayed in the RIP Table. The following sections are included in this Help topic: Field Descriptions Adding a RIP Interface Editing a RIP Interface Deleting RIP Interface Applying Changes to the PIX Firewall The default configuration enables IP routing table updates from RIP broadcast packets received from routers and...
  • Page 151 Version—The version of RIP, 1 or 2, enabled for this interface. Version 2 is recommended. Use version 1 when backward compatibility is required. Auth Type—The type of authentication, clear text or MD5, to use when RIP version 2 is enabled. We recommend using MD5.
  • Page 152 PIX Firewall unit. See Notes on Applying Configuration Changes. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 153 Hosts/Networks>Add>NAT In the Create host/network>NAT (Network Address Translation) dialog box, you can define two types of address translation rules enforced by a PIX Firewall when network packets destined to or originating from the selected host or network are transferred between two interfaces attached to the PIX Firewall unit (inter-interface communications).
  • Page 154: Important Notes

    However, the PIX Firewall does allow the hosts on high security interfaces to initiate connections using their actual, untranslated addresses. This type of rule is different from a static rule because the address is not exposed to the lower security interface. This type of rule also differs from the No NAT type because No NAT prevents the affected hosts from initiating connections, and they have no visible address on the lower security interface.
  • Page 155 Field Descriptions The Create host/network>NAT (Network Address Translation) dialog box displays a set of rows, one for each higher security interface, containing the following fields: Static—Selecting this option defines a permanent map between the internal IP address and a valid IP address on the lower security interface.
  • Page 156 Alternatively, you can define dynamic NAT rules for an interface. To create the host or network that you have defined, click Finish. To commit your changes and activate the new host or networks, click Apply to PIX.
  • Page 157 Hosts/Networks>Add>Static NAT Options In the Static NAT Options dialog box, you can configure the advanced features associated with the selected static NAT rule. The following sections are included in this Help topic: Field Descriptions Configuring Advanced Static NAT Rule Options Field Descriptions The Static NAT Options dialog box displays the following fields: Maximum Connection—Identifies the maximum number of simultaneous TCP connections that are...
  • Page 158 PIX Firewall unit. You should only clear this check box if you are using another inline firewall that randomizes TCP sequence numbers. To retain your changes and close the Static NAT Options dialog box, click OK.
  • Page 159 System Properties>Routing>Static Route The Static Route panel allows you to enter a static route for a specified interface. The following sections are included in this Help topic: Screen Element Descriptions Adding static routes Editing static routes Deleting static routes Applying Changes to the PIX Firewall The Static Route panel allows you to create static routes that will access networks connected to a router on any interface.
  • Page 160: Adding Static Routes

    time Refresh was clicked while open. Adding Static Routes Follow these steps to add static routes: Click Add to open the Add Static Route dialog box. Choose the interface name. Choose the mask IP address associated with the interface name you have chosen. Enter the IP address of the gateway router in Gateway IP.
  • Page 161 PIX Firewall unit. See Notes on Applying Configuration Changes. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 162 System Properties>Proxy ARPs The Proxy ARPs pane allows you to enable or disable Proxy ARPs on each PIX Firewall network interface. The following sections are included in this Help topic: PIX Firewall and Proxy ARPs Field Descriptions Applying Changes to the PIX Firewall ARP (Address Resolution Protocol) is a layer two protocol that resolves an IP address to a physical address, also called a Media Access Control (MAC) address.
  • Page 163 PIX Firewall unit. See Notes on Applying Configuration Changes. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 164 DHCP Client Lease Information—Displays the parameters of the DHCP lease for the outside interface, including the assigned IP address, subnet mask, DHCP server IP address, lease time information, default gateway IP address, and other DHCP-related information.
  • Page 165 System Properties>DHCP Server The DHCP Server panel allows you to configure the PIX Firewall as a DHCP (Dynamic Host Configuration Protocol) server for hosts connected to its inside interface. The following sections are included in this Help topic: Field Descriptions Configuring DHCP Viewing DHCP Statistics Resetting to Last Applied Settings...
  • Page 166: Configuring Dhcp

    You can do so by issuing the show dhcpd statistics and show dhcpd binding CLI commands. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 167 Edit host/network>NAT In the Edit host/network>NAT dialog box, you can modify the address translation rules enforced by a PIX Firewall when network packets destined to or originating from the selected host or network are transferred between two interfaces attached to the PIX Firewall unit (inter-interface communications). In this dialog box, you can only modify translation rules between the selected interface and interfaces of lower security levels.
  • Page 168 However, the PIX Firewall does allow the hosts on high security interfaces to initiate connections using their actual, untranslated addresses. This type of rule is different from a static rule because the address is not exposed to the lower security interface. This type of rule also differs from the No NAT type because No NAT prevents the affected hosts from initiating connections, and they have no visible address on the lower security interface.
  • Page 169 existing dynamic NAT rule covers the selected address (such as one for the network to which a host address belongs) or the selected interface is the outside interface, this option does not appear. If there is an existing rule, you can edit that rule on the Translation Rules tab. same address—...
  • Page 170 Alternatively, you can modify dynamic NAT rules for an interface. To retain your changes and close the Edit host/network dialog box, click OK. Click Apply to PIX to activate your changes on the PIX Firewall.
  • Page 171 Edit host/network>Static Route In the Edit host/network>Static Route dialog box, you can edit a static route to ensure that the PIX Firewall unit correctly forwards network packets destined to the host or network. You can also use a static route to override any dynamic routes that are discovered for this host or network by specifying a static route with a lower metric than the discovered dynamic routes.
  • Page 172 To retain your changes and close the Edit host/network dialog box, click OK. Click Apply to PIX to activate your changes on the PIX Firewall.
  • Page 173: Snmp Terminology

    System Properties>PIX Administration>SNMP The SNMP panel allows you to configure the PIX Firewall unit for monitoring by Simple Network Management Protocol (SNMP) management stations. SNMP defines a standard way for network management stations running on PCs or workstations to monitor the health and status of many types of devices, including switches, routers, and the PIX Firewall.
  • Page 174 PIX Firewall supports a maximum of 32 management stations. The command snmp-server host lists the IP addresses of all management stations (clients) to the PIX Firewall agent (server). For more information on the PIX Firewall and SNMP, refer to "Advanced Configurations" in the Cisco Secure PIX Firewall Configuration Guide for your respective software version.
  • Page 175 when sending requests to the PIX Firewall unit. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The PIX Firewall uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length.
  • Page 176 Cancel—Discards changes and returns to the previous panel. Help—Provides more information. For more information on PIX Firewall and SNMP, refer to the Cisco Secure PIX Firewall Configuration Guide, "SNMP Traps" in "Advanced Configurations" for your respective software version. Adding SNMP Management Stations Follow these steps to add SNMP Management Stations: Click Add to open the SNMP >...
  • Page 177 PIX Firewall unit. See Notes on Applying Configuration Changes. Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 178: Enabling System Logging

    System Properties>Logging>Logging Setup The Logging Setup panel allows you to enable system logging on the PIX Firewall, with optional suppression of specified messages. The following sections are included in this Help topic: Field Descriptions Enabling System Logging Disabling System Logging Suppressing or Restoring a Message Type Resetting to Last Applied Settings Field Descriptions...
  • Page 179: Disabling System Logging

    To remove a message from the IDs of Suppressed Messages list, select it and click Restore. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 180 System Properties>Logging>PDM Logging The PDM Logging panel allows you to set the level of logging used on the PIX Firewall and the size of the logging buffer. The following sections are included in this Help topic: Field Descriptions Changing PDM Logging Level Changing PDM Logging Buffer Size Resetting to Last Applied Settings Field Descriptions...
  • Page 181 Enter the desired size of the buffer into the Logging Buffer box. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 182 System Properties>Logging>Syslog The Syslog panel allows you to specify the syslog servers to which the PIX Firewall will send syslog messages. To make use of the syslog server(s) you define on this panel, you must also enable logging using the Logging Setup panel.
  • Page 183: Adding A Syslog Server

    Click Delete. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 185 System Properties>Logging>Others The Others panel allows you to define where syslog messages are sent for debugging purposes. You must have logging enabled in the Logging Setup panel to use these options. The following sections are included in this Help topic: Field Descriptions Displaying Syslog Messages Resetting to Last Applied Settings...
  • Page 186 Firewall console, all Telnet sessions, and/or an internal buffer, as desired. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 187 System Properties>AAA>AAA Server Groups The AAA Server Groups panel allows you to specify up to 14 authentication, authorization, and accounting (AAA) server groups for your network. Each AAA server group directs different types of traffic to the authentication servers in its group. If the first authentication server listed in the group fails, the PIX Firewall seeks authentication from the next server in the group.
  • Page 188: Adding A Server Group

    Click Delete. The group is deleted. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 189 System Properties>AAA>AAA Servers The AAA Servers panel allows you to specify which servers handle the authentication, authorization, and accounting (AAA) services for your network. The AAA Servers panel displays a list of current AAA servers. The following sections are included in this Help topic: Important Notes Field Descriptions Adding an AAA Server...
  • Page 190 Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 191 System Properties>AAA>Authentication Prompt The Authentication Prompt panel allows you to provide challenge text for access to the PIX Firewall. If you do not use this command, challenge text does not appear for Telnet access. Use the options to display different authentication prompts if the authentication attempt is accepted or rejected by the authentication server. The Authentication Prompt panel lets you change the AAA challenge text for HTTP, FTP, and Telnet access.
  • Page 192 To clear this text, select the user rejected check box a second time to clear it. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 193 System Properties>URL Filtering The URL Filtering panel lets you prevent internal users from accessing external World Wide Web URLs that you designate using the Websense URL filtering server. Once you have defined your URL Filtering server(s) and related parameters on this panel, use the Filter Rules panel to define the rules that will be used to enforce URL filtering.
  • Page 194 TCP1 and TCP4, which are TCP-based, and UDP4, which is UDP-based. Version 4 of these protocols provides functionality beyond version 1. Specifically, when PIX AAA filtering is enabled to perform user authentication, the username information is passed to the Websense server so that it may perform URL filtering and log URL activity by username.
  • Page 195 Source Address. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 196 SMTP (smtp) port 25 SQL*Net (sqlnet) port 1521 For more information about the protocols used in the FixUp panels, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x. Field Descriptions The FixUp Summary panel displays the following fields: FixUp Summary table Protocol—Displays the services or protocols assigned for FixUp.
  • Page 198 If you disable FTP FixUp, internal users can FTP to external servers only in passive mode. For more information about the protocols used in the FixUp panels, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x. Field Descriptions...
  • Page 199 Click Add. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 201 H.323 version 2. The H.323 FixUp feature provides support for Intel InternetPhone, CU-SeeMe, CU-SeeMe Pro, MeetingPoint, and MS NetMeeting. For more information about the protocols used in the FixUp panels, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x. Field Descriptions The H.323 panel displays the following fields: H.323 table...
  • Page 202 Click Add. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 203 Resetting to Last Applied Settings Important Notes For more information about the protocols used in the FixUp panels, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x. Field Descriptions The HTTP panel displays the following fields: HTTP table Low Port—Displays the port number or lower port number range for the HTTP fixups.
  • Page 204 Click Add. The port or port range appears in the HTTP table. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 205 Resetting to Last Applied Settings Important Notes For more information about the protocols used in the FixUp panels, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x. Field Descriptions The RSH panel displays the following fields: Enable—Enables RSH FixUp for a PIX Firewall unit.
  • Page 206 In the RSH panel, click the Enable check box. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 207 Resetting to Last Applied Settings Important Notes RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. PIX Firewall does not support multicast RTSP. For more information about the protocols used in the FixUp panels, refer to the...
  • Page 208 Click Add. The port appears in the RTSP table. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 209 The PIX Firewall uses SIP to support Voice over IP (VoIP) gateways and VoIP proxy servers. For more information about the protocols used in the FixUp panels, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x. Field Descriptions The SIP panel displays the following fields: Enable—Enables SIP FixUp for a PIX Firewall.
  • Page 210 In the SIP panel, select the SIP check box. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 211 Resetting to Last Applied Settings Important Notes For more information about the protocols used in the FixUp panels, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x. Field Descriptions The Skinny panel displays the following fields: Skinny table Low Port—Displays the port number or lower port number range for the Skinny FixUp.
  • Page 212 Click Add. The port or port number range appears in the Skinny table. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 213 RSET, NOOP, and QUIT commands. All other commands are rejected. For more information about the protocols used in the FixUp panels, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x. Field Descriptions The SMTP panel displays the following fields: SMTP table Low Port—Displays the port number or lower port number range for the SMTP FixUp.
  • Page 214 Click Add. The port or port range appears in the SMTP table. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 215 Resetting to Last Applied Settings Important Notes For more information about the protocols used in the FixUp panels, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x. Field Descriptions The SQL*Net panel displays the following fields: SQL*Net table Low Port—Displays the port number or lower port number range for the SQL*Net FixUp.
  • Page 216 Click Add. The port or port number range appears in the SQL*Net table. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 217 System Properties>Advanced>Anti-Spoofing The Anti-Spoofing panel allows you to specify which interfaces to protect from an IP spoofing attack using network ingress and egress filtering. The following sections are included in this Help topic: Important Notes Field Descriptions Enabling or Disabling Anti-Spoofing on an interface Resetting to Last Applied Settings Important Notes This feature provides Unicast...
  • Page 218 Select the check box again to clear anti-spoofing on the interface. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 219 System Properties>Advanced>Fragment The Fragment panel allows you to configure the IP fragment database for each interface of your PIX Firewall. The following sections are included in this Help topic: Field Descriptions Changing Fragment Parameters for an Interface Resetting to Last Applied Settings Field Descriptions The Fragment panel displays the following fields: Fragment table...
  • Page 220 Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 221 Rules. When this option is not selected, the PIX silently discards the packets of all such sessions. Apply to PIX—Applies changes you have made to the PIX Firewall. Reset—Restores settings to last applied state.
  • Page 222 Important Notes We recommend that you do not change these values unless advised to do so by Customer Support. For more information about timeout values, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x. Field Descriptions The Timeout pane displays the following fields: Connection—Modifies the idle time until a connection slot is freed.
  • Page 223 Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 224 System Properties>History Metrics The History Metrics panel enables the PIX Firewall to keep a history of many statistics, which can be displayed by PDM through the Monitoring tab. The following statistics are kept when history metrics are enabled: Input and output bytes (per interface) Input and output packets (per interface) Input and output errors (per interface) Available block count (4 bytes, 80 bytes, 256 bytes and 1550 bytes)
  • Page 225 Select the PDM History Metrics check box. Click Apply to PIX. Resetting to Last Applied Settings Reset—Discards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
  • Page 226 PIX Device Manager Startup Wizard >Interface Configuration The Interface Configuration panel allows you to configure network interfaces on your PIX Firewall. The following sections are included in this Help topic: Important Notes Field Descriptions Resetting to Last Applied Settings Important Notes The PIX Device Manager recognizes which hardware interfaces already exist on your PIX Firewall.
  • Page 227 Startup Wizard, and clicking Continue will return you to the PIX Device Manager Startup Wizard panel. Remember at any time in the PIX Device Manager Startup Wizard you can click Back to return to the previous panel.
  • Page 228 PIX Device Manager Startup Wizard >Default Route Configuration The Default Route Configuration panel allows you to set up the default route for your PIX Firewall. The following sections are included in this Help topic: Important Notes Field Descriptions Setting the Default Route Resetting to Last Applied Settings Important Notes The default route is usually the router connected to the outside interface of your PIX Firewall.
  • Page 229: Setting The Default Route

    Startup Wizard, and clicking Continue will return you to the PIX Device Manager Startup Wizard panel. Remember at any time in the PIX Device Manager Startup Wizard you can click Back to return to the previous panel.
  • Page 230 PIX Device Manager Startup Wizard >Static Route Configuration The Static Route Configuration panel allows you to enter the network address, network mask, router address, and hop count to create a static route. A static route enables hosts on one interface to reach hosts or networks on an interface that is not directly connected to the PIX Firewall or not reachable through the default route.
  • Page 231: Adding A Static Route

    Mask—The subnet mask of the IP address. Router Address—The external IP address of the router which will route packets to the selected network. Hops—The number of hops to the selected router. Back—Returns you to the previous panel. Next—Advances you to the next panel. Finish—Submits your configuration to the PIX Firewall based upon choices made in the previous panels.
  • Page 233 Device Manager Startup Wizard, and clicking Continue will return you to the PIX Device Manager Startup Wizard panel. Remember at any time in the PIX Device Manager Startup Wizard you can click Back to return to the previous panel.
  • Page 234 PIX Device Manager Startup Wizard >Network Address Translation (NAT) The Network Address Translation panel allows you to enter the address range that will be used to translate addresses on the inside interface to addresses on the outside interface. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections.
  • Page 235 Startup Wizard, and clicking Continue will return you to the PIX Device Manager Startup Wizard panel. Remember at any time in the PIX Device Manager Startup Wizard you can click Back to return to the previous panel.
  • Page 236 PIX Device Manager Startup Wizard >Port Address Translation (PAT) The Port Address Translation panel allows you to configure Port Address Translation (PAT) for your PIX Firewall. PAT allows you to set up a single IP address to be used for the global address. With PAT, you can set multiple outbound sessions to appear as if they originate from a single IP address.
  • Page 237 Startup Wizard, and clicking Continue will return you to the PIX Device Manager Startup Wizard panel. Remember at any time in the PIX Device Manager Startup Wizard you can click Back to return to the previous panel.
  • Page 238 PIX Device Manager Startup Wizard >Mail Server Configuration The PIX Device Manager Startup Wizard>Mail Server Configuration panel allows you to permit people or hosts on the outside to access your mail server. The following sections are included in this Help topic: Important Notes Field Descriptions Adding a Mail Server...
  • Page 239 Mail Server Table—Lists the configured mail servers. Name—The name of the mail server. Address—The internal IP address of the server. External—The external IP address of the server. Interface—The interface on which the mail server resides. Add—Adds the configured mail server to the Mail Server table. Clear—Clears the mail server configuration boxes.
  • Page 240 Startup Wizard, and clicking Continue will return you to the PIX Device Manager Startup Wizard panel. Remember at any time in the PIX Device Manager Startup Wizard you can click Back to return to the previous panel.
  • Page 241 PIX Device Manager Startup Wizard The PIX Device Manager Startup Wizard panel allows you to begin the process of configuring your PIX Firewall using the PIX Device Manager Startup Wizard. The following sections are included in this Help topic: Important Notes Field Descriptions Resetting to Last Applied Settings Important Notes...
  • Page 242 Startup Wizard, and clicking Continue will return you to the PIX Device Manager Startup Wizard panel. Remember at any time in the PIX Device Manager Startup Wizard you can click Back to return to the previous panel.
  • Page 243 PIX Device Manager Startup Wizard >Web Server Configuration The Web Server Configuration panel allows you to specify which server will provide web services on your network. The following sections are included in this Help topic: Field Descriptions Adding a Web Server Deleting a Web Server Resetting to Last Applied Settings Field Descriptions...
  • Page 244 Startup Wizard, and clicking Continue will return you to the PIX Device Manager Startup Wizard panel. Remember at any time in the PIX Device Manager Startup Wizard you can click Back to return to the previous panel.
  • Page 245 PIX Device Manager Startup Wizard>Finish The Finish panel allows you to submit the configuration you have created based on the choices made on previous panels to the PIX Firewall. The following sections are included in this Help topic: Field Descriptions Resetting to Last Applied Settings Important Notes Once you have completed the steps necessary to create a configuration on the PIX Firewall, clicking Finish will...
  • Page 247 The Internet protocols consist of a suite of communication protocols, of which the two best known are the Transmission Control Protocol (TCP) and the Internet Protocol (IP). The Internet protocol suite not only includes lower-layer protocols (such as TCP and IP), but it also specifies common applications such as electronic mail, terminal emulation, and file transfer.
  • Page 248 IP Packet Fourteen fields comprise an IP packet. Version—Indicates the version of IP currently used. IP Header Length (IHL)—Indicates the datagram header length in 32-bit words. Type-of-Service—Specifies how an upper-layer protocol would like a current datagram to be handled, and assigns datagrams various levels of importance. Total Length—Specifies the length, in bytes, of the entire IP packet, including the data and header.
  • Page 249 Identification—Contains an integer that identifies the current datagram. This field is used to help piece together datagram fragments. Flags—Consists of a 3-bit field of which the two low-order (least-significant) bits control fragmentation. The low-order bit specifies whether the packet can be fragmented. The middle bit specifies whether the packet is the last fragment in a series of fragmented packets.
  • Page 250: Ip Address Classes

    IP Address Classes IP addressing supports five different address classes: A, B, C, D, and E. Only classes A, B, and C are available for commercial use. The left-most (high-order) bits indicate the network class. The following illustration provides reference information about the five IP address classes. [Illustration: IP Classes] IP Subnet Addressing.
  • Page 251 Mask, Netmask, IP Subnet Mask A mask is a 32-bit field which shows how an Internet address is to be divided into network, subnet and host parts. The netmask has ones in the bit positions in the 32-bit address which are to be used for the network and subnet parts, and zeros for the host part.
  • Page 252 Instead, TCP groups bytes into segments and passes them to IP for delivery. TCP offers reliability by providing connection-oriented, end-to-end reliable packet delivery through an internetwork. It does this by sequencing bytes with a forwarding acknowledgment number that indicates to the destination the next byte the source expects to receive.
  • Page 253 TCP Sliding Window A TCP sliding window provides more efficient use of network bandwidth than PAR because it enables hosts to send multiple bytes or packets before waiting for an acknowledgment. In TCP, the receiver specifies the current window size in every packet. Because TCP provides a byte-stream connection, window sizes are expressed in bytes.
  • Page 254 Network File System (NFS), Simple Network Management Protocol (SNMP), Domain Name System (DNS), and Trivial File Transfer Protocol (TFTP). UDP Packet Format The UDP packet format contains four fields: source and destination ports, length, and checksum.
  • Page 255 The Cisco PIX® Device Manager (PDM) is a browser-based configuration tool that enables you to graphically set up, configure, and monitor your Cisco PIX Firewall running version 6.0 or later over a secure administrative session. PDM is implemented as a signed Java applet which uploads to your PC or workstation when you point your browser at the PIX Firewall, without requiring a plug-in or other software to be installed beforehand.
  • Page 256: Operating Systems

    OpenWindows window manager • Netscape Communicator 4.51 or higher (4.76 recommended) Redhat Linux 6.2 or 7.0 running GNOME or KDE 2.0 desktop • Netscape Communicator 4.76 For more detailed requirements, see Getting Started PDM Installation Guide.

This manual is also suitable for:

Pix device manager 1.1
