Cisco PIX 515 - IP Setup

Sunday, 22 May 2011 12:18 administrator

This is a quick guide to configuring the Cisco PIX 515, which is a discontinued model.

Even though the PIX 515 is an old model, it provides a GUI through software built into the box.

That is called PDM, which stands for PIX Device Manager. A GUI is definitely a benefit for a network admin.

First of all, here is the device I am configuring:


Here are the steps.

1. Use the console to assign an IP address to an Ethernet port.

I am using PuTTY, a free utility you can download from the Internet. In the PuTTY configuration window, choose Serial and set Speed to 9600 (the default). I assume you know the login and enable passwords; if you don't, you need to run the password recovery procedure first.

2. Check the interface names first.

PIX-515# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security0
nameif ethernet2 intf2 security10

While you are configuring the PIX 515, the syntax asks you for ''. I assumed that meant the hardware name such as 'ethernet0' or 'ethernet1'. In PIX terms those are the hardware_id (the form nameif and interface use); the ip address command wants the if_name, which is 'outside' or 'inside' as in the output above. Personally, I don't like the expression, but what can I do... Also look at the security level on each nameif line: the PIX permits traffic from a higher-security interface to a lower one by default and blocks the reverse, so inside is conventionally security100 and outside security0. If the levels are not what you expect, fix them with nameif before going further.

3. Configure an IP address on ethernet1

As the nameif output shows, ethernet1 is named 'inside', and the ip address command takes that name rather than the hardware id:

PIX-515(config)# ip address inside 192.168.77.1 255.255.255.0

PIX-515# sh int ethernet1
interface ethernet1 "inside" is up, line protocol is down
Hardware is i82559 ethernet, address is 0004.9ad0.d059
IP address 192.168.77.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
PIX-515#

This inside port must be connected to a switch on your inside network; until a cable is plugged in, the line protocol stays down, as in the output above.

4. Change the interface speed and duplex. This is very important for getting proper performance, especially when the PIX 515 connects to equipment from different vendors.

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown

A duplex mismatch often causes performance problems.

The default setting is 'auto'. The 'shutdown' keyword on ethernet2 means that interface is administratively disabled (the default for an unused interface); an enabled interface with no cable plugged in is not marked shutdown but shows 'line protocol is down', as ethernet1 did in the show interface output above.

If you want to hard-code the speed and duplex, configure the specific interface like this:

PIX-515(config)# interface ethernet1 100full

Whatever you set here must match the switch port on the other end. Hard-coding one side while the other side stays on auto is itself a classic cause of a duplex mismatch, because the auto side falls back to half duplex when nothing negotiates with it.

5. Allow your workstation to access PDM

PIX-515(config)# http 192.168.77.101 255.255.255.255 inside

**Important: 192.168.77.101 is the workstation that will connect to PDM, and the 255.255.255.255 mask limits the statement to that single host on the inside interface. Keep this list as tight as you can; a 0.0.0.0 0.0.0.0 mask, or a statement on the outside interface, exposes the management interface far more widely than a setup like this needs.

If you put in the wrong IP address, you will see the following in the PIX log:

%PIX-6-605001: HTTP daemon interface int_name: connection denied from x.x.x.x

6. Enable the HTTP server

PIX-515(config)# http server enable

This starts the management server that PDM talks to.

7. Create a user and password

When you open PDM, you will get a login prompt.

This is separate from the enable and login passwords used to get into the PIX 515 itself:

PIX-515(config)# username cisco password xxxxx

Pick a name other than the example 'cisco' and a strong password. Note that PDM only checks this local user database once 'aaa authentication http console LOCAL' is configured; without that line, PDM expects an empty username and the enable password.

8. Access PDM from your browser

Even though the command says http, PDM is served only over TLS, so you MUST use HTTPS in the browser: https://192.168.77.1 (expect a certificate warning, since the PIX presents a self-signed certificate).
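As an added example (this is not code from the original post or a Cisco tool), the following Python script checks candidate PDM client addresses against http allow statements of the form used in step 5, and counts repeated 605001 denials of the kind shown in step 5 across a syslog excerpt. The allow list, the log lines (including the unrelated 111008 filler line), the three-attempt threshold and the "risky rule" policy are this example's own assumptions; only the 605001 message text comes from the page.

```python
"""
Added example, not part of the original post: check PDM client addresses
against the PIX `http <addr> <mask> <if_name>` allow list and pick repeated
%PIX-6-605001 denials out of syslog. The allow list and log lines below are
constructed for the example; only the 605001 text format comes from the page.
"""
import ipaddress
import re
from collections import Counter

# Generic PIX syslog header: "%PIX-<severity>-<message id>: <text>"
PIX_MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# Text of message 605001 as quoted on the page
DENIED_RE = re.compile(
    r"HTTP daemon interface (?P<ifname>\S+): connection denied from (?P<src>[\d.]+)")


def parse_http_rule(stmt):
    """Turn `http 192.168.77.101 255.255.255.255 inside` into (network, if_name)."""
    p = stmt.split()
    if len(p) != 4 or p[0] != "http":
        raise ValueError(f"not an http allow statement: {stmt!r}")
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False), p[3]


def is_allowed(rules, src, ifname):
    """True if a client at src arriving on interface ifname matches any http rule."""
    ip = ipaddress.ip_address(src)
    return any(ip in net and ifname == rif for net, rif in rules)


def risky_rules(rules):
    """Rules this example treats as weak: PDM reachable from 'outside' or from any address."""
    return [(net, rif) for net, rif in rules
            if rif == "outside" or net.prefixlen == 0]


def denied_sources(log_lines):
    """Count 605001 denials per (source address, interface)."""
    counts = Counter()
    for line in log_lines:
        m = PIX_MSG_RE.search(line)
        if not m or m.group("msgid") != "605001":
            continue  # not a PDM denial
        d = DENIED_RE.search(m.group("text"))
        if d:
            counts[(d.group("src"), d.group("ifname"))] += 1
    return counts


def offenders(log_lines, threshold=3):
    """Sources with at least `threshold` denials, most frequent first."""
    return [(k, n) for k, n in denied_sources(log_lines).most_common() if n >= threshold]


# Constructed allow list and log excerpt (the admin workstation is 192.168.77.101).
RULES = [parse_http_rule("http 192.168.77.101 255.255.255.255 inside")]
LOGS = [
    "%PIX-6-605001: HTTP daemon interface inside: connection denied from 192.168.77.200",
    "%PIX-6-605001: HTTP daemon interface inside: connection denied from 192.168.77.200",
    "%PIX-5-111008: User 'enable_15' executed the 'write memory' command.",
    "%PIX-6-605001: HTTP daemon interface inside: connection denied from 192.168.77.200",
    "%PIX-6-605001: HTTP daemon interface outside: connection denied from 10.0.0.5",
]

if __name__ == "__main__":
    print("192.168.77.101 on inside allowed:", is_allowed(RULES, "192.168.77.101", "inside"))
    print("risky rules:", risky_rules(RULES))
    for (src, ifname), n in offenders(LOGS):
        print(f"{n} denied PDM attempts from {src} on {ifname}")
```

The interface is part of the match on purpose: the PIX ties each http statement to one interface, so the same workstation address arriving on outside is still refused, and the denial counter keys on the interface as well so that a probe from the Internet side is not lumped together with a mistyped inside address.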

 


Extra configurations

Map addresses to names (later statements can then use the label instead of the address)

name 192.168.77.22 InternetPHONE
name 192.168.77.31 Linux64
name 192.168.77.55 ipBalance_PC

 

NAT

global (outside) 1 10.1.1.51-10.1.1.100 netmask 255.255.255.0
global (outside) 1 10.1.1.50 netmask 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 100.1.1.0 255.255.255.0 0 0
nat (management) 1 100.2.2.0 255.255.255.0 0 0

The two global statements share NAT ID 1: the pool 10.1.1.51-10.1.1.100 is handed out first and, once it is exhausted, the single address 10.1.1.50 is used for PAT. 'nat (inside) 0 access-list 101' exempts traffic matched by access-list 101 from translation; that list is not shown here and must exist. Note also that these extra fragments refer to interfaces named management and dmz, which the device above does not have (its nameif output lists only outside, inside and intf2), so they need their own nameif entries on whatever box they are applied to.

 

Static NAT and default route

static (dmz,outside) 1.1.1.22 10.3.3.22 netmask 255.255.255.255 0 0
static (inside,management) 10.1.1.13 10.1.1.13 netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

The static command is a static translation, not a route: the first line presents the dmz host 10.3.3.22 as 1.1.1.22 on the outside, and the second is an identity translation that lets 10.1.1.13 be reached from the management interface under its real address. A static by itself does not open anything; inbound connections from the lower-security interface still need a permit in an access-list applied there. The route line is the default route, sending everything with no more specific route to 192.168.1.1 via the outside interface with metric 1.

 

Access-list

access-list from-management-coming-in permit tcp host 192.168.1.1 host 172.16.1.1 eq 9100
access-group from-inside-coming-in in interface inside

Two things to check before copying this. First, the name in access-group must match the name of the access-list ('from-management-coming-in' above versus 'from-inside-coming-in'), or the group is bound to a list that does not exist. Second, an access-list applied 'in' on an interface ends with an implicit deny, so binding a list whose only entry permits TCP 9100 (the raw printer port) from 192.168.1.1 to 172.16.1.1 to the inside interface blocks every other connection coming in from the inside network until you add further permits.
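The fragments above lean on names that must exist elsewhere in the configuration: access-list 101, the interfaces dmz and management, and the access-list bound by access-group. As an added example, not the post's own configuration and not a Cisco tool, here is a small Python consistency check that catches those gaps, run against a config constructed in the shape of these fragments and against a corrected copy. The check rules, the made-up contents of access-list 101, the security levels in the constructed nameif lines and the choice to rename management to dmz in the corrected copy are all this example's assumptions.

```python
"""
Added example, not part of the original post: a small consistency check for
PIX 6.x style configuration fragments like the ones above. Both config texts
below are constructed for the example, modelled on the page's lines.
"""
import re

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
PAREN_RE = re.compile(r"^(?:nat|global)\s+\((\w+)\)")
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)")


def lint_pix_config(text):
    """Return a list of findings (strings) for a PIX config fragment."""
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.strip().startswith("!")]
    ifaces, acls = {}, set()
    # Pass 1: collect interface names (from nameif) and access-list names.
    for l in lines:
        m = NAMEIF_RE.match(l)
        if m:
            ifaces[m.group(1)] = int(m.group(2))
        elif l.startswith("access-list "):
            acls.add(l.split()[1])

    findings = []

    def need_if(name, line):
        if name not in ifaces:
            findings.append(f"{line}: interface '{name}' has no nameif entry")

    def need_acl(name, line):
        if name not in acls:
            findings.append(f"{line}: access-list '{name}' is not defined")

    http_enabled, http_allow = False, 0
    # Pass 2: every statement that names an interface or access-list.
    for l in lines:
        p = l.split()
        if p[0] == "access-group" and len(p) >= 5:
            need_acl(p[1], l)          # access-group <acl> in interface <if_name>
            need_if(p[4], l)
        elif p[0] in ("nat", "global"):
            m = PAREN_RE.match(l)      # nat (if_name) ... / global (if_name) ...
            if m:
                need_if(m.group(1), l)
            if "access-list" in p:     # nat (if_name) 0 access-list <acl>
                need_acl(p[p.index("access-list") + 1], l)
        elif p[0] == "static":
            m = STATIC_RE.match(l)     # static (real_if,mapped_if) ...
            if m:
                need_if(m.group(1), l)
                need_if(m.group(2), l)
        elif p[0] == "route" and len(p) >= 2:
            need_if(p[1], l)
        elif p[0] == "http":
            if p[1:] == ["server", "enable"]:
                http_enabled = True
            elif len(p) == 4:          # http <addr> <mask> <if_name>
                http_allow += 1
                need_if(p[3], l)
                if p[3] == "outside" or p[2] == "0.0.0.0":
                    findings.append(f"{l}: PDM reachable from outside or from any source")
    if http_enabled and http_allow == 0:
        findings.append("http server enable without any http <addr> <mask> <if_name> statement")
    # The PIX permits traffic from a higher to a lower security level by default,
    # so inside must sit above outside for ordinary outbound traffic.
    if "inside" in ifaces and "outside" in ifaces and ifaces["inside"] <= ifaces["outside"]:
        findings.append("inside security level is not higher than outside")
    return findings


# Constructed config in the shape of the page's 'Extra configurations' section.
CONFIG_BAD = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
http 192.168.77.101 255.255.255.255 inside
http server enable
global (outside) 1 10.1.1.51-10.1.1.100 netmask 255.255.255.0
global (outside) 1 10.1.1.50 netmask 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 100.1.1.0 255.255.255.0 0 0
nat (management) 1 100.2.2.0 255.255.255.0 0 0
static (dmz,outside) 1.1.1.22 10.3.3.22 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
access-list from-management-coming-in permit tcp host 192.168.1.1 host 172.16.1.1 eq 9100
access-group from-inside-coming-in in interface inside
"""

# Same config with the three gaps closed (the access-list 101 entry is made up).
CONFIG_FIXED = CONFIG_BAD.replace(
    "nat (management) 1", "nat (dmz) 1"
).replace(
    "access-group from-inside-coming-in", "access-group from-management-coming-in"
) + "access-list 101 permit ip 192.168.77.0 255.255.255.0 10.3.3.0 255.255.255.0\n"

if __name__ == "__main__":
    for name, cfg in (("CONFIG_BAD", CONFIG_BAD), ("CONFIG_FIXED", CONFIG_FIXED)):
        print(name, lint_pix_config(cfg) or "no findings")
```

Run against CONFIG_BAD the check reports exactly the three dangling references (access-list 101, interface management, and the access-group name); against the corrected copy it reports nothing. It also flags a PIX whose inside and outside interfaces share a security level, and an http server enable with no accompanying http allow statement, both of which leave PDM or the firewall itself unusable in ways that are easy to miss on the console.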

 

Reference:

- PIX message index : http://www.cisco.com/en/US/docs/security/pix/pix61/system/message/pixemsgs.html#wp1032267

 

Last Updated on Sunday, 22 May 2011 12:41