This is a quick guide for configuring Cisco PIX 515 which is discontinued model.
Even though Cisco PIX 515 is a kind of old model, it provides GUI interface thru built-in software in the box.
That is called PDM stands for PIX Device Manager. Definitely GUI is benefits for network admin.
First of all, here is a device I am configuring:
- Cisco PIX Firewall Version 6.2(2)
- Cisco PIX Device Manager Version 2.1(1) Compiled on Fri 07-Jun-02 17:49 by morlee
- pixfirewall up 1 min 9 secs
- Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
- Flash i28F640J5 @ 0x300, 16MB
- BIOS Flash AT29C257 @ 0xfffd8000, 32KB 0:
- ethernet0: address is 0004.9ad0.d058, irq 11 1:
- ethernet1: address is 0004.9ad0.d059, irq 10 2:
- ethernet2: address is 0090.2710.3b1c, irq 9
- Licensed Features:
- Failover: Disabled VPN-DES:
- Enabled VPN-3DES:
- Disabled Maximum Interfaces:
- 3 Cut-through Proxy: Enabled
- Guards: Enabled URL-filtering: Enabled
- Inside Hosts: Unlimited Throughput:
- Unlimited IKE peers:
- Unlimited Serial Number: 406080307 (0x18344b33)
- Running Activation Key: 0x78118d39 0xf5e9f2bb 0xdb93e47e 0xd401763e
- Configuration last modified by enable_15 at 02:28:10.920 UTC Mon Jun 22 2009
- pixfirewall# 111009: User 'enable_15' executed cmd: show version
1. Need to console to assign IP address on Ethernet 0 port.
I am using Putty.exe which is free utility you can download from Internet. From Putty configuration mode, choose Serial and Speed 9600(default). I hope you know the login info and enable password. If you don't, you need to try password recovery procedure.
2. Check name of interfaces first. PIX-515#
PIX-515# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security0
nameif ethernet2 intf2 security10
While you are configuring PIX 515, you will get asked ''. I thought it meant interface name such as 'Ethernet 0' or 'Ethernet 1'. Actually that is hardware-id in PIX firewall world. It means 'outside' or 'inside' as above output. Personally, I don't like the expression, but what can I do...
3. Configuring IP address on Ethernet1
As you can see the name of interface, which is 'inside'.
PIX-515(config)# ip address inside 192.168.77.1 255.255.255.0
PIX-515# sh int ethernet1
interface ethernet1 "inside" is up, line protocol is down
Hardware is i82559 ethernet, address is 0004.9ad0.d059
IP address 192.168.77.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
This inside port will need to be connected to your switch on your inside network.
4. Changing interface speed It is very very important port to get proper performance.
Especially, PIX 515 is connecting different vendors.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
Duplex mis-matching often causes performance issue.
Default setup is 'auto' (If line is not connected, it showed 'shutdown')
If you want to make hard coded speed and duplex, specific interface can be configured like below PIX-515(config)#interface ethernet1 100full
5. Allow your device to access PDM
PIX-515(config)#http 192.168.77.101 255.255.255.255 inside
**Important: 192.168.77.101 is your device which is attempting to access PDM.
If you are put a wrong IP address. You will see below on Cisco log
%PIX-6-605001: HTTP daemon interface int_name: connection denied from x.x.x.x
6. Enable HTTP server PIX-515(config)#http server enable
This will setup HTTP access.
7. Create user and password
When you access PDM, you will get asked login prompt.
It is different from enable or login password for accessing PIX 515 box PIX-515(config)# username cisco password xxxxx
8. Access PDM from your browser
Even though we are enable http, when you browse PDM, you MUST use "HTTPS". HTTPS://192.168.77.1
Map address to name
name 192.168.77.22 InternetPHONE
name 192.168.77.31 Linux64
name 192.168.77.55 ipBalance_PC
global (outside) 1 10.1.1.51-10.1.1.100 netmask 255.255.255.0
global (outside) 1 10.1.1.50 netmask 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 220.127.116.11 255.255.255.0 0 0
nat (management) 1 18.104.22.168 255.255.255.0 0 0
static (dmz,outside) 22.214.171.124 10.3.3.22 netmask 255.255.255.255 0 0
static (inside,management) 10.1.1.13 10.1.1.13 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
access-list from-management-coming-in permit tcp host 192.168.1.1 host 172.16.1.1 eq 9100
access-group from-inside-coming-in in interface inside