Cisco PIX 520 - PIX Firewall 520 Reference guide

Index

Glossary

About PDM - New for PDM 1.1

PDM Icon Legend

Getting Started

Applying Configuration Changes in PDM

Refresh

More about Internet Protocol (IP)

Unsupported Commands

Help Topics by Location

Access Rules

Translation Rules

Hosts/Networks

System Properties

Monitoring

Menus

Additional Resources

Top Security Resources

PIX Firewall Documentation

Cisco Technical Assistance Center>PIX Firewall

PIX Firewall Top Issues

PIX Firewall Product Literature

This topic includes the following sections:

Introduction●

About PDM Software●

System Requirements●

Introduction

Cisco PIX Device Manager (PDM) is the graphical user interface (GUI) for configuring and monitoring the Cisco

PIX Firewall.

PDM is available on all PIX 501, PIX 506, PIX 515, PIX 520, PIX 525, and PIX 535 platforms that are running

PIX Firewall software version 6.0 or higher.

PDM is designed to assist you in managing your network security. For example, PDM does the following:

Helps you configure your PIX Firewall using visual tools like task-oriented selections and drop-down

menus.

●

Sends PIX Firewall command-line interface (CLI) commands to the PIX Firewall unit for you.●

Enables you to visually monitor your PIX Firewall system, connections, IDS, and traffic on the interfaces.●

Can create new PIX Firewall configurations or modify existing configurations that were originally

implemented using the PIX Firewall CLI or Cisco Secure Policy Manager (Cisco Secure PM).

●

Monitors and configures one PIX Firewall unit at a time, but you can point your browser to more than one

PIX Firewall unit and administer several PIX Firewall units from a single workstation.

●

Runs on platforms that support Java and does not require a separate plug-in. (The PDM applet uploads to

your workstation when you point your browser at the PIX Firewall.)

●

Uses Secure Socket Layer (SSL) to secure communication between itself (PDM) and the PIX Firewall and

is a signed applet.

●

About PDM Software

If your PIX Firewall unit is new and shipped with PIX Firewall software version 6.0 or higher, the PDM software

is already loaded in the PIX Firewall Flash memory for you.

If you are upgrading from a previous version of PIX Firewall, you need to use TFTP from the PIX Firewall to

copy the PDM image to your PIX Firewall. For instructions on how to do this, refer to the PDM Installation

Guide and Using a TFTP Server.

Note If using PDM with an existing PIX Firewall configuration, refer to "PDM Support for PIX Firewall CLI

Commands," for information on which commands are supported and which are not.

System Requirements

This section includes the following topics:

PIX Firewall Requirements●

Browser Requirements●

PC/Workstation Requirements●

PIX Firewall Requirements

Caution The PIX Firewall must have PIX Firewall software version 6.0 or higher installed and running

for PDM to run. PDM does not run with earlier PIX Firewall software versions

If you are using a PIX Firewall already running PIX Firewall software version 6.0 or higher, then you have

already met all the requirements to run PDM that are discussed in "PIX Firewall Requirements"and can continue

to the "Browser Requirements" section. For example, PIX Firewall units that contain

PIX Firewall software version 6.0 or higher ship with a pre-installed DES activation key.

Otherwise, a PIX Firewall unit must meet the following requirements to successfully install and run PDM:

You must have an activation key that enables Data Encryption Standard (DES) or the more secure 3DES,

which PDM requires for support of the Secure Socket Layer (SSL) protocol.

●

If your PIX Firewall is not enabled for DES, you can have a new activation key sent to you by completing

the form at the following website:

http://www.cisco.com/kobayashi/sw-center/internet/pix-56bit-license-request.shtml

●

Verify that your PIX Firewall meets all PIX Firewall software version 6.0 requirements listed in the

Release Notes for the Cisco Secure PIX Firewall Version 6.0(1) or higher. You must have version 6.0

installed on the PIX Firewall unit before using PDM. You can download version 6.0 and the PDM software

from the following website: http://www.cisco.com/cgi-bin/tablebuild.pl/pix

●

You must have at least 8 MB of Flash memory on the PIX Firewall unit.●

Ensure that your configuration is less than 100 KB (approximately 1500 lines). Configurations over 100

KB cause PDM performance degradation. You can view the size of your configuration with the CLI show

flashfs command as the length for "file 1."

●

Browser Requirements

The following are required to access one or more PIX Firewall units through PDM:

A JavaScript and Java enabled browser running JDK 1.1.4 or higher. If these are not enabled in the

browser, PDM guides you on how to enable them. To check which version you have, launch PDM. When

the PDM information window appears, the field "JDK Version" indicates your JDK version. If you have an

older JDK version, you can get the latest JVM from Microsoft by downloading the product called "Virtual

Machine."

●

Browser support for Secure Socket Layer (SSL) must be enabled. The supported versions of Internet

Explorer and Netscape Navigator support SSL without requiring additional configuration.

Note PIX Firewall software version 6.0 supports SSL 2.0, SSL 3.0, and TLS 1.0 in web browsers. PIX

Firewall supports all browser encryption levels.

●

PC/Workstation Requirements

PDM has different requirements depending on the platform from which you access it.

PDM is not supported for use on computers equipped with the Macintosh, Windows 3.1, or Windows 95

operating systems.

This section includes the following topics:

Windows Requirements●

SUN Solaris Requirements●

Linux Requirements●

Windows Requirements

The following requirements apply to the use of PDM with Windows. PDM does not support use on

Windows 3.1 or Windows 95.

●

Windows 2000 (Service Pack 1), Windows NT 4.0 (Service Pack 4 and higher), Windows 98, or Windows

ME.

●

Supported browsers: Internet Explorer 5.0 (Service Pack 1) or higher (5.5 recommended), Netscape

Communicator 4.51 or higher (4.76 recommended). We recommend Internet Explorer on Windows as

PDM may load faster into this browser on this operating system.

●

Any Pentium or Pentium-compatible processor running at 350 MHz or higher.●

At least 128 MB of random-access memory (RAM). We recommend 192 MB or more.●

An 800 x 600 pixel display with at least 256 colors. We recommend a 1024 x 768 pixel display and at least

High Color (16-bit) colors.

Note The use of virus checking software may dramatically increase the time required for PDM to start.

This is especially true for Netscape Communicator on any Windows platform or Windows 2000 running

any browser.

●

SUN Solaris Requirements

The following requirements apply to the use of PDM with Sun SPARC:

Sun Solaris 2.6 or later running CDE or OpenWindows window manager.●

SPARC microprocessor.●

Supported browser: Netscape Communicator 4.51 or higher (4.76 recommended).●

At least 128 MB of random-access memory (RAM).●

An 800 x 600 pixel display with at least 256 colors. We recommend a 1024 x 768 pixel display and at least

High Color (16-bit) colors.

●

Note PDM does not support Solaris on IBM PC

Linux Requirements

The following requirements apply to the use of PDM with Linux:

Red Hat Linux 7.0 running the GNOME or KDE 2.0 desktop environment.●

Supported browser: Netscape Communicator 4.75 or later version.●

At least 64 MB of random-access memory (RAM).●

An 800 x 600 pixel display with at least 256 colors. We recommend a 1024 x 768 pixel display and at least

16-bit colors.

●

A-D

AAA—Authentication, Authorization, and Accounting. See also TACACS+, RADIUS

Access Control, Access Control Rule, ACE—Information entered into the configuration which allows you to

specify what type of traffic to permit or deny into an the interface. By default, traffic that is not explicitly

permitted is denied.

ACL—Access Control List. A collection of Access Control Entries. An access list allows you to specify what

type of traffic to allow into an interface. By default, traffic that is not explicitly permitted is denied. See also Rule

ActiveX—A set of object-oriented programming technologies and tools used to create mobile or portable

programs. An ActiveX program is roughly equivalent to a Java applet.

Address Translation—The translation of a network address and/or port to another network address/or port.. See

also IP Address, NAT, PAT, Static PAT, Interface PAT.

A record address—"A" stands for address, and refers to name-to-address mapped records in DNS.

ARP—Address Resolution Protocol—A low-level TCP/IP protocol that maps a node's hardware address (called a

"MAC" address) to its IP address.

ASA—Adaptive Security Algorithm. Allows one-way (inside to outside) connections without an explicit

configuration for each internal system and application.

Cache—A temporary repository of information accumulated from previous task executions that can be reused,

decreasing the time required to perform the tasks.

CLI—Command Line Interface. The primary interface for entering configuration and monitoring commands to

the PIX Firewall. Refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x for information

on what commands you can enter from the CLI.

Cookie—A cookie is a web browser feature which stores or retrieves information, such as a user's preferences, to

persistent storage. In Netscape and Internet Explorer, cookies are implemented by saving a small text file on your

local hard drive. The file can be loaded the next time you run a Java applet or visit a website. In this way

information unique to you as a user can be saved between sessions. The maximum size of a cookie is

approximately 4KB.

Client/server computing—Term used to describe distributed computing (processing) network systems in which

transaction responsibilities are divided into two parts: client (front end) and server (back end). Also called

distributed computing. See also RPC.

Conduit—An exception to the PIX Firewall Adaptive Security Algorithm permitting connections from external

to internal networks. Refer to the Configuration Guide for the Cisco Secure PIX Firewall Version x.x for

information on conduits.

Configuration, Config, Config File—The PIX Firewall file which represents the equivalent of settings,

preferences, and properties administered by PDM or the CLI. See also Configuration File Terminology.

CSPM—Cisco Secure Policy Manager (CSPM) is a multi-device management tool for Cisco security products

including PIX firewalls, Cisco IOS firewalls, VPN routers and Intrusion Detection System (IDS) Sensors. CSPM

also provides other management services including monitoring, notification and reporting. For more information,

see http://wwwin.cisco.com/cmc/cc/pd/sqsw/sqppmn/prodlit/csp22_rg.htm . Caution: CSPM operates on the

assumption that it is the only management interface for the PIX, and it will overwrite configuration changes made

through other means, including PDM. See CSPM and PDM in Applying Configuration Changes for additional

information.

Cut-Through Proxies—User-based authentication of inbound or outbound connections. Allows security policies

to be enforced on a per-user-ID basis, providing faster traffic flow after authentication.

DHCP—Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses to hosts

dynamically, so that addresses can be reused when hosts no longer need them.

DMZ—See Interface

DNS—Domain Name System (or Service). An Internet service that translates domain names, which are

alphabetic, into IP addresses, which are composed of numbers.

Dynamic PAT, NAT—See NAT, PAT, Address Translation.

E-H

ECHO—See Ping, ICMP. See also Fixup.

Failover, Failover mode—The PIX Firewall feature which links a primary unit and standby (or secondary) unit

together, sharing the same configuration file, so that, if the primary fails, the standby unit can continue to provide

network services. See also System Properties>Failover.

Fixup—A procedure the PIX Firewall employs to process certain application-level protocols. The specific

processing performed by a Fixup will vary by protocol, and can include tasks such as translating IP addresses

embedded in the protocol payload and providing access through the PIX Firewall for dynamically-created data

sessions.

Flash, Flash memory—A memory chip which retains data without power. A type of nonvolatile storage device.

The PIX Firewall configuration may written to its internal Flash by a menu item or . Note: Not related to

Macromedia Flash, a web animation plug-in and file format standard.

FragGuard feature—a Cisco feature that provides IP fragment protection and performs full reassembly of all

ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX

Firewall.

FTP—File Transfer Protocol. Part of the TCP/IP protocol stack, used for transferring files between hosts. See

also Fixup.

H.323—A standard that enables video conferencing over local-area networks (LANs) and other packet-swiched

networks, as well as video over the Internet. See also Fixup.

Host—A computer, such as a PC, or other computing device, such as a server, associated with an individual IP

address and optionally a name. The name for any device on a TCP/IP network that has an IP address. In PIX

Firewall configuration, a host is distinguished from a network. Also any network-addressable device on any

network. The term "node" includes devices such as routers and printers which would not normally be called

"hosts".

Host/Network—An IP address and mask (or netmask) used with other information to identify a single host or

network subnet for PIX Firewall configuration, such as an address translation (xlate) or access control rule

(ACE).

HTTP, HTTPS—Hypertext Transfer Protocol, Hypertext Transfer Protocol, Secure. The protocol used by Web

browsers and Web servers to transfer files, such as text and graphic files. See also Fixup.

I-L

ICMP—Internet Control Message Protocol. Network layer Internet protocol that reports errors and provides other

information relevant to IP packet processing.

Implicit Rule—An Access Rule automatically created by the PIX Firewall based on default rules or as a result of

user-defined rules.

Inside—See Interface.

Interface, Interface Name—The physical connection between a particular network and a PIX Firewall. The

inside interface default name is "inside" and the outside interface default name is "outside." Any perimeter

interface default names are "intfn," such as "intf2" for the first perimeter interface, "intf3" for the second

perimeter interface, and so on to the last interface. The numbers in the intf string corresponds to the interface

card's position in the PIX Firewall. You can use the default names or, if you are an experienced user, give each

interface a more meaningful name.

Interface Names—Human readable name assigned to a PIX Firewall network interface, a physical network

connector. These names are customary and referenced by PIX Firewall documentation:

inside—The first interface, usually port 1, which connects your internal, "trusted" network protected by

your PIX Firewall.

●

outside—The first interface, usually port 0, which connects to other "untrusted" networks outside your PIX

Firewall; the Internet.

●

intfn—Any interface, usually beginning with port 2, which connects to a subset network of your design

that you can custom name and configure, for example, dmz to be an "inside" or "outside" type.

●

Interface PAT—The use of Port Address Translation where the PAT IP address is also the IP address of●

the outside interface. See PAT.

Internet—The global network which uses IP, Internet protocols. Not a LAN. See also intranet.

Intranet—Intranetwork. A LAN which uses IP, Internet protocols. See also network, Internet.

IP—Internet Protocol. The Internet protocols are the world's most popular open-system (nonproprietary) protocol

suite because they can be used to communicate across any set of interconnected networks and are equally well

suited for LAN and WAN communications.

IP Address—IP version 4 addresses are 32-bits, or 4 bytes, in length. This address "space" is used to designate

the following:

network number●

optional subnetwork number●

a host number●

The 32 bits are grouped into four octets (8 binary bits), represented by 4 decimal numbers separated by periods or

"dots". The meaning of each of the four octets is determined by their use in a particular network.

LAN—Local Area Network. A network residing in one location or belonging to one organization, typically, but

not necessarily using the Internet protocols. Not the global Internet. See also intranet, network, Internet.

M-P

Mask, IP Subnet Mask, Netmask, —A 32-bit bit mask which shows how an Internet address is to be divided

into network, subnet and host parts. The netmask has ones in the bit positions in the 32-bit address which are to

be used for the network and subnet parts, and zeros for the host part. The mask should contain at least the

standard network portion (as determined by the address's class), and the subnet field should be contiguous with

the network portion. See also IP Address, TCP/IP, host , host/network.

NAT—Network Address Translation. Mechanism for reducing the need for globally unique IP addresses. NAT

allows an organization with addresses that are not globally unique to connect to the Internet by translating those

addresses into globally routable address space. There are two types of NAT—static and dynamic. See also, PAT,

Static PAT.

Netmask—See Mask.

Network—In the context of PIX Firewall configuration, a network is a group of computing devices which share

part of an IP address space and not a single host. A network consists of multiple "nodes" or devices with IP

address, any of which may be referred to as "hosts". See also Internet, Intranet, IP, LAN.

Node—See host, network

Nonvolatile storage, memory—Storage or memory which, unlike RAM (Random Access Memory) retains its

contents without power. Data in a nonvolatile storage device survives a power-off, power-on cycle or reboot.

Outbound—Outbound CLI commands lets you specify whether inside users can create outbound connections.

Outside—See Interface.

PAT, Dynamic—Port Address Translation. Dynamic PAT lets multiple outbound sessions appear to originate

from a single IP address. With PAT enabled, the PIX Firewall unit chooses a unique port number from the PAT

IP address for each outbound translation slot (xlate). This feature is valuable when an Internet service provider

cannot allocate enough unique IP addresses for your outbound connections. The global pool addresses always

come first, before a PAT address is used. See also, Static PAT, More information about Dynamic NAT, NAT.

Perfmon—PIX feature which gathers and reports a wide variety of feature statistics, such as connections/second,

xlates/second, etc.

Ping—An ICMP request sent between hosts to determine if a host is accessible on the network.

PPTP—Point-to-Point Tunneling Protocol.

Primary, Primary unit—The PIX Firewall unit normally operating when two units are operating in Failover

mode.

Proxy-ARP—This feature enables the PIX Firewall to reply to an ARP request for IP addresses in the global

pool. See also

Q-T

RADIUS—Remote Authentication Dial-In User Service. See also AAA, TACACS+

Refresh—

RPC—remote procedure call. RPCs are procedure calls that are built or specified by clients and executed on

servers, with the results returned over the network to the clients. See also client/server computing.

Caution: RPC is not a very secure protocol and should be used with caution.

Route—path through an internetwork.

RPF—Reverse Path Forwarding.

RSA—A public-key cryptographic system which may be used for encryption and authentication. (Acronym

stands Rivest, Shamir, and Adelman, the inventors of the technique.)

RSH—Remote Shell Protocol. A protocol that allows a user to execute commands on a remote system without

having to log in to the system. For example, RSH can be used to remotely examine the status of a number of

access servers without connecting to each communication server, executing the command, and then disconnecting

from the communication server. See also Fixup.

RTSP—Real Time Streaming Protocol. Enables the controlled delivery of real-time data, such as audio and

video. RTSP is designed to work with established protocols, such as Routing Table Protocol (RTP) and HTTP.

Other manuals for PIX 520 - PIX Firewall 520

This manual suits for next models

Table of contents

Other Cisco Software manuals

Cisco

Cisco 6503-E - Catalyst Chassis With Supervisor Engine 32... Instruction Manual

Cisco

Cisco 1700 series User manual

Cisco

Cisco CRS-1 - Carrier Routing System Router Instruction Manual

Cisco

Cisco ROUTER-SDM-CD User manual

Cisco

Cisco DCNM Quick guide

Cisco

Cisco TELEPRESENCE MANAGEMENT SUITE EXTENSION 2.2 - FOR MICROSOFT... User manual

Cisco

Cisco OL-6900-01 Operator's manual

Cisco

Cisco TELEPRESENCE CALL DETAIL RECORDS FILE FORMAT... User manual

Cisco

Cisco IP Communicator User manual

Cisco

Cisco TELEPRESENCE MANAGEMENT SUITE EXTENSION 2.2 - FOR MICROSOFT... Service manual

Cisco

Cisco TELEPRESENCE MANAGEMENT SUITE SECURE SERVER - CONFIGURATION GUIDE... User manual

Cisco

Cisco MeetingPlace Video Integration Service manual

Cisco

Cisco IPS-4240-K9 - Intrusion Protection Sys 4240 User manual

Cisco

Cisco Unity Express 8.0 Voice-Mail System User manual

Cisco

Cisco CCNA NETWORK SIMULATOR User manual

Cisco

Cisco CSACSE-1111-K9 - Secure Access Control Server Solution... User manual

Cisco

Cisco Servers User manual

Cisco

Cisco 6.x and 7.0 Quick start guide

Cisco

Cisco TELEPRESENCE MANAGEMENT SUITE User manual

Cisco

Cisco III - Supervisor Engine III User manual

Cisco

Cisco GO GREEN User manual

Cisco

Cisco CVPN3002-8E-K9 - Fast Ethernet VPN Gateway User manual

Cisco

Cisco ACTIVE NETWORK ABSTRACTION - BROCHURE WHATS NEW IN RELEASE... User manual

Cisco

Cisco PVDM2 24DM - Digital Modem Module User manual

Popular Software manuals by other brands

COMPRO

COMPRO COMPROFM manual

Muratec

Muratec OFFICEBRIDGE ONLINE user guide

Oracle

Oracle Contact Center Anywhere 8.1 installation guide

Adobe

Adobe 65007312 - Photoshop Lightroom Programmer's guide

Avaya

Avaya NULL One-X for RIM Blackberry user guide

HP ProLiant BL420c user guide

PS Audio

PS Audio PowerPlay Programming manual

Brady

Brady LOCKOUT PRO 3.0 Administrator's guide

Avaya

Avaya Interaction Center user guide

Texas Instruments

Texas Instruments TI-83 Plus Silver Edition Guide book

Novell

Novell GROUPWISE 8 - INTERNET AGENT manual

Oracle

Oracle Application 9i Configuration guide

Acer

Acer RDM user guide

Canon

Canon Vixia HF21 instruction manual

Canon

Canon ZR950 instruction manual

Samsung

Samsung Auto Backup user manual

Polycom

Polycom Vortex EF2201 Application note

Brocade Communications Systems

Brocade Communications Systems Brocade 8/12c user manual