© 2003, Cisco Systems, Inc. All rights reserved. CSPFA 3.116-1 Chapter 16 Cisco PIX Device Manager.

Transcript:

Chapter 16: Cisco PIX Device Manager

Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Describe PDM and its capabilities.
- Describe PDM's browser and PIX Firewall requirements.
- Prepare the PIX Firewall to use PDM.
- Navigate PDM configuration windows.

Objectives (cont.)

- Describe other tools that PDM provides.
- Install PDM.
- Configure inside to outside access through the PIX Firewall using PDM.
- Configure outside to inside access through the PIX Firewall using PDM.
- Use PDM to create site-to-site VPNs.
- Use PDM to create remote access VPNs.
- Use the VPN wizard to create site-to-site and remote access VPNs.
- Test and verify PDM functionality.

PDM Overview

What Is PDM?

PDM is a browser-based configuration tool designed to help configure and monitor your PIX Firewall.

[Figure labels: Internet; SSL secure tunnel]

PDM Features

- Works with PIX Firewall software version 6.0 and higher.
- Operates on PIX Firewall 500 series models.
- Implemented in Java to provide robust, real-time monitoring.
- Runs on a variety of platforms.
- Does not require a plug-in software installation.
- Comes preloaded into Flash memory on new PIX Firewalls running versions 6.0 and higher.
- For upgrading from a previous version of PIX Firewall, it can be downloaded from Cisco and then copied to the PIX Firewall via TFTP.
- Works with SSL to ensure secure communication with the PIX Firewall.

PDM Operating Requirements

PDM's PIX Firewall Requirements

A PIX Firewall must meet the following requirements to run PDM:
- Software version compatible with the PDM software version you plan to use.
- Hardware model compatible with the PDM software version you plan to use.
- Activation key that enables DES or 3DES.
- At least 8 MB of Flash memory.
- Configuration less than 100 KB.

PDM's Browser Requirements

To access PDM from a browser, you must meet the following requirements:
- JavaScript and Java must be enabled.
- Browser support for SSL must be enabled.

Supported Platforms

- Windows
- SUN Solaris
- Linux

Prepare for PDM

Configure the PIX Firewall to Use PDM

Before you can use or install PDM, you need to enter the following information on the PIX Firewall via a console terminal:
- Password
- Time
- Inside IP address
- Inside network mask
- Hostname
- Domain name
- IP address of host running the PDM

You must also enable the HTTP server on the PIX Firewall.

Setup Dialog

Pre-configure PIX Firewall now through interactive prompts [yes]?
Enable Password [ ]: ciscopix
Clock (UTC):
  Year [2002]:
  Month [Aug]:
  Day [27]: 28
  Time [22:47:37]: 14:22:00
Inside IP address: 10.0.P.1
Inside network mask:
Host name: pixP
Domain name: cisco.com
IP address of host running PIX Device Manager: 10.0.P.11
Use this configuration and write to flash? Y
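An added example, not part of the Cisco course material: a short Python audit of the `http` lines this preparation step leaves in the configuration, flagging management access wider than the single inside host the setup dialog asks for. The sample configuration is constructed (pod number P taken as 1), and the `http <ip> [netmask] [if_name]` form with its defaults is assumed PIX 6.x CLI syntax that does not appear on the slides.

```python
import ipaddress

# Constructed PIX 6.x excerpt (not from the slides); pod number P taken as 1.
SAMPLE_CONFIG = """\
hostname pix1
ip address inside 10.0.1.1 255.255.255.0
http server enable
http 10.0.1.11 255.255.255.255 inside
http 10.0.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
"""

def parse_http_entries(config_text):
    """Return (server_enabled, [(network, interface), ...]) from `http` lines."""
    enabled, entries = False, []
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "http":
            continue
        if tok[1:3] == ["server", "enable"]:
            enabled = True
            continue
        # Assumed form: http <ip> [<netmask>] [<if_name>]; when omitted, the
        # mask defaults to a single host and the interface to inside.
        args, mask, ifname = tok[2:], "255.255.255.255", "inside"
        if args and args[0][0].isdigit():
            mask = args.pop(0)
        if args:
            ifname = args[0]
        prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
        net = ipaddress.ip_network(f"{tok[1]}/{prefix}", strict=False)
        entries.append((net, ifname))
    return enabled, entries

def audit_pdm_access(config_text):
    """Flag PDM access wider than one host on the inside interface."""
    enabled, entries = parse_http_entries(config_text)
    findings = []
    if not enabled:
        findings.append(("server-disabled", "http server enable is missing"))
    if enabled and not entries:
        findings.append(("no-hosts", "no host is permitted to reach PDM"))
    for net, ifname in entries:
        if ifname != "inside":
            findings.append(("non-inside", f"{net} permitted on {ifname}"))
        if net.num_addresses > 1:
            findings.append(("broad-range", f"{net} covers {net.num_addresses} addresses"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_pdm_access(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```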

Using PDM to Configure the PIX Firewall

Startup Wizard

The PDM Startup Wizard enables you to easily perform basic configuration of the PIX Firewall.

Overall Layout

PDM consists of six major configuration areas:
- Access Rules
- Translation Rules
- VPN
- Hosts/Networks
- System Properties
- Monitoring

Access Rules Tab

From the Access Rules tab, you can view, edit, add, and delete ACLs and bind them to interfaces. You can also create service groups and view, enable, or disable Java and ActiveX filtering.

Translation Rules Tab

From the Translation Rules tab, you can view, edit, create, and delete static and dynamic address translation rules.

VPN Tab

From the VPN tab, you can create site-to-site and remote access VPNs.

Hosts/Networks Tab

From the Hosts/Networks tab, you can view, edit, add, or delete hosts, networks, and network groups.

System Properties Tab

From the System Properties tab, you can configure such features as the following:
- Interfaces
- Failover
- Routing
- User accounts for command authorization
- DHCP Server
- Privilege level for command authorization
- Logging
- AAA
- URL filtering
- Remote management
- Intrusion detection
- Turbo ACLs
- Multicast

Monitoring Tab

The Monitoring tab enables you to monitor per-interface statistics, such as packet counts and bit rates, for each enabled interface on the PIX Firewall.

Interface Graphs Panel

The Interface Graphs panel enables you to monitor per-interface statistics, such as packet counts and bit rates, for each enabled interface on the PIX Firewall.

Tools and Options

The following are among the tasks you can perform from the drop-down menus in PDM's main window:
- Enable the Preview Commands Before Sending to PIX option, which enables you to preview any proposed configuration changes before they are applied.
- Use a text-based tool to send CLI commands to the PIX Firewall and to display responses.
- Use the ping tool to verify the operation of your PIX Firewall and surrounding communications links.

Using PDM to Create Site-to-Site VPNs

Setting System Options

Permit IPSec packets to bypass PIX Firewall ACLs and conduits by selecting VPN System Options from the Categories tree and selecting the Bypass access check for IPSec traffic check box.

Configuring IKE

Select Policies from the IKE branch of the Categories tree and click Add to create an IKE policy.

Certificates

Select Certificate > Configuration from the IKE branch of the Categories tree to configure CAs.

Configuring Transform Sets

Select Transform Sets from the IPSec branch of the Categories tree to configure transform sets.

Creating a Crypto Map

Select Tunnel Policy from the IPSec branch of the Categories tree to create a crypto map.

Creating an IPSec Rule

Select IPSec Rules from the IPSec branch of the Categories tree and choose Add to define crypto ACLs.

Using PDM to Create Remote Access VPNs

Configuring the PIX Firewall for VPN Clients

To configure the PIX Firewall to work with VPN clients, select Cisco VPN Client from the Remote Access branch of the Categories tree.

Configuring the PIX Firewall for Windows 2000 Clients

To configure the PIX Firewall to work with Windows 2000 clients, select L2TP/PPTP Client from the Remote Access branch of the Categories tree.

VPN Hardware Client Setting

To configure the PIX Firewall as a hardware client, select VPN Hardware Client from the Categories tree.

Summary

- PDM is a browser-based tool used to configure your PIX Firewall.
- Minimal setup on the PIX Firewall is required to run PDM.
- PDM contains several tools in addition to the GUI to help configure your PIX Firewall.
- PDM can be used to create site-to-site and remote access VPNs.

Lab Exercise

Lab Visual Objective

[Figure: lab visual objective diagram. Labels: Student PC running PDM in browser; PIX Firewall; Local: 10.0.P.11; Remote: 10.1.P.11; Remote: 10.1.Q.11; RTS; RBB; Web; FTP; Pods 1–5]