Introduction

Table Of Contents

Introduction

Hardware and Software Requirements

Version 5.0

Version 4.4

Version 4.3

Version 4.2

Safety Recommendations

Maintaining Safety with Electricity

Preventing Electrostatic Discharge Damage

General Site Requirements

Site Environment

Preventive Site Configuration

Power Supply Considerations

Configuring Equipment Racks


Introduction


The Cisco Secure PIX Firewall ships ready to power on and configure. The configuration in the Flash memory lets the PIX Firewall start up, but it does not permit traffic to pass through the network until you configure it to do so. Installing the PIX Firewall consists of unpacking the unit, placing it in a safe place, installing any optional hardware, optionally mounting it in an equipment rack, connecting the network cables, and powering on the unit.

This guide describes how to add hardware upgrades and install optional PIX Firewall software that accompanies the unit. The information in this guide applies to all current and previous models of the PIX Firewall including the PIX 515, PIX 520, PIX 510, PIX10000, and the PIX Firewall. In this guide, the term "PIX Firewall" refers to all models unless specifically noted.


Note   If you are not installing additional cards or software and you know how to power on your unit and attach network cables, you can proceed directly to the Configuration Guide for the Cisco Secure PIX Firewall Version 5.0.


This chapter includes the following sections:

Hardware and Software Requirements

Safety Recommendations

General Site Requirements

Hardware and Software Requirements

This section includes the following topics, which describe the PIX Firewall requirements by version.

Version 5.0

The following requirements and restrictions apply:

The PIX Firewall must have at least a 2 MB Flash memory card (the PIX 515 has a 16 MB Flash memory embedded on the motherboard)

The PIX Firewall must have at least 16 MB of RAM memory (32 MB of RAM is recommended)

Up to 6 interfaces are supported

The PIX 520 and earlier models have four PCI slots that you can use for any of the following:

One four-port Ethernet card and up to two single-port Ethernet or Token Ring cards

Four single-port Ethernet or Token Ring cards

One Private Link VPN card and up to three Ethernet or Token Ring interface cards (some earlier models have an ISA slot Private Link card and can have up to four interface cards in the PCI slots)

Two FDDI interface cards

The PIX 515 has two Ethernet connectors on the motherboard and two PCI slots. You can use any of the following in the PCI slots:

One four-port Ethernet card

Two single-port Ethernet cards

The PIX 515 does not have a diskette drive and requires you to have a TFTP server to provide the image to the PIX 515 via TFTP (Trivial File Transfer Protocol). In addition, you need to store the PIX Firewall binary image on the computer on which you will run the TFTP server.

You can download a free TFTP server from Cisco at:

http://www.cisco.com/pcgi-bin/tablebuild.pl/tftp

You can get the most current PIX Firewall image from:

http://www.cisco.com/pcgi-bin/tablebuild.pl/pix

When the PIX 515 starts, you can access boot mode by pressing the Esc key. You can then use TFTP to download the binary image to your PIX 515.

If Stateful Failover is used, a dedicated full-duplex, 100BaseTX Ethernet interface is required on both PIX Firewall units to transmit state information. The dedicated interface cable connecting the two units can be either a crossover cable or regular Ethernet cables and a hub. FDDI is not supported with Stateful Failover. Token Ring interfaces are supported with Stateful Failover as long as each dedicated interface is a full-duplex, 100BaseTX Ethernet interface. Stateful Failover with Token Ring interfaces is not supported on the PIX 515, which does not support Token Ring. Stateful Failover supports long-lived connections such as FTP, Telnet, and H.323; HTTP connection state information is not passed to the Secondary unit in the event of a failover.

The maximum configuration size is 350 KB regardless of the size of Flash memory.

Version 4.4

The following requirements and restrictions apply:

The PIX Firewall must have at least a 2 MB Flash memory card (the PIX 515 has a 16 MB Flash memory card)

The PIX Firewall must have at least 16 MB of RAM memory

Up to 6 interfaces are supported

The PIX 520 and earlier models have four PCI slots that you can use for any of the following:

One four-port Ethernet card and up to two single-port Ethernet or Token Ring cards

Four single-port Ethernet or Token Ring cards

One Private Link VPN card and up to three Ethernet or Token Ring interface cards (some earlier models have an ISA slot Private Link card and can have up to four interface cards in the PCI slots)

Two FDDI interface cards

The PIX 515 has two Ethernet connectors on the motherboard and two PCI slots. You can use any of the following in the PCI slots:

One four-port Ethernet card

Two single-port Ethernet cards

One Private Link VPN card and, if needed, one additional single-port Ethernet card

The maximum configuration size is 1 MB regardless of the size of Flash memory

Version 4.3

The following requirements and restrictions apply:

The PIX Firewall must have a 2 MB Flash memory card

The PIX Firewall must have at least 16 MB of RAM memory

Up to four interfaces are supported

The PIX 520 and earlier models have four PCI slots that you can use for any of the following:

Four Ethernet cards

Three Token Ring cards

One Private Link VPN card and up to three Ethernet or Token Ring interface cards (some earlier models have an ISA slot Private Link card and can have up to four interface cards in the PCI slots)

The maximum configuration size is 400 KB

Version 4.2

The following requirements and restrictions apply:

The PIX Firewall must be equipped with a 2 MB Flash memory card

Version 4.2(3) supports up to four Ethernet interfaces. Three Token Ring interfaces have been tested with the PIX Firewall.

Version 4.2(4) supports up to four interfaces, which may be either Token Ring or Ethernet.

The PIX 520 and earlier models have four PCI slots that you can use for any of the following:

Four Ethernet cards

Three or four Token Ring cards depending on the version

One Private Link VPN card and up to three Ethernet or Token Ring interface cards (some earlier models have an ISA slot Private Link card and can have up to four interface cards in the PCI slots)

The maximum size of the configuration differs by the number of interfaces and the RAM size. With four interfaces and 8 MB of RAM, the maximum configuration is 128 KB.

Safety Recommendations


Note   If you need to open the PIX Firewall case to install a hardware component such as additional memory or an interface card, doing so does not affect your Cisco warranty. Upgrading the PIX Firewall does not require any special tools and does not create any radio frequency leaks.


The guidelines that follow help ensure your safety and protect the PIX Firewall equipment. The list of guidelines may not address all potentially hazardous situations in your working environment, so be alert and exercise good judgement at all times.

The safety guidelines are:

Keep the chassis area clear and dust-free before, during and after installation.

Keep tools away from walk areas where you and others could fall over them.

Do not wear loose clothing or jewelry, such as earrings, bracelets, or chains, that could get caught in the chassis.

Wear safety glasses if you are working under any conditions that might be hazardous to your eyes.

Do not perform any action that creates a potential hazard to people or makes the equipment unsafe.

Never attempt to lift an object that is too heavy for one person to handle.

The remainder of this section describes Maintaining Safety with Electricity and Preventing Electrostatic Discharge Damage.

Maintaining Safety with Electricity


Warning   

Before working on a chassis or working near power supplies, unplug the power cord on AC units; disconnect the power at the circuit breaker on DC units.


Follow these guidelines when working on equipment powered by electricity:

Before beginning procedures that require access to the interior of the PIX Firewall, locate the emergency power-off switch for the room in which you are working. Then, if an electrical accident occurs, you can act quickly to turn off the power.

Do not work alone if potentially hazardous conditions exist anywhere in your work space.

Never assume that power is disconnected from a circuit; always check the circuit.

Look carefully for possible hazards in your work area, such as moist floors, ungrounded power extension cables, frayed power cords, and missing safety grounds.

If an electrical accident occurs, proceed as follows:

Use caution; do not become a victim yourself.

Disconnect power from the system.

If possible, send another person to get medical aid. Otherwise, assess the condition of the victim and then call for help.

Determine if the person needs rescue breathing or external cardiac compressions; then take appropriate action.

Use the PIX Firewall within its marked electrical ratings and product usage instructions.

Install the PIX Firewall in compliance with the following local and national electrical codes:

United States—National Fire Protection Association (NFPA) 70; United States National Electrical Code.

Canada—Canadian Electrical Code, Part I, CSA C22.1.

Other countries—International Electrotechnical Commission (IEC) 364, Part 1 through
Part 7.

PIX Firewall models equipped with AC-input power supplies are shipped with a 3-wire electrical cord with a grounding-type plug that fits only a grounding-type power outlet. This is a safety feature that you should not circumvent. Equipment grounding should comply with local and national electrical codes.

PIX Firewall models equipped with DC-input power supplies must be terminated with the DC input wiring on a DC source capable of supplying at least 15 amps. A 15-amp circuit breaker is required at the 48 VDC facility power source. An easily accessible disconnect device should be incorporated into the facility wiring. Be sure to connect the grounding wire conduit to a solid earth ground. Cisco recommends that you use a closed loop ring to terminate the ground conductor at the ground stud.

Other DC power guidelines are:

Only a DC power source that complies with the safety extra low voltage (SELV) requirements in UL1950, CSA C22.2 Number 950, EN 60950, and IEC 950 can be connected to a PIX Firewall DC-input power supply.

PIX Firewall models equipped with DC-input power supplies are only intended for installation in a restricted access location in accordance with Articles 110-16, 110-17, and 110-18 of the National Electric Code ANSI/ NFPA 70.

Preventing Electrostatic Discharge Damage

Electrostatic discharge (ESD) can damage equipment and impair electrical circuitry. ESD damage occurs when electronic components are improperly handled and can result in complete or intermittent failures.

Always follow ESD-prevention procedures when removing and replacing components. Ensure that the chassis is electrically connected to earth ground. Wear an ESD-preventive wrist strap, ensuring that it makes good skin contact. Connect the grounding clip to an unpainted surface of the chassis frame to safely ground ESD voltages. To properly guard against ESD damage and shocks, the wrist strap and cord must operate effectively. If no wrist strap is available, ground yourself by touching the metal part of the chassis.

For safety, periodically check the resistance value of the antistatic strap, which should be between 1 and 10 megohms (Mohms).

General Site Requirements

The topics in this section describe the requirements your site must meet for safe installation and operation of your system. Ensure that your site is properly prepared before beginning installation.

This section includes the following topics:

Site Environment

Preventive Site Configuration

Site Environment

The PIX Firewall can be placed on a desktop or mounted in a rack. The location of the PIX Firewall and the layout of your equipment rack or wiring room are extremely important for proper system operation. Equipment placed too close together, inadequate ventilation, and inaccessible panels can cause system malfunctions and shutdowns, and can make PIX Firewall maintenance difficult.

When planning your site layout and equipment locations, keep in mind the precautions described in the next section "Preventive Site Configuration," to help avoid equipment failures and reduce the possibility of environmentally caused shutdowns. If you are currently experiencing shutdowns or unusually high errors with your existing equipment, these precautions may help you isolate the cause of failures and prevent future problems.

Preventive Site Configuration

The following precautions will help you plan an acceptable operating environment for your PIX Firewall and will help you avoid environmentally caused equipment failures:

Electrical equipment generates heat. Ambient air temperature might not be adequate to cool equipment to acceptable operating temperatures without adequate circulation. Ensure that the room in which you operate your system has adequate air circulation.

Always follow the ESD-prevention procedures described previously to avoid damage to equipment. Damage from static discharge can cause immediate or intermittent equipment failure.

Ensure that the chassis cover is secure. The chassis is designed to allow cooling air to flow effectively within it. An open chassis allows air leaks, which may interrupt and redirect the flow of cooling air from internal components.

This section includes the following topics:

Power Supply Considerations

Configuring Equipment Racks

Power Supply Considerations

The PIX Firewall, PIX10000, and PIX Firewall 515 have AC power supplies; the PIX Firewall 520 can have either an AC or DC power supply.

Observe the following considerations:

Check the power at your site before installing the PIX Firewall to ensure that you are receiving "clean" power (free of spikes and noise). Install a power conditioner if necessary, to ensure proper voltages and power levels in the source voltage for the system.

Install proper grounding for the site to avoid damage from lightning and power surges.

In units equipped with AC-input power supplies, use these guidelines:

The PIX Firewall and PIX10000 models automatically select operating ranges of a low range of 90 to 135 volts or a high range of 180 to 270 volts. The PIX Firewall 510 and 520 models operate with a source voltage ranging from 100 to 240 VAC; the input power supply requires a 20 amp service minimum for North America and 10 amp or 16 amp for the international area.

Several styles of AC-input power supply cords are available; make sure you have the correct style for your site.

Install an uninterruptible power source for your site, if possible.

Install proper site grounding facilities to guard against damage from lightning or power surges.

In a unit equipped with DC-input power supplies, use these guidelines:

Each DC-input power supply requires dedicated 15 amp service.

For DC power cables, Cisco recommends that you use a minimum of 18 AWG wire cable.

Configuring Equipment Racks

The following tips will help you plan an acceptable equipment rack configuration:

PIX Firewall 515 and 520 units require you to first attach the rack mounting flanges to the unit. Rack mounting a PIX 515 is described in "Installing a PIX 515" in "."

You can attach these to either the front or rear of the unit depending on which orientation you prefer to access the network cable connectors.

Enclosed racks must have adequate ventilation. Ensure that the rack is not overly congested because each unit generates heat. An enclosed rack should have louvered sides and a fan to provide cooling air.

When mounting a chassis in an open rack, ensure that the rack frame does not block the intake or exhaust ports. If the chassis is installed on slides, check the position of the chassis when it is seated all the way into the rack.

In an enclosed rack with a ventilation fan in the top, excessive heat generated by equipment near the bottom of the rack can be drawn upward and into the intake ports of the equipment above it in the rack. Ensure that you provide adequate ventilation for equipment at the bottom of the rack.

Baffles can help to isolate exhaust air from intake air, which also helps to draw cooling air through the chassis. The best placement of the baffles depends on the airflow patterns in the rack. Experiment with different arrangements to position the baffles effectively.