Introduction
The Cisco Secure PIX Firewall ships ready to power on and configure. The configuration in the Flash memory lets the PIX Firewall start up, but it does not permit traffic to pass through the network until you configure it to do so. Installing the PIX Firewall consists of unpacking the unit, placing it in a safe place, installing any optional hardware, optionally mounting it in an equipment rack, connecting the network cables, and powering on the unit.
This guide describes how to add hardware upgrades and install optional PIX Firewall software that accompanies the unit. The information in this guide applies to all current and previous models of the PIX Firewall including the PIX 506, PIX 510, PIX 515, PIX 520, PIX 525, PIX10000, and the PIX Firewall. In this guide, the term "PIX Firewall" refers to all models unless specifically noted.
This chapter includes the following sections:
•Hardware and Software Requirements
•Safety Recommendations
•General Site Requirements
Hardware and Software Requirements
This section includes the following topics, which describe the PIX Firewall requirements by version:
•Version 5.2
•Version 5.1
•Version 5.0
•Version 4.4
•Version 4.3
•Version 4.2
Version 5.2
The following requirements and restrictions apply:
•The PIX Firewall must have at least a 16 MB Flash memory card.
–The PIX 515 and PIX 525 units have 16 MB Flash memory embedded on the motherboard.
–The PIX 506 has 8 MB Flash memory on the motherboard, which works correctly with version 5.2.
•The PIX Firewall must have at least 32 MB of RAM memory.
•Up to 6 interfaces are supported; the PIX 525 supports up to 8 interfaces with a UR license.
•The PIX 525 supports the following interfaces:
–One four-port Ethernet card and up to two single-port Ethernet cards
–Four single-port Ethernet cards
–Up to 2 Gigabit Ethernet cards with a UR license
•The PIX 520 and earlier models have four PCI slots that you can use for any of the following:
–One four-port Ethernet card and up to two single-port Ethernet or Token Ring cards
–Four single-port Ethernet or Token Ring cards
–Two FDDI interface cards
•Do not attempt to load version 5.1, or higher, on a PIX Firewall unit containing less than 32 MB of RAM memory. Note that PIX 506 and PIX 515 come equipped with 32 MB of RAM memory and the PIX 525 has 128 MB of memory. While the PIX Firewall may appear to permit this configuration, upon reboot, the PIX Firewall unit will continuously fail. You can stop this by immediately inserting a previous software version diskette into the PIX Firewall unit and then pressing the reboot switch.
•Version 5.1 or higher requires at least 2 MB of Flash memory. This version supports 2 MB, 8 MB, or a 16 MB Flash memory card (if you upgrade from 2 MB to 16 MB, do not leave the 2 MB card installed).
•Maximum configuration size is 350 KB for a 2 MB and 8 MB Flash memory card and 1 MB for a 16 MB Flash memory card.
•Use the show version command to verify how much memory is in your Flash memory and RAM.
Note The 16 MB Flash memory card driver has been enhanced so that older PIX Firewall models can use the 16 MB card with software version 5.0.3 or higher. The maximum configuration size with the 16 MB Flash memory card is 1 MB.
•If you are upgrading from version 4 or earlier, you must have a new activation key for the IPSec features or commands. You can have a new activation key sent to you by completing the form at the following site, provided you are a registered user:
https://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324
To become a registered Cisco user, complete the form at the following site:
http://tools.cisco.com/RPF/register/register.do
•Before installing this version, save your configuration and write down your activation key and serial number. Refer to "Installation Enhancement" for new installation requirements.
This section includes the following topics:
•Failover Serial Connection
•Inside and Outside Port Restriction Change
•Installation Enhancement
Failover Serial Connection
The failover serial connection has been increased from 9600 baud to 117,760 baud (115K). The maximum supported length for the failover serial cable is 6 feet.
Note Use the failover cable that is shipped with the PIX Firewall unit. If you use a replacement cable, it must have the same specifications as the supplied cable (length, type, and pinouts).
Inside and Outside Port Restriction Change
With the 5.2 software release, you are no longer required to use specific Ethernet ports as the inside and outside network ports. Any port, whether fixed or a PCI expansion port, and any interface type (FDDI, Token Ring, Fast Ethernet, or Gigabit Ethernet) can be assigned to be the inside or outside network port.
This revision does not change the rules for port numbering. Refer to "Installing a PIX Firewall" for a description of how ports are numbered for the different PIX Firewall models.
For more information about configuring the inside and outside networks, see the Release Notes for the Cisco Secure PIX Firewall, and the Cisco PIX Firewall Configuration Guide, Version 5.2.
Installation Enhancement
PIX Firewall version 5.1 or higher now provides a software image larger than the size of a diskette. For PIX Firewall units that use a diskette to load the software, you now need to create a Boothelper diskette to start the installation, and then obtain the full image from a TFTP server. You will need your PIX Firewall activation key to complete the installation procedure. If you are upgrading from version 4, you must have obtained a new activation key to enable the VPN features in version 5.1 or higher. For details on how to use the Boothelper diskette and how to download and use a TFTP server, see "Before You Begin the Installation" in "Installing a PIX Firewall."
Version 5.1
The following requirements and restrictions apply:
•The new PIX Firewall model PIX 506 is a compact, desktop firewall security device. The PIX 506 has the following features:
–Two 10 Mbps (10BaseT) network ports
–Console port
–32 MB RAM memory
–8 MB Flash memory
The PIX 506 does not support failover or user upgradeable boards or memory; therefore, the PIX 506 chassis should not be opened. The PIX 506 is designed to be used on a flat surface and not rack mounted.
•Do not attempt to load version 5.1 on a PIX Firewall unit containing less than 32 MB of RAM memory. Note that PIX 506 and PIX 515 come equipped with 32 MB of RAM memory. While the PIX Firewall may appear to permit this configuration, upon reboot, the PIX Firewall unit will continuously fail. You can stop this by immediately inserting a previous software version diskette into the PIX Firewall unit and then pressing the reboot switch.
•Version 5.1 or higher requires at least 2 MB of Flash memory. This version supports 2 MB, 8 MB, or a 16 MB Flash memory card (if you upgrade from 2 MB to 16 MB, do not leave the 2 MB card installed).
•Maximum configuration size is 350 KB for a 2 MB and 8 MB Flash memory card and 1 MB for a 16 MB Flash memory card.
•Use the show version command to verify how much memory is in your Flash memory and RAM.
Note The 16 MB Flash memory card driver has been enhanced so that older PIX Firewall models can use the 16 MB card with software version 5.0.3 or higher. The maximum configuration size with the 16 MB Flash memory card is 1 MB.
•If you are upgrading from version 4 or earlier, you must have a new activation key for the IPSec features or commands. You can have a new activation key sent to you by completing the form at the following site, provided you are a registered user:
https://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324
To become a registered Cisco user, complete the form at the following site:
http://tools.cisco.com/RPF/register/register.do
•Before installing this version, save your configuration and write down your activation key and serial number. Refer to "Installation Enhancement" for new installation requirements.
Installation Enhancement
PIX Firewall version 5.1 or higher now provides a software image larger than the size of a diskette. For PIX Firewall units that use a diskette to load the software, you now need to create a Boothelper diskette to start the installation, and then obtain the full image from a TFTP server. You will need your PIX Firewall activation key to complete the installation procedure. If you are upgrading from version 4, you must have obtained a new activation key to enable the VPN features in version 5.1 or higher. For details on how to use the Boothelper diskette and how to download and use a TFTP server, see "Before You Begin the Installation" in "Installing a PIX Firewall."
Version 5.0
The following requirements and restrictions apply:
•The PIX Firewall must have at least a 2 MB Flash memory card (the PIX 515 has a 16 MB Flash memory card embedded on the motherboard)
•The PIX Firewall must have at least 16 MB of RAM memory (32 MB of RAM is recommended)
•Up to 6 interfaces are supported
•The PIX 520 and earlier models have four PCI slots that you can use for any of the following:
–One four-port Ethernet card and up to two single-port Ethernet or Token Ring cards
–Four single-port Ethernet or Token Ring cards
–One Private Link VPN card and up to three Ethernet or Token Ring interface cards (some earlier models have an ISA slot Private Link card and can have up to four interface cards in the PCI slots)
–Two FDDI interface cards
•The PIX 515 has two Ethernet connectors on the motherboard and two PCI slots. You can use any of the following in the PCI slots:
–One four-port Ethernet card
–Up to two single-port Ethernet cards
The PIX 515 does not have a diskette drive and requires you to have a TFTP server to provide the image to the PIX 515 via TFTP (Trivial File Transfer Protocol). In addition, you need to store the PIX Firewall binary image on the computer on which you will run the TFTP server.
You can download a free TFTP server from Cisco at the following site, provided you are a registered Cisco user:
http://www.cisco.com/pcgi-bin/tablebuild.pl/tftp
To become a registered Cisco user, complete the form at the following site:
http://tools.cisco.com/RPF/register/register.do
You can get the most current PIX Firewall image from the following site:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix
When the PIX 515 starts, you can access boot mode by pressing the Esc key. You can then use TFTP to download the binary image to your PIX 515.
•If Stateful Failover is used, a dedicated full-duplex, 100BaseTX Ethernet interface is required on both PIX Firewall units to transmit state information. The dedicated interface cable connecting the two units can be either a crossover cable or regular Ethernet cable and a hub. FDDI is not supported with Stateful Failover. Token Ring interfaces are supported with Stateful Failover as long as each dedicated interface is a full-duplex, 100BaseTX Ethernet interface. Stateful Failover with Token Ring interfaces is not supported on the PIX 515, which does not support Token Ring. Stateful Failover supports long-lived connections such as FTP, Telnet, and H.323; HTTP connection state information is not passed to the Secondary unit in the event of a failover.
In version 5.0, the maximum configuration size is 350 KB regardless of the size of Flash memory.
Version 4.4
The following requirements and restrictions apply:
•The PIX Firewall must have at least a 2 MB Flash memory card (the PIX 515 has a 16 MB Flash memory card)
•The PIX Firewall must have at least 16 MB of RAM memory
•Up to 6 interfaces are supported
•The PIX 520 and earlier models have four PCI slots that you can use for any of the following:
–One four-port Ethernet card and up to two single-port Ethernet or Token Ring cards
–Four single-port Ethernet or Token Ring cards
–One Private Link VPN card and up to three Ethernet or Token Ring interface cards (some earlier models have an ISA slot Private Link card and can have up to four interface cards in the PCI slots)
–Two FDDI interface cards
•The PIX 515 has two Ethernet connectors on the motherboard and two PCI slots. You can use any of the following in the PCI slots:
–One four-port Ethernet card
–Two single-port Ethernet cards
–One Private Link VPN card and, if needed, one additional single-port Ethernet card
•In version 4.4, the maximum configuration size is 1 MB regardless of the size of Flash memory
Version 4.3
The following requirements and restrictions apply:
•The PIX Firewall must have a 2 MB Flash memory card
•The PIX Firewall must have at least 16 MB of RAM memory
•Up to four interfaces are supported
•The PIX 520 and earlier models have four PCI slots that you can use for any of the following:
–Four Ethernet cards
–Three Token Ring cards
–One Private Link VPN card and up to three Ethernet or Token Ring interface cards (some earlier models have an ISA slot Private Link card and can have up to four interface cards in the PCI slots)
•In version 4.3, the maximum configuration size is 400 KB
Version 4.2
The following requirements and restrictions apply:
•The PIX Firewall must be equipped with a 2 MB Flash memory card.
•Version 4.2(3) supports up to four Ethernet interfaces. Three Token Ring interfaces have been tested with the PIX Firewall.
•Version 4.2(4) supports up to four interfaces, which may be either Token Ring or Ethernet.
•The PIX 520 and earlier models have four PCI slots that you can use for any of the following:
–Four Ethernet cards
–Three or four Token Ring cards depending on the version
–One Private Link VPN card and up to three Ethernet or Token Ring interface cards (some earlier models have an ISA slot Private Link card and can have up to four interface cards in the PCI slots)
•The maximum size of the configuration differs by the number of interfaces and the RAM size. With four interfaces and 8 MB of RAM, the maximum configuration is 128 KB.
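The following pre-upgrade check is an added example, not part of the original guide or of Cisco software. It applies the RAM, Flash memory, and configuration-size limits listed above for versions 4.3 through 5.2 to the output of show version; the output line layout, the binary KB/MB units, and all function names are assumptions, and the sample outputs are constructed.

```python
import re

KB, MB = 1024, 1024 * 1024  # assumption: the guide's KB and MB are binary units

# (minimum RAM in MB, minimum Flash in MB) per target version, transcribed from
# the lists above. 4.2 is left out: its limits depend on interface count and RAM.
# The 5.2 list also repeats the 5.1 "at least 2 MB" line; the stricter 16 MB
# line is used here.
MINIMUMS = {"5.2": (32, 16), "5.1": (32, 2), "5.0": (16, 2),
            "4.4": (16, 2), "4.3": (16, 2)}

def parse_show_version(text):
    """Pull model, RAM and Flash size out of show version output.
    The 'Hardware:' / 'Flash' line layout matched here is an assumption."""
    hw = re.search(r"^Hardware:\s+(PIX-\w+),\s*(\d+)\s*MB RAM", text, re.M)
    fl = re.search(r"^Flash\b.*,\s*(\d+)\s*MB", text, re.M)
    if not hw or not fl:
        raise ValueError("Hardware or Flash line not found")
    return {"model": hw.group(1), "ram_mb": int(hw.group(2)),
            "flash_mb": int(fl.group(1))}

def max_config_bytes(target, flash_mb):
    """Maximum configuration size for a target version and Flash size."""
    if target in ("5.2", "5.1"):
        return 1 * MB if flash_mb >= 16 else 350 * KB
    return {"5.0": 350 * KB, "4.4": 1 * MB, "4.3": 400 * KB}[target]

def preflight(show_version_text, target, config_bytes):
    """Return a list of (code, message) problems; empty means safe to load."""
    if target not in MINIMUMS:
        raise ValueError(f"no fixed limits recorded for version {target}")
    hw = parse_show_version(show_version_text)
    min_ram, min_flash = MINIMUMS[target]
    problems = []
    if hw["ram_mb"] < min_ram:
        # For 5.1 and higher this is the case that fails continuously on reboot.
        problems.append(("ram", f"{hw['ram_mb']} MB RAM, {target} needs {min_ram} MB"))
    # The PIX 506's 8 MB on-board Flash is listed as working with 5.2.
    pix506_ok = (target == "5.2" and hw["model"] == "PIX-506"
                 and hw["flash_mb"] >= 8)
    if hw["flash_mb"] < min_flash and not pix506_ok:
        problems.append(("flash", f"{hw['flash_mb']} MB Flash, {target} needs {min_flash} MB"))
    limit = max_config_bytes(target, hw["flash_mb"])
    if config_bytes > limit:
        problems.append(("config-size", f"config is {config_bytes} bytes, limit is {limit}"))
    return problems

# Constructed sample output (not captured from real units).
OLD_520 = "Hardware:   PIX-520, 16 MB RAM, CPU (constructed)\nFlash chip0 @ 0x300, 2MB\n"
PIX_506 = "Hardware:   PIX-506, 32 MB RAM, CPU (constructed)\nFlash chip0 @ 0x300, 8MB\n"
PIX_515 = "Hardware:   PIX-515, 32 MB RAM, CPU (constructed)\nFlash chip0 @ 0x300, 16MB\n"

if __name__ == "__main__":
    cases = [("PIX 520 to 5.1", OLD_520, "5.1", 200 * KB),
             ("PIX 506 to 5.2", PIX_506, "5.2", 400 * KB),
             ("PIX 515 to 5.2", PIX_515, "5.2", 400 * KB)]
    for name, text, target, size in cases:
        found = preflight(text, target, size)
        print(name, "->", found if found else "no problems found")
```
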
Safety Recommendations
Note If you need to open the PIX Firewall case to install a hardware component such as additional memory or an interface card, doing so does not affect your Cisco warranty. Upgrading the PIX Firewall does not require any special tools and does not create any radio frequency leaks.
Use the following guidelines and the information in the following sections to help ensure your safety and protect the PIX Firewall equipment. The list of guidelines may not address all potentially hazardous situations in your working environment, so be alert and exercise good judgement at all times.
The safety guidelines are as follows:
•Keep the chassis area clear and dust-free before, during and after installation.
•Keep tools away from walk areas where you and others could fall over them.
•Do not wear loose clothing or jewelry, such as earrings, bracelets, or chains, that could get caught in the chassis.
•Wear safety glasses if you are working under any conditions that might be hazardous to your eyes.
•Do not perform any action that creates a potential hazard to people or makes the equipment unsafe.
•Never attempt to lift an object that is too heavy for one person to handle.
This section includes the following topics:
•Maintaining Safety with Electricity
•Preventing Electrostatic Discharge Damage
Maintaining Safety with Electricity
Warning Before working on a chassis or working near power supplies, unplug the power cord on AC units; disconnect the power at the circuit breaker on DC units.
Follow these guidelines when working on equipment powered by electricity:
•Before beginning procedures that require access to the interior of the PIX Firewall, locate the emergency power-off switch for the room in which you are working. Then, if an electrical accident occurs, you can act quickly to turn off the power.
•Do not work alone if potentially hazardous conditions exist anywhere in your work space.
•Never assume that power is disconnected from a circuit; always check the circuit.
•Look carefully for possible hazards in your work area, such as moist floors, ungrounded power extension cables, frayed power cords, and missing safety grounds.
•If an electrical accident occurs, proceed as follows:
–Use caution; do not become a victim yourself.
–Disconnect power from the system.
–If possible, send another person to get medical aid. Otherwise, assess the condition of the victim and then call for help.
–Determine if the person needs rescue breathing or external cardiac compressions; then take appropriate action.
•Use the PIX Firewall within its marked electrical ratings and product usage instructions.
•Install the PIX Firewall in compliance with local and national electrical codes as listed in the Regulatory Compliance and Safety Information for the Cisco Secure PIX Firewall Version 5.2 document.
•PIX Firewall models equipped with AC-input power supplies are shipped with a 3-wire electrical cord with a grounding-type plug that fits only a grounding-type power outlet. This is a safety feature that you should not circumvent. Equipment grounding should comply with local and national electrical codes.
•PIX Firewall models equipped with DC-input power supplies must be terminated with the DC input wiring on a DC source capable of supplying at least 15 amps. A 15-amp circuit breaker is required at the 48 VDC facility power source. An easily accessible disconnect device should be incorporated into the facility wiring. Be sure to connect the grounding wire conduit to a solid earth ground. Cisco recommends that you use a closed loop ring to terminate the ground conductor at the ground stud.
Other DC power guidelines are listed in the Regulatory Compliance and Safety Information for the Cisco Secure PIX Firewall Version 5.2 document.
Preventing Electrostatic Discharge Damage
Electrostatic discharge (ESD) can damage equipment and impair electrical circuitry. ESD damage occurs when electronic components are improperly handled and can result in complete or intermittent failures.
•Always follow ESD-prevention procedures when removing and replacing components. Ensure that the chassis is electrically connected to earth ground. Wear an ESD-preventive wrist strap, ensuring that it makes good skin contact. Connect the grounding clip to an unpainted surface of the chassis frame to safely ground ESD voltages. To properly guard against ESD damage and shocks, the wrist strap and cord must operate effectively. If no wrist strap is available, ground yourself by touching the metal part of the chassis.
•For safety, periodically check the resistance value of the antistatic strap, which should be between 1 and 10 megohms (Mohms).
General Site Requirements
The topics in this section describe the requirements your site must meet for safe installation and operation of your system. Ensure that your site is properly prepared before beginning installation.
This section includes the following topics:
•Site Environment
•Preventive Site Configuration
•Power Supply Considerations
•Configuring Equipment Racks
Site Environment
The PIX Firewall can be placed on a desktop. All PIX Firewall models except the PIX 506 can also be mounted in a rack. The location of the PIX Firewall and the layout of your equipment rack or wiring room are extremely important for proper system operation. Equipment placed too close together, inadequate ventilation, and inaccessible panels can cause system malfunctions and shutdowns, and can make PIX Firewall maintenance difficult.
When planning your site layout and equipment locations, keep in mind the precautions described in the next section "Preventive Site Configuration," to help avoid equipment failures and reduce the possibility of environmentally caused shutdowns. If you are currently experiencing shutdowns or unusually high errors with your existing equipment, these precautions may help you isolate the cause of failures and prevent future problems.
Preventive Site Configuration
The following precautions will help you plan an acceptable operating environment for your PIX Firewall and will help you avoid environmentally caused equipment failures:
•Electrical equipment generates heat. Ambient air temperature might not be adequate to cool equipment to acceptable operating temperatures without adequate circulation. Ensure that the room in which you operate your system has adequate air circulation.
•Always follow the ESD-prevention procedures described previously to avoid damage to equipment. Damage from static discharge can cause immediate or intermittent equipment failure.
•Ensure that the chassis top panel is secure. The chassis is designed to allow cooling air to flow effectively within it. An open chassis allows air leaks, which may interrupt and redirect the flow of cooling air from internal components.
Power Supply Considerations
The PIX 510, PIX 515, PIX 520, PIX 525, PIX10000, and PIX Firewall have AC power supplies. The PIX 515 and PIX 520 models can have either an AC or DC power supply. The PIX 506 has an external power supply that converts AC to DC.
Observe the following considerations:
•Check the power at your site before installing the PIX Firewall to ensure that you are receiving "clean" power (free of spikes and noise). Install a power conditioner if necessary, to ensure proper voltages and power levels in the source voltage for the system.
•Install proper grounding for the site to avoid damage from lightning and power surges.
•In units equipped with AC-input power supplies, use these guidelines:
–The PIX Firewall and PIX10000 models automatically select operating ranges of a low range of 90 to 135 volts or a high range of 180 to 270 volts.
–The PIX 510 and 520 models operate with a source voltage ranging from 100 to 240 VAC; the input power supply requires a 20 amp service minimum for North America and 10 amp or 16 amp for the international area.
–The PIX 515 and PIX 525 do not have a selectable operating range. Refer to the label on each model for the correct AC-input power requirement.
–Several styles of AC-input power supply cords are available; make sure you have the correct style for your site.
–Install an uninterruptible power source for your site, if possible.
–Install proper site grounding facilities to guard against damage from lightning or power surges.
•In a unit equipped with DC-input power supplies, use these guidelines:
–Each DC-input power supply requires dedicated 15 amp service.
–For DC power cables, Cisco recommends that you use a minimum of 18 AWG wire cable.
Configuring Equipment Racks
The following tips will help you plan an acceptable equipment rack configuration:
•PIX 515, PIX 520, and PIX 525 units require you to first attach rack mounting brackets to the unit. Rack mounting a PIX Firewall is described in "Installing a PIX Firewall."
•Enclosed racks must have adequate ventilation. Ensure that the rack is not overly congested because each unit generates heat. An enclosed rack should have louvered sides and a fan to provide cooling air.
•When mounting a chassis in an open rack, ensure that the rack frame does not block the intake or exhaust ports. If the chassis is installed on slides, check the position of the chassis when it is seated all the way into the rack.
•In an enclosed rack with a ventilation fan in the top, excessive heat generated by equipment near the bottom of the rack can be drawn upward and into the intake ports of the equipment above it in the rack. Ensure that you provide adequate ventilation for equipment at the bottom of the rack.
•Baffles can help to isolate exhaust air from intake air, which also helps to draw cooling air through the chassis. The best placement of the baffles depends on the airflow patterns in the rack. Experiment with different arrangements to position the baffles effectively.