Configure Web Interface on Pix 506?


  • Configure Web Interface on Pix 506?

    I'm a total novice with anything Cisco but have the dubious privilege of having responsibility for a Pix 506 firewall which came into my care working but with no passwords or anything else

    I have managed to reset the password using the excellent (once I worked out the version to use) instructions from Cisco but now I need to work out how to enable / configure / whatever the web interface to
    a) view current configuration
    b) establish some VPNs

    I have console / telnet access but am reluctant to prat about in case I upset the existing configuration.

    Can some kind soul (David?) please give me eejit proof instructions or point me to a good link to do this - I have searched but nothing comes up

    Many thanks
    Tom
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

  • #2
    Re: Configure Web Interface on Pix 506?

    Hi Tom,

    Thanks for your post!

    For folks new to the PIX, I recommend using the GUI interface - PDM.

    What you need is the minimum to get PDM up and running. That should be like an inside IP address, enable the interface, enable http, and create a password.

    Here are some links on PDM including the install / config guide. They should tell you how to get the basics up and running. Please review & let us know where you need help after that.

    I would copy off the existing config onto notepad and save it - then wipe it clean and start fresh.

    http://www.cisco.com/en/US/docs/secu.../pdm30CH4.html
    http://www.netcraftsmen.net/welcher/papers/pdm.html

    And don't forget to check out my article on configuring a PIX from scratch

    CISCO PIX OS & PDM DOCS:
    http://www.cisco.com/univercd/cc/td/.../pix/index.htm

    I hope that helps
    David Davis - Petri Forums Moderator & Video Training Author
    Train Signal - The Global Leader in IT Video Training
    TrainSignalTraining.com - Free IT Training Products
    Personal Websites: HappyRouter.com & VMwareVideos.com
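
The minimum listed in the post above (inside IP address, enabled interface, HTTP server, password), written out as an added example that is not part of the original thread. It assumes PIX OS 6.x command syntax; the addresses, the `ethernet1 10baset` hardware setting and the password placeholders are constructed.

```cisco
: Added example, PIX OS 6.x syntax assumed. Addresses and passwords are placeholders.
: Inside interface address and hardware setting (the speed keyword depends on the model)
ip address inside 192.168.1.1 255.255.255.0
interface ethernet1 10baset
: Telnet/SSH login password and the enable password
passwd <LOGIN-PASSWORD>
enable password <ENABLE-PASSWORD>
: Start the HTTPS server that PDM uses and allow a single management host to reach it
http server enable
http 192.168.1.10 255.255.255.255 inside
: Save the running configuration to flash
write memory
```

Limiting the `http` line to one management host, rather than the whole inside subnet, keeps the management interface unreachable from the rest of the LAN.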



    • #3
      Re: Configure Web Interface on Pix 506?

      Thanks, David,

      OK, I can get into the PDM with a blank username/password at the WINDOWS password dialog. It then puts up a popup window with another password dialog as shown in the screenshot. I've tried every combination of
      <blank>, admin, cisco for both username and password and not managed to find my way into it! If I use blanks for both, it gives a status bar message "exception: java.security.AccessControlException: access denied"

      AFAIK, after resetting the PIX password, the default is cisco?

      Do I need to turn on something from the console?

      Tom


      • #4
        Re: Configure Web Interface on Pix 506?

        Hi Tom,

        If you telnet or SSH to the PIX, what password do you log in with (don't tell me)? I believe that the PDM username would be blank and you would put in the same password used for telnet/SSH. It might also be the "secret/enable" password used to move from

        PIX>

        to

        PIX#

        If there isn't one set, then set one and use that.

        The box that is popping up is the Java authentication box. It may be that it just doesn't like a blank username & password.

        When you say "resetting the password", do you mean you cleared the entire config? If so, then the password is blank.

        hope that helps
        David Davis - Petri Forums Moderator & Video Training Author


        • #5
          Re: Configure Web Interface on Pix 506?

          Originally posted by daviddavis
          Hi Tom,

          Thanks for your post!

          For folks new to the PIX, I recommend using the GUI interface - PDM.
          Really?
          Ever seen a config created by PDM???
          It makes a complete mess of it.

          Personally I wouldn't recommend it because it's harder to find any config problems.
          I've seen about 3 pages (double-sided printed) with only PDM mess.
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"



          • #6
            Re: Configure Web Interface on Pix 506?

            Hi Dumber,

            Hmmm.... You make a good point and you are correct - it does make a complete mess out of the config. This is also true for SDM.

            I groan every time someone posts a config from SDM or PDM because it takes a half hour to sort through all the "junk". I think I was looking at the positives of PDM/SDM and ignoring the negatives.

            Upon careful reconsideration of the good and bad, I would like to rephrase what I said and make this recommendation to all beginners out there -->

            LEARN THE IOS / PIX OS

            The Cisco PDM and SDM can be useful tools. They can quickly generate the config for some complex configs like CBAC or VPN tunnels but I would only generate the config on a test box then copy and paste only the section you need onto the box you are trying to configure.

            Dumber - Thanks for your help
            David Davis - Petri Forums Moderator & Video Training Author


            • #7
              Re: Configure Web Interface on Pix 506?

              Thanks, both David and Marcel!

              Next newbie question, then:

              what are / where can I find
              the commands to open ports using the CLI interface on the PIX?

              Tom


              • #8
                Re: Configure Web Interface on Pix 506?

                Hi Tom,

                I suspect you are looking for ACL & Fixup commands at these links-

                http://www.cisco.com/en/US/docs/secu...html#wp1068707

                http://www.cisco.com/en/US/docs/secu...ide/fixup.html

                Please review those and let me know if that helps you. If not, remind me what you are trying to do and I would be glad to help.

                When you say open ports I think of allowing inbound connections, I usually think of 1) an ACL and 2) ensuring there is an inbound NAT for that IP. However, you may be thinking of something different than I am when you say "opening ports".
                David Davis - Petri Forums Moderator & Video Training Author


                • #9
                  Re: Configure Web Interface on Pix 506?

                  Thanks, David.

                  To clarify -- I need to open ports 1702 and 1723 inbound to allow remote clients to establish a VPN using Windows RRAS to handle authentication etc.

                  My other option is to establish a static VPN from the remote site routers to the PIX (both ends have static IPs) but I wonder how complex that will be, also there are some teleworkers who will need VPN abilities.

                  Tom


                  • #10
                    Re: Configure Web Interface on Pix 506?

                    SDM makes the config less messy than PDM. It can reduce the config by more than 2 pages

                    However, I also would start configuring with the GUI. Then copy and paste the config to notepad, give the Cisco device a write erase and paste the config back without the PDM mess.

                    Tom,

                    You need to create additional rules to your inbound ACL.
                    something like this:

                    Access-list 110 ip any <ipadress windows box> eq 1723

                    To clarify the ACL:
                    >100 gives you extended ACLs where you're allowed to use port numbers in the ACLs.
                    ip allows both IP and TCP connections
                    Any is the source in this case
                    IP address is the destination of the RRAS server
                    eq 1723 matches the port numbers.
                    Marcel
                    Technical Consultant
                    Netherlands
                    http://www.phetios.com
                    http://blog.nessus.nl

                    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                    "No matter how secure, there is always the human factor."

                    "Enjoy life today, tomorrow may never come."
                    "If you're going through hell, keep going. ~Winston Churchill"
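
An added example, not part of the original thread, of a complete inbound PPTP rule set in PIX OS 6.x syntax (assumed), combining the ACL from the post above with the inbound NAT mentioned in post #8. A PIX ACL entry needs a `permit` or `deny` action, an `eq` port match requires `tcp` or `udp` as the protocol, and PPTP carries its tunnel data in GRE (IP protocol 47), which needs its own entry. ACL number 110 is taken from the post; both addresses are constructed placeholders.

```cisco
: Added example, PIX OS 6.x syntax assumed. 203.0.113.10 (public address) and
: 192.168.1.20 (RRAS server) are constructed placeholder addresses.
: Inbound translation so the outside address maps to the RRAS server
static (inside,outside) 203.0.113.10 192.168.1.20 netmask 255.255.255.255 0 0
: PPTP control channel
access-list 110 permit tcp any host 203.0.113.10 eq 1723
: PPTP tunnel data (GRE, IP protocol 47)
access-list 110 permit gre any host 203.0.113.10
: Apply the ACL to traffic arriving on the outside interface
access-group 110 in interface outside
```

If an ACL is already bound to the outside interface, add the two `permit` entries to that list instead of binding a new one, because an interface takes only one inbound ACL. `show access-list` afterwards lists a hit count per entry, which confirms whether both the TCP 1723 and GRE rules are being matched.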
