Networking/Cisco PIX

From popdata

Cisco ASA 5520 Firewall & VPN

It replaced the 515e a while ago.
  • 2018-02-06: updated this wiki page via the ASDM Java management application.
    • ASA model 5525, software 9.1(7), flash 8192 MB
  • The security advisory affects us because AnyConnect uses "webvpn" with "ikev2". The advisory offers a free update (e.g. by contacting Cisco TAC with the product serial number and referring to the advisory URL).

Cisco PIX 515e Firewall

Cisco online configuration guide or local pdf

Interface config

The PIX has 6 physical ports: Ethernet 0, which is usually called the outside network; Ethernet 1, which is usually called the inside network; and a 4-port expansion card whose ports are numbered from left to right Ethernet 2 to Ethernet 5.

Our assignments:

Port        Name      Use
Ethernet 0  outside   Connection to UBCnet
Ethernet 1  redzone   Connection to the secondary firewall
Ethernet 2  clients   The various partner VLANs (via UBC switches)
Ethernet 3  dmz       DMZ networks that can be accessed from outside
Ethernet 4  undef     Not yet used
Ethernet 5  servers   Server networks from the partners

VLAN config


VLAN        No.   Subnet   Comment
CHSPR       647            Public subnet


VLAN        No.   Subnet   Comment
CHSPR-CLNT  647            CHSPR clients
PHLO-CLNT   81?            PHLO clients


VLAN        No.   Subnet   Comment
CHSPR-NET   42             CHSPR Network Services
CHSPR-EML   43             CHSPR Email Services
CHSPR-WEB   44             CHSPR Web Services
PHLO-NET    82             PHLO Network Services
PHLO-EML    83             PHLO Email Services
PHLO-WEB    84             PHLO Web Services


VLAN        No.   Subnet   Comment
CHSPR-FP    45             CHSPR File & Print
PHLO-ADMIN  89             PHLO Admin Servers
PHLO-FP     85             PHLO File & Print (collaboratory)

OS Upgrade

  • Log in to the Cisco website ( -> login). Username: phlo-cisco
  • Go to Downloads -> VPN Software -> Cisco PIX Security Appliances Software -> Download PIX Security Appliance Software
  • Get the Release Notes and the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco Security Appliance Software Version 7.0
  • Choose: asdm-522.bin and pix722.bin
  • Set up a TFTP server on a machine on the same network as the PIX
  • Put the two files in the TFTP directory on that machine
  • Connect a PC to the serial console port of the PIX with the blue console cable (DB9 connector)
  • Connect to the serial port with a terminal program (9600 N81)
  • Log in and enter enable mode
  • reload
  • Hit Escape when you see:
Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-515E
System Flash=E28F128J3 @ 0xfff00000

Use BREAK or ESC to interrupt flash boot.
  • stuff missing here
  • enter: address
  • enter: address (this being the address of the machine running the TFTP server)
  • enter: ping (you should get a 100% success rate)
  • The PIX is now running the new firmware only in RAM; we need to move it to flash
  • enter: enable
  • copy it again:
  • enter: copy tftp:// flash:
  • enter: write memory
  • enter: reload
  • now do the ASDM image:
  • enter: copy tftp:// flash:asdm
  • enter: write memory
  • enter: reload
  • You can now go to (leave the username empty)
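The steps above have the PIX pull pix722.bin and asdm-522.bin over TFTP, which has no authentication or integrity protection. The script below is an added example (not from this wiki page or from Cisco) for the TFTP host: it checks each image against the MD5 printed on the Cisco download page before staging it, copies it into the TFTP root read-only so nobody on that segment can swap it before the firewall fetches it, and re-checks the staged copy. The TFTP root path /srv/tftp, the images being in the current directory, and the placeholder MD5 strings are assumptions; the real hash values are not recorded on this page and must be pasted in.

```python
"""Stage PIX/ASDM images for a TFTP upgrade with an integrity check.
Added example, not part of the original page. Assumptions: TFTP root is
/srv/tftp, images are in the current directory, and the expected MD5 comes
from the Cisco download page (none is recorded on the page)."""
import hashlib
import os
import shutil


def file_md5(path):
    """MD5 of a file as lowercase hex, read in chunks so large images are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_md5):
    """Return None if the file exists, is non-empty and matches expected_md5,
    otherwise a string saying why it was rejected."""
    if not os.path.isfile(path) or os.path.getsize(path) == 0:
        return f"missing or empty: {path}"
    actual = file_md5(path)
    if actual != expected_md5.lower():
        return f"MD5 mismatch for {path}: got {actual}, expected {expected_md5}"
    return None


def stage_image(path, expected_md5, tftp_root="/srv/tftp"):
    """Verify the image, copy it into the TFTP root as mode 0444 and verify the
    copy again (catches a short write). Returns the staged path or raises
    ValueError; nothing is staged if the source hash does not match."""
    err = verify_image(path, expected_md5)
    if err:
        raise ValueError(err)
    os.makedirs(tftp_root, exist_ok=True)
    dest = os.path.join(tftp_root, os.path.basename(path))
    if os.path.exists(dest):
        os.remove(dest)  # a previous 0444 copy would block overwriting
    shutil.copyfile(path, dest)
    # Readable by the tftpd user, writable by nobody: the PIX only reads, and a
    # writable TFTP root lets anyone on the segment replace the firmware.
    os.chmod(dest, 0o444)
    err = verify_image(dest, expected_md5)
    if err:
        raise ValueError(err)
    return dest


if __name__ == "__main__":
    # MD5 values are placeholders (assumption): paste the ones shown on the
    # Cisco download page next to each file.
    for name, md5 in (("pix722.bin", "<md5-from-cisco>"),
                      ("asdm-522.bin", "<md5-from-cisco>")):
        print("staged", stage_image(name, md5))
```

Run it on the TFTP host after downloading the two files and before typing the copy tftp:// commands on the console; if either hash does not match, nothing is placed in the TFTP root.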

ASDM GUI (java)

If you have Java installed, you can download the ASDM GUI Java application from the firewall: browse to one of or your gateway, log in, and download asdm.jnlp.

Installing Java JDK or JRE for ASDM

    • Clicked on ~/Desktop/"ASDM on from asdm.jnlp.desktop"; it opens "Icedtea-web 1.6.2ubuntu1" (4/16/16, 8 PM). Got signature complaints, then errors "too many redirect".
    • Cisco ASDM-IDM Launcher. Connecting to device. Enter username and password.
    • Authentication Required. Enter login details to access Authentication on / [yubikey]
    • Java console: "Trying for ASDM Version file; url ="
    • Exception ... Caused by: Server redirected too many times (20)
  • Get from Ryoko
    • 209674 [Poller] ERROR - Exception while parsing line:SA|ISAKMP_SAS|4294967292|IPSEC_SAS|2|MH|ISAKMP_SAS|4294967292|IPSEC_SAS|2|

Fixing the MSS exceeded messages

By default the firewall drops TCP segments whose payload is larger than the MSS the receiving side advertised in the handshake and logs them as "MSS exceeded". Bacula transfers were hitting this, so the policy below changes the check to allow (exceed-mss allow) for the Bacula traffic only: the access-list selects the flows, the class-map and policy-map bind the tcp-map to them, and the service-policy applies the result on the phlo-admin interface. Keep the access-list as narrow as you can; the check is part of the TCP normalizer and exists to reject non-standard segments, so turning it off globally is the wrong fix.

phlo-fw1(config)# access-list bacula-tcp permit tcp any host       
phlo-fw1(config)# exit
phlo-fw1# config term
phlo-fw1(config)# class-map bacula-map1
phlo-fw1(config-cmap)# match access-list bacula-tcp
phlo-fw1(config-cmap)# exit
phlo-fw1(config)# tcp-map mss-map
phlo-fw1(config-tcp-map)# exceed-mss allow
phlo-fw1(config-tcp-map)# exit
phlo-fw1(config)# policy-map bacula-map1
phlo-fw1(config-pmap)# class bacula-map1
phlo-fw1(config-pmap-c)# set connection advanced-options mss-map
phlo-fw1(config-pmap-c)# exit
phlo-fw1(config-pmap)# exit 
phlo-fw1(config)# service-policy bacula-map1 interface phlo-admin
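Before widening or relaxing that access-list it helps to see exactly which flows the firewall is dropping. The script below is an added example (not from this page or from Cisco): it parses syslog lines in the %ASA/%PIX-4-419001 "MSS exceeded" layout, counts drops per source host, destination host and service port, and prints host-to-host access-list lines that cover only the observed flows, which is narrower than the page's "permit tcp any host ..." form. The regex layout is assumed to match what your syslog server receives (adjust MSS_RE if your release formats the message differently), and the sample log lines are constructed for this example using documentation addresses, not the page's real hosts.

```python
"""Find the flows behind "MSS exceeded" drops and propose a minimal access-list.
Added example, not from the original page. The 419001 message layout below is
an assumption about your syslog output; the sample lines are constructed."""
import re
from collections import Counter

# Assumed %ASA/%PIX-4-419001 layout; interface names may contain '-' but not ':'.
MSS_RE = re.compile(
    r"%(?:ASA|PIX)-4-419001: Dropping TCP packet from "
    r"(?P<sif>[^\s:]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dif>[^\s:]+):(?P<dst>[\d.]+)/(?P<dport>\d+), "
    r"Reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

# Constructed sample: two Bacula-style flows to port 9103, one unrelated 106023
# deny, and one unrelated 443 flow that also trips the check.
SAMPLE_LOG = """\
Feb  6 10:01:02 phlo-fw1 %ASA-4-419001: Dropping TCP packet from servers:198.51.100.20/48211 to phlo-admin:192.0.2.10/9103, Reason: MSS exceeded, MSS 1380, data 1460
Feb  6 10:01:02 phlo-fw1 %ASA-4-419001: Dropping TCP packet from servers:198.51.100.20/48211 to phlo-admin:192.0.2.10/9103, Reason: MSS exceeded, MSS 1380, data 1460
Feb  6 10:01:05 phlo-fw1 %ASA-4-419001: Dropping TCP packet from dmz:198.51.100.44/51120 to phlo-admin:192.0.2.10/9103, Reason: MSS exceeded, MSS 1380, data 1460
Feb  6 10:01:09 phlo-fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4431 dst dmz:198.51.100.44/22 by access-group "outside_in"
Feb  6 10:02:11 phlo-fw1 %ASA-4-419001: Dropping TCP packet from clients:192.0.2.77/40002 to dmz:198.51.100.44/443, Reason: MSS exceeded, MSS 1380, data 1460
"""


def parse_mss_drops(text):
    """One dict per 419001 line, with ports and sizes as ints; other messages
    (such as the 106023 deny above) are skipped."""
    drops = []
    for line in text.splitlines():
        m = MSS_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "mss", "data"):
                d[k] = int(d[k])
            drops.append(d)
    return drops


def summarize(drops):
    """Count drops per (src host, dst host, dst port). The ephemeral source
    port is left out so repeats of one service conversation collapse."""
    return Counter((d["src"], d["dst"], d["dport"]) for d in drops)


def suggest_acl(name, drops, dport):
    """Sorted, de-duplicated host-to-host access-list lines covering the
    observed drops to one service port."""
    lines = {
        f"access-list {name} permit tcp host {src} host {dst} eq {port}"
        for (src, dst, port) in summarize(drops)
        if port == dport
    }
    return sorted(lines)


if __name__ == "__main__":
    drops = parse_mss_drops(SAMPLE_LOG)
    for (src, dst, port), n in summarize(drops).most_common():
        print(f"{n:4d}  {src} -> {dst}:{port}")
    for line in suggest_acl("bacula-tcp", drops, dport=9103):
        print(line)
```

Feed it the firewall's syslog instead of SAMPLE_LOG. The point of the summary is the flows you did not expect: in the constructed sample, the 443 conversation also trips the check, and a flow like that deserves a look (bad path MTU handling or a peer sending non-standard segments) rather than being swept into the exemption along with Bacula.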