Prepare for PDM

Prepare for PDM

If the PIX Firewall unit shipped with PIX Firewall software Version 6.2 or higher, PDM v2.1 is already installed in the Flash memory. Otherwise, the following steps should be taken before you install PDM v2.1:

  • When performing an upgrade, you must get the PDM software from Cisco using the same methods and, typically, at the same time as securing upgraded PIX Firewall OS software. That process is covered in the last two sections of this chapter.

  • Save the PIX Firewall configuration by issuing a write terminal command to display the configuration, and then use cut-and-paste to save it to a text file.

  • Record the activation key. One method would be to use cut-and-paste with the show version command to save it to a text file.

If the network design incorporates a PIX Firewall failover pair, then it’s necessary to upgrade both units to be the same PIX OS and PDM version. The failover feature is covered in the next section of this chapter.

Installing PDM on a PIX Firewall

If the process of using TFTP is unfamiliar to you, it’s covered in detail in the “Password Recovery” and “Upgrading” sections at the end of this chapter. The following limited commands assume the PIX is configured to function in a network.

Make sure the TFTP server is running, the PDM file (pdm-211.bin) is copied to the TFTP source file folder, and the firewall can ping the TFTP server.

The single step syntax to copy the PDM image file into the PIX Firewall is as follows:

pix# copy tftp://tftp_server_ip_address/pdm_filename flash:pdm

Or, you can enter the follow command to follow the prompts:

pix# copy tftp flash:pdm

The following example shows this latter method. The process prompts for the TFTP server address (address or name of the remote host) and the name of the PDM file. Don’t forget the .bin extension. After confirming the request, the process runs unattended:

Pix# copy tftp flash:pdm
Address or name of remote host []?
Source file name [cdisk]? pdm-211.bin
copying tftp:// to flash:pdm
[yes|no|again]? yes
Erasing current PDM file
Writing new PDM file
 ??(lines omitted)
PDM file installed.

Minimum PIX Configuration

The PDM requires a minimum of the following items configured on the PIX Firewall for the PDM to be accessible. Most of these items should be familiar.

Enable Password


Clock (UTC)

Universal Coordinated Time (UTC). Enter the year, month, day, and time. Enter time in 24-hour time as hh:mm:ss

Inside IP address


Inside network mask


PIX host name


Domain name

Domain name for the PIX Firewall

IP address of host running PDM

A specific host address

Many of these items would probably already be configured on a working firewall and the others could be configured conventionally. For a new or unconfigured PIX, the command mode setup command could also be used, which would then prompt for each item. This is the same autoconfiguration process offered when an unconfigured PIX starts up. Either way, the resulting entries would look something like the following:

Enable password: cisco
Clock (UTC): 21:11:47 Jan 12 2003
Inside IP address:
Inside network mask:
Host name: Pix
Domain name:
IP address of host running PIX Device Manager:

Starting PDM

Once the minimum required PIX configuration is in place and the web browser is set up to be both Java-enabled and support HTTPS (HTTP over SSL), use the following commands to launch PDM:

  1. Use a web browser on the workstation designated as running PIX Device Manager in the PIX configuration. Enter the following, using the PIX inside interface address to launch PDM:

    https://pix_inside_ address

  2. Accept the security certificate. If you don’t accept the certificate, the PDM won’t launch.

  3. A user name/password box will appear. Leave the user name blank and use the enable password as the password. If no enable password is set, click OK to continue.

  4. If prompted, accept the second certificate presented. This VeriSign certificate ensures the certificate originated from Cisco Systems and enables PDM to run as a signed applet.

The PDM should launch after the certificates are accepted. Follow the instructions on the screen. If the PDM detects this is the first PDM session, then it launches the Startup Wizard. Figure 22-4 shows the Startup Wizard opening screen (the next section covers this wizard). Or, you can use the Cancel button to close the wizard and work from the menus. If the Startup Wizard gets closed, it can be reactivated at any time from the Wizards menu.

Click To expand
Figure 22-4: The PDM Startup Wizard opening screen

The online help provides information on how to use PDM.

Using the PDM Startup Wizard

The PDM Startup Wizard is a good place to begin configuring a new or erased PIX Firewall. Using the PIX setup command, followed by the Startup Wizard, provides the basic requirements needed to implement a network security policy for the PIX Firewall.

If the Start Wizard isn’t on the screen after PDM launches, use the following steps from the PDM control panel:

  1. Choose Wizards | Startup Wizard from the main menu.

  2. After reading the Welcome to the Startup Wizard page, click the Next button. The next screen allows changing the host name, the domain name, and enable password, as shown in Figure 22-5. Each screen has a Help button for assistance. Click the Next button to advance.

    Click To expand
    Figure 22-5: Screen 2 of the PDM Start Wizard changes PIX names and password

  3. The next screen allows changing the outside interface configuration, including features like DHCP client and PPPoE. Click the Next button to advance.

  4. Other screens allow configuring the other interfaces, NAT/PAT, and DHCP server on the inside interface.

  5. When you finish with the wizard pages, the Startup Wizard Completed page appears. Click the Finish button to send the configuration to the firewall, and then exit the wizard or click Back to edit previous pages.

Part III: Virtual Private Networks (VPNs)