topic Re: VERY basic pix 515 question in Network Security

VERY basic pix 515 question

garcia.mike1 — Mon, 11 Mar 2019 09:43:21 GMT

I am new to the whole security world... ie. configuring pixes... I have a question, I was given (free) pix 515 with the two interfaces... I did a wr erase on it to start fresh, but wanted to test the ports for connectivity...

I configured my outside interface with 10.1.1.1/24 and a host 10.1.1.2/24 did a ping and got a reply... good

next i erased that config and did inside the same way, but when my host pings i get no reply and when the pix pings the host it gets no replay... got a up/up on the interface did a permit icmp any any and permit ip any any and noting... is the pix broken ?

what can i do to test...

non production environment BTW

also the host is connected DIRECTLY to eth0 and eth1

Re: VERY basic pix 515 question

vitripat — Thu, 08 Mar 2007 16:23:12 GMT

Did you clear the ARP cache on the host when connecting to the inside interface of PIX? When trying to ping the inside interface of PIX, please enable debugs on PIX and logging also to see if ICMP packets are reaching the inside interface-

debug icmp trace

logg con 7

logg on

Now try pinging again and let me know what you see on the console connection of PIX.

Regards,

Vibhor.

Re: VERY basic pix 515 question

abinjola — Fri, 09 Mar 2007 04:45:10 GMT

Firstly,

From the firewall (from config mode) can you ping the inside Interface ? If no then certainly you have a bad firewall that you are playing with

Here I assume that you have assigned the ip address to inside, security level,int status up/up, and other basic commands needed

Secondly make sure you dont have an icmp deny for inside, which ideally should not be if you have erased the config and starting from scratch

in any case to verify this use the command "sh icmp"

Can you please use the following command on firewall to make sure if the arp entries are building up

sh arp

Also verify this on windows machine if it is populating Pix Inside Mac address using the command

arp -a

Lastly yes...make sure the packet is at least reaching the firewall using the command debug icmp trace...if none of the icmp request is hitting the firewall...then you have to bang your pc...and chop the cable that you are using...:-)

Re: VERY basic pix 515 question

garcia.mike1 — Fri, 09 Mar 2007 17:40:25 GMT

Ping from pix to inside got a reply

pix# ping 192.168.1.2

13: ICMP echo request (len 32 id 9233 seq 0) 192.168.1.1 > 192.168.1.2

192.168.1.2 NO response received -- 1000ms

14: ICMP echo request (len 32 id 9233 seq 1) 192.168.1.1 > 192.168.1.2

192.168.1.2 NO response received -- 1000ms

15: ICMP echo request (len 32 id 9233 seq 2) 192.168.1.1 > 192.168.1.2

192.168.1.2 NO response received -- 1000ms

pix# 111008: User 'enable_15' executed the 'ping 192.168.1.2' command.

pix# ping 192.168.1.1

192.168.1.1 response received -- 0ms

pix# 111008: User 'enable_15' executed the 'ping 192.168.1.1' command

workstation is using 192.168.1.2

Pix is using 192.168.1.1

config

pix# sh run

: Saved

PIX Version 6.3(5)

interface ethernet0 auto shutdown

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pix

domain-name home

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

pager lines 24

logging on

logging console debugging

mtu outside 1500

mtu inside 1500

no ip address outside

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

conduit permit icmp any any

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:e1f71a437b169145a15aa8ed4e87d318

: end

pix# 111009: User 'enable_15' executed cmd: show running-config

Re: VERY basic pix 515 question

garcia.mike1 — Fri, 09 Mar 2007 17:41:20 GMT

interface ethernet1 "inside" is up, line protocol is up

Hardware is i82559 ethernet, address is 0050.54ff.6389

IP address 192.168.1.1, subnet mask 255.255.255.0

MTU 1500 bytes, BW 100000 Kbit full duplex

103 packets input, 15307 bytes, 0 no buffer

Received 103 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

64 packets output, 3840 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/1)

output queue (curr/max blocks): hardware (0/1) software (0/1)

<--- More --->111009: User 'enable_15' executed cmd: show interface

Re: VERY basic pix 515 question

abinjola — Fri, 09 Mar 2007 18:04:32 GMT

awrite..

ping from a machine 192.168.1.2 to the firewall 192.168.1.1 and send me the debug icmp trace...do you see anything from your pc hitting the firewall back ?

what about arp -a on machine..? do you see this address 0050.54ff.6389

Re: VERY basic pix 515 question

garcia.mike1 — Sun, 11 Mar 2007 00:06:13 GMT

Got this error when booting UP

32MB RAM

imgsum_config: sumval(0x5d38) md5(0x525ac23a 0x029b65fa 0x9b9c1ed3 0x6f7c4cad)

imgsum_verify: chksum(0x 0) md5(0x2d8372df 0xdca29c51 0x439e5ea1 0xd4f02de3)

Panic: kernel - The checksum verification for this image failed.

=========

Cisco Secure PIX Firewall BIOS (4.0) #0: Thu Mar 2 22:59:20 PST 2000

Platform PIX-515

Flash=i28F640J5 @ 0x300

Use BREAK or ESC to interrupt flash boot.

Use SPACE to begin flash boot immediately.

Reading 1974784 bytes of image from flash.

#################################################################################################################

32MB RAM

imgsum_config: sumval(0x5d38) md5(0x525ac23a 0x029b65fa 0x9b9c1ed3 0x6f7c4cad)

imgsum_verify: chksum(0x 0) md5(0xab907943 0x9824133c 0x5433a1b9 0xbc6c7c6a)

Panic: kernel - The checksum verification for this image failed.

about 3 times then booted normally

pix# debug icmp trace

ICMP trace on

Warning: this may cause problems on busy networks

pix# ping 192.168.1.2

1: ICMP echo request (len 32 id 9233 seq 0) 192.168.1.1 > 192.168.1.2

192.168.1.2 NO response received -- 1000ms

2: ICMP echo request (len 32 id 9233 seq 1) 192.168.1.1 > 192.168.1.2

192.168.1.2 NO response received -- 1000ms

3: ICMP echo request (len 32 id 9233 seq 2) 192.168.1.1 > 192.168.1.2

192.168.1.2 NO response received -- 1000ms

pix#

machine 2 pix

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

IP Address. . . . . . . . . . . . : 192.168.1.2

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

C:\Documents and Settings\mgarcia>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Request timed out.

arp -a

C:\Documents and Settings\mgarcia>arp -a

Interface: 172.16.1.17 --- 0x2

Internet Address Physical Address Type

172.16.1.1 00-0f-66-9d-0f-91 dynamic

above was wireless card not the card connected to pix.. ??? IS the OS screwed up on this thing

and one more time the counters for this alleged bad interface

interface ethernet1 "inside" is up, line protocol is up

Hardware is i82559 ethernet, address is 0050.54ff.6389

IP address 192.168.1.1, subnet mask 255.255.255.0

MTU 1500 bytes, BW 100000 Kbit full duplex

5 packets input, 682 bytes, 0 no buffer

Received 5 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

20 packets output, 1200 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/1)

output queue (curr/max blocks): hardware (0/1) software (0/1)

Re: VERY basic pix 515 question

abinjola — Mon, 12 Mar 2007 17:20:21 GMT

Well few more things that we can try :-

1) Can you ping the local machine (192.168.1.2) from any other m achine ?

2)Can you please set the default gateway on this machine as 192.168.1.1 and then ping the firewall, though you dont need a default gateway if the detination ip is in the same subnet,but lets set the DG and then try pinging the inside interface of the FW

3)the firewall should not give those checksum verification failed messages.....can you reinstall a new image and then try...

Re: VERY basic pix 515 question

flopez — Mon, 12 Mar 2007 23:17:47 GMT

You may be getting a reply, but maybe you don't see it. You should add the ACL to allow Echo Replys, etc.

samle lines:

access-list outside_int_name permit icmp any any echo-reply

access-list outside_int_name permit icmp any any unreachable

access-list outside_int_name permit icmp any any time-exceeded

outside_int_name = the name of your outside Interface name. Whatever you called it.

Good luck.

julio

Re: VERY basic pix 515 question

garcia.mike1 — Tue, 13 Mar 2007 02:10:49 GMT

The problem isnt the outside interface... its the inside that is the issue.

Re: VERY basic pix 515 question

garcia.mike1 — Tue, 13 Mar 2007 02:56:29 GMT

well... it looks like the fun is over... pix wont boot any longer after the re-flash

Checksum verification on compression loader failed

and it just reboots over and over..

during the tftp flash it got a lot of timeouts before it started sending the image then it complete and got that error listed above ???

bad flash ?

Re: VERY basic pix 515 question

Patrick Iseli — Tue, 13 Mar 2007 03:10:13 GMT

Basicly if you want to ping from the inside network to the inside interface of the PIX then you need to allow this by the < icmp > command !

icmp permit|deny [host] src_addr [src_mask] [type] int_name

If you want to allow pings through multiple interfaces you need to configure an access-list.

example you want to ping from an inside host to and internet IP (www.yahoo.com).

example:

access-list 101 permit icmp any host 200.1.1.5 echo-reply

access-list 101 permit icmp any host 200.1.1.5 source-quench

access-list 101 permit icmp any host 200.1.1.5 unreachable

access-list 101 permit icmp any host 200.1.1.5 time-exceeded

access-group 101 in interface outside

Reference:

Handling ICMP Pings with the PIX Firewall:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

🙂

sincerely

Patrick

Re: VERY basic pix 515 question

abinjola — Tue, 13 Mar 2007 16:47:50 GMT

yes its bad flash

you have two options :-

1)Contact Cisco-TAC and if you have relevant contract ask them to RMA the device

2)Try uploading a new image from the monitor mode (during boot process hit the escape key and it will take you to monitor mode)