topic Re: PIX 515E question in Network Security

PIX 515E question

duc-vu — Fri, 21 Feb 2020 07:16:35 GMT

Dear all,

We have just bought a PIX 515E and try to use it but got a few issues. Here is the show ver:

PIX-151E#show version

Cisco PIX Firewall Version 6.3(1)

Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 19-Mar-03 11:49 by morlee

PIX-515E up 5 hours 15 mins

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 000f.2457.4b12, irq 10

1: ethernet1: address is 000f.2457.4b13, irq 11

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

Maximum Interfaces: 6

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited IKE peers: Unlimited

This PIX has a Failover Only (FO) license.

Problem is we cannot ping the Inside port if we do not turn on failover but this is single machine. Here is another message after we turn on Failover:

PIX-515E# config t

**** WARNING ***

Configuration Replication is NOT performed from Standby unit to Active unit.

Configurations are no longer synchronized.

PIX-515E(config)#

Please help to resolve this issue. Wonder if we purchase the wrong license ? Thanks a lot.

Re: PIX 515E question

duc-vu — Fri, 05 Mar 2004 07:33:56 GMT

also another question : we thought the PDM should come free with this unit ? or it an option ? Thanks for help.

Re: PIX 515E question

duc-vu — Fri, 05 Mar 2004 07:36:24 GMT

never mind about stupid question on PDM. Please help with the first question. Thank you very much.

Re: PIX 515E question

tgshahrizam — Fri, 05 Mar 2004 07:40:28 GMT

Please post your "show run" contents.

Re: PIX 515E question

steven.wilson — Fri, 05 Mar 2004 13:41:03 GMT

you have in your possession a failover PIX. That is why is says so in the "sh run".

This device is meant to be used only as the failover device for live one. It will run as a live PIX but will behave badly. It is cheaper than a PIX with an Unrestricted License, as it is not meant to be used as a stand-alone device. Check with whoever you purchased it from to get the situation sorted.

Good luck

Steve

Re: PIX 515E question

duc-vu — Fri, 05 Mar 2004 14:04:13 GMT

Here it is:

PIX-515E# show run

: Saved

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxxx

hostname PIX-515E

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

pager lines 24 mtu outside 1500

mtu inside 1500 ip address outside 192.168.27.1 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm

no failover failover timeout 0:00:00 failover poll 15

no failover ip address outside no failover ip address inside pdm location 192.168.1.0 255.255.255.0 inside pdm history enable arp timeout 14400 route inside 0.0.0.0 0.0.0.0 192.168.27.2 1

timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable

telnet timeout 5 ssh timeout 5 console timeout 0

terminal width 80 Cryptochecksum:xxxxxx : end

Thank you very much, Sir.

Re: PIX 515E question

duc-vu — Fri, 05 Mar 2004 14:06:21 GMT

Thank you very much, Sir. I thought so that we got a wrong license PIX.

Re: PIX 515E question

duc-vu — Mon, 08 Mar 2004 09:58:20 GMT

One more question, please. Do I need to config in PIX515E in order to activate the PDM ? could not use http to do web config. Thanks.

Re: PIX 515E question

steven.wilson — Tue, 09 Mar 2004 12:48:25 GMT

to access the PIX using the PDM there are three things that you need to do.

1st PDM LOCATION COMMAND

2nd HTTP SERVER COMMAND

3rd access the PIX by HTTPS on the inside is safest.

Some people like the PDM and some people prefer the command line. If you really want to understand the working of the device program it using the PDM and then look at the lines created via the command line.

Have fun

Steve

Re: PIX 515E question

duc-vu — Wed, 10 Mar 2004 01:29:50 GMT

Hi Steve,

Please elaborate a little more about :

1st PDM LOCATION COMMAND

2nd HTTP SERVER COMMAND

Exactly what I should do ? Thank you very much.

Regards

Re: PIX 515E question

tgshahrizam — Wed, 10 Mar 2004 07:04:54 GMT

hi,

1.PDM LOCATION tells the firewall what host is able to access PDM

2. HTTP SERVER enables http access to the firewall form the ip adress of the network or host specified. Eg: http 10.1.1.0 255.255.255.0 inside or http 10.1.1.1 255.255.255.255 inside

PDM location can be detected by the firewall automatically. So, the most important command is the http server and do not forget to use https in the browser instead of http. Eg; https://10.1.1.254

Re: PIX 515E question

scoclayton — Wed, 10 Mar 2004 13:54:08 GMT

For the record, #1 above is *not* correct. Here is some text that was previously posted regarding the PDM location commands:

A PDM location is a pure book keeping command used by PDM to build its topology database. It has nothing to do with the PIX's functionalities. In particular, it does **NOT** control which host can access PDM which is a common misunderstanding. The control is done by the command "http ".

Why do we need it?

In PDM's world, policy (those rules) is built on top of topology. Ideally user creates the topology first via the Host/Network tab, then configures policy else where (like Access Rule tab). A network object exists by itself, even if there is no policy configured directly on it at a particular time. We use "pdm location" command to remember the location

of a network object.

Scott

Re: PIX 515E question

duc-vu — Thu, 11 Mar 2004 01:27:39 GMT

Thank you, gentlemen for your great help. In short, all I need is one command : http 192.168.1.0 255.255.255.0 ethernet0 (for example).

Re: PIX 515E question

duc-vu — Thu, 11 Mar 2004 01:30:54 GMT

Sorry : https 192.168.1.1 255.255.255.255 inside.

Re: PIX 515E question

tgshahrizam — Thu, 11 Mar 2004 08:01:16 GMT

no, it is http://192.168.1.1 255.255.255.255 inside.

use https only on the browser.

Re: PIX 515E question

tgshahrizam — Thu, 11 Mar 2004 08:02:39 GMT

no, it is

http 192.168.1.1 255.255.255.255 inside.

use https only on the browser.

sorry for the previous posting.