topic Re: Pix 515e unrestricted in Network Security

Pix 515e unrestricted

ward — Fri, 21 Feb 2020 07:11:31 GMT

Just started up my pix and changed the outside address.Tried to access the pdm via the browser,but cannot.Any guidance would be much appreciated.

Re: Pix 515e unrestricted

jmia — Mon, 12 Jan 2004 17:01:27 GMT

Hi,

You'll need to enable http server on the PIX.

In config mode on PIX do:

> http server enable

> http 192.168.1.0 255.255.255.0 inside

(Ofcourse change the above IP to yours)

Now open up IE browser and type:

> https://

When you see the username and password box pop-up in IE browser just type the pix password (no need for username)

Hope this helps and Please rate this post if it helps you out.

Thanks -

Re: Pix 515e unrestricted

ward — Wed, 14 Jan 2004 17:15:52 GMT

Thanks for the help.I can get as far as the Cisc pix PDM manager loading...It has an egg timer that just sits there.I waited for 5 minutes but it is still not coming up with anything further.

It says Loading pix device manager....please wait

Can anyone advise please?

Re: Pix 515e unrestricted

ward — Thu, 15 Jan 2004 09:45:18 GMT

can anyone advise on this please.

Cheers

Re: Pix 515e unrestricted

travis-dennis_2 — Thu, 15 Jan 2004 12:52:34 GMT

Are you getting a pop-up window that ask if you want to install and run Cisco PIX device mananger? That is the next phase. If you are not seeing this it could be a permissions issue on your workstation or I have seen some pop-up blockers kill this as well.

Please remember to rate any post that helps you out.

Re: Pix 515e unrestricted

ward — Fri, 16 Jan 2004 12:31:55 GMT

Yeah I am getting this message coming up.

It keeps saying please wait and just sits there.

It comes up saying the certificate information and then it says do you want to proceed.

I then click yes and it comes up with username and password.I dont have one set so i press enter.

I then get a popup window that says LOADING PIX DEVICE MANAGER please wait......

It just there.I cant get any further. much appreciated.

Any help would be

Re: Pix 515e unrestricted

ward — Fri, 16 Jan 2004 12:41:45 GMT

The only thing that looks out of the ordinary is this startup certiticate message.Could this be the problem.

When i put in https://10.98.7.250 in the browser

it then comes up with the message below.

The information you exchange with this site cannot be viewed or changed by others.

However there is a problem with the sites security certificate.

! The security certificate was issued by a company you have not chosen to trust

! The security certificate has expiredor is not yet valid.

! The name on the security certificate is invalid or does not match the name of the site.

Re: Pix 515e unrestricted

ward — Fri, 16 Jan 2004 15:49:40 GMT

Can anyone advise?

Cheers

Re: Pix 515e unrestricted

mpalardy — Fri, 16 Jan 2004 20:57:14 GMT

Do you have a DES or 3DES key installed on you PIX. This key is required for PDM. If do not have this key Cisco will provide you with a new DES key for free. You will find this information with "show version" command.

Re: Pix 515e unrestricted

l.mourits — Fri, 16 Jan 2004 22:20:53 GMT

Ward,

You should check on CCO on the supported browsers and the requirements of your browser. Sounds to me like not having a correct encryption level, some old version browser or java runtime environment. Check these things first before checking anything else.

You are using no username and the enable secret as the password on the PDM authentication popup?

You do have configured an enable secret. Otherwise I think PDM won´t be able to authenticate.

If all this is not of any help, there´s one other thing you could try, and that is regenerating the rsa key. There should be a procedure described on CCO, otherwise search the frum within this group, cause a few months ago the procedure was posted here. But regenerating the rsa key is rarely needed, so, I advise you to first check on the other things mentioned.

Good luck and kind regards,

Leo

Re: Pix 515e unrestricted

ward — Mon, 19 Jan 2004 13:59:34 GMT

Hi there

Please see my config and show version below.

All I have changed on the pix is the inside ip address,clock and added in the username and password.

i am running java 1.4.1_02 which is correct for internet explorer 6.

After typing the username and password I dont get prompted for it when I try get into pdm via the browser.It just comes up witht he pretty cisco picture saying PDM manager is loading...Please wait...

This is so frustrating.Please see the config and show version below

NLONL02FIREWALL# sho run

: Saved

PIX Version 6.3(1)

interface ethernet0 auto shutdown

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password Be5nymj6ciY8kJol encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname NLONL02FIREWALL

domain-name lon.flitech.net

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

pager lines 24

mtu outside 1500

mtu inside 1500

no ip address outside

ip address inside 10.98.7.250 255.255.248.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

pdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 10.98.7.2 255.255.255.255 inside

http 10.98.0.0 255.255.248.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

username thgilf password D467B2.MngTyAEZY encrypted privilege 2

terminal width 80

Cryptochecksum:384e1453437cfe00e9f28ab416c4c44b

: end

NLONL02FIREWALL# sho version

Cisco PIX Firewall Version 6.3(1)

Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 19-Mar-03 11:49 by morlee

NLONL02FIREWALL up 46 secs

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : Crypto5823 (revision 0x1)

0: ethernet0: address is 000e.833e.ee8b, irq 10

1: ethernet1: address is 000e.833e.ee8c, irq 11

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES-AES: Disabled

Maximum Interfaces: 6

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 806263072 (0x300e9920)

Running Activation Key: 0xed6cddef 0x4c4d4350 0xa3e2a0d9 0x4145f7ad

Configuration last modified by enable_15 at 00:00:10.920 UTC Fri Jan 1 1993

NLONL02FIREWALL#

Thanks for all you help

Re: Pix 515e unrestricted

ward — Mon, 19 Jan 2004 17:23:48 GMT

Can anybody help with this?

Re: Pix 515e unrestricted

l.mourits — Mon, 19 Jan 2004 20:40:14 GMT

Ward,

First I want to state that next time when you post your config, it would be better to remove the passwords..., allthough they are encrypted, the encryption is weak, and there are tools available to break them..... (but don´t worry, normally the moderators of this forum will edit your meaasge soon)

This said I have a few questions for you?

Have you tried just entering the enable password with no username (on the username/password box which is prompted)?

If not, please do so. This will give you access to PDM. There is no need to configure a username and password first.

Bytheway, I think you need to configure pdm location as well for the PC where you want to connect from.

If you want to use usernames and passwords to give different users different privilige levels (which I think you want, assuming this while looking at parts of your config), then you need a lot more config like setting the privilige levels, setting what to authenticate and what not, and stuff like that.

But first try it the easy way, let´s start simple, just enter the enable password you configured as the password on the prompt (and nu username) when connecting to PDM. This will get you in 🙂

You will get privilige level 15 (which is the highest privilige level) when connecting with the enable password.

Hope this helps,

Leo

Re: Pix 515e unrestricted

ward — Tue, 20 Jan 2004 12:20:27 GMT

Hi leo

I appreciate your help on this.

Thanks for the tip on the passwords.

I was so stuck in my fault that I forgot to do that.

I have followed your steps as you said.

I type in the https://10.98.7.250/pdm.html

It then prompts me about the certificate.

All of them are ticked except for one and it says

"The name on the security is invalid or does not

match the name of the site"

I then click on proceed and it comes up with the

loading PDM manager please wait.....

It just sits on that page and does nothing further.

What do I need to do next?

Kind regards

Re: Pix 515e unrestricted

l.mourits — Tue, 20 Jan 2004 14:51:56 GMT

Ward,

In that case it looks to me as you need to regenerate the public/private key.

Please execute the following commands:

ca zero rsa

ca gen rsa key 512

ca save all

After this please try again, but I'm pretty sure this will help you out.

kind regards,

Leo

Re: Pix 515e unrestricted

ward — Tue, 20 Jan 2004 15:34:43 GMT

Leo,

Thanks again.

I have done the commands as you requested.

I then attempted to login again by typing

https://10.98.7.250/pdm.html

I then get prompted again with the security certificate message.It says that the date is valid etc but it still says the name on the security certificate is invalid or does not match the name of the site.

At the top of the popup it says Information you exchange with this site cannot be viewed or changed by others.however there is a problem with the site's security certificate.

So I am still getting this message.

It does however come up with the pretty cisco picture again saying loading PIX PDM manager...please wait...

You got any further ideas?

Thanks again

Ward

Re: Pix 515e unrestricted

davisdev — Wed, 21 Jan 2004 00:57:33 GMT

Hi all.

May this sounds obvious but, have you already put the address of your pix as a trusted site in the Internet Explorer (i.e. https://10.98.7.250), this problem happened to me and I only needed to put te address of the pix as a trusted site and it works immedatly.

Hope this helps.

David

Re: Pix 515e unrestricted

l.mourits — Wed, 21 Jan 2004 15:24:13 GMT

Ward,

First of all, the first pop-up does indeed consists of a messgae indicating that the date is valid, but the name of the site is invalid. This is normal and can be ignored by just accepting.

So, after this you are getting the username/password prompt and when entering just the enable secret you get the message loading PDM.

This indicates that your http server is up, you have http access, you have pdm location configured and that the password entered is valid.

What happens next is what it says, that PDM is loading...., at least, it should be :-S

Normally, the first time you enter PDM, you would get a prompt asking if you want to run and install PDM from Cisco. Did you ever get this message? If so, did you clicked yes then?

Is the box ever upgraded?

Could you enter a "show version" and post output, cause it starts to look like the PDM fiel is missing or something like that.

Maybe we can see something there....

Kind regards,

Leo

Re: Pix 515e unrestricted

ward — Sun, 25 Jan 2004 13:01:50 GMT

Hi Leo

Please see below the show version output.

Please note that I havew done everything that is in all the conversations.Do you think i might need to upgrade my PDM.This is a brand new pix firewall and has never been upgraded.

NLONL02FIREWALL# sho version

Cisco PIX Firewall Version 6.3(1)

Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 19-Mar-03 11:49 by morlee

NLONL02FIREWALL up 46 secs

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : Crypto5823 (revision 0x1)

0: ethernet0: address is 000e.833e.ee8b, irq 10

1: ethernet1: address is 000e.833e.ee8c, irq 11

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES-AES: Disabled

Maximum Interfaces: 6

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

<--- More --->

Throughput: Unlimited

IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 806263072 (0x300e9920)

Running Activation Key: 0xed6cddef 0x4c4d4350 0xa3e2a0d9 0x4145f7ad

Configuration last modified by enable_15 at 00:00:10.920 UTC Fri Jan 1 1993

NLONL02FIREWALL#

Re: Pix 515e unrestricted

l.mourits — Mon, 09 Feb 2004 21:49:10 GMT

Sorry for the late reply, but I´ve been a few days of because I´ve become father of a lovely daughter, so I was taken care of mother and child :-))

Ehm, something bothers me from your last reply....

I always thought you had an allready up and running PIX and allready had access to it via PDM, then changed the outside IP-address after which PDM connection failed.

From your last messsage I understand that this is a new out-of-the-box PIX and that configured an IP-address on the outside interface and try to access the PDM via the outside interface. Is this correct?

If so then I´m sorry that I put you on the wrong track all the messages before this one.

If you want to have access to PDM on the outside interface there has to be some crypto-map configud and you have to have a VPN client on your system, caus you can not connect to PDM via the outside without the use of an IPSec tunnel.

You can only connect to PDM without using an IPSec tunnel if you are connecting via the inside IP-address.

If you have a new PIX and you defenitely want to connect via the outside interface to PDM you need to install VPN client on your PC and configure a crypto-map. If this is the case you should read the following sample config (and adapt it to your case):

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094497.shtml

Hope this helps,

Leo