topic Re: PIX 515e basic config in Network Security

PIX 515e basic config

ribin.jones — Mon, 11 Mar 2019 18:54:40 GMT

Hi,

I got a PIX and here is the config:

sh run

PIX Version 8.0(3)

hostname pixfirewall

enable password 8Ry2YjIyt7RRXU24 encrypted

names

interface Ethernet0

shutdown

nameif Outside

security-level 0

no ip address

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.51 255.255.255.0

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

pager lines 24

mtu Outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

Cryptochecksum:6ba6ce7d4cbacfeafbc90a2ed9b0d923

: end

My LAN is 192.168.1.0/24 and I gave the PIX IP as 192.168.1.51. My machine IP is 192.168.1.64 and 192.168.1.1 is the vlan IP of our Layer 3 switch. i am not able to ping 192.168.1.1 from the PIX. What could be the issue?

- Ribin

Re: PIX 515e basic config

Dan-Ciprian Cicioiu — Fri, 15 Oct 2010 13:59:42 GMT

could you try :

icmp permit any echo-reply inside

icmp permit any echo inside

policy-map gloval_policy
class class-default
inspect icmp

HTH

Dan

Re: PIX 515e basic config

ribin.jones — Fri, 15 Oct 2010 14:01:43 GMT

No luck with those commands.

- Ribin

Re: PIX 515e basic config

Dan-Ciprian Cicioiu — Fri, 15 Oct 2010 14:23:12 GMT

Could you enable logging and see what messages do you receive :

logging buffered 7

ping

then show logg

Dan

Re: PIX 515e basic config

ribin.jones — Fri, 15 Oct 2010 14:27:08 GMT

Nothing happens.

- Ribin

Re: PIX 515e basic config

sinv — Fri, 15 Oct 2010 14:38:26 GMT

Hi,

Is this the full configuration that you have pasted ? Have you configured any access lists on the PIX ?

As per your description the switch seems to be the next hop on the PIX.

Check the default gateway on the switch.

Do a "debug icmp trace" on the PIX to see if the packets are even reaching the firewall.

Another way to check if the pings are even reaching the firewall is by putting captures.

Check the steps document to see if it helps you isolate the issue

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009402f.shtml

Regards,

Sindhuja

Re: PIX 515e basic config

ribin.jones — Fri, 15 Oct 2010 14:42:00 GMT

Yes Sindhuja, this is the full config I have pasted here. I have not added any acl on the PIX.

What do you meant by "Check the default gateway on the switch." ? I have other devices in the network with gw as 192.168.1.1 which works fine. I think I am missing some basic thing in the PIX initial configuration.

- Ribin

Re: PIX 515e basic config

sinv — Fri, 15 Oct 2010 14:52:37 GMT

Hi,

When I meant default gateway on the switch I meant to see if the traffic is being routed back to the PIX.

Lets just revisit your topology real quick here

host ----- --------------switch ------------------(192.168.1.51) PIX

(192.168.1.64) (192.168.1.1)

Please correct me if this is wrong.

I understand you are unable to ping the 192.168.1.1 ip address.

The only issue on the pix that could be causing this is that the pix is dropping incoming icmp and this can be done by access lists.

Since that option has been eliminated let us look at it from the routing point of view.

1. Are you able to ping from 192.168.1.64 to 192.168.1.51 and vice versa ?

2. What is the output of the debug icmp trace on the firewall when you try to ping 192.168.1.1?

3. Also check that when you do a show route on the PIX you are able to see a directly connected route to the 192.168.1.0 subnet.

Regards,

Sindhuja

Re: PIX 515e basic config

sinv — Fri, 15 Oct 2010 14:58:09 GMT

Hi Ribin,

Also check for any interface access lists on the L3 switch for dropping ICMP

Regards,

Sindhuja

Re: PIX 515e basic config

ribin.jones — Fri, 15 Oct 2010 15:03:34 GMT

Hi,

The topology is right.

My issue is not with the icmp alone. I am unable to make any kind of communication to or from the PIX. I think we can leave out the Layer 3 concept here (since the PC and the PIX sits in the same network). There is no acl in the L3 to block icmp.

1. Are you able to ping from 192.168.1.64 to 192.168.1.51 and vice versa ?

- No

2. What is the output of the debug icmp trace on the firewall when you try to ping 192.168.1.1?

pixfirewall(config)# debug icmp trace
debug icmp trace enabled at level 1
pixfirewall(config)#
pixfirewall# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

3. Also check that when you do a show route on the PIX you are able to see a directly connected route to the 192.168.1.0 subnet.

pixfirewall# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.1.0 255.255.255.0 is directly connected, inside

Re: PIX 515e basic config

sinv — Fri, 15 Oct 2010 15:07:56 GMT

Hi Ribin,

Check your physical connectivity. Change the interface that your have connected to on the pix.

Regards,

Sindhuja

Re: PIX 515e basic config

ribin.jones — Fri, 15 Oct 2010 15:13:39 GMT

No luck. My config oncemore:

sh run

: Saved

PIX Version 8.0(3)

hostname pixfirewall

enable password 8Ry2YjIyt7RRXU24 encrypted

names

interface Ethernet0

shutdown

nameif Outside

security-level 0

no ip address

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.51 255.255.255.0

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

pager lines 24

logging buffered debugging

mtu Outside 1500

mtu inside 1500

<--- More --->

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo-reply inside

icmp permit any echo inside

no asdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

username ribin password 4PKgAdpUwCY7ZdMA encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

<--- More --->

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map gloval_policy

class class-default

inspect icmp

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

<--- More --->

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:6ba6ce7d4cbacfeafbc90a2ed9b0d923

: end

- Ribin

Re: PIX 515e basic config

sinv — Fri, 15 Oct 2010 15:19:17 GMT

Ok ... Lets try capturing the traffic.

access-list capin permit icmp host 192.168.1.51 host 192.168.1.1

access-list capin permit icmp host 192.168.1.1 host 192.168.1.51

capture capin interface inside access-list capin.

Then initiate the ping.

Then check the output of 'show cap capin'

Since we are not able to ping even directly connected hosts I am suspecting an issue with the connectivity.

Regards,

Sindhuja

Re: PIX 515e basic config

ribin.jones — Fri, 15 Oct 2010 15:26:28 GMT

Hmm..It is zero packet captured.

pixfirewall# sh capture capin
0 packet captured
0 packet shown

What could be the issue with the connectivity? Just now I connected a laptop (with IP 192.168.1.90) directly to the pix using a straight cable and even these can't ping each other.

- Ribin

Re: PIX 515e basic config

ribin.jones — Fri, 15 Oct 2010 16:13:12 GMT

Just now noticed that the PIX doesn't even give reply to self ping.

- Ribin

Re: PIX 515e basic config

Rudresh Veerappaji — Fri, 15 Oct 2010 16:19:48 GMT

Hi Ribin,

From one of the previous messages from, you mentioned we saw the following route present on the PIX:

C 192.168.1.0 255.255.255.0 is directly connected, inside

This means to say that the interface inside is up, physical and layer 2 connectivity should be good. So i think the config on the PIX is fine.

The next place to look at is, the config at the switch. Can you please make sure the PIX interface and the port to which the PC connects to are in the same VLAN... Because the issue we are facing seems to be caused at the switch.

So please issue the command "sh vlan" on the switch and verify that the 2 ports (connecting the PIX and the PC) are in the same vlan.

But it is surprising though that it does not work even with a pc connected directly to PIX. Please do this test: When you connect the PC to the PIX directly, issue the command show route on the PIX and make sure you see one connected route for 192.168.1.0 and that you see a solid Green light at the PIX interface connected to the ASA, and perform a ping. Also issue the command "sh interface" on the PIX and paste the output here.

Let me know if this works,

Cheers,

Rudresh V

Re: PIX 515e basic config

Rudresh Veerappaji — Fri, 15 Oct 2010 16:22:00 GMT

Hi Ribin,

Do you see a Solid Green light or an Amber light on the interface at the PIX when you connect a PC direclty or the switch ?

Cheers,

Rudresh V

Re: PIX 515e basic config

ribin.jones — Fri, 15 Oct 2010 16:34:34 GMT

I see one connected route for 192.168.1.0 and I see a solid Green light at the PIX interface when connecting the PIX directly to the PC.

PIX# sh interface

Interface Ethernet0 "", is administratively down, line protocol is down

Hardware is i82559, BW 100 Mbps, DLY 100 usec

Auto-Duplex, Auto-Speed

Available but not configured via nameif

MAC address 0013.7fdd.2671, MTU not set

IP address unassigned

7 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max packets): hardware (0/0) software (0/0)

output queue (curr/max packets): hardware (1/0) software (0/0)

Interface Ethernet1 "inside", is up, line protocol is up

Hardware is i82559, BW 100 Mbps, DLY 100 usec

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

MAC address 0013.7fdd.2672, MTU 1500

IP address unassigned

1160 packets input, 97593 bytes, 0 no buffer

Received 1159 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

<--- More --->

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max packets): hardware (0/1) software (0/2)

output queue (curr/max packets): hardware (0/0) software (0/0)

Traffic Statistics for "inside":

1145 packets input, 80375 bytes

0 packets output, 0 bytes

371 packets dropped

1 minute input rate 0 pkts/sec, 43 bytes/sec

1 minute output rate 0 pkts/sec, 0 bytes/sec

1 minute drop rate, 0 pkts/sec

5 minute input rate 0 pkts/sec, 73 bytes/sec

5 minute output rate 0 pkts/sec, 0 bytes/sec

5 minute drop rate, 0 pkts/sec

PIX#

Any idea why there is no self ping for the PIX?

- Ribin

Re: PIX 515e basic config

Rudresh Veerappaji — Fri, 15 Oct 2010 16:56:09 GMT

Hi Ribin,

From the show interface output you have pasted, i see the following segment:

Interface Ethernet1 "inside", is up, line protocol is up

Hardware is i82559, BW 100 Mbps, DLY 100 usec

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

MAC address 0013.7fdd.2672, MTU 1500

IP address unassigned

....

--So we are seeing ip address un-assigned, can you please confirm if we have assigned the ip address 192.168.1.51 255.255.255.0 to the inside interface (ethenet 1) ? Because the above output is saying ip address is somehow not reflected on the interface. I think this is why we cannot ping the PIX interface itself...

Cheers,

Rudresh V

Re: PIX 515e basic config

ribin.jones — Fri, 15 Oct 2010 17:00:49 GMT

Yes. I confirmed using sh run that we have an IP configured for Ethernet 1 interface.

It shows "Interface Ethernet1 "inside", is up, line protocol is up". How can these be shown "up" if there is no IP address configured.

But as you found out, "IP address unassigned" is something odd.

- Ribin