Brand New PIX 515E issue

cboren
Level 1

I've received a few new PIX 515E security appliances and I'm having layer 2 issues on all that I've tested. I installed a small 5 port switch on the inside and cannot ping anything from the console. I have a computer on the switch and it's able to ping other devices on the switch but not the PIX.

What I find odd is that when I try to ping the inside interface on the PIX from one of the inside computers, the PIX shows the MAC address of the inside computer in the arp table.

My goal is to upgrade the PIXs to ver7.0 but I can't do that until I can resolve this issue.

Here is some of the info from one of the PIXs.

#sh ver

Cisco PIX Firewall Version 6.3(4)

Cisco PIX Device Manager Version 3.0(2)

Compiled on Fri 02-Jul-04 00:07 by morlee

pixfirewall up 29 mins 33 secs

Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)

0: ethernet0: address is 0015.625a.f7da, irq 10

1: ethernet1: address is 0015.625a.f7db, irq 11

2: ethernet2: address is 000d.8810.902c, irq 11

3: ethernet3: address is 000d.8810.902d, irq 10

4: ethernet4: address is 000d.8810.902e, irq 9

5: ethernet5: address is 000d.8810.902f, irq 5

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES-AES: Disabled

Maximum Physical Interfaces: 6

Maximum Interfaces: 10

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

This PIX has a Failover Only (FO) license.

#sh run

interface ethernet1 100full

nameif ethernet1 inside security100

hostname pixfirewall

domain-name testlan

access-list acl_out permit icmp any any

no ip address outside

ip address inside 192.168.1.222 255.255.255.0

no failover ip address outside

no failover ip address inside

#sh int e1

interface ethernet1 "inside" is up, line protocol is up

Hardware is i82559 ethernet, address is 0015.625a.f7db

IP address 192.168.1.222, subnet mask 255.255.255.0

MTU 1500 bytes, BW 100000 Kbit full duplex

Accepted Solution

Hi M8,

Your firewall has an FO license, you need to make this unit active to be able to see it.

Run the command:

failover active

With this command, the unit turns into the "Active" state from a failover perspective. It will work after that.

Cheers.

Salem.

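The accepted answer is the one check most people skip when a new box will not answer on a directly connected segment: the license. A unit sold as a Failover Only (FO) spare is meant to sit in standby next to a primary, so "interface up, line protocol up, nothing answers" is the expected state until it is made active. The script below is an added example, not code from the original post or from Cisco: it parses the `show version` text pasted in the thread (trimmed to the relevant lines) and flags the FO license before anyone starts swapping cables. `check_license`, `parse_features` and `license_type` are helper names chosen here, not PIX commands.

```python
"""Preflight check on a PIX 6.x 'show version' dump: flag a Failover Only
(FO) license before blaming layer 2.

Added example, not from the original post or from Cisco. SHOW_VERSION is the
output pasted in the thread, trimmed to the relevant lines; check_license()
is a helper name chosen here, not a PIX command.
"""
import re

SHOW_VERSION = """\
Cisco PIX Firewall Version 6.3(4)
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
This PIX has a Failover Only (FO) license.
"""


def parse_features(text):
    """Return the 'Licensed Features:' block as {feature: value}."""
    feats, in_block = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Licensed Features"):
            in_block = True
            continue
        if not in_block:
            continue
        # Lines in the block look like 'VPN-3DES-AES: Disabled'.
        m = re.match(r"([\w\s/-]+?):\s*(.+)$", line)
        if m:
            feats[m.group(1).strip()] = m.group(2).strip()
    return feats


def license_type(text):
    """'Failover Only (FO)', 'Unrestricted (UR)', ... or 'Unknown'."""
    m = re.search(r"This PIX has an?\s+(.+?)\s+license", text)
    return m.group(1) if m else "Unknown"


def check_license(text):
    """Return (expect_traffic, findings).

    expect_traffic is False for an FO unit: it will not answer on its
    interfaces until it is the active unit of a failover pair. For a bench
    test the accepted answer's `failover active` forces that state."""
    feats = parse_features(text)
    lic = license_type(text)
    findings = []
    fo = "(FO)" in lic or lic.lower().startswith("failover only")
    if fo:
        findings.append(
            f"license is {lic}: standby unit; run `failover active` or pair it "
            "with a primary before expecting it to answer on any interface")
    if feats.get("VPN-3DES-AES", "").lower() == "disabled":
        # Security note from the same dump: only single DES is licensed for
        # IPsec/IKE, which matters once the box is put in front of anything.
        findings.append("VPN-3DES-AES disabled: only single DES is licensed for IPsec/IKE")
    return (not fo), findings


if __name__ == "__main__":
    ok, found = check_license(SHOW_VERSION)
    print("expect traffic:", ok)
    for f in found:
        print(" -", f)
```

Run it against a `show version` capture from a serial session before wiring a new unit in; a `False` verdict means the ping test in the original post cannot succeed no matter how the inside interface or switch port is configured.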

5 Replies

aduerr
Level 1

You'll have to allow it.

icmp permit 192.168.1.0 255.255.255.0 echo inside

icmp permit 192.168.1.0 255.255.255.0 echo-reply inside

Be careful with your acl_out:

1) I would recommend renaming it to inside_in

2) Did you use access-group on the inside interface?

3) Be sure to allow more traffic than ICMP in your acl_out, because everything else will be automatically denied (implicit deny).

HTH
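The reply above makes two points worth checking mechanically on any PIX 6.x config: an `access-list` does nothing for traffic filtering until `access-group` binds it to an interface, and once it is bound, everything it does not explicitly permit hits the implicit deny. The `icmp` command is a separate control for ICMP that terminates at the firewall's own interfaces, and with no ICMP control list configured the interface accepts all ICMP, so permit-only `icmp` entries do not change behaviour. The script below is an added example, not code from the reply or from Cisco: it audits the `show run` fragment from the original post and a constructed variant with the suggested lines applied. `audit_acls` and `parse` are helper names chosen here.

```python
"""Audit access-list / access-group / icmp lines of a PIX 6.x 'show run'
for the traps raised in the reply above.

Added example, not from the original post or from Cisco. OP_CONFIG is the
fragment the original poster pasted; APPLIED_CONFIG is a constructed variant
with the reply's suggestions applied literally. audit_acls() is a helper
name chosen here.
"""
from collections import defaultdict

OP_CONFIG = """\
interface ethernet1 100full
nameif ethernet1 inside security100
access-list acl_out permit icmp any any
ip address inside 192.168.1.222 255.255.255.0
"""

# Constructed: the same box after binding the ACL and adding the icmp lines.
APPLIED_CONFIG = OP_CONFIG + """\
access-group acl_out in interface inside
icmp permit 192.168.1.0 255.255.255.0 echo inside
icmp permit 192.168.1.0 255.255.255.0 echo-reply inside
"""


def parse(text):
    acls = defaultdict(list)   # acl name -> [(action, protocol, rest)]
    groups = {}                # acl name -> (direction, interface)
    icmp = defaultdict(list)   # interface -> [(action, icmp type)]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            name, action, *rest = line.split()[1:]
            if action == "remark" or not rest:
                continue
            acls[name].append((action, rest[0], " ".join(rest[1:])))
        elif line.startswith("access-group "):
            # access-group <acl> in interface <ifname>
            _, name, direction, _, iface = line.split()
            groups[name] = (direction, iface)
        elif line.startswith("icmp "):
            # icmp {permit|deny} <addr> <mask> [type] <ifname>
            parts = line.split()
            itype = parts[4] if len(parts) == 6 else "any"
            icmp[parts[-1]].append((parts[1], itype))
    return acls, groups, icmp


def audit_acls(text):
    """Return a list of human-readable findings, empty if nothing to flag."""
    acls, groups, icmp = parse(text)
    findings = []
    for name, entries in acls.items():
        if name not in groups:
            findings.append(
                f"{name}: defined but not bound with access-group, so it filters nothing")
            continue
        direction, iface = groups[name]
        permits = sorted({proto for action, proto, _ in entries if action == "permit"})
        wide_open = any(a == "permit" and p == "ip" and r == "any any"
                        for a, p, r in entries)
        if not wide_open:
            findings.append(
                f"{name} ({direction} on {iface}): permits only {', '.join(permits)}; "
                "all other traffic hits the implicit deny")
    for iface, rules in icmp.items():
        if all(action == "permit" for action, _ in rules):
            findings.append(
                f"icmp on {iface}: permits without a deny; unmatched ICMP to the "
                "interface is accepted by default, so these entries change nothing")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", OP_CONFIG), ("applied", APPLIED_CONFIG)):
        print(label)
        for f in audit_acls(cfg):
            print(" -", f)
```

On the original config the only finding is that `acl_out` is never bound, which is why removing it, as the poster did next, changed nothing. On the applied variant the audit reports the implicit deny for everything but ICMP and the redundant `icmp permit` entries; neither explains the symptom, which is what the accepted answer resolves.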

Ok, I removed my access-list and access-group from the config. Added the "icmp permit" statements and I still can't ping. I've tried changing the interface from 10BaseT to 100BaseT to 100Full. I can see that the interface is changing by the lights on the switch but none of the devices can ping the firewall. Also I can't ping anything that I add to the switch. Yet, all the devices can ping each other and are communicating.

Ok, let's start with the basics:

1. The subnets are all the same, correct?

2. The switch is not MAC filtering?

3. The switch is all on the same VLAN?

4. If you ping from the firewall to a machine, do you see the MAC address in the ARP table?

5. Is it the right port with the right access-list, and the right port on the switch?

6. If all else fails, set up a capture:

access-list cap1 permit icmp any any

capture cap1 access-list cap1 interface inside

sh cap cap1

You should be able to ping the gateway on the network that the machine connects to, but to my knowledge not through it to another interface on the PIX, but I may be wrong.

Hope this helps


Hello Salem,

Thanks a bunch. I thought I had typed that command in the box already. I tried it again and the PIX is working now. I can ping out of the PIX and at the PIX.

Thanks for the help.

Chris
