Andy,

Slight typo on my other post:

It should be - https://192.168.1.1/startup.html

Jay

It seems you are not the only one who makes a typo. I meant to type https not http. Thanks for replying, but we have tried that. Any other ideas?

I have enabled logging on the console and if I ping the firewall from the laptop plugged in to the inside port it logs a message saying the UDP packet from the laptop to the firewall is being discarded. Its all very strange as I thought the inside port didn't block anything by default?

Thanks in advance for any insight.

Cheers

Andy

Andy,

Have you got access to the pix via console port, if so, check the config to see if you have the following command:

http server enable

http

If all fails you can configure the firewall via CLI (Command Line Interface) from the console port. To be honest I prefer to use CLI then PDM (encounterd to many issues with PDM).

If you need help on this then let me know and also do you need dhcp on the pix?

Let me know,

Jay

Jay,

Thanks for trying to help. I've pasted a copy of the current config below from the write term command. This may make it easier to see what is currently configured on the Pix.

PIX Version 6.3(3)

interface ethernet0 auto shutdown

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ******** encrypted

passwd ******** encrypted

hostname Test

domain-name test.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

pager lines 24

logging on

logging buffered debugging

mtu outside 1500

mtu inside 1500

no ip address outside

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

pdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.2 255.255.255.255 inside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

And the show ver command:

Cisco PIX Firewall Version 6.3(3)

Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

Test up 9 mins 59 secs

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : Crypto5823 (revision 0x1)

0: ethernet0: address is 000f.8f20.64f9, irq 10

1: ethernet1: address is 000f.8f20.64fa, irq 11

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

Maximum Physical Interfaces: 6

Maximum Interfaces: 10

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

While we don't require DHCP, I mentioned it because the getting started guide says use it. It seems the the inside port receives packets but it never allows packets out again.

Cheers

Andy

Andy,

From the config that you have posted, I don't see DHCP server enabled on the pix? Has this been removed? This is why the pix is not issuing your laptop the default IP address!!

Where is the cable from Ethernet 1 plugged into? a switch/hub? I have just looked at the startup guide for the 515E, step1.

If the DHCP Server command has been removed then you'll need to configure the pix via CLI. But if you are saying that the pix config has not been tempered with then I'm really surprised that the DHCP server is not configured on the pix!!!

Let me know,

Jay

We haven't changed the config at all. This is as new out of the box hence why I am as confused as yourself. We assigned the laptop a static IP address but still no joy. The cable from Ethernet1 is currently a crossover cable and is plugged directly in to the laptop. We have also tried using a standalone hub with only the PIX and the laptop connected. We have tried 2 other laptops and a desktop just in case.

We can access the PIX via the CLI no problem using the console, we just cannot get any IP connection whatsoever.

We have 2 Pix firewalls, both brand new and they both exhibit the same problem. This is actually our 2nd set of boxes as our supplier RMA'd the first two (with exactly this problem strangely enough) as they could not get it to work either. What are the chances of 4 boxes being faulty? Thats why I am now seeking help here as there must some change to the default config that is not mentioned in the documentation that comes with the Pix.

If I do a SHOW DHCPD at the console in CLI, nothing is displayed so I agree that it is not enabled. Very confusing as it is supposed to be. I could set it up, but like I mentioned, I won't want to use it anyway and would only disable it again.

I'm reluctant to start configuring the PIX with all the rules etc that we need using the CLI until I can understand what is wrong here. Why can I not ping the PIX from the laptop or the laptop from the PIX?

Cheers

Andy

Andy,

I am SHOCKED, that this is the 2nd sets of pix's and you are running into the same problem. I have read the documentation on the 515E and it states that you CAN configure the 515 via the start-up guide as you are doing. The only thing that comes to mind is, maybe your supplier has a bad batch of pixes! One idea could be, is to get your supplier to contact Cisco and ask them why you are encountering this problem or if you have a SmartNet contarct with Cisco you can open a TAC case for the pixes.

Apart from this I'm lost for an explanation on your problem, I've not found any bug reports on this problem either.

Sorry Andy, :(

Best to ask Cisco TAC on this problem.

Hope it all works out.

Jay

Andy, are you using windows XP? If yes then turn off the inbuilt firewall and make sure you have the Java component installed. Windows XP does not come prebundled with Java. You can download it from java.com or just install netscape 7 as it comes prebundled with Java.

I hope this helps.

Andy,

Glad to hear that you got this resolved. Suppliers.. eh.. who needs them! The PDM and DHCP is not supplied with secoundary units out of the box as you know now.

Well let us know if you need help with the config etc.

Jay