Can not connect to pix 515E :(

unarcher1
Level 1

Hi guys,

I connected the eth1 interface to a hub and my laptop to the hub.

The link LED is flashing green on both interfaces.

I cannot ping the PIX 515E on 192.168.1.1 and do not have a valid IP address on my laptop, despite the PIX being able to give out DHCP addresses.

If I manually set my laptop to 192.168.1.133, I cannot ping the PIX nor access the https://192.168.1.1/startup.html page.

I do not understand the problem, so if somebody can help me :(

(Excuse my poor English)

19 Replies

sachinraja
Level 9

Hi unacher,

Try connecting the PIX through a crossover cable from your laptop and see if you are able to ping the inside interface of the PIX. Post the config of your PIX if possible.

To allow PDM, you need to allow HTTP access to the PIX. Just add these commands:

http server enable

http inside 192.168.1.133

This should enable PDM on your PIX. Try this and let us know.

Raj

With a crossover cable I can't ping the inside interface of the PIX,

but I can connect via the console interface, and the PIX can ping itself but cannot ping my laptop.

I will post the config in a few minutes

Did you enable the outside interface for DHCP, and set an IP address on it?

dhcpd enable

If it can help you to show me the problem:

show dhcpd:

dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside

show running config:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxx
passwd xxxx
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no ip address outside
ip address inside 192.168.1.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm logging informational 100
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 intf2
telnet 192.168.1.0 255.255.255.0 intf3
telnet 192.168.1.0 255.255.255.0 intf4
telnet 192.168.1.0 255.255.255.0 intf5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx

You can try enabling debugs on the PIX's inside interface, while pinging it.

Do this:

1. Assign your laptop a static IP (192.168.1.2/24)

2. While having your laptop connected via Ethernet to the PIX inside, connect to the console of the PIX also and enable the following debug.

debug packet inside src 192.168.1.2 dst 192.168.1.1 proto icmp

debug packet inside src 192.168.1.1 dst 192.168.1.2 proto icmp

This debug will look for ICMP packets that are sourced from your laptop to the PIX and from the PIX back to your laptop.

3. Ping the PIX's inside IP from your laptop and catch the debugs.

The debugs will tell you whether the ICMP echoes from your laptop are even making it to the PIX, and if they are, whether the replies are leaving the PIX or not.

I entered the debug packet command you told me

but how can I catch the debugs?

What is the command to see what happened during the ping from my laptop?

Once the debug commands have been entered, the output should appear on the console session.

NOTE: You must be wired with Ethernet to the inside interface (to run the pings) AND have a console session (HyperTerminal) to the PIX. You will enter the debug commands and obtain the output on the HyperTerminal session. The Ethernet connection to the inside interface of the PIX is just to send the pings.

To capture the debugs to a file, you can use hyperterminal's feature to capture the output of the session to a file and then you can read the file.

Question:

What is the interface on the PIX to which you are connecting? Check the port and let me know if it is Ethernet0 or Ethernet1, etc.

Ethernet1, directly with a crossover cable to my computer.

show int:

There are some broadcast packets that are received each time I ping from my computer,

but still no response to ping (despite icmp permit any any), no access to PDM, no DHCP (despite the DHCP server being enabled with the default scope).

Anything from the debugs?

What version of PIX OS are you running?

Turn off any firewalling software on the laptop (if any).

Try pinging the laptop from the PIX.

- PIX Version 6.3(4)

- no firewall on my laptop

- cannot ping the laptop from the PIX, but can ping the inside interface of the PIX from the PIX console

- if I ping the PIX from my laptop, I can see broadcast packets incrementing on eth1 when typing "show int" in the PIX console, but there is no response to the ping in my laptop's DOS console.

pixfirewall(config)# ping 192.168.1.1
192.168.1.1 response received -- 0ms
192.168.1.1 response received -- 0ms
192.168.1.1 response received -- 0ms

pixfirewall(config)# ping 192.168.1.1 2
--------- PACKET ---------
-- IP --
192.168.1.1 ==> 192.168.1.2
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
id = 0x23c7 flags = 0x0 frag off=0x0
ttl = 0xff proto=0x1 chksum = 0x14a6
-- ICMP --
type = 0x8 code = 0x0 checksum=0xf5da
identifier = 0x1124 seq = 0x0
-- DATA --
00000018: 00 01 02 03 04 05 06 07 08 09 0a 0b | ............
00000028: 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b | ................
00000038: 1c 1d 1e 1f 00 | .....
--------- END OF PACKET ---------
192.168.1.2 NO response received -- 1000ms
--------- PACKET ---------
-- IP --
192.168.1.1 ==> 192.168.1.2
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
id = 0x23c8 flags = 0x0 frag off=0x0
ttl = 0xff proto=0x1 chksum = 0x14a5
-- ICMP --
type = 0x8 code = 0x0 checksum=0xf5d9
identifier = 0x1124 seq = 0x1
-- DATA --
00000018: 00 01 02 03 04 05 06 07 08 09 0a 0b | ............
00000028: 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b | ................
00000038: 1c 1d 1e 1f 00 | .....
--------- END OF PACKET ---------
192.168.1.2 NO response received -- 1000ms
--------- PACKET ---------
-- IP --
192.168.1.1 ==> 192.168.1.2
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
id = 0x23c9 flags = 0x0 frag off=0x0
ttl = 0xff proto=0x1 chksum = 0x14a4
-- ICMP --
type = 0x8 code = 0x0 checksum=0xf5d8
identifier = 0x1124 seq = 0x2
-- DATA --
00000018: 00 01 02 03 04 05 06 07 08 09 0a 0b | ............
00000028: 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b | ................
00000038: 1c 1d 1e 1f 00 | .....
--------- END OF PACKET ---------
192.168.1.2 NO response received -- 1000ms
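As an added example (not part of the thread, and not Cisco code), here is a small Python parser for the PIX 6.3 packet dump format shown above: it recomputes the IP and ICMP checksums the PIX printed and tallies echo requests and replies per sender, so the question raised with the debug packet procedure earlier (are the laptop's echoes reaching the PIX, and are replies leaving it) can be read off a captured console log. The sample block is one packet copied from the dump above; the function names are my own.

```python
import re
import struct
from collections import Counter
# Constructed sample: one PACKET block trimmed from the PIX dump quoted in the thread.
SAMPLE = """\
--------- PACKET ---------
-- IP --
192.168.1.1 ==> 192.168.1.2
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
id = 0x23c7 flags = 0x0 frag off=0x0
ttl = 0xff proto=0x1 chksum = 0x14a6
-- ICMP --
type = 0x8 code = 0x0 checksum=0xf5da
identifier = 0x1124 seq = 0x0
-- DATA --
00000018: 00 01 02 03 04 05 06 07 08 09 0a 0b | ............
00000028: 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b | ................
00000038: 1c 1d 1e 1f 00 | .....
--------- END OF PACKET ---------
"""

def rfc1071(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words, then complemented."""
    data += b"\0" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    total = (total & 0xFFFF) + (total >> 16)          # fold the carry once ...
    return ~((total & 0xFFFF) + (total >> 16)) & 0xFFFF  # ... and once more, then complement

def parse_packets(text: str) -> list[dict]:
    """One dict per PACKET block: endpoints, ICMP type/seq, and whether the printed checksums verify."""
    pkts = []
    for blk in re.findall(r"-+ PACKET -+(.*?)-+ END OF PACKET", text, re.S):
        f = {k: int(v, 16) for k, v in re.findall(r"(\w+)\s*=\s*0x([0-9a-f]+)", blk)}
        src, dst = re.search(r"(\S+) ==> (\S+)", blk).groups()
        raw = bytes.fromhex("".join(re.findall(r"^[0-9a-f]{8}: ([0-9a-f ]+)\|", blk, re.M)))
        payload = raw[: f["tlen"] - 4 * f["hlen"] - 8]  # the dump prints one stray byte past tlen
        ip_hdr = struct.pack("!BBHHHBBH4s4s", f["ver"] << 4 | f["hlen"], f["tos"], f["tlen"], f["id"],
                             f["flags"] << 13 | f["off"], f["ttl"], f["proto"], 0,
                             bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        icmp = struct.pack("!BBHHH", f["type"], f["code"], 0, f["identifier"], f["seq"]) + payload
        pkts.append({"src": src, "dst": dst, "type": f["type"], "seq": f["seq"],
                     "ip_ok": rfc1071(ip_hdr) == f["chksum"], "icmp_ok": rfc1071(icmp) == f["checksum"]})
    return pkts

def echo_tally(text: str, pix: str) -> Counter:
    """Count echoes by sender: did the host's requests reach the PIX, did the PIX's replies leave?"""
    tally = Counter()
    for p in parse_packets(text):
        kind = {8: "request", 0: "reply"}.get(p["type"], "other")
        tally[("pix_" if p["src"] == pix else "host_") + kind] += 1
    return tally
```

Run over the full dump above, the tally shows only PIX-sourced requests and nothing from the laptop, which is exactly the "echoes never reach the PIX" case the debug was meant to distinguish.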

Enter the following commands in your PIX:

# Connect the blue cable to the PIX and into your serial port, 9600/N/1
# Enter config mode
enable
conf t
# a.) To allow all ICMP packets from the inside host to the inside interface on the PIX
icmp permit any inside
# b.) To enable just echo-reply from the PIX to the inside host, use this one.
icmp permit any echo-reply inside
# c.) To enable ping and ICMP to a specific inside host
icmp permit host 192.168.1.x echo inside

ICMP and PIX BASICS

******************************************************

First thing to know: without an access-list on the interface, a higher-level interface, e.g. inside, can access all lower-level interfaces such as outside.

Second thing to know: ping is not a stateful protocol. To allow pings from the inside to the outside interface you need to create an access-list. If you want to ping the same interface that you are physically connected to, you need to configure the "icmp" command.

Example:

See: Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

The PIX and the traceroute Command

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

Examples:

Traceroute

Microsoft:

access-group 101 in interface outside
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
access-list 101 permit icmp any host YourPublicIP echo-reply

UNIX:

access-group 101 in interface outside
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded

ICMP command example:

icmp deny any outside
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit host 192.168.1.30 echo inside
icmp permit host 192.168.1.31 echo inside
icmp permit host 192.168.1.20 echo inside
icmp permit host 192.168.1.40 echo inside
icmp permit host 192.168.1.100 echo inside

Sincerely,

Patrick

I think I have found the problem.

When rebooting the PIX, I saw the following message while connected via the console:

========================== NOTICE ========================

This machine is licensed as a secondary failover unit but lacks a connection to a fully-licensed primary PIX.

Please check the failover cable connection to the primary system. This machine will reboot at intervals in its current state.

==========================================================

So I think my boss made a mistake buying a PIX with only a failover license.

Can you confirm this? A standalone failover PIX can't do the job of a PIX?

Can I turn this failover PIX into a fully licensed model by buying a license and upgrading the PIX, or should I buy another one?

Hello unacher,

No, you cannot use a failover PIX alone. You can upgrade it to the PIX R or UR licensed versions, depending on your requirement. You can order either one of the following:

PIX-515-SW-FO-R= PIX 515/515E FO to R Platform License Upgrade

PIX-515-SW-FO-UR= PIX 515/515E FO to UR

HTH

Raj

OK, thanks, so we will purchase one.

Thanks for everything.
