Cisco PIX 7.0 - Multi-contexts configuration

gaetan.allart
Level 1

Hi everybody,

Last week, I started a placement (Internship) in France and I'm working on the PIX 7.0(4) appliance software.

I understood almost all features and managed to make everything work pretty well, but I can't manage to make contexts work properly with subinterfaces.

Actually, I did exactly what's indicated in the first sample of this page: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008045247c.html

But, even if I only use one subinterface and only one context, I'm unable to communicate between the PIX and a directly connected computer. IP addresses are all right on both sides, nameif are set, so is "icmp permit any inside".

But if I try to send a ping request from/to the PIX, I never manage to get an answer. It seems like the PIX subinterface does not receive anything at all. If I create a capture on this interface, I see outgoing ICMP packets but no reply coming back. On the other hand, when capturing packets on the PC, I see the ARP request from the PIX (Who has 192.168.1.1 ask 192.168.1.254), the PC sends a reply with its MAC address and the PIX never receives it.

Here is what my configuration looks like:

PIX:

- Interface Eth 1

-- Interface Eth 1.4

-- Vlan 4

-- IP address 192.168.1.254 255.255.255.0

-- No shutdown

context admin

- allocate-interface eth 1.4

I did not try to create other contexts because I'd like this one to work first...

Thanks for your help,


gaetan.allart
Level 1

Here is the capture from the PIX when sending a ping request from it to 192.168.1.1 directly connected on ETH1 interface:

1: 10:51:25.704782 802.1Q vlan#4 P0 arp who-has 192.168.1.1 tell 192.168.1.254

2: 10:51:26.793660 802.1Q vlan#4 P0 arp who-has 192.168.1.1 tell 192.168.1.254

3: 10:51:27.794423 802.1Q vlan#4 P0 arp who-has 192.168.1.1 tell 192.168.1.254

4: 10:51:31.794560 802.1Q vlan#4 P0 arp who-has 192.168.1.1 tell 192.168.1.254

5: 10:51:36.793812 802.1Q vlan#4 P0 arp who-has 192.168.1.1 tell 192.168.1.254

6: 10:51:41.794651 802.1Q vlan#4 P0 arp who-has 192.168.1.1 tell 192.168.1.254

What's funny is that I receive these ARP requests on the PC but the PIX does not pay attention to my replies...

This should be easy to get going. Are you able to paste your whole admin and system config for me to see and debug? Thanks

Sure, I'll post all this stuff on Monday, going back to work :)

Thanks for helping ;)

Hi,

Please find enclosed my configuration files for system context and ctx1 context.

Kind regards,

Dude, in your messages above you talk about the 192.168.1.x/24 network, i.e. that is what you are trying to ping.

However in your configs you have attached, your interface is ip address 192.168.0.254 255.255.255.0

Change the ip address and you may find it works.. :)

Of course I did use the correct IP@ to ping. This is just a mistake in my first post...

I don't think the problem comes from this...

info4work
Level 1

I'm having the same issue of not being able to use the subinterfaces. Has this issue been resolved? If so, where can I obtain the configuration in order to use the subinterfaces in multiple context mode?

Hello,

Yes, it's been resolved. The problem was coming from my switch configuration. Actually, you have to configure a trunk link between the switch and the PIX that allows the 2 VLAN IDs. Then you configure each VLAN ID on the other 2 switch interfaces.

I guess I backed up the configuration file. I'll post it there as soon as I get to work.
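
The fix described in the last reply, sketched as an added example (not the poster's backed-up configuration, which is not in the thread). The capture earlier in the thread shows the PIX subinterface sending frames tagged 802.1Q VLAN 4, so the switch port facing it has to be a trunk carrying that tag while the hosts sit on untagged access ports. Switch port names, the `inside` interface name and `<SECOND_VLAN>` are placeholders; only VLAN 4, Ethernet1.4, context `admin` and the 192.168.1.x addresses come from the thread.

```cisco
! Added example. Port names and <SECOND_VLAN> are placeholders, not values
! from the thread (the thread only gives VLAN 4).
!
! --- Switch (Cisco IOS): port facing PIX Ethernet1 is an 802.1Q trunk ---
interface FastEthernet0/1
 description Trunk to PIX Ethernet1
 ! The encapsulation line is only needed on switches that also support ISL
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Carry only the VLANs that have a PIX subinterface
 switchport trunk allowed vlan 4,<SECOND_VLAN>
!
! --- Switch: host ports are untagged access ports, one VLAN each ---
interface FastEthernet0/2
 description PC 192.168.1.1
 switchport mode access
 switchport access vlan 4
!
interface FastEthernet0/3
 description Host in the second VLAN
 switchport mode access
 switchport access vlan <SECOND_VLAN>
!
! --- PIX 7.0, system execution space ---
! The physical interface must be up; the subinterface carries the VLAN tag.
interface Ethernet1
 no shutdown
!
interface Ethernet1.4
 vlan 4
!
! The rest of the context definition (config-url etc.) stays as it is.
context admin
 allocate-interface Ethernet1.4
!
! --- PIX 7.0, inside context admin ---
! In multiple context mode the name and IP address are set in the context.
interface Ethernet1.4
 nameif inside
 ip address 192.168.1.254 255.255.255.0
```

On the switch, `show interfaces trunk` confirms that the PIX-facing port is trunking and that VLAN 4 is in the allowed list.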
