Configuring Cisco PIX

anujseth1.con
Level 1

Hi

I am trying to configure a Cisco PIX firewall, but I am not sure if the firewall is faulty or I am missing something. I started with the interface configs and I am not able to give an IP to the interface.

pixfirewall(config)# int ethernet 1

pixfirewall(config-if)# int ethernet 1.100

pixfirewall(config-subif)# ip add

pixfirewall(config-subif)# ip address 193.168.1.1 255.255.255.252

pixfirewall(config-subif)# no shut

pixfirewall(config-subif)#

pixfirewall#sh int ip brief

Interface                  IP-Address      OK? Method Status                Protocol

Ethernet0                  unassigned      YES unset  administratively down down

Ethernet1                  unassigned      YES unset  up                    up

Ethernet1.100              unassigned      YES manual up                    up

Ethernet2                  unassigned      YES unset  up                    up

Ethernet3                  unassigned      YES unset  administratively down down

Ethernet4                  unassigned      YES unset  administratively down down

Ethernet5                  unassigned      YES unset  administratively down down

pixfirewall# ping 193.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 193.168.1.1, timeout is 2 seconds:

No route to host 193.168.1.1

Success rate is 0 percent (0/1)

pixfirewall#

pixfirewall# sh version

Cisco PIX Security Appliance Software Version 8.0(3)

Device Manager Version 6.0(3)

Compiled on Tue 06-Nov-07 19:50 by builders

System image file is "flash:/pix803.bin"

Config file at boot was "startup-config"

pixfirewall up 4 mins 55 secs

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)

0: Ext: Ethernet0           : address is 000f.908f.270d, irq 10

1: Ext: Ethernet1           : address is 000f.908f.270e, irq 11

2: Ext: Ethernet2           : address is 000d.88ee.29e0, irq 11

3: Ext: Ethernet3           : address is 000d.88ee.29e1, irq 10

4: Ext: Ethernet4           : address is 000d.88ee.29e2, irq 9

5: Ext: Ethernet5           : address is 000d.88ee.29e3, irq 5

Licensed features for this platform:

Maximum Physical Interfaces  : 6

Maximum VLANs                : 25

Inside Hosts                 : Unlimited

Failover                     : Active/Standby

VPN-DES                      : Enabled

VPN-3DES-AES                 : Enabled

Cut-through Proxy            : Enabled

Guards                       : Enabled

URL Filtering                : Enabled

Security Contexts            : 2

GTP/GPRS                     : Disabled

VPN Peers                    : Unlimited

This platform has a Failover Only-Active/Standby (FO) license.

Serial Number: 808142152

Running Activation Key: 0x931f63f8 0x72785e79 0xe49e5936 0x976cda7c

Configuration last modified by enable_15 at 16:25:54.924 UTC Fri Sep 14

5 Replies

varrao
Level 10

Hi Anuj,

You would need to assign the nameif to the interface as well:

pixfirewall(config)# int ethernet 1

pixfirewall(config-if)# no shut

pixfirewall(config-if)# int ethernet 1.100

pixfirewall(config-subif)# ip add

pixfirewall(config-subif)# ip address 193.168.1.1 255.255.255.252

pixfirewall(config-subif)#nameif inside (just an example for name)

pixfirewall(config-subif)# no shut

Hope that helps,

Thanks,
Varun Rao
Security Team,
Cisco TAC


I just want to assign the IP addresses to the interfaces, preferably without subinterfaces.

I tried giving the names as well, but it is still not showing the IP address.

pixfirewall(config-if)# int Ethernet1.100

pixfirewall(config-subif)# name

pixfirewall(config-subif)# nameif inside

ERROR: VLAN must be configured for interface Ethernet1.100

pixfirewall(config-subif)# vl

pixfirewall(config-subif)# vlan 100

pixfirewall(config-subif)# ip add 193.168.1.1 255.255.255.252

pixfirewall(config-subif)# no shut

pixfirewall(config-subif)#

pixfirewall#sh int ip brief

Interface                  IP-Address      OK? Method Status                Protocol

Ethernet0                  unassigned      YES unset  administratively down down

Ethernet1                  unassigned      YES unset  up                    up

Ethernet1.100              unassigned      YES manual up                    up

Ethernet2                  unassigned      YES manual up                    up

Ethernet3                  unassigned      YES unset  administratively down down

Ethernet4                  unassigned      YES unset  administratively down down

Ethernet5                  unassigned      YES unset  administratively down down

pixfirewall# cond t

                ^

ERROR: % Invalid input detected at '^' marker.

pixfirewall# conf t

pixfirewall(config)# int Ethernet2

pixfirewall(config-if)# nameif

pixfirewall(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

pixfirewall(config-if)#

pixfirewall(config-if)# ip add

pixfirewall(config-if)# ip address 193.168.1.6 255.255.255.252

pixfirewall(config-if)# no shut

pixfirewall(config-if)#

pixfirewall#sh int ip brief

Interface                  IP-Address      OK? Method Status                Protocol

Ethernet0                  unassigned      YES unset  administratively down down

Ethernet1                  unassigned      YES unset  up                    up

Ethernet1.100              unassigned      YES manual up                    up

Ethernet2                  unassigned      YES manual up                    up

Ethernet3                  unassigned      YES unset  administratively down down

Ethernet4                  unassigned      YES unset  administratively down down

Ethernet5                  unassigned      YES unset  administratively down down

pixfirewall#

Hi Anuj,

Try changing the firewall mode to routed mode so that you can assign IP addresses to the interfaces directly. I hope it is in transparent mode, so it asks for the VLANs to be configured for the IP assignments.

Please check and revert back.

Please do rate if the given information helps.

By

Karthik

To avoid the message "ERROR: VLAN must be configured for interface Ethernet1.100", try configuring the VLAN first:

pixfirewall(config-if)# int Ethernet1.100

pixfirewall(config-subif)# vlan 100

...

It works on GNS3, so it's easy to solve.

Jennifer Halim
Cisco Employee

Hi Anuj,

The reason why you can't configure anything on the PIX is because that particular PIX has "Failover Only-Active/Standby (FO) license", meaning you can't configure it as a standalone PIX.

This PIX needs to be part of an Active/Standby failover PIX pair, and the configuration needs to be synchronised from the Active Primary PIX to this PIX.

Hope that answers your question why it's not configurable.
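
A check built on the answer above, as an added example that is not part of the original thread: it reads the `show version` and `show interface ip brief` text quoted here (trimmed into a constructed sample) and reports a Failover Only license together with the interfaces whose address did not take. The function names, and the reading of Method `manual` with IP-Address `unassigned` as "address entered but not applied", are assumptions of this example.

```python
import re

# Constructed sample, trimmed from the outputs quoted in this thread.
SHOW_VERSION = """\
Cisco PIX Security Appliance Software Version 8.0(3)
Failover                     : Active/Standby
This platform has a Failover Only-Active/Standby (FO) license.
"""

SHOW_INT_IP_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  unassigned      YES unset  administratively down down
Ethernet1                  unassigned      YES unset  up                    up
Ethernet1.100              unassigned      YES manual up                    up
Ethernet2                  unassigned      YES manual up                    up
"""

LICENSE_RE = re.compile(r"This platform has an? (.+?) license\.")
# Columns: interface, address, OK?, method, status (may contain spaces), protocol.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(YES|NO)\s+(\S+)\s+(.+?)\s+(\S+)\s*$")

def license_type(show_version):
    """Return the license name from the 'This platform has ...' line, or None."""
    m = LICENSE_RE.search(show_version)
    return m.group(1) if m else None

def unapplied_addresses(ip_brief):
    """Interfaces with Method 'manual' but IP-Address still 'unassigned' (assumed meaning)."""
    hits = []
    for line in ip_brief.splitlines():
        m = ROW_RE.match(line)  # the header row fails the YES|NO column and is skipped
        if m and m.group(4) == "manual" and m.group(2) == "unassigned":
            hits.append(m.group(1))
    return hits

def diagnose(show_version, ip_brief):
    lic = license_type(show_version)
    stuck = unapplied_addresses(ip_brief)
    if lic and "(FO)" in lic:
        return f"failover-only license ({lic}); unapplied: {', '.join(stuck) or 'none'}"
    if stuck:
        return f"addresses not applied on {', '.join(stuck)}; license is not failover-only"
    return "no issue found"

if __name__ == "__main__":
    print(diagnose(SHOW_VERSION, SHOW_INT_IP_BRIEF))
```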
