PIX 515e basic config

ribin.jones

Hi,

I got a PIX and here is the config:

sh run

PIX Version 8.0(3)
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0
 shutdown
 nameif Outside
 security-level 0
 no ip address
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.51 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu Outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:6ba6ce7d4cbacfeafbc90a2ed9b0d923
: end

My LAN is 192.168.1.0/24 and I gave the PIX the IP 192.168.1.51. My machine's IP is 192.168.1.64, and 192.168.1.1 is the VLAN IP of our Layer 3 switch. I am not able to ping 192.168.1.1 from the PIX. What could be the issue?

- Ribin

25 Replies

Hi Ribin,

Do you see a solid green light or an amber light on the interface at the PIX when you connect a PC directly or the switch?

Cheers,

Rudresh V

Hi Ribin,

From one of your previous messages, you mentioned that we saw the following route present on the PIX:

C    192.168.1.0 255.255.255.0 is directly connected, inside

This means that the inside interface is up, and physical and layer 2 connectivity should be good. So I think the config on the PIX is fine.

The next place to look is the config on the switch. Can you please make sure the PIX interface and the port to which the PC connects are in the same VLAN? The issue we are facing seems to be caused at the switch.

So please issue the command "sh vlan" on the switch and verify that the 2 ports (connecting the PIX and the PC) are in the same VLAN.


But it is surprising that it does not work even with a PC connected directly to the PIX. Please do this test: when you connect the PC to the PIX directly, issue the command "show route" on the PIX and make sure you see one connected route for 192.168.1.0 and a solid green light at the PIX interface connected to the ASA, then perform a ping. Also issue the command "sh interface" on the PIX and paste the output here.

Let me know if this works,

Cheers,

Rudresh V

I see one connected route for 192.168.1.0 and I see a solid Green light at the PIX interface when connecting the PIX directly to the PC.

PIX# sh interface
Interface Ethernet0 "", is administratively down, line protocol is down
  Hardware is i82559, BW 100 Mbps, DLY 100 usec
    Auto-Duplex, Auto-Speed
    Available but not configured via nameif
    MAC address 0013.7fdd.2671, MTU not set
    IP address unassigned
    7 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max packets): hardware (0/0) software (0/0)
    output queue (curr/max packets): hardware (1/0) software (0/0)
Interface Ethernet1 "inside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps, DLY 100 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    MAC address 0013.7fdd.2672, MTU 1500
    IP address unassigned
    1160 packets input, 97593 bytes, 0 no buffer
    Received 1159 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max packets): hardware (0/1) software (0/2)
    output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "inside":
    1145 packets input, 80375 bytes
    0 packets output, 0 bytes
    371 packets dropped
      1 minute input rate 0 pkts/sec,  43 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  73 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
PIX#

Any idea why there is no self ping for the PIX?

- Ribin

Hi Ribin,

From the show interface output you have pasted, I see the following segment:

Interface Ethernet1 "inside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps, DLY 100 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    MAC address 0013.7fdd.2672, MTU 1500
    IP address unassigned
....

So we are seeing "IP address unassigned". Can you please confirm that we have assigned the IP address 192.168.1.51 255.255.255.0 to the inside interface (Ethernet 1)? The above output is saying the IP address is somehow not reflected on the interface. I think this is why we cannot ping the PIX interface itself.

Cheers,

Rudresh V

Yes. I confirmed using sh run that we have an IP configured for Ethernet 1 interface.

It shows "Interface Ethernet1 "inside", is up, line protocol is up". How can these be shown "up" if there is no IP address configured?

But as you found out, "IP address unassigned" is something odd.

- Ribin

Hi Ribin,

This is interestingly odd. We see no output packets but only input packets, as seen below:

    1160 packets input, 97593 bytes, 0 no buffer
    0 packets output, 0 bytes, 0 underruns
  Traffic Statistics for "inside":
    1145 packets input, 80375 bytes
    0 packets output, 0 bytes

This is very odd. Would it be possible to shut and no shut the inside interface? We can also consider a reboot as an option, since this seems to be an issue at a very basic layer. If this does not work, please try using the Ethernet 0 interface for inside, or any other free interface. I think there could be something wrong with the cable or with the Ethernet 1 interface itself. Also please let me know what version of code you are running on the PIX.

Cheers,

Rudresh V

I tried rebooting. I even tried configuring the IP on the other available interface (Ethernet 0), but still no luck.

Below is my sh version output:

sh ver

Cisco PIX Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(2)

Compiled on Tue 06-Nov-07 19:50 by builders
System image file is "flash:/pix803.bin"
Config file at boot was "startup-config"

PIX up 1 hour 14 mins

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0           : address is 0013.7fdd.2671, irq 10
1: Ext: Ethernet1           : address is 0013.7fdd.2672, irq 11

Licensed features for this platform:
Maximum Physical Interfaces  : 6
Maximum VLANs                : 25
Inside Hosts                 : Unlimited
Failover                     : Active/Standby
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Cut-through Proxy            : Enabled
Guards                       : Enabled
URL Filtering                : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : Unlimited

This platform has a Failover Only-Active/Standby (FO) license.

Serial Number: 809093457
Running Activation Key: 0x41cbbc86 0x489404df 0x3884a4c8 0x9aae1f2a
Configuration last modified by enable_15 at 17:00:36.576 UTC Fri Oct 15 2010


- Ribin

Hi Ribin,

I think we have found the issue with your last post. From the sh version output I see that this PIX has the "Failover Only" license. So this is a possible reason for our normal traffic to not work. Try enabling failover on the PIX with the command "failover" in conf t mode. This should get the ping and other traffic working.

But please remember that this PIX has a failover license, so it needs to be used in a failover pair (with another PIX). So if you did not want the Failover Only feature, I would suggest you apply for a new license for normal connections.

Let me know if this works,

Cheers,

Rudresh V


Hi Ribin,


Here is more details on the issue:


Since the platform has a Failover Only-Active/Standby (FO) license, your PIX cannot be used as a standalone unit unless you change its license type to either a Restricted or an Unrestricted license. You can still give it a try by enabling failover on your device, but the device may reboot by itself every 24 hours since it is not detecting a mate (failover pair).
In order to enter these commands you need to make sure you are in configuration mode:

pixfirewall# config t
pixfirewall(config)# failover
pixfirewall(config)# failover active

In case you are still unable to pass traffic, or the unit reboots every 24 hours, you will need to obtain a new license for your device. To do that, you will need to contact your Account Manager or the point of sale where you got the device from, or you can call the TAC front line at 1800 553 2447 and obtain the required license.

Also one more question before you opt for a separate license. Do you have another PIX that you are willing to use in Active/Standby failover mode (with 2 PIXs)? If yes, then the PIXs will pass traffic once they are configured for failover.

Cheers,
Rudresh V
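The diagnosis above rests on reading three outputs together: the running config (an IP is configured on Ethernet1 and "no failover" is set), "show interface" (the same interface shows "IP address unassigned" with input but zero output packets), and "show version" (a Failover Only license). The following is an added example, not code from this thread or from Cisco, that turns that reading into a repeatable check over saved CLI output. The sample text is a trimmed copy of the outputs pasted earlier in the thread, indented the way the PIX prints them; the regular expressions assume the 8.0-era output layout shown here and nothing beyond it.

```python
import re

# Constructed sample input: trimmed copies of the "sh run", "sh interface" and
# "sh ver" output pasted in the thread (PIX 8.0(3)), not a capture of another box.
SAMPLE_RUN = """\
interface Ethernet0
 shutdown
 nameif Outside
 security-level 0
 no ip address
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.51 255.255.255.0
no failover
"""

SAMPLE_INTERFACE = """\
Interface Ethernet0 "", is administratively down, line protocol is down
    IP address unassigned
    7 packets input, 0 bytes, 0 no buffer
    0 packets output, 0 bytes, 0 underruns
Interface Ethernet1 "inside", is up, line protocol is up
    IP address unassigned
    1160 packets input, 97593 bytes, 0 no buffer
    0 packets output, 0 bytes, 0 underruns
  Traffic Statistics for "inside":
    1145 packets input, 80375 bytes
    0 packets output, 0 bytes
"""

SAMPLE_VERSION = """\
Cisco PIX Security Appliance Software Version 8.0(3)
Failover                     : Active/Standby
This platform has a Failover Only-Active/Standby (FO) license.
"""


def parse_running_config(text):
    """Map each 'interface X' block to its ip/shutdown state and report whether
    'failover' is enabled at the top level of the config."""
    ifaces, failover_on, cur = {}, False, None
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if raw.startswith(" ") and cur:          # indented: belongs to current interface block
            if s.startswith("ip address "):
                ifaces[cur]["ip"] = s.split()[2]
            elif s == "no ip address":
                ifaces[cur]["ip"] = None
            elif s == "shutdown":
                ifaces[cur]["shutdown"] = True
            continue
        cur = None                               # back at top level
        m = re.match(r"interface (\S+)$", s)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"ip": None, "shutdown": False}
        elif s == "failover":
            failover_on = True
        elif s == "no failover":
            failover_on = False
    return ifaces, failover_on


def parse_show_interface(text):
    """Extract link state, whether an IP is actually bound, and the hardware
    input/output packet counters (the first pair, before 'Traffic Statistics')."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        s = raw.strip()
        m = re.match(r'Interface (\S+) "([^"]*)", is (.+?), line protocol is (\w+)', s)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"nameif": m.group(2), "up": m.group(3) == "up" and m.group(4) == "up",
                           "ip_assigned": None, "packets_in": 0, "packets_out": 0}
            continue
        if cur is None:
            continue
        if s.startswith("Traffic Statistics"):   # per-nameif counters follow; stop here
            cur = None
        elif s.startswith("IP address "):
            ifaces[cur]["ip_assigned"] = s != "IP address unassigned"
        else:
            c = re.match(r"(\d+) packets (input|output)", s)
            if c:
                key = "packets_in" if c.group(2) == "input" else "packets_out"
                ifaces[cur][key] = int(c.group(1))
    return ifaces


def parse_show_version(text):
    """Pull the license sentence and flag a Failover Only (FO) license."""
    m = re.search(r"This platform has an? (.+?) license\.", text)
    lic = m.group(1) if m else None
    return {"license": lic, "failover_only": bool(lic and "Failover Only" in lic)}


def audit(run_text, intf_text, ver_text):
    """Return findings explaining why a unit can be up at layer 2 yet pass no traffic."""
    cfg, failover_on = parse_running_config(run_text)
    live = parse_show_interface(intf_text)
    ver = parse_show_version(ver_text)
    findings = []
    for name, c in cfg.items():
        l = live.get(name)
        if not l or c["shutdown"]:
            continue
        if c["ip"] and l["up"] and l["ip_assigned"] is False:
            findings.append(f"{name}: configured {c['ip']} but 'show interface' reports IP address unassigned")
        if l["up"] and l["packets_in"] > 0 and l["packets_out"] == 0:
            findings.append(f"{name}: receives frames but has sent nothing ({l['packets_in']} in / 0 out)")
    if ver["failover_only"] and not failover_on:
        findings.append(f"license '{ver['license']}' needs 'failover' enabled before the unit forwards; "
                        "config has 'no failover'")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_RUN, SAMPLE_INTERFACE, SAMPLE_VERSION):
        print(line)
```

Run against the thread's outputs it reports all three symptoms; with "failover" in place of "no failover" the license finding drops out while the two interface findings remain, which is the state the thread was in just before the workaround was applied. The checks are heuristics for this specific failure pattern, not a general health check, and the license finding only tells you the unit is being run outside its licensed mode; the proper fix remains the license change or a real failover mate, as the reply above says.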

Thanks Rudresh..I will look into those details. I need to add one more thing here.

This PIX interface was working earlier when I configured it about a month back. I did a write erase on the PIX recently to do a fresh config, and only after that did this issue arise.

- Ribin

Hey Rudresh,

I ran the failover command and then I could get the self ping and reach other IPs. So I think my issue is sorted out. Thanks everyone for all the help.

Ribin
