06-23-2010 09:35 PM - edited 03-11-2019 11:02 AM
Hi folks!
I've got a freshly formatted Cisco PIX 515E firewall that I am trying to configure with the proper boot image. When it boots, I can escape into the monitor mode, set the IP address, and download the boot image (pix804.bin) from the TFTP server. I can then boot into the firewall. However, that's as far as I can get.
My next step has been to try to configure the IP address of the appropriate interface and download the image from the TFTP server again in regular console mode so that it can be saved to flash. However, when I attempt to configure the exact same interface with the exact same IP as I used in the monitor mode, I get no network connectivity. I cannot reach the TFTP server, and any ping attempts return "No route to host."
Any thoughts on what I might be doing wrong?
- Tom
06-23-2010 09:42 PM
"No route to host" normally means that you don't have a route towards the TFTP server.
What is the IP address of the interface that you configured? Also, please make sure that you configure "nameif" and security level for the interfaces; otherwise, it will not work.
Please post the current config and also what is the TFTP server ip address.
06-23-2010 10:00 PM
Well, this is interesting.
If I use "nameif" to give the interface a name and security level, and then do a "show interface" command, it says "IP address unassigned." If I try to do an "ip address" command at the prompt to assign an IP address, it accepts it, but still says "IP address unassigned" in the "show interface" output. No IP address I try to enter will "take."
If I undo the nameif command by doing a "no nameif," then all of a sudden the IP address re-appears in the configuration, and I'm back to the "no route to host" error.
The address I'm trying to configure on the inside interface is 192.168.0.3, which works when I use that address from the "monitor>" prompt.
Here is the current "show config" output:
: Saved
: Written by enable_15 at 00:48:30.190 UTC Thu Jun 24 2010
!
PIX Version 8.0(4)
!
hostname ez2
domain-name prestige.local
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.0.3 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name prestige.local
pager lines 24
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
06-23-2010 10:10 PM
Interface configuration looks ok.
Can you please reconfigure the interface with ip address, nameif and security level, and see if you can ping the TFTP server? Assuming the TFTP server is in the same subnet as the inside interface.
02-08-2011 07:58 AM
For anyone else googling to find an answer for this problem: I was trying to configure a failover-only unit and had the same problem. I had to finish configuring all the failover settings, then force a failover so the interfaces would go active. Once this was finished, I was able to do TFTP on the interface that was previously having a problem with the IP address. Do a SH VER and see if you are working with a failover unit. Can't tell from the outside of the case.