Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2840
Views
0
Helpful
10
Replies

PIX 515E Config Help!!!

jwood1650
Level 1
Level 1

‎05-06-2012 04:39 PM - edited ‎03-11-2019 04:02 PM

I just got my PIX515e configured and thought I had it working correctly, but on my 3745 router, the line protocol is down, I've looked through the configs for bot the PIX and the 3745 and can't seem to figure out why I don't have access. Would anyone be able to please help resolve the issue for me?

Pix515E config:

pixfirewall# show run

: Saved

:

PIX Version 8.0(4)32

!

hostname pixfirewall

domain-name home.jkkcc.com

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.0.20.1 255.255.255.248

!

interface Ethernet2

nameif DMZ

security-level 50

ip address 10.0.30.1 255.255.255.248

!

ftp mode passive

dns server-group DefaultDNS

domain-name home.jkkcc.com

pager lines 24

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside) 1 0.0.0.0 0.0.0.0

!

router eigrp 1

network 10.0.0.0 255.0.0.0

network 192.168.0.0 255.255.255.0

network 192.168.2.0 255.255.255.0

network 192.168.4.0 255.255.255.0

!

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect http

  inspect ils

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:c7359e3905dd13a5aa1a1c0e85a91f52

: end

3745 Config:

3745-Internet#show run

Building configuration...

Current configuration : 2248 bytes

!

version 12.4

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname 3745-Internet

!

boot-start-marker

boot system flash:

boot-end-marker

!

no logging buffered

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!

!

aaa session-id common

memory-size iomem 25

no network-clock-participate slot 2

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.2.1 192.168.2.150

!

ip dhcp pool HOME-Network

   network 192.168.2.0 255.255.255.0

   default-router 192.168.2.1

   dns-server 192.168.2.127 192.168.1.128

!

ip dhcp pool home-network

!

!

ip domain name www.jkkcc.com

ip name-server 192.168.2.127

!

multilink bundle-name authenticated

parameter-map type regex sdm-regex-nonascii

pattern [^\x00-\x80]

!

!

!

!

!

!

!

username woodjl1650 privilege 15 password 0 henry999

archive

log config

  hidekeys

!

!

!

!

!

interface FastEthernet0/0

description $FW_OUTSIDE$

ip address 10.0.20.2 255.255.255.248

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

!

interface Serial0/0

description $FW_INSIDE$

ip address 10.0.10.1 255.255.255.248

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/1

description $FW_INSIDE$

ip address 192.168.2.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

!

interface Serial0/1

description $FW_INSIDE$

ip address 10.0.10.2 255.255.255.248

ip nat inside

ip virtual-reassembly

!

router eigrp 1

network 10.0.0.0

network 192.168.0.0

network 192.168.2.0

network 192.168.4.0

auto-summary

!

!

!

no ip http server

ip http authentication local

no ip http secure-server

ip nat inside source list 15 interface FastEthernet0/0 overload

ip nat inside source static tcp 192.168.2.21 80 interface FastEthernet0/0 80

ip nat inside source list 104 interface FastEthernet0/0 overload

!

access-list 15 permit 10.0.8.0 0.0.7.255

access-list 15 permit 192.168.4.0 0.0.0.255

access-list 104 permit ip any any

snmp-server community public RO

snmp-server community private RW

snmp-server enable traps tty

!

!

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

privilege level 15

transport input telnet

!

!

webvpn cef

!

end

Labels:
0 Helpful
10 Replies 10

Maykol Rojas
Cisco Employee
Cisco Employee

‎05-06-2012 07:16 PM

Jonathan,

Line protocol on which Interface? If it is connected to the switch, the problem is between the switch and the Router isnt it? Can you send the interface configuration of the switch?

Mike

Mike
0 Helpful

jwood1650
Level 1
Level 1
In response to Maykol Rojas

‎05-06-2012 07:22 PM

No it's connected directly, should I use a crossover cable? No switch is used between the pix and router.

Sent from Cisco Technical Support iPhone App

0 Helpful

jwood1650
Level 1
Level 1

‎05-06-2012 07:23 PM

Line protocol down in the router, F 0/0

Sent from Cisco Technical Support iPhone App

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to jwood1650

‎05-06-2012 07:40 PM

Jonathan,

You can try the crossover but if both units are on auto/auto, MDI should kick in and that shouldnt be a problem.

Mike

Mike
0 Helpful

jwood1650
Level 1
Level 1
In response to Maykol Rojas

‎05-07-2012 09:58 AM

Ok, changed a few things around and I am able to connect my router via a switch to the PIX.  Everything works fine, except no internet access...  Is my config right on my PIX?

PIX Version 8.0(4)32

!

hostname pixfirewall

domain-name home.jkkcc.com

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.0.20.1 255.255.255.248

!

interface Ethernet2

nameif DMZ

security-level 50

ip address 10.0.30.1 255.255.255.248

!

ftp mode passive

dns server-group DefaultDNS

domain-name home.jkkcc.com

pager lines 24

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside) 1 0.0.0.0 0.0.0.0

!

router eigrp 1

network 10.0.0.0 255.0.0.0

network 192.168.0.0 255.255.255.0

network 192.168.2.0 255.255.255.0

network 192.168.4.0 255.255.255.0

!

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect http

  inspect ils

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:281e59da1b419753a5c01dcb9b443070

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to jwood1650

‎05-07-2012 01:41 PM

Hi,

Missing the following:

Global (outside) 1 interface

Try with TCP traffic not with icmp.

Mike

Mike
0 Helpful

jwood1650
Level 1
Level 1

‎05-07-2012 03:57 PM

Still can't access the internet from my inside network, I can ping 8.8.8.8 (google DNS) from the pix... Any ideas

Sent from Cisco Technical Support iPhone App

0 Helpful

jwood1650
Level 1
Level 1
In response to jwood1650

‎05-07-2012 04:09 PM

Never mind, got it...no default route on the router...

Last question: ASDM...

I have the file in flash, asmd image command was issued, HTTP server enabled, but still can't access the ASDM, any thoughts?

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to jwood1650

‎05-07-2012 04:31 PM

You need to specify who is going to access it.

For example, host 10.0.20.12 that is on the inside. Issue the following command.

http 10.0.20.12 255.255.255.255 inside

If you want all the inside to access it

http 0 0 inside

Mike

Mike
0 Helpful

jwood1650
Level 1
Level 1
In response to Maykol Rojas

‎05-11-2012 06:14 AM

Everything seems to be working fine now, except one last issue.  I can ping my exchange server.  Do you see anything wrong or why my ping would not go through?  I can ping 10.0.20.1 (Pix Ethernet 1) and I can ping from all my computers to the 10.0.20.1 but not I get this when trying to ping 10.0.30.1

C:\Users\Exchange>ping 10.0.30.1

Pinging 10.0.30.1 with 32 bytes of data:

Reply from 10.0.30.3: Destination host unreachable.

Reply from 192.168.2.1: Destination host unreachable.

Reply from 192.168.2.1: Destination host unreachable.

Reply from 192.168.2.1: Destination host unreachable.

Ping statistics for 10.0.30.1:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Exchange = 10.0.30.3 255.255.255.248

Pix Ethernet 2 (exchange) = 10.0.30.1 255.255.255.248

Current Config:

PIX Version 8.0(4)32

!

hostname pixfirewall

domain-name home.jkkcc.com

enable password DQucN59Njn0OjpJL encrypted

passwd DQucN59Njn0OjpJL encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.0.20.1 255.255.255.248

!

interface Ethernet2

nameif exchange

security-level 100

ip address 10.0.30.1 255.255.255.248

!

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.2.127

name-server 192.168.2.22

domain-name home.jkkcc.com

access-list inbound extended permit tcp any host 68.224.242.13 eq www

access-list inbound extended permit tcp any host 68.224.242.13 eq smtp

pager lines 24

mtu outside 1500

mtu inside 1500

mtu exchange 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image flash:/asdm-61551.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (exchange) 1 0.0.0.0 0.0.0.0

static (exchange,outside) tcp interface smtp 10.0.30.3 smtp netmask 255.255.255.

255

!

router eigrp 1

network 10.0.0.0 255.0.0.0

network 192.168.0.0 255.255.255.0

network 192.168.2.0 255.255.255.0

network 192.168.4.0 255.255.255.0

!

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect http

  inspect ils

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:3672d254988d246453e4be381a198858

: end

pixfirewall#

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card