03-04-2004 09:32 PM - edited 02-20-2020 11:16 PM
Dear all,
We have just bought a PIX 515E and are trying to use it, but we have a few issues. Here is the show ver:
PIX-151E#show version
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 19-Mar-03 11:49 by morlee
PIX-515E up 5 hours 15 mins
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 000f.2457.4b12, irq 10
1: ethernet1: address is 000f.2457.4b13, irq 11
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Failover Only (FO) license.
The problem is that we cannot ping the inside port if we do not turn on failover, but this is a single machine. Here is another message after we turn on failover:
PIX-515E# config t
**** WARNING ***
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
PIX-515E(config)#
Please help to resolve this issue. We wonder if we purchased the wrong license? Thanks a lot.
03-04-2004 11:33 PM
Also another question: we thought the PDM should come free with this unit? Or is it an option? Thanks for the help.
03-04-2004 11:36 PM
never mind about stupid question on PDM. Please help with the first question. Thank you very much.
03-04-2004 11:40 PM
Please post your "show run" contents.
03-05-2004 06:04 AM
Here it is:
PIX-515E# show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxxx
hostname PIX-515E
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.27.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
route inside 0.0.0.0 0.0.0.0 192.168.27.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxx
: end
Thank you very much, Sir.
03-05-2004 05:41 AM
You have in your possession a failover PIX. That is why it says so in the "sh run".
This device is meant to be used only as the failover device for a live one. It will run as a live PIX but will behave badly. It is cheaper than a PIX with an Unrestricted License, as it is not meant to be used as a stand-alone device. Check with whoever you purchased it from to get the situation sorted.
Good luck
Steve
03-05-2004 06:06 AM
Thank you very much, Sir. I thought so; we got a PIX with the wrong license.
03-08-2004 01:58 AM
One more question, please. Do I need to configure anything in the PIX515E in order to activate the PDM? I could not use HTTP to do web config. Thanks.
03-09-2004 04:48 AM
To access the PIX using the PDM there are three things that you need to do.
1st PDM LOCATION COMMAND
2nd HTTP SERVER COMMAND
3rd Access the PIX by HTTPS on the inside, which is safest.
Some people like the PDM and some people prefer the command line. If you really want to understand the workings of the device, program it using the PDM and then look at the lines created via the command line.
Have fun
Steve
03-09-2004 05:29 PM
Hi Steve,
Please elaborate a little more about :
1st PDM LOCATION COMMAND
2nd HTTP SERVER COMMAND
Exactly what should I do? Thank you very much.
Regards
03-09-2004 11:04 PM
Hi,
1. PDM LOCATION tells the firewall what host is able to access PDM.
2. HTTP SERVER enables HTTP access to the firewall from the IP address of the network or host specified. E.g.: http 10.1.1.0 255.255.255.0 inside or http 10.1.1.1 255.255.255.255 inside
PDM location can be detected by the firewall automatically. So, the most important command is the http server, and do not forget to use https in the browser instead of http. E.g.: https://10.1.1.254
03-10-2004 05:54 AM
For the record, #1 above is *not* correct. Here is some text that was previously posted regarding the PDM location commands:
A PDM location is a pure bookkeeping command used by PDM to build its topology database. It has nothing to do with the PIX's functionality. In particular, it does **NOT** control which host can access PDM, which is a common misunderstanding. The control is done by the command "http
Why do we need it?
In PDM's world, policy (those rules) is built on top of topology. Ideally the user creates the topology first via the Host/Network tab, then configures policy elsewhere (like the Access Rule tab). A network object exists by itself, even if there is no policy configured directly on it at a particular time. We use the "pdm location" command to remember the location of a network object.
Scott
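As an added example, not configuration posted by anyone in this thread, here is the minimal PIX 6.3 command set the two replies above describe, written so that PDM is reachable from a single management host rather than from a whole subnet. The management host address 192.168.1.10 is an assumption; the inside interface address 192.168.1.1 comes from the show run earlier in the thread.

```cisco
: Added example, not from this thread. Assumes the inside interface is 192.168.1.1/24
: (as in the show run above) and that the management workstation is 192.168.1.10.

: Start the HTTPS server that PDM connects to. Without this line the "http <host>" entries do nothing.
http server enable

: Permit exactly one host on the inside interface. A host mask (255.255.255.255) is the
: least-privilege choice; "http 192.168.1.0 255.255.255.0 inside" would open PDM to every inside host.
http 192.168.1.10 255.255.255.255 inside

: Optional PDM topology bookkeeping only; as Scott notes, this grants no access by itself.
pdm location 192.168.1.10 255.255.255.255 inside

: Verify which hosts are permitted before saving with "write memory".
show http
```

In the browser the URL is https://192.168.1.1 (the inside address); the CLI command itself is plain `http`, with no `https` keyword and no `http://` prefix, and the PIX only ever serves PDM over TLS.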
03-10-2004 05:27 PM
Thank you, gentlemen, for your great help. In short, all I need is one command: http 192.168.1.0 255.255.255.0 ethernet0 (for example).
03-10-2004 05:30 PM
Sorry: https 192.168.1.1 255.255.255.255 inside.
03-11-2004 12:01 AM
No, it is http://192.168.1.1 255.255.255.255 inside.
Use https only in the browser.