
PIX 515E question

duc-vu (Level 1)

Dear all,

We have just bought a PIX 515E and tried to use it, but got a few issues. Here is the show ver:

PIX-515E#show version
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 19-Mar-03 11:49 by morlee
PIX-515E up 5 hours 15 mins
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 000f.2457.4b12, irq 10
1: ethernet1: address is 000f.2457.4b13, irq 11
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Failover Only (FO) license.

The problem is that we cannot ping the inside port if we do not turn on failover, but this is a single machine. Here is another message after we turn on failover:

PIX-515E# config t

**** WARNING ***

Configuration Replication is NOT performed from Standby unit to Active unit.

Configurations are no longer synchronized.

PIX-515E(config)#

Please help to resolve this issue. I wonder if we purchased the wrong license? Thanks a lot.


15 Replies

duc-vu (Level 1)

Also another question: we thought the PDM should come free with this unit? Or is it an option? Thanks for the help.

never mind about stupid question on PDM. Please help with the first question. Thank you very much.

Please post your "show run" contents.

Here it is:

PIX-515E# show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxxx
hostname PIX-515E
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.27.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
route inside 0.0.0.0 0.0.0.0 192.168.27.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxx
: end

Thank you very much, Sir.

You have in your possession a failover PIX. That is why it says so in the "sh run".

This device is meant to be used only as the failover device for a live one. It will run as a live PIX but will behave badly. It is cheaper than a PIX with an Unrestricted License, as it is not meant to be used as a stand-alone device. Check with whoever you purchased it from to get the situation sorted.

Good luck

Steve

Thank you very much, Sir. I thought so, that we got a PIX with the wrong license.

One more question, please. Do I need to configure anything on the PIX 515E in order to activate the PDM? I could not use http to do web config. Thanks.

To access the PIX using the PDM there are three things that you need to do.

1st PDM LOCATION COMMAND

2nd HTTP SERVER COMMAND

3rd access the PIX by HTTPS; on the inside is safest.

Some people like the PDM and some people prefer the command line. If you really want to understand the working of the device, program it using the PDM and then look at the lines created via the command line.

Have fun

Steve

Hi Steve,

Please elaborate a little more about :

1st PDM LOCATION COMMAND

2nd HTTP SERVER COMMAND

Exactly what I should do ? Thank you very much.

Regards

hi,

1. PDM LOCATION tells the firewall what host is able to access PDM.

2. HTTP SERVER enables http access to the firewall from the IP address of the network or host specified. E.g.: http 10.1.1.0 255.255.255.0 inside or http 10.1.1.1 255.255.255.255 inside

PDM location can be detected by the firewall automatically. So, the most important command is the http server, and do not forget to use https in the browser instead of http. E.g.: https://10.1.1.254

For the record, #1 above is *not* correct. Here is some text that was previously posted regarding the PDM location commands:

A PDM location is a pure bookkeeping command used by PDM to build its topology database. It has nothing to do with the PIX's functionalities. In particular, it does **NOT** control which host can access PDM, which is a common misunderstanding. The control is done by the command "http ".

Why do we need it?

In PDM's world, policy (those rules) is built on top of topology. Ideally the user creates the topology first via the Host/Network tab, then configures policy elsewhere (like the Access Rule tab). A network object exists by itself, even if there is no policy configured directly on it at a particular time. We use the "pdm location" command to remember the location of a network object.

Scott

Thank you, gentlemen for your great help. In short, all I need is one command : http 192.168.1.0 255.255.255.0 ethernet0 (for example).

Sorry : https 192.168.1.1 255.255.255.255 inside.

No, it is http://192.168.1.1 255.255.255.255 inside.

Use https only in the browser.
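The thread settles two points that are easy to get backwards when reviewing a PIX config: the "http" statements (together with the PIX 6.x "http server enable" command, which I take to be the "HTTP SERVER COMMAND" step above) are what actually admit a client to PDM, while "pdm location" is PDM bookkeeping and grants nothing. The script below is an added example written for this page, not code from Cisco or from anyone in the thread. It parses the management-access lines of a PIX 6.x-style running config, decides whether a given client on a given interface would be admitted to PDM, and lists the findings a reviewer would raise. The two config texts embedded in it are constructed for illustration, modelled on the show run posted above (including its "snmp-server community public" line); the function and variable names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the management-relevant shape of the PIX 6.3 running
# config posted in the thread. Hand-written for this example, not captured
# from a real device.
PIX_CONFIG_AS_POSTED = """\
PIX Version 6.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.27.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
no failover
pdm location 192.168.1.0 255.255.255.0 inside
pdm history enable
snmp-server community public
telnet timeout 5
ssh timeout 5
"""

# The same config after the advice in the thread: turn the HTTP server on and
# permit one inside management subnet. The 'http' lines are the access
# control; 'pdm location' is only PDM topology bookkeeping.
PIX_CONFIG_FIXED = PIX_CONFIG_AS_POSTED + """\
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

_IP = r"(\d+\.\d+\.\d+\.\d+)"
HTTP_HOST_RE = re.compile(rf"^http {_IP} {_IP} (\S+)$")
PDM_LOC_RE = re.compile(rf"^pdm location {_IP} {_IP} (\S+)$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)$")


@dataclass
class MgmtAccess:
    http_server_enabled: bool = False
    http_allowed: list = field(default_factory=list)   # (network, interface)
    pdm_locations: list = field(default_factory=list)  # bookkeeping only
    snmp_communities: list = field(default_factory=list)


def parse_mgmt_access(config_text):
    """Extract the management-access lines from a PIX 6.x-style config."""
    acc = MgmtAccess()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "http server enable":
            acc.http_server_enabled = True
        elif m := HTTP_HOST_RE.match(line):
            # ip_network accepts dotted-mask notation; strict=False tolerates host bits
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            acc.http_allowed.append((net, m.group(3)))
        elif m := PDM_LOC_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            acc.pdm_locations.append((net, m.group(3)))
        elif m := SNMP_RE.match(line):
            acc.snmp_communities.append(m.group(1))
    return acc


def pdm_access_allowed(config_text, client_ip, interface):
    """True only if the HTTP server is enabled and an 'http' statement covers
    the client on that interface. 'pdm location' is deliberately ignored."""
    acc = parse_mgmt_access(config_text)
    if not acc.http_server_enabled:
        return False
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net and iface == interface for net, iface in acc.http_allowed)


def audit_mgmt_access(config_text):
    """Return the review findings for the management-access configuration."""
    acc = parse_mgmt_access(config_text)
    findings = []
    if acc.pdm_locations and not acc.http_allowed:
        findings.append("pdm location present but no 'http' statement: PDM unreachable")
    if acc.http_allowed and not acc.http_server_enabled:
        findings.append("'http' hosts listed but 'http server enable' missing")
    for net, iface in acc.http_allowed:
        # Management reachable from the untrusted side or from anywhere at all
        if iface == "outside" or net.prefixlen == 0:
            findings.append(f"http management permitted from {net} on {iface}")
    for comm in acc.snmp_communities:
        if comm.lower() in ("public", "private"):
            findings.append(f"default SNMP community '{comm}' configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", PIX_CONFIG_AS_POSTED), ("fixed", PIX_CONFIG_FIXED)):
        print(name, "-> 192.168.1.10 on inside admitted:",
              pdm_access_allowed(cfg, "192.168.1.10", "inside"))
        for finding in audit_mgmt_access(cfg):
            print("  ", finding)
```

Run as-is, the script reports that the config as posted cannot admit anyone to PDM despite its "pdm location" line, and that the fixed config admits an inside host on 192.168.1.0/24 but still an outside host or a host on another subnet; the SNMP finding remains in both, since the thread's fix did not touch it.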
