02-28-2005 07:44 PM - edited 02-20-2020 11:59 PM
Just managed to lock myself out of a 501; no console access, no pdm access, and no telnet/ssh access. Went through the whole password recovery routine, but in that mode, the PIX could not even ping its own inside interface. You can already guess that it could not ping the tftp server.
Any clues?
The tftp server is directly connected to the inside interface of the PIX via a hub.
03-01-2005 04:07 AM
When you do the password recovery connect a crossover cable to the outside interface and try again to ping and TFTP.
With the "interface n" command it should be possible to set the interface but otherwise it uses the outside interface.
Password Recovery and AAA Configuration Recovery Procedure for the PIX:
Sincerely
Patrick
03-01-2005 07:06 PM
Went through all that process. Here's my setup and the output from a recovery attempt:
tftp_server===hub===(inside)_PIX_(outside)===modem
Note that the pix could not even ping its inside interface.
monitor> interface inside
0: i8255X @ PCI(bus:0 dev:13 irq:10)
1: i8255X @ PCI(bus:0 dev:14 irq:7 )
Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9
monitor> address 172.16.1.1
address 172.16.1.1
monitor> server 172.16.1.4
server 172.16.1.4
monitor> file np63.bin
file np63.bin
monitor> gateway 172.16.1.1
gateway 172.16.1.1
monitor> ping 172.16.1.4
Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.16.1.4, timeout is 4 seconds:
.....
Success rate is 0 percent (0/5)
monitor> ping 172.16.1.1
Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.16.1.1, timeout is 4 seconds:
.....
Success rate is 0 percent (0/5)
monitor>tftp
(this just hangs. Not that I really expected it to work after the ping failure!)
03-04-2005 09:22 AM
you have to select an interface by its number to apply your commands to
interface 0 is the outside interface
interface 0
ip address 172.16.1.1
server 172.16.1.4
file np63.bin
gateway is irrelevant here
ping should work if you are connected to the outside f0
03-04-2005 10:51 AM
Do you use personal Firewall software that blocks incoming connections for ICMP (ping) or TFTP?
Windows XP SP2 ...
sincerely
Patrick
03-04-2005 03:17 PM
Looks like I kind of shot myself in the foot earlier, but you might have a negotiation issue with your hub. Some of the early 501's were 10 m only and I don't have real good luck with dual speed hubs negotiating either.
03-04-2005 03:51 PM
Might be a good idea to use a Crossover cable and connect the PC and PIX directly to do the password recovery !!!
04-03-2005 06:32 PM
I am having the same problem with a PIX 501. Used crossover cable to the outside interface. Neither could ping the other. Using a patch lead to get into one of the four hub ports on the back of the PIX, the PC was able to ping the PIX, but the PIX could not ping the PC. I looked at the MAC addresses and they didn't match.
However, bear in mind that the patch lead connected directly from the PC to the PIX, nothing in between, so it's not an IP address conflict. The PC is configured with a static address in the same subnet as the PIX.
Any ideas people?