09-13-2010 11:08 AM - edited 03-11-2019 11:39 AM
We have a backup internet connection that I had an old Netgear firewall on.
A PIX 506E freed up recently, so I thought I would put that on the Rogers cable connection, as it was a lot more stable than the Netgear one I was using.
I reset it to factory defaults and configured just the basics.
However, I am unable to ping the outside gateway or get any internet traffic working at all.
I have tried changing the network cables (they were the ones the Netgear had been using fine up to this point).
I tried changing the NIC settings to all types (10 half, 10 full, etc.).
If I put the Netgear back on, it works fine.
The config looks OK to me, but I am not an expert. I could really use help here, as this is causing me to bang my head all day.
Here is the config. Any questions or info needed, let me know.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
domain-name mydom.ca
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging console informational
mtu outside 1500
mtu inside 1500
ip address outside 208.97.118.106 255.255.255.248
ip address inside 192.168.32.2 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 208.97.118.105 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
console timeout 0
terminal width 80
Cryptochecksum:e9539f3a362870b24b61454dac334236
: end
09-13-2010 11:22 AM
Hi Jeff,
Have you tried connecting the PIX again and then rebooting the cable modem? Many cable modems cache the MAC address of the connected device and only allow communication from that device. Power cycling the cable modem after the PIX is attached should allow it to learn the PIX's MAC instead of the Netgear's MAC.
Hope that helps.
-Mike
09-13-2010 11:48 AM
hey Mike,
Tried that earlier. Tried it again just now. No luck though.
I will try leaving both off for an extended period to make sure they are totally cleared out and see if that helps at all.
Any other suggestions?
09-13-2010 11:50 AM
Hi Jeff,
After you try pinging the gateway from the PIX, do a 'show arp' and see if you have a valid MAC address for the gateway's IP address.
-Mike
09-13-2010 12:14 PM
Did a ping and show arp. It only shows internal IPs, not the external one with a MAC.
Tried clearing ARP and doing it again, but it still only shows internal IPs in the list.
I will try leaving both units off overnight and cycling them up in the morning to see how that goes.
09-13-2010 12:20 PM
Hi Jeff,
Are you sure the address and netmask information is configured correctly based on what your ISP provides? If you change the interface config to 'ip address outside dhcp setroute', do you get the same IP address and gateway information?
-Mike
09-13-2010 08:51 PM
ip address outside 208.97.118.106 255.255.255.248
route outside 0.0.0.0 0.0.0.0 208.97.118.105 1
When you issue "sh arp | i .118.105", you do not see the MAC for the router IP?
Enable "debug arp" and ping 208.97.118.105 from the firewall and see what you get. You are able to ping the firewall interface 208.97.118.106, right?
-KS
09-14-2010 06:52 AM
Well, left it off all night. Powered up the modem this AM, then powered up the PIX.
Still no go.
Called Rogers and they were not any help. They said they could ping it from outside; he reset it remotely. Nothing worked.
Put the config into Cisco's Output Interpreter and got the following:
WARNING: The following interfaces do not have associated 'route' commands:
inside
The PIX requires a static/default route for any destinations that are not directly
connected to these interfaces, assuming the PIX is not receiving a default RIP
route from a connected router on these interfaces.
TRY THIS: Configure a static/default route for those interfaces that need to access
non directly connected destinations using the configuration command, 'route if_name
ip_address netmask gateway_ip [metric]'.
However, I do a show route and see the route there. Not sure what is up.
outside 0.0.0.0 0.0.0.0 208.97.118.105 1 OTHER static
inside 192.168.32.0 255.255.255.0 192.168.32.2 1 CONNECT static
outside 208.97.118.104 255.255.255.248 208.97.118.106 1 CONNECT static
I am not sure what that bottom route is or where it came from. It will not let me remove it either.
I can't set the outside interface to DHCP, as it is a static IP.
kusankar,
Tried the commands you said. Here is what came up.
pix(config)# debug arp
pix(config)# 23: arp-in: request at inside from 192.168.32.12 0050.8bec.8b6c for 192.168.32.201 0000.0000.0000
24: arp-send: arp request built from 208.97.118.106 0019.30c9.71eb for 208.97.118.105
ping 208.97.118.105
25: arp-req: generating request for 208.97.118.105 at interface outside
26: arp-req: request for 208.97.118.105 still pending
208.97.118.105 NO response received -- 1000ms
27: arp-req: generating request for 208.97.118.105 at interface outside
28: arp-req: request for 208.97.118.105 still pending
208.97.118.105 NO response received -- 1000ms
29: arp-req: generating request for 208.97.118.105 at interface outside
30: arp-req: request for 208.97.118.105 still pending
208.97.118.105 NO response received -- 1000ms
pix(config)# 31: arp-send: arp request built from 208.97.118.106 0019.30c9.71eb for 208.97.118.105
32: arp-send: arp request built from 208.97.118.106 0019.30c9.71eb for 208.97.118.105
33: arp-in: request at inside from 192.168.32.8 000e.6a8a.8fa0 for 192.168.32.3 0000.0000.0000
34: arp-in: request at inside from 192.168.32.23 001f.29e0.7ab4 for 192.168.32.16 0000.0000.0000
ping 208.97.118.105
35: arp-req: generating request for 208.97.118.105 at interface outside
36: arp-req: request for 208.97.118.105 still pending
208.97.118.105 NO response received -- 1000ms
37: arp-req: generating request for 208.97.118.105 at interface outside
38: arp-req: request for 208.97.118.105 still pending
39: arp-in: request at inside from 192.168.32.56 001f.297a.97ba for 192.168.32.18 0000.0000.0000
40: arp-in: request at inside from 192.168.32.56 001f.297a.97ba for 192.168.32.12 0000.0000.0000
41: arp-in: request at inside from 192.168.32.65 001f.3b95.1ff7 for 192.168.32.12 0000.0000.0000
42: arp-in: request at inside from 192.168.32.65 001f.3b95.1ff7 for 192.168.32.18 0000.0000.0000
208.97.118.105 NO response received -- 1000ms
43: arp-req: generating request for 208.97.118.105 at interface outside
44: arp-req: request for 208.97.118.105 still pending
45: arp-send: arp request built from 208.97.118.106 0019.30c9.71eb for 208.97.118.105
208.97.118.105 NO response received -- 1000ms
pix(config)# no46: arp-in: request at inside from 192.168.32.56 001f.297a.97ba for 192.168.32.48 0000.0000.0000
47: arp-in: request at inside from 192.168.32.48 0026.552f.d102 for 192.168.32.56 0000.0000.0000
debug a48: arp-in: request at inside from 192.168.32.18 0002.a507.f010 for 192.168.32.44 0000.0000.0000
r49: arp-in: request at inside from 192.168.32.111 0050.8bbb.0908 for 192.168.32.16 0000.0000.0000
09-14-2010 07:02 AM
I am able to ping 208.97.118.105, but the PIX isn't.
ping 208.97.118.105
PING 208.97.118.105 (208.97.118.105): 56 data bytes
64 bytes from 208.97.118.105: icmp_seq=0 ttl=40 time=93.893 ms
64 bytes from 208.97.118.105: icmp_seq=1 ttl=40 time=95.276 ms
64 bytes from 208.97.118.105: icmp_seq=2 ttl=40 time=94.002 ms
That other route
outside 208.97.118.104 255.255.255.248 208.97.118.106 1 CONNECT static
is a connected route. Are you sure the mask is correct?
208.97.118.105 - 208.97.118.110: valid hosts on that subnet are from .105 to .110. The IP addresses .106 and .105 are valid hosts.
My guess is that you are not seeing any packets coming from the router towards the PIX's outside interface.
cap capout int outside
sh cap capout
See if you are seeing any packets coming towards your interface.
-KS
09-14-2010 07:39 AM
Yeah, I can ping the .105 gateway externally from another site as well.
ICMP is not enabled on the .106 interface.
Here is the capout when enabled and a ping is done.
14:37:31.334592 arp who-has 208.97.118.105 tell 208.97.118.106
On the ASDM I don't see any traffic on the outside interface.
Forgot to mention: yes, you have all the right subnet info there. I did verify all that from the old firewall and the call with Rogers as well.
09-14-2010 08:41 AM
Can you call them and ask if they have a static ARP configured on the router pointing to the old firewall's MAC address for this IP address, .106?
Get the MAC address of the PIX's outside interface and give that to them, so the router sends traffic to this MAC.
Have them check that.
-KS
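Two checks run through this thread: KS's question of whether the /29 mask really puts .105 and .106 on the same link, and the capture/debug arp evidence that the PIX sends ARP requests for .105 but never sees a reply. The script below is an added example, not code from the thread or from Cisco: it computes the usable host range for the outside interface with Python's ipaddress module, and it parses tcpdump-style capture lines (the format of the "arp who-has ... tell ..." line Jeff posted; the "arp reply ... is-at ..." form for a healthy link is assumed from tcpdump's ARP output, and the healthy sample lines are constructed) to count requests sent versus replies received and state a verdict. On the thread's own capture it reports "no ARP reply from gateway", which is exactly the condition that points at a stale or static ARP entry upstream.

```python
import ipaddress
import re

# Values taken from the PIX config posted in the thread.
OUTSIDE_IP = "208.97.118.106"
OUTSIDE_MASK = "255.255.255.248"
DEFAULT_GW = "208.97.118.105"

# The one real capture line from the thread (repeated once, as a second ping would produce).
CAPTURE_FROM_THREAD = [
    "14:37:31.334592 arp who-has 208.97.118.105 tell 208.97.118.106",
    "14:37:32.335110 arp who-has 208.97.118.105 tell 208.97.118.106",
]

# Constructed sample (not from the thread): what a working link looks like.
# The reply format is assumed from tcpdump's ARP output; the MAC is made up.
CAPTURE_HEALTHY = [
    "14:40:01.000100 arp who-has 208.97.118.105 tell 208.97.118.106",
    "14:40:01.000900 arp reply 208.97.118.105 is-at 00:11:22:33:44:55",
]

# tcpdump-style ARP line: "<ts> arp who-has <target> tell <sender>"
#                     or: "<ts> arp reply <replier> is-at <mac>"
CAP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+arp\s+"
    r"(?:who-has\s+(?P<target>\S+)\s+tell\s+(?P<sender>\S+)"
    r"|reply\s+(?P<replier>\S+)\s+is-at\s+(?P<mac>\S+))"
)


def check_addressing(ip, mask, gw):
    """Return (ok, detail): is the gateway a distinct, usable host on our subnet?"""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    gw_addr = ipaddress.ip_address(gw)
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    ok = gw_addr in hosts and iface.ip in hosts and gw_addr != iface.ip
    detail = {
        "network": str(net),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "gateway_on_link": gw_addr in net,
    }
    return ok, detail


def analyze_capture(lines, gw, local_ip):
    """Count ARP requests we sent for gw and replies from gw; return a summary with a verdict."""
    sent = replies = inbound_for_us = 0
    for line in lines:
        m = CAP_RE.match(line.strip())
        if not m:
            continue  # not an ARP line in the expected format; ignore
        if m.group("target"):
            if m.group("target") == gw and m.group("sender") == local_ip:
                sent += 1  # our own "who-has gateway" request going out
            elif m.group("target") == local_ip:
                inbound_for_us += 1  # someone upstream is at least asking for us
        elif m.group("replier") == gw:
            replies += 1  # the gateway answered
    if sent and not replies:
        verdict = "no ARP reply from gateway"
    elif replies:
        verdict = "gateway answers ARP"
    else:
        verdict = "no ARP traffic for gateway observed"
    return {"sent": sent, "replies": replies, "inbound_for_us": inbound_for_us, "verdict": verdict}


if __name__ == "__main__":
    ok, detail = check_addressing(OUTSIDE_IP, OUTSIDE_MASK, DEFAULT_GW)
    print("addressing ok:", ok, detail)
    print("thread capture:", analyze_capture(CAPTURE_FROM_THREAD, DEFAULT_GW, OUTSIDE_IP))
    print("healthy capture:", analyze_capture(CAPTURE_HEALTHY, DEFAULT_GW, OUTSIDE_IP))
```

With the thread's values the addressing check passes (208.97.118.104/29, hosts .105 to .110, broadcast .111), so the mask is not the problem; the capture analysis then separates "our requests are leaving but nothing comes back" from "the gateway answers and the fault is elsewhere", which is the distinction that justifies asking the ISP about a stale or static ARP entry for .106.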