04-24-2007 02:47 AM - edited 03-11-2019 03:03 AM
Hello..
I have been facing a problem for 2 weeks with a brand new PIX 515e. I cannot ping from or to the PIX even from or to an inside host !! I tried every configuration I've managed to find on the Internet with no success.. Also, I am not able to telnet to the unit.. I enabled the debugging for ICMP and for packets, and when I ping to the inside interface from an inside host, I get debugging messages for the packets but not for ICMP.. All the needed information is in the attached file.
I am connecting to the firewall by console only, and I tried all the ICMP permit commands, access-lists, static and dynamic natting, and everything else with no success. Any idea about fixing the problem? I am really out of ideas.
Thanks
04-24-2007 03:15 AM
Hi there,
I am also facing a similar problem with the PIX515E with 7.2(2). I am not able to assign an IP address for the inside interface; it shows the IP address in the running config, but in the show interface output it shows "ip address unassigned".
Linking my query at netpro to this post.
04-24-2007 04:59 AM
It is not the same.. I am able to assign the IP addresses, and they show up through the debug command.. The interfaces receive the packets, but it stops there !!
04-24-2007 09:02 AM
Is your host machine connected directly to the PIX interface ethernet1 via straight-thru cat5? If you are, then it's not possible and you would need a crossover cable in order to be able to connect directly to the PIX interface.
Your test config looks fine to me. It's probably a layer 1 issue. Also try using access-list capture to debug the situation, it would ease on the main focus which is the traversing packets not the packet details themselves.
If you like the review please provide some level of rating.
04-24-2007 12:48 PM
I used a cross cable for the direct connection.. Then I connected them through straight cables and a switch.. Do you have any suggestions to check the root of the problem?
04-24-2007 01:53 PM
Try configuring dhcpd on your PIX and then try to obtain an IP via your host machine. Make sure you are on a dhcp client not hard-coded static IP on your host machine.
This is the example from Cisco for dhcpd configuration on PIX 6.3:
04-24-2007 03:03 PM
Hi .. please post the output of show version
04-24-2007 11:48 PM
The below is the output of sh ver command:
Cisco PIX Firewall Version 6.3(5)
Compiled on Thu 04-Aug-05 21:40 by morlee
pix up 1 hour 23 mins
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 1100.1cbb.48d4, irq 10
1: ethernet1: address is 1100.1cbb.49d4, irq 11
2: ethernet2: address is 0090.2774.d98d, irq 5
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 3
Maximum Interfaces: 5
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted ? license.
04-24-2007 10:32 PM
Hi,
Almost the same incident happened to me as well. But it was related to a static natting issue. I upgraded the IOS to 7.1 (2) & changed nothing. It started working fine & is still going on in good shape. I would suggest you try it once.
Another point: create 1 access list "access-list 10 permit ip any any" & bind this to the inside interface by "ip access-group 10 in interface inside" & try to ping the inside interface.
If both of the 2 points don't make any sense, then there must be a problem with the ethernet port (h/w related issue).
I faced the booting problem consecutive times with a brand new IPS. In transit it may have got faulty.
04-25-2007 12:19 AM
Check the Routing, inside NAT and Global NAT.
04-25-2007 12:38 AM
Hi.
Since you don't have any ACLs on the inside, I would suggest you try putting a conduit for icmp.. just for testing purposes and see if it works..
conduit permit icmp any any
04-25-2007 01:55 AM
From the PIX, clear down the ARP cache, ping a known good address and see if the cache gets populated.
If it does, then it is a layer 3 issue; if not, layer 1 or 2.
04-25-2007 02:01 AM
Thanks for all the suggestions, but I tried them all with no success :-(
04-25-2007 02:27 AM
Is it possible to log into the switch where the inside interface is connected?
Check to see if the switch interface becomes active.
If so, try a ping from the switch to the PIX and see if the PIX MAC address shows up in the interface MAC address table.
04-25-2007 02:43 AM
The addresses are there in the debug messages.. Also, the firewall is able to get even the ip addresses of the connected hosts which I used to ping to it from..