04-23-2007 08:44 AM - edited 03-11-2019 03:02 AM
We bought a new PIX with 7.2(2). We are having issues configuring the IP address and telnet to the PIX from the inside network. In the running configuration it shows an IP address for the interface, but "show interface" shows "IP address unassigned".
Please see the output.
pixfirewall# sh run
: Saved
:
PIX Version 7.2(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.250 255.255.255.0
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
prompt hostname context
: end
pixfirewall# sh int e1
Interface Ethernet1 "inside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 001a.a2a4.8737, MTU 1500
IP address unassigned
121660 packets input, 11001073 bytes, 0 no buffer
Received 121856 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/6)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Traffic Statistics for "inside":
121856 packets input, 9287953 bytes
0 packets output, 0 bytes
21234 packets dropped
1 minute input rate 2 pkts/sec, 213 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 124 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
I saw 3 similar queries for the same strange issue on our netpro, but they still remain unanswered. Can somebody please help?
04-25-2007 02:10 AM
I am pasting the show version command output here
pixfirewall# sh ver
Cisco PIX Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "flash:/image"
Config file at boot was "startup-config"
pixfirewall up 15 hours 44 mins
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xf
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0 : address is 001a.a2a4.8736, irq 10
1: Ext: Ethernet1 : address is 001a.a2a4.8737, irq 11
2: Ext: Ethernet2 : address is 000f.a3e9.b028, irq 11
3: Ext: Ethernet3 : address is 000f.a3e9.b029, irq 10
4: Ext: Ethernet4 : address is 000f.a3e9.b02a, irq 9
5: Ext: Ethernet5 : address is 000f.a3e9.b02b, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a Failover Only-Active/Standby (FO) license.
04-25-2007 05:45 PM
Hi .. as you can see in the last line of the 'show version' your PIX is licensed for FO .. this means it needs another one to work correctly .. contact your vendor or Cisco for getting the right license.
"Failover (FO) - Designed for use in conjunction with a similar Cisco PIX Security Appliance model that has an Unrestricted license, providing a cost-effective, Active/Standby high-availability solution.
- Provides the same capabilities as the Unrestricted license, except the Failover license does not support Active/Active failover. Requires presence of similar Cisco PIX Security Appliance model with an Unrestricted license to operate properly."
I hope it helps .. please rate if it does !!!
04-26-2007 07:29 AM
Hi Fernando,
It really helps, thanks a lot for this answer. If this is the case, we won't be able to configure this device except from the console session? Also, it can't be used as a stand-alone PIX?
Or is there any possibility that we can get a license from Cisco so that it can be used as an FO as well as a normal stand-alone PIX?
Thanks again for your replies.
04-26-2007 07:45 AM
You can purchase a license from Cisco to upgrade from Failover to an Unrestricted license, or to an Active/Active failover license. These are the part numbers:
o Unrestricted PIX-515-SW-FO-UR=
o Active/Active PIX-515-SW-FO-AA=
04-26-2007 08:19 AM
Hi Mark,
Thanks for your reply. Wouldn't it be possible that we can assign the IP addresses for the interfaces with my existing PIX-515-SW-FO licence and test it?
You mean the existing licence will not give an option to configure the PIX remotely?
04-27-2007 09:23 AM
Guys, finally this issue has been fixed with the help of 'googling'.
Issue the command "failover" in the global configuration to change the mode from Standby to Active. Now you will be able to assign IP addresses for the interfaces, and the IP address will show in the "show interface" output.
So, without buying/changing the failover licence, this firewall can be configured through telnet sessions.
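The symptom combination reported in this thread can be checked offline from saved command output. The script below is an added example, not part of any post in the thread: it correlates an IP address present in "show run" with "IP address unassigned" in "show interface", the FO license line in "show version", and "no failover" in the configuration. The function names are hypothetical and the sample text is constructed, abbreviated from the outputs quoted above.

```python
import re

# Constructed sample text, abbreviated from the outputs quoted in this thread.
SH_RUN = """\
interface Ethernet1
 nameif inside
 ip address 192.168.1.250 255.255.255.0
!
no failover
"""
SH_INT = """\
Interface Ethernet1 "inside", is up, line protocol is up
  IP address unassigned
"""
SH_VER = "This platform has a Failover Only-Active/Standby (FO) license.\n"

def configured_ips(sh_run):
    """Map interface name -> IP address set in the running config."""
    ips, current = {}, None
    for line in sh_run.splitlines():
        m = re.match(r"interface (\S+)", line)
        ip = re.match(r"\s*ip address (\d+\.\d+\.\d+\.\d+) ", line)
        if m:
            current = m.group(1)
        elif ip and current:
            ips[current] = ip.group(1)
    return ips

def unassigned_interfaces(sh_int):
    """Interfaces that 'show interface' reports as having no IP address."""
    found, current = [], None
    for line in sh_int.splitlines():
        m = re.match(r"Interface (\S+) ", line)
        if m:
            current = m.group(1)
        elif "IP address unassigned" in line and current:
            found.append(current)
    return found

def diagnose(sh_run, sh_int, sh_ver):
    """Flag the symptom combination described in this thread."""
    cfg = configured_ips(sh_run)
    stuck = [i for i in unassigned_interfaces(sh_int) if i in cfg]
    fo = "(FO) license" in sh_ver
    off = re.search(r"^no failover\s*$", sh_run, re.M) is not None
    return {"stuck": stuck, "fo_license": fo, "failover_disabled": off,
            "matches_thread": bool(stuck) and fo and off}

print(diagnose(SH_RUN, SH_INT, SH_VER))
```
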