09-25-2007 01:01 AM - edited 03-11-2019 04:16 AM
Dear Expert,
I don't know why, but I cannot open our PIX web interface even though I have added my IP for access.
Below is the configuration list:
pixsbcp# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxx
passwd xxx
hostname pixsbcp
domain-name spsb.com.my
clock timezone MYT 8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit icmp any any
access-list inside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list dmz_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 100.82.250.91 255.255.255.252
ip address inside 10.88.104.10 255.255.255.0
ip address dmz 10.88.188.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location 192.168.6.0 255.255.255.0 inside
pdm location 192.168.6.185 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.88.0.0 255.255.0.0 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
access-group dmz_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 100.82.250.90 1
route inside 10.88.0.0 255.255.0.0 10.88.100.1 1
route inside 192.168.0.0 255.255.0.0 10.88.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.88.83.199 255.255.255.255 inside
http 10.88.83.185 255.255.255.255 inside
http 10.88.1.27 255.255.255.255 inside
http 192.168.8.185 255.255.255.255 inside
http 10.88.1.222 255.255.255.255 inside
http 10.88.83.28 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.88.83.199 255.255.255.255 inside
telnet 10.88.83.185 255.255.255.255 inside
telnet 10.88.1.27 255.255.255.255 inside
telnet 192.168.8.185 255.255.255.255 inside
telnet 10.88.1.222 255.255.255.255 inside
telnet 10.88.83.28 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username Darlien password xxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
: end
pixsbcp#
Please advise.
Best Regards,
Darlien Apolonius
09-25-2007 06:11 AM
Did you check to see if you have the proper ASDM image in your firewall?
09-25-2007 06:37 PM
How do I check if I have the proper ASDM?
09-25-2007 02:13 PM
Darlien, what message do you get when attempting to connect to the firewall through the browser? Are you using a secure connection, as in https://fw_Inside_IPaddress? If so, are you getting any browser messages? Issue "show version" at the command line of the PIX; it should indicate whether you have Device Manager installed and its version. Please post that information.
Jorge
09-25-2007 06:34 PM
Jorge,
After I type in password, the browser only display "The webpage cannot be found".
09-25-2007 06:41 PM
1) hostname test
2) domain-name cisco.com
3) ca zeroize rsa
4) ca generate rsa 1024
5) ca save all
6) username cisco password cisco privilege 15
7) http 0 0 outside (for testing)
8) http 0 0 inside (for testing)
Now try https://fw_inside_address
or https://fw_outside_address and use the
account in step 6
09-25-2007 06:45 PM
Darlien, if you got as far as the password prompt, it means the PIX has PDM installed, unless it is corrupted. Have you tried accessing it from another system, or has PDM worked before on this PIX?
09-25-2007 06:56 PM
Jorge,
Last month my colleague changed the PIX password; after a few days he had forgotten his own admin password. So he downloaded from Cisco the files to reset the PIX to factory settings, via FTP.
Could this process have corrupted the PDM inside the firewall?
Before this event, we were able to access the PDM.
Is there any way we can re-install/reconfigure the PDM?
BR,
Darlien
09-25-2007 07:27 PM
Darlien, anything is possible when resetting devices, but resetting to factory defaults would not cause file corruption. What I would do, before posting instructions on TFTPing PDM for your PIX code version, is telnet to the PIX enable mode, remove all https entries and add as follows.
no http 10.88.83.199 255.255.255.255 inside
no http 10.88.83.185 255.255.255.255 inside
no http 10.88.1.27 255.255.255.255 inside
no http 192.168.8.185 255.255.255.255 inside
no http 10.88.1.222 255.255.255.255 inside
no http 10.88.83.28 255.255.255.255 inside
and replace with
http 0.0.0.0 0.0.0.0 inside
then try loading pdm.
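To make the "which hosts does the http ACL actually admit" question checkable rather than a matter of eyeballing the config, here is an added example (not part of this thread, not Cisco code) that parses PIX 6.x `http`/`telnet`/`ssh` management statements, answers whether a given client on a given interface is admitted, and flags the management-plane settings a reviewer would want gone before the box goes back into service (the wide-open `0 0` test entry suggested above, telnet, the default SNMP community). The sample config is an excerpt of the configuration posted in the thread; the client addresses tested in the usage lines are constructed for the example. The `0 0` shorthand for `0.0.0.0 0.0.0.0` is handled because that is how the earlier reply wrote it.

```python
"""Audit PIX 6.x management-plane access statements (added example)."""
import ipaddress
import re
from typing import NamedTuple

# Excerpt of the running-config posted in the thread (trimmed for the example).
SAMPLE_CONFIG = """\
http server enable
http 10.88.83.199 255.255.255.255 inside
http 10.88.83.185 255.255.255.255 inside
http 10.88.1.27 255.255.255.255 inside
http 192.168.8.185 255.255.255.255 inside
http 10.88.1.222 255.255.255.255 inside
http 10.88.83.28 255.255.255.255 inside
snmp-server community public
telnet 10.88.83.199 255.255.255.255 inside
telnet 10.88.1.222 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
"""


class MgmtRule(NamedTuple):
    proto: str                       # http | telnet | ssh
    network: ipaddress.IPv4Network   # source addresses admitted
    interface: str                   # nameif the rule applies to


# `http|telnet|ssh <addr> <mask> <ifname>`; 6.x also accepts the `0 0` shorthand.
_RULE_RE = re.compile(r"^(http|telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _dotted(token: str) -> str:
    """PIX lets you type `0` for 0.0.0.0 in address and mask positions."""
    return "0.0.0.0" if token == "0" else token


def parse_mgmt_rules(config: str) -> list[MgmtRule]:
    rules = []
    for line in config.splitlines():
        m = _RULE_RE.match(line.strip())
        if not m:
            continue
        proto, addr, mask, ifname = m.groups()
        try:
            net = ipaddress.IPv4Network(f"{_dotted(addr)}/{_dotted(mask)}", strict=False)
        except ValueError:
            continue  # e.g. `http server enable`, `telnet timeout 5`
        rules.append(MgmtRule(proto, net, ifname))
    return rules


def http_server_enabled(config: str) -> bool:
    """True if `http server enable` is present and not negated later in the config."""
    enabled = False
    for line in config.splitlines():
        s = line.strip()
        if s == "http server enable":
            enabled = True
        elif s == "no http server enable":
            enabled = False
    return enabled


def admitted(rules: list[MgmtRule], proto: str, client_ip: str, interface: str) -> bool:
    """Does any <proto> statement bound to <interface> cover client_ip?"""
    ip = ipaddress.IPv4Address(client_ip)
    return any(r.proto == proto and r.interface == interface and ip in r.network
               for r in rules)


def audit(config: str) -> list[str]:
    """Return human-readable findings about the management plane."""
    findings = []
    rules = parse_mgmt_rules(config)
    if not http_server_enabled(config):
        findings.append("http server disabled: PDM cannot be reached at all")
    for r in rules:
        if r.network.prefixlen == 0:
            findings.append(f"{r.proto} open to any source on {r.interface}: test-only, remove after use")
        if r.proto in ("http", "telnet") and r.interface == "outside":
            findings.append(f"{r.proto} management exposed on the outside interface")
    if any(r.proto == "telnet" for r in rules):
        findings.append("telnet management enabled: credentials cross the network in cleartext, prefer ssh")
    for m in re.finditer(r"^snmp-server community (\S+)", config, re.M):
        if m.group(1).lower() in ("public", "private"):
            findings.append(f"snmp community '{m.group(1)}' is a well-known default")
    return findings


if __name__ == "__main__":
    rules = parse_mgmt_rules(SAMPLE_CONFIG)
    # Constructed client addresses: one listed in the config, one that is not.
    for ip in ("10.88.83.199", "10.88.83.200"):
        print(ip, "http inside ->", admitted(rules, "http", ip, "inside"))
    for f in audit(SAMPLE_CONFIG):
        print("finding:", f)
```

Run it against a `show running-config` capture to see whether the workstation you are browsing from is actually covered by an `http` statement on the interface it arrives on; a host that is listed but on a different interface, or covered only by a `telnet` line, is not admitted to PDM.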
09-25-2007 08:35 PM
Jorge,
I have done as you asked, but it still returns the same message: "Website not found".
Darlien
09-25-2007 09:11 PM
Darlien,
Here are the instructions for installing pdm.
First you need to download it .
You have pix version 6.3 you need pdm version
pdm-304.bin
http://www.cisco.com/cgi-bin/tablebuild.pl/pix
First, back up the configs and write down the activation keys just in case.
The activation key is found at the bottom of the "show version" output, right
below the serial number of the PIX: "Running Activation Key: xxxx xxxxx xxxxx xxxx".
This has nothing to do with the PDM download, but it is best to back these up; that's my process.
1- setup a tftp server and place pdm image in server
2.- Copy PDM image to flash from tftp
* Below is the procedure for the PDM upgrade
PIXFIREWALL(config)# copy tftp flash:pdm
Address or name of remote host [127.0.0.1] ip_of_tftp_server
Source file name [cdisk] pdm-304.bin
copying tftp://ip_of_tftp_server/pdm-304.bin to flash:pdm
After the file is successfully copied you need to reboot the PIX.
HTH
Jorge
10-01-2007 07:27 AM
DarlienDA,
Do you have at least a VPN-DES license (or better, a VPN-3DES-AES license) enabled (use 'show version')?
I was having similar problems until I upgraded the product license. Without the VPN license SSL won't work, and many modern browsers won't be happy with just the DES license.
If you haven't upgraded, see https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=119
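The three prerequisites raised across this thread (a PDM image present in flash, the HTTP server reachable, and a crypto license so that SSL can be offered) can all be read from one `show version` capture. Below is an added example, not part of this thread or of any Cisco tool, that parses the "Device Manager Version" line and the "Licensed Features" block and lists what would stop HTTPS access to PDM, following the reasoning in the reply above (no VPN license means no SSL; a DES-only license offers only ciphers current browsers refuse). The sample output is constructed for the example and its layout is assumed from PIX 6.3; adjust the regular expressions if your platform prints these fields differently.

```python
"""Read PDM/SSL prerequisites out of PIX 6.x `show version` text (added example)."""
import re

# Constructed `show version` excerpt, formatted as PIX 6.3(4) prints it (assumed layout).
SAMPLE_SHOW_VERSION = """\
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(4)

Licensed Features:
Failover:                    Disabled
VPN-DES:                     Disabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.
"""

_PDM_RE = re.compile(r"^Cisco PIX Device Manager Version (\S+)", re.M)
_FEATURE_RE = re.compile(r"^([A-Za-z0-9 -]+):\s+(Enabled|Disabled|Unlimited|\d+)\s*$", re.M)


def parse_show_version(text: str) -> dict:
    """Return {'pdm_version': str|None, 'features': {name: value}}."""
    pdm = _PDM_RE.search(text)
    features = {}
    in_block = False
    for line in text.splitlines():
        if line.strip() == "Licensed Features:":
            in_block = True
            continue
        if in_block:
            m = _FEATURE_RE.match(line)
            if m:
                features[m.group(1).strip()] = m.group(2)
            elif not line.strip():
                in_block = False  # blank line ends the block
    return {"pdm_version": pdm.group(1) if pdm else None, "features": features}


def pdm_https_blockers(text: str) -> list[str]:
    """List conditions that prevent HTTPS access to PDM, per the thread's reasoning."""
    info = parse_show_version(text)
    feats = info["features"]
    blockers = []
    if info["pdm_version"] is None:
        blockers.append("no Device Manager image reported: copy a PDM image to flash:pdm")
    des = feats.get("VPN-DES") == "Enabled"
    strong = feats.get("VPN-3DES-AES") == "Enabled"
    if not des and not strong:
        blockers.append("no VPN-DES or VPN-3DES-AES license: SSL unavailable, HTTPS cannot be served")
    elif des and not strong:
        blockers.append("DES-only license: SSL limited to 56-bit DES, which current browsers reject")
    return blockers


if __name__ == "__main__":
    for b in pdm_https_blockers(SAMPLE_SHOW_VERSION):
        print("blocker:", b)
```

Paste the real `show version` output into `SAMPLE_SHOW_VERSION` (or read it from a file) before trusting the result; the activation key and serial number lines are not needed and were left out of the constructed sample.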