11-16-2009 02:10 PM
Hello
I am trying to configure active/standby stateful failover setup. Here are my sh ver outputs on the pix units
Active PIX (PIX1)
sh ver
Cisco PIX Security Appliance Software Version 8.0(4)
Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"
pixfirewall up 5 mins 44 secs
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0 : address is 000d.ede9.97a7, irq 10
1: Ext: Ethernet1 : address is 000d.ede9.97a8, irq 11
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
Serial Number: 807421244
Running Activation Key: yyyyyyyyyyyyyyyyyyyyyyy
Configuration has not been modified since last system restart.
----------------------------------------------------------------------------
Failover PIX (PIX2)
sh ver
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 19-Mar-03 11:49 by morlee
pixfirewall up 33 secs
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5
0: ethernet0: address is 000c.30f8.be67, irq 10
1: ethernet1: address is 000c.30f8.be68, irq 11
2: ethernet2: address is 0002.b3b3.d806, irq 5
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Failover Only (FO) license.
Serial Number: 807101050 (0x301b627a)
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxx
Configuration last modified by enable_15 at 18:54:58.390 UTC Mon Nov 9 2009
I see that I need to take care of the below before the upgrade
Upgrade PIX2 to 8.0(4) version to match PIX1 (6.3 -> 7.2 -> 8.0(4))
Upgrade ASDM to 6.1(5) on PIX1 and PIX2
Upgrade to 128 MB RAM on both PIX1 and PIX2 (I believe I have to remove 64MB and add to 128MB stick). Please confirm
Add additional interface on PIX1 for LAN based failover PIX-515-MEM-128= and also use the same interface for stateful failover - Can I use this way with v8.0. I read that I cannot use the same interface in v7.0
Get 3DES key from Cisco website on PIX1
Please advise if I am missing any.
I tried to upgrade the PIX2 from 6.3 to 7.2 using copy tftp command. I configured a static IP on eth0 int and on my laptop but I am not able to ping these. Is there any other way on failover firewall to upgrade the firmware?
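Before pairing the two units, the pre-upgrade checklist above amounts to comparing the two `show version` outputs. This added Python checker (not from the thread or from Cisco) parses constructed excerpts of the two outputs quoted in the question and reports what still blocks a stateful Active/Standby pair; the 128 MB minimum is a parameter taken from the thread's advice, not a value the script derives.

```python
import re

# Constructed excerpts of the two "show version" outputs quoted in the thread
# (PIX1 on 8.0(4) with a UR license, PIX2 on 6.3(1) with an FO license).
PIX1_SHOW_VER = """\
Cisco PIX Security Appliance Software Version 8.0(4)
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Failover : Active/Active
VPN-3DES-AES : Disabled
"""
PIX2_SHOW_VER = """\
Cisco PIX Firewall Version 6.3(1)
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Failover: Enabled
VPN-3DES-AES: Enabled
"""

def parse_show_ver(text):
    """Extract the pairing-relevant fields; handles the 6.x and 7.x/8.x layouts."""
    info = {}
    m = re.search(r"Version (\d+\.\d+\(\d+\))", text)
    info["version"] = m.group(1) if m else None
    m = re.search(r"Hardware: (\S+), (\d+) MB RAM", text)
    info["model"] = m.group(1) if m else None
    info["ram_mb"] = int(m.group(2)) if m else None
    # 6.x prints "Failover: Enabled", 7.x/8.x prints "Failover : Active/Active"
    m = re.search(r"^Failover\s*:\s*(.+)$", text, re.M)
    info["failover"] = m.group(1).strip() if m else "Disabled"
    m = re.search(r"^VPN-3DES-AES\s*:\s*(\w+)", text, re.M)
    info["3des"] = bool(m) and m.group(1).lower() == "enabled"
    return info

def failover_pair_issues(a, b, min_ram_mb=128):
    """List what still blocks a stateful Active/Standby pair of units a and b."""
    issues = []
    if a["version"] != b["version"]:
        issues.append(f"software version mismatch: {a['version']} vs {b['version']}")
    if a["model"] != b["model"]:
        issues.append(f"hardware mismatch: {a['model']} vs {b['model']}")
    for name, u in (("unit A", a), ("unit B", b)):
        if u["ram_mb"] is not None and u["ram_mb"] < min_ram_mb:
            issues.append(f"{name}: {u['ram_mb']} MB RAM, below {min_ram_mb} MB")
        if u["failover"] == "Disabled":
            issues.append(f"{name}: license does not include failover")
    if a["3des"] != b["3des"]:
        issues.append("VPN-3DES-AES license differs between the units")
    return issues
```

Run against the two excerpts it lists the version mismatch, the 64 MB RAM in both units and the 3DES license difference, which matches the checklist in the post.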
11-21-2009 12:55 PM
Hi
If you are upgrading from:
•32 MB to 64 MB of memory, install an additional 32 MB memory module into the empty socket for a new total of 64 MB of memory.
•32 MB to 128 MB of memory, remove the existing 32 MB memory module. Open the two plastic wing connectors on the sides of the memory socket, and pull the old memory module up and out of the socket. Discard the old 32 MB memory module. Then install the two new 64 MB memory modules for a new total of 128 MB of memory.
•64 MB to 128 MB of memory:
–If two 32 MB memory modules are installed, remove them. Open the two plastic wing connectors on the sides of the memory socket, and pull the old memory module up and out of the socket. Repeat for the second memory module. Discard the old 32 MB memory modules. Then install the two new 64 MB memory modules for a new total of 128 MB of memory.
–If one 64 MB memory module is installed, add an additional 64 MB memory module into the empty socket for a new total of 128 MB of memory.
Hardware Installation guide:
http://www.cisco.com/en/US/docs/security/pix/pix72/hw/installation/guide/515.html
PIX failover:
http://www.cisco.com/en/US/docs/security/pix/pix61/configuration/guide/failover.html
Hope this answers your query.
Regards
M
11-25-2009 02:39 AM
How are you cabling it, are you going thru a switch or direct from a pc to the firewall??
if you are connecting thru a switch = straight cable
PC to firewall = xover
11-20-2009 10:22 AM
To answer your questions:
Upgrade to 128 MB RAM on both PIX1 and PIX2 (I believe I have to remove 64MB and add to 128MB stick). Please confirm - YES
Add additional interface on PIX1 for LAN based failover PIX-515-MEM-128= and also use the same interface for stateful failover - Can I use this way with v8.0. I read that I cannot use the same interface in v7.0 - see http://www.cisco.com/en/US/docs/security/pix/pix61/configuration/guide/failover.html
I tried to upgrade the PIX2 from 6.3 to 7.2 using copy tftp command. I configured a static IP on eth0 int and on my laptop but I am not able to ping these. Is there any other way on failover firewall to upgrade the firmware? - You used e0 - did you still name this as "outside"? If so, by default ALL traffic is blocked; try using the e1 interface and name it as the "inside".
HTH
11-25-2009 06:55 AM
Hello
I opened the top panel of the pix unit and I saw 2 slots for the memory. So I just have to use 2 64MB sticks in it. It looks like PIX 515 does not accept 128MB stick. Thanks for your reply
Sarat
11-24-2009 02:31 PM
Hello Andrew
Thanks for the reply. I tried with eth1 as well with no luck. Below is the config
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list CAPTURE permit icmp any any
pager lines 24
logging on
logging console informational
logging buffered informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 11.12.13.14 255.0.0.0
ip address inside 192.168.1.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm history enable
arp timeout 14400
pixfirewall# sh capture
capture capin access-list CAPTURE interface outside
pixfirewall# sh capture capin
12 packets captured
21:44:16.915846 192.168.1.1 > 192.168.1.100: icmp: echo request
21:44:17.914137 192.168.1.1 > 192.168.1.100: icmp: echo request
21:4:18.914152 192.168.1.1 > 192.168.1.100: icmp: echo request
21:44:47.219486 192.168.1.1 > 192.168.1.100: icmp: echo request
21:44:48.214634 192.168.1.1 > 192.168.1.100: icmp: echo request
pixfirewall# sh debug
debug access-list all
debug icmp trace
debug packet inside both
--------- PACKET ---------
-- IP --
192.168.1.100 ==> 192.168.1.255
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x4e
id = 0xd79d flags = 0x0 frag off=0x0
ttl = 0x80 proto=0x11 chksum = 0xde43
-- UDP --
source port = 0x89 dest port = 0x89
len = 0x3a checksum = 0xa0fb
-- DATA --
00000010: 87 41 01 10 |
.A..
00000020: 00 01 00 00 00 00 00 00 20 45 4e 45 48 45 45 45 | ..
...... ENEHEEE
00000030: 44 44 42 43 41 43 41 43 41 43 41 43 41 43 41 43 -----
Thank you for your time in looking at this.
11-25-2009 06:29 AM
Andrew
I connected PC to firewall and I tried with both straight and cross over cables. Also there is no firewall enabled on the laptop. I may quickly try connecting through the switch
Thanks
Sarat
11-25-2009 06:56 AM
I tried connecting through the switch as well and no luck. May be the device is faulty.
11-25-2009 07:35 AM
I was finally able to resolve this. If I remember right I read somewhere that I should only use tftp flash to upgrade 515E or version 6.3. As I could not ping my laptop from pix, I took a chance and rebooted that in monitor mode. As soon as I assign the addresses I was able to ping the laptop. Then I upgraded to 7.2(4) version and reloaded the pix. Now I do see the below but when I ping the interface I got a message "no route to host". Made sure the interface is not shut, did a shut and unshut, renamed the interface again, assigned security level 100, removed and assigned IP, assigned a static route to inside and nothing worked. Still unable to ping the interface itself.
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
I finally cleared all the config, reloaded and reconfigured the interface which then worked. Then I upgraded to 8.0(4) using copy tftp flash and it worked. So finally I have everything I needed now :-)
pixfirewall# sh ver
Cisco PIX Security Appliance Software Version 8.0(4)
Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "flash:/pix804.bin"
Config file at boot was "startup-config"
pixfirewall up 5 mins 9 secs
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
0: Ext: Ethernet0 : address is 000c.30f8.be67, irq 10
1: Ext: Ethernet1 : address is 000c.30f8.be68, irq 11
2: Ext: Ethernet2 : address is 0002.b3b3.d806, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a Failover Only-Active/Standby (FO) license.
Serial Number: 807101050
Running Activation Key: 0x65b3dd06 0x376de8f7 0x4b29689b 0x18dea9d0
Configuration has not been modified since last system restart.
Thanks for all the inputs and appreciate your time
Sarat
11-25-2009 07:52 AM
FYI
This is the link that mentioned the PIX 515E needs to use the copy tftp flash command. However, monitor mode also worked.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml#t3
This shows unrestricted/failover supports 128MB stick PIX-515-MEM-128=
PIX-515-MEM-128= is just a part number which actually has 2x64MB sticks.
11-25-2009 08:38 AM
Great news - good job.
To be honest I was not thinking that was a way to go, as ever there is more than 1 way to skin a cat!! (metaphorically speaking of course)
04-13-2010 04:59 AM
The real solution to this problem is that you should give the interface two IP addresses. One for the active unit and one for the standby unit. Because you have a Failover Only license, the pix (even when it is placed in a standalone environment) will only listen with the standby IP address.
That is why you are not able to ping anything or communicate with other IP addresses if you have filled in only one IP.
You can check this with the command: show interface
Regards,
Wouter
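The two-address form of the interface configuration Wouter describes, as an added illustration that is not part of the thread: the single-address block is the one Sarat posted above, the standby address 192.168.1.2 is a constructed value, and the `standby` keyword on `ip address` is the PIX 7.x/8.x syntax (assumed here, not shown on the page).

```text
! As posted: only one address, so a Failover Only unit answers on neither
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

! With an active and a standby address, which a Failover Only unit will use
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
```

Verify with `show interface`, as Wouter suggests, that the interface now reports the address you expect the unit to answer on.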