Issues with Cisco PIX 515e
kmcintosh78
Member Posts: 195
So, I am trying just to do the initial setup of a Cisco PIX515e 6.3, and I am hitting a brick wall.
I got the console up, thought that I had everything configured correctly (like internal IP and such), but I can't ping to or from, with a crossover cable from inside/ethernet0 to a PC.
Need some help/advice.
I would also like to get it set up for management via ASDM.
It is a base config, nothing else.
Thanks
What I am working on
CCNP Route (Currently) 80% done
CCNP Switch (Next Year)
CCNP TShoot (Next Year)
Comments
-
SubnetZero Member Posts: 124
What's the security level on your inside interface? It should be set up to 100 and named "inside".
pixfirewall# conf t
pixfirewall(config)# int e0
pixfirewall(config-if)# ip address 192.168.1.1 255.255.255.0
pixfirewall(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
Also check "show arp" on the PIX, do you see the PC? Is the firewall enabled on the PC?
While no trees were harmed in the transmission of this message, several electrons were severely inconvenienced :cool:
-
kmcintosh78 Member Posts: 195
Interface is set correctly. Named and Security 100.
No ARP entries.
No firewall on the PC, it is turned off.
-
SubnetZero Member Posts: 124
Do you have green link lights?
Please post the output from the following two commands:
show run interface
show interface ip brief
Thanks
-
networker050184 Mod Posts: 11,962 Mod
Are you sure the cable is good? If you can't get arp you aren't going to ping.
An expert is a man who has made all the mistakes which can be made.
-
kmcintosh78 Member Posts: 195
SubnetZero wrote:
Do you have green link lights?
Please post the output from the following two commands:
show run interface
show interface ip brief
Thanks
Yep, link light solid.
PIX# show run interface
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name MAIN
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
<--- More --->
names
pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
<--- More --->
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:bed2c9124913b21045d28930a785d464
: end
PIX# show interface ip brief
Usage: interface <hardware_id> [<hw_speed> [shutdown]]
[no] interface <hardware_id> <vlan_id> [logical|physical] [shutdown]
interface <hardware_id> change-vlan <old_vlan_id> <new_vlan_id>
show interface
-
kmcintosh78 Member Posts: 195
networker050184 wrote:
Are you sure the cable is good? If you can't get arp you aren't going to ping.
Yep, factory made crossover cable.
-
SubnetZero Member Posts: 124
OK, looks like you're running super old code on that PIX...
Please post the result from "show interface" please
-
kmcintosh78 Member Posts: 195
So, looked at the version settings, and found this statement:
"This PIX has a Failover Only Lincense"
Set the Failover Ip address and now I can ping between.
What gives?
-
kmcintosh78 Member Posts: 195
PIX>
PIX>
PIX> en
Password:
PIX# show u interface
interface ethernet0 "outside" is administratively down, line protocol is down
Hardware is i82559 ethernet, address is 000d.bdbb.b6c9
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/12 software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000d.bdbb.b6ca
IP address 192.168.1.2, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
2125 packets input, 171033 bytes, 0 no buffer
Received 657 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2161 packets output, 2179625 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/12 software (0/43)
<--- More --->
output queue (curr/max blocks): hardware (0/63) software (0/1)
PIX# show version
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Thu 04-Aug-05 21:40 by morlee
PIX up 38 mins 53 secs
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: ethernet0: address is 000d.bdbb.b6c9, irq 10
1: ethernet1: address is 000d.bdbb.b6ca, irq 11
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
<--- More --->
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Failover Only (FO) license.
Serial Number: 807333777 (0x301eef91)
Running Activation Key: 0xf69b4354 0x57e53122 0xc84bc0e0 0xfc9d5cf9
Configuration last modified by enable_15 at 16:48:51.907 UTC Thu Feb 9 2012
PIX# show ri un
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name MAIN
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
<--- More --->
names
pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
failover ip address inside 192.168.1.4
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
<--- More --->
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7152eb4962675a1e97ada571a58be396
: end
PIX#
-
SubnetZero Member Posts: 124
Your PIX is in failover mode
pixfirewall(config)# no failover
-
kmcintosh78 Member Posts: 195
SubnetZero wrote:
Your PIX is in failover mode
pixfirewall(config)# no failover
Did that, removed the failover IP statement and now link is down.
Putting the failover IP statement back, ping and arp good.
-
SubnetZero Member Posts: 124
That's odd, it worked for me. Basically I just ran the "no failover" command and then set the IP under the interface. You may also think about clearing the config out and starting fresh?
pixfirewall# write erase
Erase configuration in flash memory? [confirm]
-
kmcintosh78 Member Posts: 195
SubnetZero wrote:
That's odd, it worked for me. Basically I just ran the "no failover" command and then set the IP under the interface. You may also think about clearing the config out and starting fresh?
pixfirewall# write erase
Erase configuration in flash memory? [confirm]
Could it be an issue with the 6.3 version?
-
networker050184 Mod Posts: 11,962 Mod
I believe the "failover only" license means that it can only be used as the standby device in a pair when the other device has the licensing you need. So it must be in failover mode, but I'm not sure what kind of restrictions you will run into if you don't have another licensed device to link it with.
An expert is a man who has made all the mistakes which can be made.
-
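The two checks that resolve this thread (SubnetZero's nameif/security-level check near the top, and the Failover Only license that networker050184 explains just above) can be run mechanically over a saved PIX 6.3 config instead of by eye. The Python script below is an added example, not code from the thread or from Cisco. The config and "show version" text it parses are a constructed, trimmed copy of what kmcintosh78 posted, and the only PIX 6.3 line forms it recognises are the ones that appear in this thread (`interface ... shutdown`, `nameif ... securityN`, `ip address <name> ...`, `failover` / `no failover`, `failover ip address ...`, `http ...`, `snmp-server community ...`). Because the posted config also carries `snmp-server community public`, the audit flags well-known SNMP community strings as well; the finding codes and the "expected" levels (inside 100, outside 0) are this example's own conventions.

```python
import re

# Constructed sample: a trimmed copy of the PIX 6.3(5) running config posted
# above in this thread (not a live capture), kept in the 6.3 line syntax.
SAMPLE_RUN = """\
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
no ip address outside
ip address inside 192.168.1.2 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
http server enable
http 192.168.1.1 255.255.255.255 inside
snmp-server community public
telnet timeout 5
ssh timeout 5
"""

# Constructed sample: the license lines from the posted "show version".
SAMPLE_VERSION = """\
Cisco PIX Firewall Version 6.3(5)
Licensed Features:
Failover: Enabled
This PIX has a Failover Only (FO) license.
"""

IF_RE = re.compile(r"^interface (\S+) (\S+)( shutdown)?$")
NAMEIF_RE = re.compile(r"^nameif (\S+) (\S+) security(\d+)$")
IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
FO_IP_RE = re.compile(r"^failover ip address (\S+) (\S+)$")
HTTP_RE = re.compile(r"^http (\S+) (\S+) (\S+)$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)$")

# Conventional security levels the thread relies on (this example's assumption).
EXPECTED_LEVELS = {"inside": 100, "outside": 0}


def parse_config(text):
    """Parse the PIX 6.3 lines this audit cares about into a plain dict."""
    ifaces = {}   # hardware id -> details
    names = {}    # logical name -> hardware id
    cfg = {"interfaces": ifaces, "failover": False, "failover_ips": {},
           "http_server": False, "http_hosts": [], "snmp_communities": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IF_RE.match(line):
            ifaces[m.group(1)] = {"shutdown": bool(m.group(3)), "name": None,
                                  "security": None, "ip": None}
        elif m := NAMEIF_RE.match(line):
            hw, name, level = m.groups()
            entry = ifaces.setdefault(hw, {"shutdown": False, "name": None,
                                           "security": None, "ip": None})
            entry["name"], entry["security"] = name, int(level)
            names[name] = hw
        elif m := IP_RE.match(line):
            if m.group(1) in names:           # 6.3 addresses interfaces by nameif name
                ifaces[names[m.group(1)]]["ip"] = m.group(2)
        elif line == "failover":
            cfg["failover"] = True
        elif line == "no failover":
            cfg["failover"] = False
        elif m := FO_IP_RE.match(line):
            cfg["failover_ips"][m.group(1)] = m.group(2)
        elif line == "http server enable":
            cfg["http_server"] = True
        elif m := HTTP_RE.match(line):
            cfg["http_hosts"].append((m.group(1), m.group(2), m.group(3)))
        elif m := SNMP_RE.match(line):
            cfg["snmp_communities"].append(m.group(1))
    return cfg


def has_failover_only_license(version_text):
    """True when 'show version' reports the Failover Only (FO) license."""
    return re.search(r"failover only", version_text, re.IGNORECASE) is not None


def audit(config_text, version_text):
    """Return (code, message) findings for the symptoms discussed in the thread."""
    cfg = parse_config(config_text)
    findings = []
    for hw, i in sorted(cfg["interfaces"].items()):
        label = f"{hw} ({i['name'] or 'unnamed'})"
        if i["shutdown"]:
            findings.append(("IF_SHUTDOWN", f"{label} is administratively shut down"))
        want = EXPECTED_LEVELS.get(i["name"])
        if want is not None and i["security"] != want:
            findings.append(("SEC_LEVEL", f"{label} has security{i['security']}, expected security{want}"))
        if i["name"] and i["ip"] is None:
            findings.append(("IF_NO_IP", f"{label} has no IP address configured"))
    if has_failover_only_license(version_text) and not cfg["failover"]:
        findings.append(("FO_LICENSE_STANDBY",
                         "Failover Only (FO) license with 'no failover': the unit is licensed as a "
                         "standby member of a pair and is not expected to pass traffic on its own"))
    for community in cfg["snmp_communities"]:
        if community.lower() in ("public", "private"):
            findings.append(("SNMP_DEFAULT_COMMUNITY", f"SNMP community '{community}' is a well-known default"))
    if cfg["http_server"] and not cfg["http_hosts"]:
        findings.append(("HTTP_UNRESTRICTED", "http server enable without an 'http <host> <mask> <if>' restriction"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_RUN, SAMPLE_VERSION):
        print(f"{code:24} {msg}")
```

Run against the posted config it reports ethernet0 shut down with no address, the FO license combined with `no failover`, and the default SNMP community; the management HTTP check passes because the config restricts PDM access to one inside host. Feed it a `show run` and `show version` saved from a unit before buying it and the license line that "stuck out like a sore thumb" later in this thread is caught up front.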
kmcintosh78 Member Posts: 195
SubnetZero wrote:
That's odd, it worked for me. Basically I just ran the "no failover" command and then set the IP under the interface. You may also think about clearing the config out and starting fresh?
pixfirewall# write erase
Erase configuration in flash memory? [confirm]
What about the statement from the show version command: "This PIX has a Failover Only License"
Does that then mean that it will only operate as a failover?
-
kmcintosh78 Member Posts: 195
networker050184 wrote:
I believe the "failover only" license means that it can only be used as the standby device in a pair when the other device has the licensing you need. So it must be in failover mode, but I'm not sure what kind of restrictions you will run into if you don't have another licensed device to link it with.
Yep, numerous Cisco Tech Notes state it requires a License Key upgrade.
Ok, thanks for the help guys.
Learned a lot just from this and you both.
I appreciate the responses.
-
networker050184 Mod Posts: 11,962 Mod
You might be able to trick it into thinking it's the standby and the primary has failed. Not sure how that will work for you though.
An expert is a man who has made all the mistakes which can be made.
-
kmcintosh78 Member Posts: 195
networker050184 wrote:
You might be able to trick it into thinking it's the standby and the primary has failed. Not sure how that will work for you though.
From what I have read, I might be able to do that, if I had the paired unit it shared the license key with.
But, I don't.
It is for a side-job project, where the customer did not really consult me first.
So, back to the purchasing board for him.
That show version statement stuck out like a sore thumb, and if I had reviewed the device before purchase, I would have walked away.
Thanks again guys.
-
SubnetZero Member Posts: 124
networker050184 wrote:
I believe the "failover only" license means that it can only be used as the standby device in a pair when the other device has the licensing you need. So it must be in failover mode, but I'm not sure what kind of restrictions you will run into if you don't have another licensed device to link it with.
Yup you're spot on, good catch
-
kmcintosh78 Member Posts: 195
SubnetZero wrote:
Yup you're spot on, good catch
While I learn something new every day from my team lead, who is a CCIE, I always feel good, and it justifies my skills and abilities, to catch something that is missed by people who have been in the game longer than I.
Again, I truly appreciate the help from you and networker050184.
Thanks again.
-
JeanM Member Posts: 1,117
set up a default route
then #failover active
that worked for me.
2015 goals - ccna voice / vmware vcp.
-
umeshrege Registered Users Posts: 1
You can simply define the failover IP address for your config for inside and outside interfaces as shown in the example below.
it will solve the issue.
failover ip address inside a.b.c.d
and your ping will start working.