Issues with Cisco PIX 515e

kmcintosh78 Member Posts: 195
So, I am just trying to do the initial setup of a Cisco PIX515e 6.3, and I am hitting a brick wall.

I got the console up, thought that I had everything configured correctly (Like internal IP and such), but I can't ping to or from, with a crossover cable from inside/ethernet0 to a PC.
Need some help/advice.
I would also like to get it set up for management via ASDM.

It is a base config, nothing else.

Thanks
What I am working on
CCNP Route (Currently) 80% done
CCNP Switch (Next Year)
CCNP TShoot (Next Year)

Comments

  • SubnetZero Member Posts: 124
    What's the security level on your inside interface? It should be set to 100 and named "inside":
    pixfirewall# conf t
    pixfirewall(config)# int e0
    pixfirewall(config-if)# ip address 192.168.1.1 255.255.255.0
    pixfirewall(config-if)# nameif inside
    INFO: Security level for "inside" set to 100 by default.
    
    interface Ethernet0
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
    

    Also check "show arp" on the PIX, do you see the PC? Is the firewall enabled on the PC?

    While no trees were harmed in the transmission of this message, several electrons were severely inconvenienced
    :cool:
  • kmcintosh78 Member Posts: 195
    Interface is set correctly. Named and Security 100.
    No ARP entries.
    No firewall on the PC, it is turned off.
  • SubnetZero Member Posts: 124
    Do you have green link lights?

    Please post the output from the following two commands:

    show run interface
    show interface ip brief

    Thanks

  • networker050184 Mod Posts: 11,962
    Are you sure the cable is good? If you can't get arp you aren't going to ping.
    An expert is a man who has made all the mistakes which can be made.
  • kmcintosh78 Member Posts: 195
    SubnetZero wrote: »
    Do you have green link lights?

    Please post the output from the following two commands:

    show run interface
    show interface ip brief

    Thanks

    Yep, link light solid.


    PIX# show run interface
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto shutdown
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname PIX
    domain-name MAIN
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    <--- More --->
    names
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no ip address outside
    ip address inside 192.168.1.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    pdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    <--- More --->
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.1 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:bed2c9124913b21045d28930a785d464
    : end

    PIX# show interface ip brief
    Usage: interface <hardware_id> [<hw_speed> [shutdown]]
    [no] interface <hardware_id> <vlan_id> [logical|physical] [shutdown]
    interface <hardware_id> change-vlan <old_vlan_id> <new_vlan_id>
    show interface
  • kmcintosh78 Member Posts: 195
    Are you sure the cable is good? If you can't get arp you aren't going to ping.

    Yep, factory made cross over cable.
  • SubnetZero Member Posts: 124
    OK looks like you're running super old code on that PIX...

    Please post the result from "show interface".

  • kmcintosh78 Member Posts: 195
    So, looked at the version settings, and found this statement:
    "This PIX has a Failover Only License"

    Set the failover IP address and now I can ping between.
    What gives?
  • kmcintosh78 Member Posts: 195
    PIX>
    PIX>
    PIX> en
    Password:

    PIX# show u interface
    interface ethernet0 "outside" is administratively down, line protocol is down
    Hardware is i82559 ethernet, address is 000d.bdbb.b6c9
    MTU 1500 bytes, BW 10000 Kbit half duplex
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (0/0)
    output queue (curr/max blocks): hardware (0/0) software (0/0)
    interface ethernet1 "inside" is up, line protocol is up
    Hardware is i82559 ethernet, address is 000d.bdbb.b6ca
    IP address 192.168.1.2, subnet mask 255.255.255.0
    MTU 1500 bytes, BW 100000 Kbit full duplex
    2125 packets input, 171033 bytes, 0 no buffer
    Received 657 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    2161 packets output, 2179625 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (0/43)
    <--- More --->
    output queue (curr/max blocks): hardware (0/63) software (0/1)

    PIX# show version

    Cisco PIX Firewall Version 6.3(5)
    Cisco PIX Device Manager Version 3.0(1)

    Compiled on Thu 04-Aug-05 21:40 by morlee

    PIX up 38 mins 53 secs

    Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
    Flash E28F128J3 @ 0x300, 16MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB

    Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
    0: ethernet0: address is 000d.bdbb.b6c9, irq 10
    1: ethernet1: address is 000d.bdbb.b6ca, irq 11
    Licensed Features:
    Failover: Enabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    Maximum Physical Interfaces: 6
    Maximum Interfaces: 10
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    <--- More --->
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited

    This PIX has a Failover Only (FO) license.

    Serial Number: 807333777 (0x301eef91)
    Running Activation Key: 0xf69b4354 0x57e53122 0xc84bc0e0 0xfc9d5cf9
    Configuration last modified by enable_15 at 16:48:51.907 UTC Thu Feb 9 2012

    PIX# show ri un
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto shutdown
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname PIX
    domain-name MAIN
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    <--- More --->
    names
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no ip address outside
    ip address inside 192.168.1.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    failover ip address inside 192.168.1.4
    pdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    <--- More --->
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.1 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:7152eb4962675a1e97ada571a58be396
    : end

    PIX#
  • SubnetZero Member Posts: 124
    Your PIX is in failover mode
    pixfirewall(config)# no failover  
    

  • kmcintosh78 Member Posts: 195
    SubnetZero wrote: »
    Your PIX is in failover mode
    pixfirewall(config)# no failover  
    

    Did that, removed the failover IP statement and now link is down.

    Putting the failover IP statement back, ping and arp good.
  • SubnetZero Member Posts: 124
    That's odd it worked for me. Basically I just ran the "no failover" command and then set the IP under the interface. You may also think about clearing the config out and starting fresh?
    pixfirewall# write erase 
    Erase configuration in flash memory? [confirm] 
    

  • kmcintosh78 Member Posts: 195
    SubnetZero wrote: »
    That's odd it worked for me. Basically I just ran the "no failover" command and then set the IP under the interface. You may also think about clearing the config out and starting fresh?
    pixfirewall# write erase 
    Erase configuration in flash memory? [confirm] 
    

    Could it be an issue with the 6.3 version?
  • networker050184 Mod Posts: 11,962
    I believe the "failover only" license means that it can only be used as the standby device in a pair when the other device has the licensing you need. So it must be in failover mode, but I'm not sure what kind of restrictions you will run into if you don't have another licensed device to link it with.
  • kmcintosh78 Member Posts: 195
    SubnetZero wrote: »
    That's odd it worked for me. Basically I just ran the "no failover" command and then set the IP under the interface. You may also think about clearing the config out and starting fresh?
    pixfirewall# write erase 
    Erase configuration in flash memory? [confirm] 
    

    What about the statement from the show version command: "This PIX has a Failover Only License"
    Does that then mean that it will only operate as a failover?
  • kmcintosh78 Member Posts: 195
    I believe the "failover only" license means that it can only be used as the standby device in a pair when the other device has the licensing you need. So it must be in failover mode, but I'm not sure what kind of restrictions you will run into if you don't have another licensed device to link it with.


    Yep, numerous Cisco Tech Notes state it requires a License Key upgrade.

    Ok, thanks for the help guys.
    Learned a lot just from this and you both.
    I appreciate the responses.
  • networker050184 Mod Posts: 11,962
    You might be able to trick it into thinking it's the standby and the primary has failed. Not sure how that will work for you though.
  • kmcintosh78 Member Posts: 195
    You might be able to trick it into thinking it's the standby and the primary has failed. Not sure how that will work for you though.

    From what I have read, I might be able to do that, if I had the paired unit it shared the license key with.
    But, I don't.

    It is for a side-job project, where the customer did not really consult me first.
    So, back to the purchasing board for him.

    That show version statement stuck out like a sore thumb, and if I had reviewed the device before purchase, I would have walked away.

    Thanks again guys.
  • SubnetZero Member Posts: 124
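The pre-purchase review described above can be scripted. The following is an added example, not code from this thread or from Cisco: it runs over constructed PIX 6.x "show version" and "show run" text (cut down from the output pasted in this thread) and flags the Failover Only license, the end-of-life 6.x software line, an administratively shut interface, an inside/outside security level that is not 100/0, and the default SNMP community string that the pasted config still carries. The audit_pix function and its finding categories are this example's own names.

```python
import re

# Constructed sample input, cut down from the command output pasted in the thread.
SHOW_VERSION = """\
Cisco PIX Firewall Version 6.3(5)
Licensed Features:
Failover: Enabled
This PIX has a Failover Only (FO) license.
"""

SHOW_RUN = """\
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
no ip address outside
ip address inside 192.168.1.2 255.255.255.0
snmp-server community public
"""


def audit_pix(show_version: str, show_run: str) -> list[tuple[str, str]]:
    """Return (category, detail) findings for a PIX 6.x 'show version' + 'show run' pair."""
    findings = []
    # License: a Failover Only unit is meant to be the standby of a licensed pair.
    if "Failover Only (FO) license" in show_version:
        findings.append(("license", "Failover Only (FO) license: not usable standalone without a key upgrade"))
    # Software: the PIX 6.x line is end-of-life and receives no fixes.
    m = re.search(r"PIX Firewall Version (\d+)\.(\d+)", show_version)
    if m and int(m.group(1)) < 7:
        findings.append(("software", f"PIX {m.group(1)}.{m.group(2)} is end-of-life"))
    # Interfaces: a trailing 'shutdown' on a 6.x interface line means admin down.
    for iface in re.findall(r"^interface (\S+) \S+ shutdown$", show_run, re.M):
        findings.append(("interface", f"{iface} is administratively down"))
    # Security levels: 6.x encodes them as 'nameif <hw> <name> security<N>'.
    for hw, name, lvl in re.findall(r"^nameif (\S+) (\S+) security(\d+)$", show_run, re.M):
        expected = {"inside": 100, "outside": 0}.get(name)
        if expected is not None and int(lvl) != expected:
            findings.append(("security-level", f"{name} ({hw}) is {lvl}, expected {expected}"))
    # SNMP: the well-known default read community is still configured.
    if re.search(r"^snmp-server community public$", show_run, re.M):
        findings.append(("snmp", "default community string 'public' is configured"))
    return findings


if __name__ == "__main__":
    for cat, detail in audit_pix(SHOW_VERSION, SHOW_RUN):
        print(f"[{cat}] {detail}")
```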
    I believe the "failover only" license means that it can only be used as the standby device in a pair when the other device has the licensing you need. So it must be in failover mode, but I'm not sure what kind of restrictions you will run into if you don't have another licensed device to link it with.

    Yup you're spot on, good catch

  • kmcintosh78 Member Posts: 195
    SubnetZero wrote: »
    Yup you're spot on, good catch
    Don't take this the wrong way, but I feel pretty damn good right now, having caught that.
    While I learn something new every day from my team lead, who is a CCIE, I always feel good, and it justifies my skills and abilities to catch something that is missed by people who have been in the game longer than I.

    Again, I truly appreciate the help from you and networker050184.

    Thanks again.
  • JeanM Member Posts: 1,117
    Set up a default route,

    then #failover active

    That worked for me.
    2015 goals - ccna voice / vmware vcp.
  • umeshrege Registered Users Posts: 1
    You can simply define the failover IP address in your config for the inside and outside interfaces, as shown in the example below.
    It will solve the issue.

    failover ip address inside a.b.c.d

    and your ping will start working.