PIX 515 PDM not working

Unanswered Question
Feb 13th, 2007

Two problems.

1. I cannot figure out why my web interface to PDM is not working.

2. I am trying to connect eth/05 to a new internet router without disrupting eth/02, which goes to a partner connection. I can ping from the PIX to the internet router (and beyond, with specific routes added to the PIX outside interface routing).

Below is my config.

Any help would be greatly appreciated.

Thanks,

Mike

:
PIX Version 7.0(4)
!
names
!
interface Ethernet0
 shutdown
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.20.27.2 255.255.255.240
!
interface Ethernet2
 nameif vendor
 security-level 4
 ip address 192.168.160.3 255.255.255.0
!
interface Ethernet3
 shutdown
!
interface Ethernet4
 shutdown
!
interface Ethernet5
 nameif outside
 security-level 0
 ip address xx.16.139.18 255.255.255.248
!
boot system flash:/pix704.bin
ftp mode passive
access-list 200 extended permit ip any any
access-list in-out extended permit ip 192.20.0.0 255.255.0.0 host 192.20.27.3
access-list in-out extended permit ip host 192.168.70.230 192.168.160.0 255.255.255.0
access-list in-out extended permit ip host 192.20.4.36 192.168.160.0 255.255.255.0
access-list in-out extended permit ip any any
access-list in-out extended permit icmp any any
access-list vendor-in extended permit ip 192.168.160.0 255.255.255.0 host 192.168.160.152
access-list vendor-in extended permit ip 192.168.160.0 255.255.255.0 host 192.168.160.153
access-list vendor-in extended permit ip 192.168.160.0 255.255.255.0 host 192.168.160.154
access-list vendor-in extended permit icmp any any
access-list internet-in extended permit icmp any any
pager lines 24
logging enable
logging buffer-size 16000
logging buffered informational
logging asdm informational
mtu dmz 1500
mtu inside 1500
mtu Cendant 1500
mtu intf3 1500
mtu intf4 1500
mtu outside 1500
failover
asdm history enable
arp timeout 14400
nat-control
global (inside) 2 192.20.27.6
global (vendor) 1 192.168.160.151
global (outside) 1 interface
nat (inside) 1 192.20.0.0 255.255.0.0
nat (vendor) 2 192.168.160.0 255.255.255.0 outside
nat (outside) 1 192.20.0.0 255.255.0.0
static (inside,vendor) 192.168.160.152 192.20.10.12 netmask 255.255.255.255
static (vendor,inside) 192.20.27.3 192.168.160.100 netmask 255.255.255.255
static (inside,vendor) 192.168.160.153 192.168.70.230 netmask 255.255.255.255
static (vendor,inside) 192.20.27.4 192.168.160.117 netmask 255.255.255.255
static (vendor,inside) 192.20.27.5 192.168.160.118 netmask 255.255.255.255
static (inside,vendor) 192.168.160.154 192.20.4.36 netmask 255.255.255.255
access-group vendor-in in interface vendor
route inside 0.0.0.0 0.0.0.0 192.20.27.1 1
route inside 192.20.25.0 255.255.255.0 192.20.25.43 1
route inside 192.20.27.0 255.255.255.0 192.20.25.43 1
route inside 192.20.28.0 255.255.255.0 192.20.25.43 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.20.28.0 255.255.255.0 inside
http 192.20.20.19 255.255.255.255 inside
snmp-server host inside 192.20.20.30 community ABC
no snmp-server location
no snmp-server contact
snmp-server community ABC
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-ipsec
telnet 192.20.28.0 255.255.255.0 inside
telnet timeout 5
ssh 192.20.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
: end

Jon Marshall Tue, 02/13/2007 - 12:18

Hi

What happens when you try to connect to PDM? (Actually it will be ASDM for PIX v7.x.)

The Internet connection - what is the main issue? Is it having to add routes to Internet destinations? The simplest solution to this is to change your default route on the Pix to point to the Internet router. You will need to make sure that you have routes for all your internal networks on the Pix.

HTH

Jon
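The routing change Jon describes, written out against the interfaces and networks in the posted config. This is an added example, not part of Jon's reply or Mike's config; the Internet router's address is not given in the thread, so it appears as a placeholder, and the 192.20.0.0/16 summary is taken from the config's own `nat (inside) 1 192.20.0.0 255.255.0.0` line.

```cisco
! Added example: move the default route from the inside gateway to the
! Internet router on the outside interface (Ethernet5, xx.16.139.18/29).
! <OUTSIDE-ROUTER-IP> is a placeholder for the router's address in that /29.
no route inside 0.0.0.0 0.0.0.0 192.20.27.1 1
route outside 0.0.0.0 0.0.0.0 <OUTSIDE-ROUTER-IP> 1
!
! Once the default points outside, every internal prefix must have its own
! route via inside, or replies to those hosts leave toward the Internet.
! The summary covers the 192.20.0.0/16 space the config already NATs; the
! more specific routes already in the config (192.20.25.0/24, 192.20.27.0/24,
! 192.20.28.0/24 via 192.20.25.43) remain and take precedence.
route inside 192.20.0.0 255.255.0.0 192.20.27.1 1
!
! The partner link is untouched: 192.168.160.0/24 on the vendor interface is
! directly connected, so the default route never applies to it.
```

After the change, `show route` should list the 0.0.0.0/0 entry on outside and the internal prefixes on inside; the per-destination Internet routes Mike added to the outside interface become unnecessary and can be removed once the default route is confirmed working.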

acsmtrubee Tue, 02/13/2007 - 12:40

Thanks for the quick response.

I think I finally got the internet routing working...

The web config page prompts for https cert (accepted), username and password (seems to take them), error is 404 page not found.

thanks

Mike

Jon Marshall Tue, 02/13/2007 - 23:58

Hi

Do you know what version of PDM/ASDM you are running on your firewall?

Jon

Patrick Iseli Wed, 02/14/2007 - 07:57

1.) Be sure that you accept cookies and popups for your ASDM. Note that you should use ASDM and not PDM, which is for the 6.x version.

2.) sh version shows you which version of ASDM is installed. Be sure you use an accurate version.

http://www.cisco.com/cgi-bin/tablebuild.pl/pix?sort=release

3.) Maybe try using the Cisco ASDM Launcher!

http://www.cisco.com/en/US/customer/products/ps6121/prod_release_note09186a0080747e81.html#wp65586

sincerely

Patrick
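The management-access lines a PIX 7.x needs before ASDM can be served over HTTPS, shown as an added example (not Patrick's text and not Mike's config). On 7.x the HTTPS server hands out the ASDM image selected with `asdm image`; the posted config has `http server enable` and `http` allow lines but no `asdm image` line, and that is the first thing to verify when the browser authenticates and then gets a 404. The image file name is a placeholder and must match a file actually present in flash.

```cisco
! Added example: ASDM prerequisites on PIX 7.0.
! Verify the file first: "dir flash:" lists what is in flash, and
! "show version" reports the ASDM version currently loaded.
asdm image flash:/<asdm-image-present-in-flash>.bin
http server enable
!
! Keep the management plane limited to known admin hosts on inside.
! These two lines are the ones already in the posted config; the
! 192.168.1.0/24 entry there matches no inside prefix in the routing
! table and can be dropped if no admin workstation lives there.
http 192.20.28.0 255.255.255.0 inside
http 192.20.20.19 255.255.255.255 inside
```

The ASDM build must be one that supports 7.0(4), which is what Patrick's point 2 and the release-listing link are about; a version mismatch or a missing image file both leave the HTTPS server with nothing to return.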
