03-07-2007 06:06 PM - edited 03-11-2019 02:43 AM
I am new to the whole security world... i.e. configuring PIXes... I have a question. I was given a (free) PIX 515 with the two interfaces... I did a wr erase on it to start fresh, but wanted to test the ports for connectivity...
I configured my outside interface with 10.1.1.1/24 and a host 10.1.1.2/24, did a ping and got a reply... good.
Next I erased that config and did the inside the same way, but when my host pings I get no reply, and when the PIX pings the host it gets no reply... got an up/up on the interface, did a permit icmp any any and permit ip any any, and nothing... is the PIX broken?
What can I do to test...
Non-production environment, BTW.
Also, the host is connected DIRECTLY to eth0 and eth1.
03-08-2007 08:23 AM
Did you clear the ARP cache on the host when connecting to the inside interface of the PIX? When trying to ping the inside interface of the PIX, please enable debugs and logging on the PIX as well, to see if ICMP packets are reaching the inside interface:
debug icmp trace
logg con 7
logg on
Now try pinging again and let me know what you see on the console connection of PIX.
Regards,
Vibhor.
03-08-2007 08:45 PM
Firstly,
From the firewall (from config mode), can you ping the inside interface? If not, then certainly you have a bad firewall that you are playing with.
Here I assume that you have assigned the IP address to inside, the security level, int status up/up, and the other basic commands needed.
Secondly, make sure you don't have an icmp deny for inside, which ideally should not be there if you have erased the config and are starting from scratch.
In any case, to verify this use the command "sh icmp".
Can you please use the following command on the firewall to make sure the ARP entries are building up:
sh arp
Also verify on the Windows machine whether it is populating the PIX inside MAC address, using the command
arp -a
Lastly, yes... make sure the packet is at least reaching the firewall using the command debug icmp trace... if none of the ICMP requests are hitting the firewall... then you have to bang your PC... and chop the cable that you are using... :-)
03-09-2007 09:40 AM
k.
Ping from PIX to inside got a reply.
pix# ping 192.168.1.2
13: ICMP echo request (len 32 id 9233 seq 0) 192.168.1.1 > 192.168.1.2
192.168.1.2 NO response received -- 1000ms
14: ICMP echo request (len 32 id 9233 seq 1) 192.168.1.1 > 192.168.1.2
192.168.1.2 NO response received -- 1000ms
15: ICMP echo request (len 32 id 9233 seq 2) 192.168.1.1 > 192.168.1.2
192.168.1.2 NO response received -- 1000ms
pix# 111008: User 'enable_15' executed the 'ping 192.168.1.2' command.
pix# ping 192.168.1.1
192.168.1.1 response received -- 0ms
192.168.1.1 response received -- 0ms
192.168.1.1 response received -- 0ms
pix# 111008: User 'enable_15' executed the 'ping 192.168.1.1' command
Workstation is using 192.168.1.2
PIX is using 192.168.1.1
Config:
pix# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name home
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging console debugging
mtu outside 1500
mtu inside 1500
no ip address outside
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
conduit permit icmp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:e1f71a437b169145a15aa8ed4e87d318
: end
pix# 111009: User 'enable_15' executed cmd: show running-config
03-09-2007 09:41 AM
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0050.54ff.6389
IP address 192.168.1.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
103 packets input, 15307 bytes, 0 no buffer
Received 103 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
64 packets output, 3840 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/1) software (0/1)
<--- More --->111009: User 'enable_15' executed cmd: show interface
03-09-2007 10:04 AM
Alright..
Ping from the machine 192.168.1.2 to the firewall 192.168.1.1 and send me the debug icmp trace... do you see anything from your PC hitting the firewall back?
What about arp -a on the machine..? Do you see this address 0050.54ff.6389?
03-10-2007 04:06 PM
Got this error when booting up:
32MB RAM
imgsum_config: sumval(0x5d38) md5(0x525ac23a 0x029b65fa 0x9b9c1ed3 0x6f7c4cad)
imgsum_verify: chksum(0x 0) md5(0x2d8372df 0xdca29c51 0x439e5ea1 0xd4f02de3)
Panic: kernel - The checksum verification for this image failed.
=========
Cisco Secure PIX Firewall BIOS (4.0) #0: Thu Mar 2 22:59:20 PST 2000
Platform PIX-515
Flash=i28F640J5 @ 0x300
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1974784 bytes of image from flash.
#################################################################################################################
32MB RAM
imgsum_config: sumval(0x5d38) md5(0x525ac23a 0x029b65fa 0x9b9c1ed3 0x6f7c4cad)
imgsum_verify: chksum(0x 0) md5(0xab907943 0x9824133c 0x5433a1b9 0xbc6c7c6a)
Panic: kernel - The checksum verification for this image failed.
About 3 times, then it booted normally.
pix# debug icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
pix# ping 192.168.1.2
1: ICMP echo request (len 32 id 9233 seq 0) 192.168.1.1 > 192.168.1.2
192.168.1.2 NO response received -- 1000ms
2: ICMP echo request (len 32 id 9233 seq 1) 192.168.1.1 > 192.168.1.2
192.168.1.2 NO response received -- 1000ms
3: ICMP echo request (len 32 id 9233 seq 2) 192.168.1.1 > 192.168.1.2
192.168.1.2 NO response received -- 1000ms
pix#
Machine to PIX:
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
C:\Documents and Settings\mgarcia>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Request timed out.
Request timed out.
arp -a
C:\Documents and Settings\mgarcia>arp -a
Interface: 172.16.1.17 --- 0x2
Internet Address Physical Address Type
172.16.1.1 00-0f-66-9d-0f-91 dynamic
Above was the wireless card, not the card connected to the PIX.. ??? Is the OS screwed up on this thing?
And one more time, the counters for this alleged bad interface:
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0050.54ff.6389
IP address 192.168.1.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
5 packets input, 682 bytes, 0 no buffer
Received 5 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
20 packets output, 1200 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/1) software (0/1)
03-12-2007 10:20 AM
Well, a few more things that we can try:
1) Can you ping the local machine (192.168.1.2) from any other machine?
2) Can you please set the default gateway on this machine to 192.168.1.1 and then ping the firewall? Though you don't need a default gateway if the destination IP is in the same subnet, let's set the DG and then try pinging the inside interface of the FW.
3) The firewall should not give those checksum verification failed messages..... can you reinstall a new image and then try...
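Added note, not from anyone in this thread: in both show interface dumps pasted above, "packets input" equals "Received broadcasts", which means the inside port has never seen a unicast frame from the workstation. The Python below is an added example (not from the thread or from Cisco) that parses a PIX 6.3 show interface block into counters, flags that all-broadcast case along with link state and error counters, and diffs two snapshots taken around a ping burst; the embedded sample is the poster's block re-typed as constructed input.

```python
import re

# Constructed sample in the PIX 6.3 "show interface" layout quoted in the thread
# (the counter values are the ones the poster pasted, not a fresh capture).
SAMPLE = """\
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0050.54ff.6389
IP address 192.168.1.1, subnet mask 255.255.255.0
103 packets input, 15307 bytes, 0 no buffer
Received 103 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
64 packets output, 3840 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
"""

# Counters worth pulling out for a "does the host's traffic reach this port" check.
FIELDS = {"packets_input": r"(\d+) packets input", "broadcasts": r"Received (\d+) broadcasts",
          "input_errors": r"(\d+) input errors", "crc": r"(\d+) CRC",
          "packets_output": r"(\d+) packets output", "output_errors": r"(\d+) output errors"}

def parse_show_interface(text):
    # Header line gives the interface, its nameif and the two link states.
    m = re.search(r'interface (\S+) "(\w+)" is (\w+), line protocol is (\w+)', text)
    if not m:
        raise ValueError("not a PIX show interface block")
    c = {"ifname": m.group(1), "nameif": m.group(2),
         "admin_up": m.group(3) == "up", "proto_up": m.group(4) == "up"}
    for key, pat in FIELDS.items():
        hit = re.search(pat, text)
        c[key] = int(hit.group(1)) if hit else 0
    return c

def diagnose(c):
    # Human-readable findings; an empty list means the counters look healthy.
    findings = []
    if not (c["admin_up"] and c["proto_up"]):
        findings.append("link not up/up: check cable, shutdown state and speed/duplex")
    if c["input_errors"] or c["crc"]:
        findings.append("input/CRC errors: suspect the cable or a duplex mismatch")
    if c["packets_input"] == 0:
        findings.append("no frames received: host traffic never reaches this port")
    elif c["packets_input"] == c["broadcasts"]:
        findings.append("every received frame was a broadcast: no unicast frame "
                        "(ARP reply or echo request) from the host arrived")
    return findings

def delta(before, after, keys=("packets_input", "broadcasts", "packets_output")):
    # Counter growth between two snapshots, e.g. taken just before and after a ping burst.
    return {k: after[k] - before[k] for k in keys}
```

Run it on a snapshot taken before and one taken after a burst of pings from the workstation; if the input delta is zero or matches the broadcast delta exactly, the frames are not arriving at the port and the problem is on the cable or host side, not in the PIX's ICMP policy.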
03-12-2007 04:17 PM
You may be getting a reply, but maybe you don't see it. You should add the ACL to allow Echo Replies, etc.
Sample lines:
access-list outside_int_name permit icmp any any echo-reply
access-list outside_int_name permit icmp any any unreachable
access-list outside_int_name permit icmp any any time-exceeded
outside_int_name = the name of your outside interface, whatever you called it.
Good luck.
julio
03-12-2007 07:10 PM
The problem isn't the outside interface... it's the inside that is the issue.
03-12-2007 07:56 PM
Well... it looks like the fun is over... the PIX won't boot any longer after the re-flash:
Checksum verification on compression loader failed
And it just reboots over and over..
During the TFTP flash it got a lot of timeouts before it started sending the image, then it completed and got that error listed above ???
Bad flash?
03-12-2007 08:10 PM
Basically, if you want to ping from the inside network to the inside interface of the PIX, then you need to allow this with the < icmp > command!
icmp permit|deny [host] src_addr [src_mask] [type] int_name
If you want to allow pings through multiple interfaces you need to configure an access-list.
Example: you want to ping from an inside host to an internet IP (www.yahoo.com).
Example:
access-list 101 permit icmp any host 200.1.1.5 echo-reply
access-list 101 permit icmp any host 200.1.1.5 source-quench
access-list 101 permit icmp any host 200.1.1.5 unreachable
access-list 101 permit icmp any host 200.1.1.5 time-exceeded
access-group 101 in interface outside
Reference:
Handling ICMP Pings with the PIX Firewall:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml
:-)
sincerely
Patrick
03-13-2007 09:47 AM
Yes, it's bad flash.
You have two options:
1) Contact Cisco TAC and, if you have a relevant contract, ask them to RMA the device.
2) Try uploading a new image from monitor mode (during the boot process hit the escape key and it will take you to monitor mode).