Problem With Pix 515e. A strange connectivity problem

hanankz07
Level 1

Hello..

I have been facing a problem for 2 weeks with a brand new PIX 515E. I cannot ping from or to the PIX, even from or to an inside host!! I tried every configuration I've managed to find on the Internet with no success. Also, I am not able to telnet to the unit. I enabled debugging for ICMP and for packets, and when I ping the inside interface from an inside host, I get debugging messages for the packets but not for ICMP. All the needed information is in the attached file.

I am connecting to the firewall by console only, and I tried all the ICMP permit commands, access lists, static and dynamic NAT, and everything else with no success. Any idea about fixing the problem? I am really out of ideas.

Thanks

23 Replies

ajupanicker
Level 1

Hi there,

I am also facing a similar problem with the PIX 515E with 7.2(2). I am not able to assign an IP address to the inside interface: it shows the IP address in the running config, but in the show interface output it shows "ip address unassigned".

Linking my query at netpro to this post.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dde402f

It is not the same. I am able to assign the IP addresses, and they show up through the debug command. The interfaces receive the packets, but it stops there!!

gwong
Level 1

Is your host machine connected directly to the PIX interface ethernet1 via a straight-through Cat5 cable? If you are, then it's not possible, and you would need a crossover cable in order to be able to connect directly to the PIX interface.

Your test config looks fine to me. It's probably a layer 1 issue. Also try using access-list capture to debug the situation; it would ease the main focus, which is the traversing packets, not the packet details themselves.

If you like the review, please provide some level of rating.

I used a crossover cable for the direct connection. Then I connected them through straight cables and a switch. Do you have any suggestions to check the root of the problem?

Try configuring dhcpd on your PIX and then try to obtain an IP via your host machine. Make sure you are on a DHCP client, not a hard-coded static IP, on your host machine.

This is the example from Cisco for dhcpd configuration on PIX 6.3:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172794.html#wp1031649

Fernando_Meza
Level 7

Hi, please post the output of show version.

Below is the output of the sh ver command:

Cisco PIX Firewall Version 6.3(5)
Compiled on Thu 04-Aug-05 21:40 by morlee
pix up 1 hour 23 mins
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 1100.1cbb.48d4, irq 10
1: ethernet1: address is 1100.1cbb.49d4, irq 11
2: ethernet2: address is 0090.2774.d98d, irq 5
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 3
Maximum Interfaces: 5
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.

acharyr123
Level 3

Hi,

Almost the same incident happened to me as well, but it was related to a static NAT issue. I upgraded the IOS to 7.1(2) and changed nothing. It started working fine and is still going in good shape. I would suggest you try it once.

Another point: create one access list, "access-list 10 permit ip any any", bind it to the inside interface with "access-group 10 in interface inside", and try to ping the inside interface.

If neither of these two points makes any sense, then there must be a problem with the Ethernet port (a hardware-related issue).

I faced the booting problem several consecutive times with a brand new IPS. It may have become faulty in transit.

mkkeyan
Level 1

Check the routing, the inside NAT and the global NAT.

zubairjalal
Level 1

Hi.

Since you don't have any ACLs on the inside, I would suggest you try putting a conduit for ICMP, just for testing purposes, and see if it works:

conduit permit icmp any any

mark.j.hodge
Level 3

From the PIX, clear down the ARP cache, ping a known good address and see if the cache gets populated.

If it does, then it is a layer 3 issue; if not, layer 1 or 2.

Thanks for all the suggestions, but I tried them all with no success :-(

Is it possible to log into the switch where the inside interface is connected?

Check to see if the switch interface becomes active.

If so, try a ping from the switch to the PIX and see if the PIX MAC address shows up in the switch's MAC address table.

The addresses are there in the debug messages. Also, the firewall is even able to get the IP addresses of the connected hosts which I used to ping it from.
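The replies above each name one piece of a working PIX 6.3 setup (icmp permit, an inbound access-list or conduit, NAT/global, ARP and layer 1 checks) without showing them together. The block below is an added example, not the original poster's attached configuration (which is not on this page) and not anything posted in the thread: a minimal PIX 6.3 inside/outside configuration on which ping to and through the firewall is expected to work, followed by the verification commands in the order the thread suggests checking them. The addresses (192.168.1.0/24 inside, 203.0.113.0/24 outside, host 192.168.1.10), the ACL name inside_in and the capture name capin are assumptions chosen for the example.

```cisco
! Added example (not from the thread). Assumed addressing and names.

! Layer 1: pin speed/duplex to match the switch port (or use 'auto' on
! both ends). A mismatch usually shows as errors/collisions in
! 'show interface' rather than as a down link.
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! Pings addressed TO a PIX interface are governed only by 'icmp' commands,
! never by access-list/conduit. With no 'icmp' command configured at all the
! PIX accepts ICMP on every interface, so the permit below only matters if a
! deny was added earlier; the outside deny is normal hardening.
icmp permit any inside
icmp deny any outside

! Pings THROUGH the PIX need a translation plus an ACL on the ingress side.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
access-list inside_in permit icmp any any
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside

! PIX 6.3(1) and later: stateful ICMP inspection, so echo-replies come back
! without an explicit echo-reply permit on the outside interface.
fixup protocol icmp

! ---- verification, in the order the replies suggest ----
! Layer 1/2: link state and error counters, then whether ARP resolves.
show interface ethernet1
clear arp
ping inside 192.168.1.10
show arp
! ICMP to the interface: does the echo reach the ICMP code and get answered?
debug icmp trace
! Packets at the interface, filtered by the same ACL, before NAT/ACL decisions.
capture capin access-list inside_in interface inside
show capture capin
! Through-traffic: an inside host pinging out must create a translation
! and increment the ACL hit counts.
show xlate
show access-list inside_in
```

Reading the results: if `show arp` stays empty after the ping, the frames are not coming back at layer 2 (cable, duplex, switch port), which is the split mark.j.hodge describes; if ARP populates and `show capture capin` shows the echo-requests but `debug icmp trace` never prints a line, the interface is receiving the packets but the ICMP handler is not processing them, which is the symptom reported in the first post. The `conduit permit icmp any any` suggested above is the pre-ACL mechanism that PIX 6.3 keeps for compatibility; using it and an access-group on the same interface at the same time makes the test harder to reason about, so pick one for the experiment.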
