Can I use a Failover Only Licensed PIX by itself

Dewboy691
Level 1

My employer is small and wants to use a Failover Only PIX by itself. They had it as part of their network, obviously as a Failover to another PIX. I can connect through the console cable and IPs are in place but I can't ping or tftp to the inside port. I see it up/up.

Please help me and tell me that I need to upgrade to at least a restricted license.

Thanks

Dewboy

12 Replies

bamnocadmin
Level 1

Hello,

Here is what the PIX Configuration Guide says:

The PIX Firewall with the FO license is intended to be used solely for failover and not in standalone mode. If a failover unit is used in standalone mode, the unit will reboot at least once every 24 hours until the unit is returned to failover duty.

Thanks.

I know that it will reboot every 24 hours, but what I'm having a problem with is that I can't even ping the inside interface. The laptop and interface are on the same subnet so I should at least get a ping. What am I doing wrong? Should I post my config?

Please post your config. I tried to access a PIX with failover only in my lab and it works.

Thanks.

Here it is. As you can see there are a few lines that aren't necessary but I was trying anything.

PIX Version 6.3(4)
interface ethernet0 auto shutdown
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
hostname BedrockPix
domain-name Bedrock
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit 192.168.0.0 255.255.0.0 inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no ip address outside
ip address inside 192.168.9.135 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.10 255.255.255.255 inside
http 192.168.9.136 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.10 255.255.255.255 inside
telnet 192.168.9.136 255.255.255.255 inside
telnet 192.168.9.104 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username xxxxxxx password xxxxxx encrypted privilege 15
terminal width 80
Cryptochecksum:5e8d4a2dc25d4f48835921976f5d9869
: end

What is the IP address and subnet mask on your laptop?

Enable the debug "debug icmp trace",

then try to ping and see if the PIX sees the ICMP and whether it replies.

Hope this helps.

Thanks,

Gilbert

IP address on my laptop is 192.168.9.136 255.255.255.0

I did the debug command before and again this time and same thing. 0 responses. I get up/up on the interface and I get a connection on the laptop interface (so I know that electricity is flowing). Does it have to be a crossover cable? I put a linksys workgroup switch between them and got the same result.

Here is the ipconfig for my laptop.

IP Address. . . . . . . . . . . . : 192.168.9.136
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.9.135

Thanks again for your suggestions.

Joe

Joe,

Can you issue the command "interface ethernet1 100full"?

And also, plug the PC directly into the inside interface of the PIX firewall.

After that, can you issue the command "sh interface" on the PIX and see if the interface is UP and the protocol is UP?

Thanks

Gilbert

Gilbert or anyone,

I tried this before and it still didn't work. I tried it again just now and now it shows up/down. I hook it up to the switch and it shows up/up. Ay Caramba!!

Any ideas?

Joe

Seems like your PC has some problems.

Get another PC and try it out.

Cheers,

Gilbert

Tried it with a whole new server (brand new) with the same IP address. The interface shows up/up but I still can't ping. I even moved the cable, IP address, and all references to the inside interface to intf5 (a 4-port Ethernet card is in the PIX) and it still didn't work.

Is anyone 100% sure a Failover ONLY license will work by itself? I'm willing to sell the new license to my bosses IF I know it's that and not them just throwing $400 away because the config was wrong.

Joe

The answer is an emphatic no!

You will need to upgrade the license.

Probably not worth it, look at an ASA5505 or 5510.

Mate - you can run this fine (I have one at home ;-) ).

Sounds like your failover is acting like the failover unit - you need to make this the primary. Can you enter "failover" in global config? This will then make the unit the primary and this will work ;-)
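An added example, not code from the thread or from Cisco, that reads a PIX 6.x config in the form posted above and reports the config-side reasons a ping to the inside interface would go unanswered, plus the settings in the posted config a reviewer would want fixed regardless of how the license question is resolved. The sample lines are a constructed excerpt modelled on the posted config, and the parser understands only the handful of commands it needs.

```python
import ipaddress

# Constructed excerpt modelled on the PIX 6.3(4) config posted in this thread.
SAMPLE_CONFIG = """\
icmp permit 192.168.0.0 255.255.0.0 inside
ip address inside 192.168.9.135 255.255.255.0
no failover
snmp-server community public
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.9.136 255.255.255.255 inside"""

def parse_pix_config(text):
    """Pull out the PIX 6.x settings this thread turns on; other lines are ignored."""
    cfg = {"ip": {}, "icmp": [], "telnet": [], "failover": True, "snmp": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:          # "ip address <nameif> <addr> <mask>"
            cfg["ip"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:2] == ["icmp", "permit"]:       # "icmp permit <net> <mask> <nameif>"
            cfg["icmp"].append((ipaddress.ip_network(f"{t[2]}/{t[3]}"), t[4]))
        elif t[0] == "telnet" and len(t) == 4:  # "telnet <net> <mask> <nameif>"
            cfg["telnet"].append((ipaddress.ip_network(f"{t[1]}/{t[2]}"), t[3]))
        elif t == ["no", "failover"]:
            cfg["failover"] = False
        elif t[:2] == ["snmp-server", "community"]:
            cfg["snmp"].append(t[2])
    return cfg

def ping_blockers(cfg, src_ip, ifname="inside"):
    """Config-side reasons a ping from src_ip to the ifname address gets no reply."""
    src, out = ipaddress.ip_address(src_ip), []
    iface = cfg["ip"].get(ifname)
    if iface is None:
        out.append(f"{ifname} has no IP address")
    elif src not in iface.network:
        out.append(f"{src} is not on the {ifname} subnet {iface.network}")
    if not any(src in net and nm == ifname for net, nm in cfg["icmp"]):
        out.append(f"no 'icmp permit' on {ifname} covers {src}")
    return out

def audit(cfg):
    """Settings a reviewer would flag in the posted config, whatever the license."""
    out = [] if cfg["failover"] else ["'no failover' is set: the unit is not acting as a failover peer"]
    out += [f"telnet open to any host on {nm}" for net, nm in cfg["telnet"] if net.prefixlen == 0]
    out += [f"default SNMP community '{c}'" for c in cfg["snmp"] if c in ("public", "private")]
    return out
```

For the laptop in the thread (192.168.9.136 on the 192.168.9.0/24 inside subnet, covered by the icmp permit for 192.168.0.0/16) `ping_blockers` returns nothing, which matches the debug result: the config itself is not what is dropping the pings.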
