Unable to open Pix 515 Web Interface

Unanswered Question
Sep 25th, 2007

Dear Expert,

I don't know why, but I cannot open our Pix web interface even though I have added my IP for access.

Below is the configuration list:

pixsbcp# sh run

: Saved

:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password xxxx

passwd xxx

hostname pixsbcp

domain-name spsb.com.my

clock timezone MYT 8

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inside_access_in permit icmp any any

access-list inside_access_in permit tcp any any

access-list outside_access_in permit icmp any any

access-list dmz_access_in permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 100.82.250.91 255.255.255.252

ip address inside 10.88.104.10 255.255.255.0

ip address dmz 10.88.188.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address dmz

pdm location 192.168.6.0 255.255.255.0 inside

pdm location 192.168.6.185 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.88.0.0 255.255.0.0 0 0

nat (inside) 1 192.168.0.0 255.255.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

access-group dmz_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 100.82.250.90 1

route inside 10.88.0.0 255.255.0.0 10.88.100.1 1

route inside 192.168.0.0 255.255.0.0 10.88.100.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.88.83.199 255.255.255.255 inside

http 10.88.83.185 255.255.255.255 inside

http 10.88.1.27 255.255.255.255 inside

http 192.168.8.185 255.255.255.255 inside

http 10.88.1.222 255.255.255.255 inside

http 10.88.83.28 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.88.83.199 255.255.255.255 inside

telnet 10.88.83.185 255.255.255.255 inside

telnet 10.88.1.27 255.255.255.255 inside

telnet 192.168.8.185 255.255.255.255 inside

telnet 10.88.1.222 255.255.255.255 inside

telnet 10.88.83.28 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

username Darlien password xxx encrypted privilege 15

terminal width 80

Cryptochecksum:xxx

: end

pixsbcp#

Please advise.

Best Regards,

Darlien Apolonius

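Before looking at the PDM image itself, the first thing to verify against a configuration like the one above is whether the client's address is actually covered by an `http <ip> <mask> <interface>` line on the interface it arrives on. The script below is an added example, not code from the original post: it parses those lines from a constructed excerpt modelled on the question's configuration, checks a client address against them the way the PIX does (address and mask on the named interface, `http server enable` required), and flags a catch-all `http 0.0.0.0 0.0.0.0` entry as broader than it needs to be. The client addresses passed in are assumptions for illustration.

```python
# Added example (not from the original post): check whether a management
# client IP is covered by the PIX "http <ip> <mask> <interface>" lines in a
# saved configuration. Handles the cases that bite in practice: a host entry
# for a different address, a client arriving on the wrong interface, and a
# catch-all 0.0.0.0/0 entry that should be flagged rather than silently accepted.
import ipaddress
import re

# Matches 'http a.b.c.d mask ifname'; 'http server enable' has only two tokens
# after 'http' and so does not match.
HTTP_LINE = re.compile(r"^\s*http\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Constructed excerpt modelled on the configuration in the question.
SAMPLE_CONFIG = """\
http server enable
http 10.88.83.199 255.255.255.255 inside
http 10.88.83.185 255.255.255.255 inside
http 192.168.8.185 255.255.255.255 inside
pdm location 192.168.6.185 255.255.255.255 inside
telnet 10.88.83.199 255.255.255.255 inside
"""


def parse_http_entries(config_text):
    """Return (network, interface) tuples for every 'http a.b.c.d mask ifname' line."""
    entries = []
    for line in config_text.splitlines():
        m = HTTP_LINE.match(line)
        if not m:
            continue
        ip, mask, ifname = m.groups()
        # PIX writes a dotted mask; IPv4Network accepts 'addr/dotted-mask'.
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        entries.append((net, ifname))
    return entries


def http_server_enabled(config_text):
    """True when the configuration contains 'http server enable'."""
    return any(line.strip() == "http server enable" for line in config_text.splitlines())


def check_client(config_text, client_ip, arriving_interface):
    """Explain whether client_ip, arriving on the given interface, may reach PDM."""
    if not http_server_enabled(config_text):
        return "DENY: 'http server enable' is missing"
    addr = ipaddress.IPv4Address(client_ip)
    matches = [(net, ifn) for net, ifn in parse_http_entries(config_text) if addr in net]
    if not matches:
        # A 'pdm location' line is not an access entry; only 'http' lines count.
        return f"DENY: no http entry covers {addr}"
    for net, ifn in matches:
        if ifn == arriving_interface:
            if net.prefixlen == 0:
                return f"ALLOW (any-host entry {net} on {ifn}: broader than it needs to be)"
            return f"ALLOW via http {net.network_address} {net.netmask} {ifn}"
    # Address is listed, but only for other interfaces.
    ifs = ", ".join(sorted({ifn for _, ifn in matches}))
    return f"DENY: {addr} is only permitted on interface(s) {ifs}, not {arriving_interface}"


if __name__ == "__main__":
    for ip, ifn in [("10.88.83.199", "inside"), ("192.168.6.185", "inside"),
                    ("10.88.83.199", "outside")]:
        print(ip, ifn, "->", check_client(SAMPLE_CONFIG, ip, ifn))
```

Run it against the real `show run` output once the password placeholders are stripped; the second sample case shows why a `pdm location` line alone does not grant access, and the third why a client that is listed but arrives on a different interface is still refused.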
JORGE RODRIGUEZ Tue, 09/25/2007 - 14:13

Darlien, what message do you get when attempting to connect to the fw through the browser? Are you using a secure connection, as in https://fw_Inside_IPaddress? If so, are you getting any browser messages? Issue "show version" at the command line of the pix; it should indicate whether you have Device Manager installed and its version. Please post that information.

Jorge

DarlienDA Tue, 09/25/2007 - 18:34

Jorge,

After I type in the password, the browser only displays "The webpage cannot be found".

JORGE RODRIGUEZ Tue, 09/25/2007 - 18:45

Darlien, if you got as far as the password prompt it means the pix has pdm installed, unless it is corrupted. Have you tried accessing it from another system, or has pdm worked before on this pix?

DarlienDA Tue, 09/25/2007 - 18:56

Jorge,

Last month my colleague changed the pix password; after a few days he had forgotten his own admin password. So he downloaded from Cisco the files to reset the pix to factory settings via ftp.

Could this process have corrupted the PDM inside the firewall?

Before this event, the PDM could be accessed by us.

Is there any way we can re-install/reconfigure the PDM?

BR,

Darlien

JORGE RODRIGUEZ Tue, 09/25/2007 - 19:27

Darlien, anything is possible when resetting devices, but resetting to factory defaults would not cause file corruption. What I would do before posting instructions on tftp'ing pdm for your pix code version is to telnet to the pix enable mode, remove all https entries and add as follows.

no http 10.88.83.199 255.255.255.255 inside

no http 10.88.83.185 255.255.255.255 inside

no http 10.88.1.27 255.255.255.255 inside

no http 192.168.8.185 255.255.255.255 inside

no http 10.88.1.222 255.255.255.255 inside

no http 10.88.83.28 255.255.255.255 inside

and replace with

http 0.0.0.0 0.0.0.0 inside

then try loading pdm.

DarlienDA Tue, 09/25/2007 - 20:35

Jorge,

I have done as you asked, but it still returns the same message: "Website not found".

Darlien

JORGE RODRIGUEZ Tue, 09/25/2007 - 21:11

Darlien,

Here are the instructions for installing pdm.

First you need to download it.

You have pix version 6.3; you need pdm version

pdm-304.bin

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

First, back up configs and write down the activation keys just in case.

The activation keys are found at the bottom of the "show version" output, right

below the serial number of the pix: "running activation keys: xxxx xxxxx xxxxx xxxx".

Nothing to do with the pdm download, but it's best to back these up; that's my process.

1. Set up a tftp server and place the pdm image on the server

2. Copy the PDM image to flash from tftp

* Below is the procedure for the PDM upgrade

PIXFIREWALL(config)# copy tftp flash:pdm

Address or name of remote host [127.0.0.1] ip_of_tftp_server

Source file name [cdisk] pdm-304.bin

copying tftp://ip_of_tftp_server/ pdm-304.bin to flash:pdm

After the file is successfully copied you need to reboot the pix.

HTH

Jorge

cctechcco Mon, 10/01/2007 - 07:27

DarlienDA,

Do you have at least a VPN-DES license (or better, a VPN-3DES-AES license) enabled (use 'show version')?

I was having similar problems until I upgraded the product license. Without the VPN license SSL won't work, and many modern browsers won't be happy with just the DES license.

If you haven't upgraded, see https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=119
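Both Jorge's first request ("show version" tells you whether Device Manager is installed and which version) and the license point above come down to reading a few lines of the same command's output. The script below is an added example, not part of this thread or Cisco's tooling: it pulls the Device Manager version and the VPN-DES / VPN-3DES-AES feature states out of PIX 6.x `show version` text and lists the blockers to check before blaming the browser. The sample output is constructed, and the exact spacing of the feature lines varies between releases, so the patterns are deliberately loose.

```python
# Added example (not from the thread): extract the facts that matter for PDM
# troubleshooting from PIX 6.x 'show version' output: whether a Device
# Manager image is present (and its version) and whether the VPN-DES /
# VPN-3DES-AES license features are enabled.
import re

# Constructed 'show version' excerpt; values are placeholders, not real device output.
SAMPLE_SHOW_VERSION = """\
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(4)

pixsbcp up 12 days 3 hours

Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 123456789 (0x75bcd15)
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
"""

PDM_RE = re.compile(r"Device Manager Version\s+(\S+)")
# Feature lines look like 'VPN-DES:   Enabled'; the amount of padding varies.
FEATURE_RE = re.compile(r"^(VPN-DES|VPN-3DES-AES):\s+(Enabled|Disabled)", re.M)


def parse_show_version(text):
    """Return the PDM version (None if no image is reported) and the VPN feature states."""
    m = PDM_RE.search(text)
    features = {name: state == "Enabled" for name, state in FEATURE_RE.findall(text)}
    return {
        "pdm_version": m.group(1) if m else None,
        "vpn_des": features.get("VPN-DES", False),
        "vpn_3des_aes": features.get("VPN-3DES-AES", False),
    }


def pdm_readiness(text):
    """List the blockers a practitioner would resolve before expecting PDM to load."""
    info = parse_show_version(text)
    problems = []
    if info["pdm_version"] is None:
        problems.append("no Device Manager image reported: load a PDM image into flash")
    if not info["vpn_des"] and not info["vpn_3des_aes"]:
        problems.append("no VPN-DES/VPN-3DES-AES license: SSL for PDM will not work")
    elif not info["vpn_3des_aes"]:
        problems.append("only DES available: modern browsers may refuse the TLS handshake")
    return problems


if __name__ == "__main__":
    print(parse_show_version(SAMPLE_SHOW_VERSION))
    for p in pdm_readiness(SAMPLE_SHOW_VERSION):
        print("-", p)
```

Paste the real `show version` output into `SAMPLE_SHOW_VERSION` (or read it from a file) and an empty `pdm_readiness` list means the image and license are not the problem, which points back at the `http` access lines and the browser itself.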
