Obviously, that is what I am trying to do. I do not know the IP address of either interface which is required in order to do the password recovery. I need a different solution.

You do not need to know the IP address of the PIX, please read the doc again. What you need is PC/Laptop a TFTP server running on it, terminal emulator, and console cable , IP address of your choice to define IP interface for PIX and one IP address for your laptop follow the instructions on the documentation. If you need help in the process let us know.

Rgds

Jorge

Jorge, OK maybe I'm missin something here but I did try this as you suggested. I have done this procedure, many times, in the past but only when I knew the actual address that was assigned to one of the interfaces. It has always worked in that scenario. I had assumed that the address command in monitor mode did not apply the address to the interface but rather tell the procedure what that already applied address was. The reason that I have done this many times in the past is that I teach a PIX class and have had students lock themselves out many times - but always I had on othe interface addresses to use. I tried, as you suggested, using the address command in monitor mode to assign an address to one the interfaces (i have tried both inside and outside). I am still to this point not able to ping much less upload using that procedure. Have you actually done this procedure and had it work without actually knowing one of the interface addresses?

whatever address you choose, make sure the pc/laptop that you attach to it is in the same network.

for example...

assign the pix the address 192.168.1.1 255.255.255.0

assign your pc/laptop the address 192.168.1.2 255.255.255.0

the pix 501 is outdated. you should really be using at least an asa 5505 to teach the firewall class, or even a 5510(x2)

Yes I have both devices on the same subnet. Once again, can anyone confirm that they have made this work? I have yet to have anyone tell me that they have actually made this work using the monitor mode 'address' command to assign an address to an interface on the 501.

Lonnie, have your PIX problem been resolved? just following up , let us know if still problems to assist.

Rgds

Jorge

Jorge,

Oddly enough, The issue still exists. I was able to emulate your procedure nearly exactly.

1- One 8 port DLink Hub

2- One IBM labtop w/terminal Emu and TFTP

3- One PIX501

4- Two CAT5 cables

5- One Console cable

I used the exact same ip addresses you show in your example. I cannot ping or upload the np.bin file.

I am stuck -

Hmm, it is very strange somthing must be wrong with the pix.. when you were in the monitor did it take the commands? and did you try pinging from the PIX to the labtop?

monitor>interface 1

monitor>address 10.4.4.100

monitor>server 10.4.4.200

did you try with interface 0 ?

Im sure the dlink hub is auto/auto.

Im out of ideas, I'll see if I come up with one !!.. but definately strange.. , maybe changing flash chip.. but I guess you do not have one handy for PIX..

Dear Lonnie, not a problem , you deserve the benefit of the doubt :). And yes, I have done this not just in my lab.

bellow example is from one of my test lab pix.. this is a 501 , I am not even using a default gateway.

Tools used:

1- One 4 port Netgear

2- One IBM labtop w/terminal Emu and TFTP

3- One PIX501

4- Two CAT5 cables

5- One Console cable

the actual PIX ethernet1 IP address is totally different from this example.

configure labtop with just IP address and subnet mask, not need for default gateway.

I define PIX ethernet1 with IP 10.4.4.200 and the my labtop with 10.4.4.100 running a TFTP server.. although I did not do the actual password recovery I am able to ping my TFTP server from PIX.

Use BREAK or ESC to interrupt flash boot.

Use SPACE to begin flash boot immediately.

Flash boot interrupted.

0: i8255X @ PCI(bus:0 dev:13 irq:11)

1: i8255X @ PCI(bus:0 dev:14 irq:10)

Using 1: i82559 @ PCI(bus:0 dev:14 irq:10), MAC: 0050.54ff.a536

Use ? for help.

monitor> interface 1

0: i8255X @ PCI(bus:0 dev:13 irq:11)

1: i8255X @ PCI(bus:0 dev:14 irq:10)

Using 1: i82559 @ PCI(bus:0 dev:14 irq:10), MAC: 0050.54ff.a536

monitor> address 10.4.4.200

address 10.4.4.200

monitor> server 10.4.4.100

server 10.4.4.100

monitor> ping 10.4.4.100

Sending 5, 100-byte 0xa8b2 ICMP Echoes to 10.4.4.100, timeout is 4 seconds:

!!!!!

Success rate is 100 percent (5/5)

monitor>

Rgds

Jorge

I have the same problem as Nagel. However, I am able to ping the server but have not been able to upload the npXX.bin file. The file currently resides in the C: drive of the server. Where should the file be?

Thanks

This one I do know. The file needs to reside in the root directory of your tftp server. This also needs to be specified in your tftp server configuration. I normally place the "tftp root" folder in the C drive and then create a shortcut to it on my desktop - so that it is very easy to simply drop my transfer files on top of the shortcut icon to get them into the folder. I normally use the free tftp from solarwinds. Also make sure that you have your tftp server started (doh).