11-18-2008 05:25 PM - edited 03-06-2019 02:33 AM
Hi--
I have two small offices and recently switched from DSL to cable internet. The two PIX 501 firewall units worked fine on DSL, but for the life of me I cannot even access the units now from the inside, as I was able to do before when on DSL. I know I need to change the configuration from PPPoE to DHCP, but I can't get access to do it.
Any suggestions?
I believe I have 6.2 software, but I'm not sure. The inside address is 10.8.6.1 now.
thanks--jb
11-18-2008 05:57 PM
First, can you actually ping the PIX inside interface IP 10.8.6.1?
Generally, to access the PIX for management you need to instruct the PIX which hosts or networks are allowed to manage the firewall.
So you need to make sure of a couple of things:
1- Confirm physical connectivity between the PIX inside interface and your PC: are they connected to a switch in the same VLAN? A hub?
2- Confirm the PIX has at least these statements, accessing the device through the local console if you still cannot telnet or HTTP to it.
To allow admin access from any host on 10.8.6.0:
pix(config)#http 10.8.6.0 255.255.255.0 inside
pix(config)#telnet 10.8.6.0 255.255.255.0 inside
Or from any network on the inside:
pix(config)#http 0 0 inside
pix(config)#telnet 0 0 inside
Try confirming the above and post the results.
Rgds
Jorge
11-18-2008 08:09 PM
Jorge--
I wonder if my basic connectivity is a problem. I have the PIX firewall connected directly to the cable modem (tried straight and crossed Ethernet cables) and the PC connected directly to the PIX.
The power light and link light (1) are on. Link (0) is flashing. VPN is off and 100 Mbps (1) is on. I cannot get HTTPS access, and I tried telnet but got no connection. I don't have the console connector. Rebooting the modem and PIX hasn't helped.
I am sure that the inside address is 10.8.6.1.
Any thoughts?
Thanks,
JB
11-19-2008 05:17 AM
OK, but can you at least ping the inside interface from your PC? Is the PC in the same 10.8.6.0 subnet? In any case, you will need to console in to find out what is going on in the PIX config or the PIX start-up process.
11-19-2008 01:04 PM
Jorge--
Some success. I was able to ping 10.8.6.1 successfully and am also now able to HTTPS into the manager.
The PIX is connected directly to the cable modem, and to the PC.
I have configured the outside to obtain an IP address automatically via DHCP. The inside is 10.8.6.1. I enabled Easy VPN.
I still do not get internet on the PC. The lights are on as noted above. The VPN tunnel light (0) is not on.
I ran network diagnostics from the PC (XP SP3) and received the error message that my DNS Server Search Order failed when pinging 151.203.0.84.
Everything else checked out.
Thoughts, Jorge? It must be something silly I'm omitting.
Thanks, JB
11-19-2008 02:31 PM
Can you post the PIX config?
Make sure the PIX is getting a default route, i.e.
pix(config)#ip address outside dhcp setroute
Also post the output of
pix#show route | inc 0.0.0.0
11-22-2008 12:43 PM
Jeffrey, have you been able to resolve the issue?
Can you confirm from the PIX that you can ping by IP any host on the outside internet? For example, you can ping yahoo.com at 69.147.76.15; if you do get a reply you can rule out routing. Without confirming this part you will not be able to connect outbound for any other connections.
11-23-2008 05:40 PM
Jorge--
Thanks for your note. I have been busy with other matters; the medical practice is relentless. I will get to that question soon and let you know. Thanks for your support.
Jeffrey
12-13-2008 12:50 PM
Hi Jorge--
I'm back and have more info.
To review for you:
- PIX 501 directly connected to a DHCP router (IP 192.168.1.1)
- Cat5 connection to my laptop; no connection obtained.
- Yet the lights on the PIX are on and steady, except the VPN tunnel light is off.
- I did get a console cable and can access the PIX.
- When I ping 192.168.1.1 from the console I get a positive reply.
- When I ping Yahoo from the console, I am successful too.
- When I ping the PIX (10.8.6.1) from the laptop, I am unsuccessful; no connection. I also cannot HTTP into the manager from the laptop.
Here is the PIX config (show run):
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password PVSASRJovmamnVkD encrypted
passwd PVSASRJovmamnVkD encrypted
hostname pixMDC
domain-name keene.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 198.169.188.0 GE
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.8.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location GE 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.8.6.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.8.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.8.6.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.8.6.2-10.8.6.33 inside
dhcpd dns 151.203.0.84 151.202.0.84
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:54d397db26abf93abfd2cf32ced06ba1
: end
Here is the PIX show ip output:
pixMDC(config)# show ip
System IP Addresses:
ip address outside 192.168.1.5 255.255.255.0
ip address inside 10.8.6.1 255.255.255.0
Current IP Addresses:
ip address outside 192.168.1.5 255.255.255.0
ip address inside 10.8.6.1 255.255.255.0
That's all I can think of for now. I much appreciate your thoughts.
Jeffrey
12-13-2008 06:29 PM
"When I ping from laptop to pix,(10.8.6.1) I am unsuccessful. no connection. I also cannot http into the manager from laptop"
Jeffrey,
1- Make sure you are using a regular Cat5 cable to connect from the laptop to one of ports 1 to 4 of the 501's built-in switch; it should give you a solid green LINK LED.
2- On the laptop, are you getting an IP assignment from the PIX DHCP server? Run c:\>ipconfig /all to verify, and try c:\>ipconfig /renew.
If you're not getting an IP but do get a green LED on the port, put a temporary static IP on the laptop, such as 10.8.6.10/25 with DG 10.8.6.1. We can troubleshoot DHCP later, but first get IP connectivity to the PIX.
Once you get IP connectivity, configure the PIX for telnet access from the inside management network; it already has HTTP access for the inside net:
pix>enable
pix#config t
pix(config)#telnet 10.8.6.0 255.255.255.0 inside
To access the PIX via browser:
https://10.8.6.1
"yet the lights on the pix are on and steady, except VPN tunnel light is off."
There is no VPN tunnel configuration on the PIX; you need to build one.
Rgds
Jorge
12-13-2008 07:05 PM
Also, can you post the output of show interface?
12-13-2008 08:12 PM
Jorge--
Thanks for your instructions. Here are results:
1. The Cat5 cable is correct.
2. The laptop is not getting an IP assignment from the PIX DHCP server. ipconfig /renew does not help.
3. Green lights are steady on the PIX, but the laptop icon says it can't acquire a connection.
4. I set the TCP/IP properties to a static IP address of 10.8.6.10 255.0.0.0 with DG 10.8.6.1, and the laptop icon now says connected, but the browser does not bring up internet pages. ipconfig /all shows the IP address and DG as those entered.
5. I also reset the TCP/IP stack with the command netsh int ip reset c:\resetlog.txt and rebooted, but no change.
Jorge, it would appear that I have a connectivity problem from the laptop to the PIX, and yet I know the equipment works.
I can, however, now get to the device manager via HTTPS, and have that open now. I have built an Easy VPN, but I'm not sure I did it correctly. But still no laptop-to-PIX connectivity.
Next steps?
Thanks,
Jeffrey
12-14-2008 07:19 AM
Jorge--
Also, here is the result of show interface:
Result of firewall command: "show interface"
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0016.c7f9.f673
IP address 192.168.1.5, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
4544 packets input, 692736 bytes, 0 no buffer
Received 4524 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
28 packets output, 8409 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
9 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/2)
output queue (curr/max blocks): hardware (0/2) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0016.c7f9.f674
IP address 10.8.6.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
15151 packets input, 1041492 bytes, 0 no buffer
Received 1771 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
22410 packets output, 24533787 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/9)
output queue (curr/max blocks): hardware (5/18) software (0/1)
Thanks--Jeffrey
12-14-2008 08:28 AM
"I placed tcpip properties to static ip address 10.8.6.10 255.0.0.0 and DG as 10.8.6.1 ..."
Make sure you use a 24-bit mask, not 8 bits:
10.8.6.10 255.255.255.0
The static IP is a temporary fix; we need to get back and try fixing DHCP.
In the PIX do:
pix#config t
pix(config)#dhcpd enable inside
pix(config)#exit
pix#write mem
Then try DHCP from the laptop. If no good, put the static IP back and we'll get to it later. Ensure you use some type of DNS also.
I see the PIX is getting the following DNS servers: 151.203.0.84 and 151.202.0.84. If the laptop does not get DHCP, use these DNS servers for internet if you have not done so already.
For Easy VPN follow this link; you need to configure the other PIX end as well.
Rgds
Jorge
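The items Jorge asks the poster to confirm across his replies (a http/telnet permit covering the management host on the inside interface, a nat/global pair for the inside subnet, a default route from `ip address outside dhcp setroute`, and `dhcpd enable inside`) can be checked mechanically against a pasted `show run`. The script below is an added example written for this page, not code from the thread or from Cisco; it parses PIX 6.x syntax as it appears in the posted config (the `0 0` shorthand included), using a constructed excerpt of the 12-13-2008 config as sample input. It also raises two hardening caveats a reviewer would note in that config: the default `public` SNMP community and cleartext telnet management, plus an HTTP permit wider than the management subnet.

```python
import ipaddress
import re

# Constructed excerpt of the 12-13-2008 'show run' posted above. Passwords,
# fixups and timeouts are omitted because the checks below do not read them.
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute
ip address inside 10.8.6.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.8.6.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.8.6.0 255.255.255.0 inside
snmp-server community public
telnet 10.8.6.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 10.8.6.2-10.8.6.33 inside
dhcpd dns 151.203.0.84 151.202.0.84
dhcpd auto_config outside
"""

# '<proto> net mask iface' management permits; 'http server enable' and
# 'telnet timeout 5' have too few tokens to match.
_ACCESS = re.compile(r"^(http|telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")
_NAT = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)")
_GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+")


def _net(net, mask):
    """Network from PIX 'addr mask' tokens; PIX accepts '0 0' for any."""
    net = "0.0.0.0" if net == "0" else net
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def config_lines(text):
    """Strip blanks and the ': Saved' / ': end' comment lines."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.startswith(":")]


def mgmt_permitted(lines, proto, host, iface="inside"):
    """True if a '<proto> net mask iface' statement covers host on iface."""
    addr = ipaddress.ip_address(host)
    for l in lines:
        m = _ACCESS.match(l)
        if m and m.group(1) == proto and m.group(4) == iface:
            if addr in _net(m.group(2), m.group(3)):
                return True
    return False


def nat_covers(lines, host, inside="inside", outside="outside"):
    """True if host matches a nat (inside) entry whose id has a global (outside)."""
    addr = ipaddress.ip_address(host)
    global_ids = set()
    for l in lines:
        m = _GLOBAL.match(l)
        if m and m.group(1) == outside:
            global_ids.add(m.group(2))
    for l in lines:
        m = _NAT.match(l)
        if m and m.group(1) == inside and m.group(2) in global_ids:
            if addr in _net(m.group(3), m.group(4)):
                return True
    return False


def has_default_route(lines):
    """'dhcp setroute' installs the DHCP-learned gateway as 0.0.0.0/0;
    a static 'route outside 0 0 <gw>' does the same."""
    return any(
        re.match(r"^ip address \S+ dhcp\b.*\bsetroute\b", l)
        or re.match(r"^route \S+ 0(\.0\.0\.0)? 0(\.0\.0\.0)? \S+", l)
        for l in lines
    )


def dhcpd_enabled(lines, iface="inside"):
    """'dhcpd address ...' alone hands out nothing; the server needs 'dhcpd enable'."""
    return f"dhcpd enable {iface}" in lines


def hardening_warnings(lines, mgmt_net):
    """Caveats a reviewer would raise; none of these block connectivity."""
    warn = []
    mgmt = ipaddress.ip_network(mgmt_net)
    for l in lines:
        if re.match(r"^snmp-server community (public|private)$", l):
            warn.append("default SNMP community string: " + l)
        m = _ACCESS.match(l)
        if not m:
            continue
        proto, net, mask, _iface = m.groups()
        scope = _net(net, mask)
        if proto == "telnet":
            warn.append("cleartext telnet management permitted: " + l)
        if scope.prefixlen < mgmt.prefixlen and mgmt.subnet_of(scope):
            warn.append(f"{proto} permit wider than management subnet {mgmt}: {l}")
    return warn


def audit(text, host, mgmt_net="10.8.6.0/24"):
    """Run every check for a management/inside host; returns a dict of findings."""
    lines = config_lines(text)
    return {
        "http": mgmt_permitted(lines, "http", host),
        "telnet": mgmt_permitted(lines, "telnet", host),
        "nat": nat_covers(lines, host),
        "default_route": has_default_route(lines),
        "dhcpd": dhcpd_enabled(lines),
        "warnings": hardening_warnings(lines, mgmt_net),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG, "10.8.6.10").items():
        print(f"{key}: {value}")
```

Run against the sample, the host 10.8.6.10 passes the http, telnet, nat and default-route checks, and `dhcpd` comes back False because the posted config has `dhcpd address` and `dhcpd dns` but no `dhcpd enable inside`, which matches the laptop's failure to get a lease before Jorge's 12-14 instruction. The three warnings are the ones visible in the posted lines; on a PIX 6.x the usual remedies are a non-default community (or `no snmp-server community public`), `ssh 10.8.6.0 255.255.255.0 inside` in place of the telnet permit, and dropping the `http 10.0.0.0 255.0.0.0 inside` line so only the /24 is permitted.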
12-14-2008 05:25 PM
Jorge--
I made sure the mask was 24-bit as noted.
I enabled dhcpd inside and changed the DNS as noted.
From the laptop I can ping 10.8.6.1.
From the laptop I cannot ping Yahoo.
I cannot get internet in the browser.
From the laptop I can get HTTP access to the PIX manager, so it appears that I have connectivity from the laptop to the PIX, but not through the PIX.
I set up Easy VPN, I think OK, though for my offices our PCs only need to do local work. I probably don't need VPN at all.
Here is the updated show run:
pixMDC(config)# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password PVSASRJovmamnVkD encrypted
passwd PVSASRJovmamnVkD encrypted
hostname pixMDC
domain-name keene.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.8.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.8.6.0 255.255.255.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.8.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.8.6.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.8.6.2-10.8.6.33 inside
dhcpd dns 151.203.0.84 151.202.0.84
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
vpnclient server 10.8.6.0 10.0.0.0
vpnclient mode client-mode
vpnclient vpngroup fnd password ********
vpnclient username fnd password ********
vpnclient enable
terminal width 80
Cryptochecksum:a7e91cb2362ade92b704c61bb06b206d
: end
Thanks, Jorge. I'm still not sure what I must do to get traffic through the PIX.
Jeffrey