Can't access PIX 501 after switch from dsl to cable

jblomstedt
Level 1

Hi--

I have two small offices and recently switched from DSL to cable internet. The two PIX 501 f/w units worked fine on DSL, but for the life of me I cannot even access the units now from the inside as I was able to do before when on the DSL signal. I know I need to change the configuration from PPPoE to DHCP, but I can't get access to do it.

Any suggestions?

I believe I have 6.2 software, but I'm not sure. The inside address is 10.8.6.1 now.

thanks--jb

30 Replies

JORGE RODRIGUEZ
Level 10

First, can you actually ping the PIX inside interface IP 10.8.6.1?

Generally, to access the PIX for management you need to instruct the PIX which hosts or networks are allowed to manage the firewall.

So you need to make sure of a couple of things:

1- Confirm physical connectivity between the PIX inside interface and your PC. Are they connected to a switch on the same VLAN? A hub?

2- Confirm the PIX has at least these statements, by accessing the device through the local console if you still cannot telnet or HTTP to the device.

To allow admin access from any host on 10.8.6.0:

pix(config)#http 10.8.6.0 255.255.255.0 inside
pix(config)#telnet 10.8.6.0 255.255.255.0 inside

Or from any network on the inside:

pix(config)#http 0 0 inside
pix(config)#telnet 0 0 inside

Try confirming the above and post the results.

Rgds

Jorge

Jorge Rodriguez

Jorge--

I wonder if my basic connectivity is a problem. I have the PIX f/w connected directly to the cable modem (tried straight and crossed Ethernet cables) and the PC connected directly to the PIX f/w.

Power light and link light (1) are on. Link (0) is flashing. VPN is off and 100Mbps (1) is on. I cannot HTTPS access, and I tried telnet but no connect. I don't have the console connector. Rebooting the modem and PIX hasn't helped.

I am sure that the inside is 10.8.6.1

Any thoughts?

Thanks,

JB

OK, but can you at least ping the inside interface from your PC? Is the PC on the same 10.8.6.0 subnet? In any case you will need to console in to find out what is going on in the PIX config or the PIX start-up process.

Jorge Rodriguez

Jorge--

Some success. I was able to ping 10.8.6.1 successfully and am also now able to HTTPS into the manager.

The PIX f/w is connected directly to the cable modem, and to the PC.

I have configured the outside to DHCP (obtain IP automatically). The inside is 10.8.6.1. I enabled Easy VPN.

I still do not get internet on the PC. Lights are on as noted above. The VPN tunnel (0) light is not on.

I ran network diagnostics from the PC XP(3) and received the error message that my DNS Server Search Order failed when pinging 151.203.0.84.

Everything else checked out.

Thoughts, Jorge? It must be something silly I'm omitting.

Thanks, JB

Can you post the PIX config?

Make sure the PIX is getting a default route, i.e.:

pix(config)#ip address outside dhcp setroute

Also post the output of:

pix#show route | inc 0.0.0.0

Jorge Rodriguez

Jeffrey, have you been able to resolve the issue?

Can you confirm from the PIX that you can ping by IP to any host on the outside internet? For example, you can ping yahoo.com @ 69.147.76.15. If you do get a reply you can then rule out routing; without confirming this part you will not be able to connect outbound for any other connections.

Jorge Rodriguez

Jorge--

Thanks for your note. I have been busy with other matters--the medical practice is relentless. I will get to that question soon and let you know. Thanks for your support.

Jeffrey

Hi Jorge--

I'm back and have more info.

To review for you:

- PIX 501 directly connected to a DHCP router (IP 192.168.1.1)

Cat5 connection to my laptop; no connection obtained.

Yet the lights on the PIX are on and steady, except the VPN tunnel light is off.

I did get a console cable and can access the PIX.

When I ping from the console to 192.168.1.1 I get a positive reply.

When I ping Yahoo from the console, I am successful too.

When I ping from the laptop to the PIX (10.8.6.1), I am unsuccessful: no connection. I also cannot HTTP into the manager from the laptop.

Here is the PIX config (show run):

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password PVSASRJovmamnVkD encrypted
passwd PVSASRJovmamnVkD encrypted
hostname pixMDC
domain-name keene.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 198.169.188.0 GE
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.8.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location GE 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.8.6.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.8.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.8.6.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.8.6.2-10.8.6.33 inside
dhcpd dns 151.203.0.84 151.202.0.84
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:54d397db26abf93abfd2cf32ced06ba1
: end

Here is the PIX show ip:

pixMDC(config)# show ip
System IP Addresses:
ip address outside 192.168.1.5 255.255.255.0
ip address inside 10.8.6.1 255.255.255.0
Current IP Addresses:
ip address outside 192.168.1.5 255.255.255.0
ip address inside 10.8.6.1 255.255.255.0

That's all I can think of for now. I much appreciate your thoughts.

Jeffrey

"When I ping from laptop to pix,(10.8.6.1) I am unsuccessful. no connection. I also cannot http into the manager from laptop"

Jeffrey,

1- Make sure you are using a regular Cat5 cable to connect from the laptop to one of the ports in the 501's built-in switch (1 to 4); it should give you a solid green LINK LED.

2- On the laptop, are you getting an IP assignment from the PIX DHCP? Issue C:\>ipconfig /all to verify, and try C:\>ipconfig /renew.

If you're not getting an IP but get a green LED on the port, put a temporary static IP on the laptop like 10.8.6.10/25 with DG 10.8.6.1; we can troubleshoot DHCP later, but first get IP connectivity to the PIX.

Once you get IP connectivity, configure the PIX for telnet access from the inside for management; it already has HTTP access for the inside net:

pix>enable
pix#config t
pix(config)#telnet 10.8.6.0 255.255.255.0 inside

To access the PIX via browser:

https://10.8.6.1

"yet the lights on the pix are on and steady, except VPN tunnel light is off."

There is no VPN tunnel configuration on the PIX; you need to build one.

Rgds

Jorge

Jorge Rodriguez

Also, can you post the output of show interface?

Jorge Rodriguez

Jorge--

Thanks for your instructions. Here are results:

1. CAT5 cable is correct.

2. Laptop is not getting an IP assignment from the PIX DHCP. ipconfig /renew does not help.

3. Green lights steady on the PIX, but the laptop icon says it can't acquire a connection.

4. I set the TCP/IP properties to static IP address 10.8.6.10 255.0.0.0 and DG 10.8.6.1, and the laptop icon now says connected, but the browser does not bring up internet pages. cmd ipconfig /all shows the IP address and DG as those entered.

5. I also reset the TCP/IP stack with the command netsh int ip reset c:\resetlog.txt and rebooted, but no change.

Jorge, it would appear that I have a connectivity problem from laptop to PIX, and yet I know the equipment works.

I can, however, now get to the device manager via HTTPS, and have that open now. I have built an Easy VPN, but I'm not sure I did it correctly. But still no laptop-to-PIX connectivity.

Next steps?

Thanks,

Jeffrey

Jorge--

Also, here is the result of show interface:

Result of firewall command: "show interface"

interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0016.c7f9.f673
IP address 192.168.1.5, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
4544 packets input, 692736 bytes, 0 no buffer
Received 4524 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
28 packets output, 8409 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
9 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/2)
output queue (curr/max blocks): hardware (0/2) software (0/1)

interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0016.c7f9.f674
IP address 10.8.6.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
15151 packets input, 1041492 bytes, 0 no buffer
Received 1771 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
22410 packets output, 24533787 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/9)
output queue (curr/max blocks): hardware (5/18) software (0/1)

Thanks--Jeffrey
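What Jorge is asking for with show interface is the per-interface state and counters, and the numbers posted above are readable by eye: on the outside interface 4524 of 4544 input packets were broadcasts, only 28 packets went out, and the lost-carrier counter is 9, while the inside interface shows ordinary two-way unicast traffic. The block below is an added example, not Cisco code and not from either poster: a parser for PIX 6.x show interface output that pulls those fields and flags the symptoms a troubleshooter looks at first. The sample text is a constructed copy of the output posted above (queue lines omitted); the finding codes and thresholds are my own choices.

```python
import re

# Constructed copy of the `show interface` output posted in this thread;
# only the header, address and counter lines the parser reads are kept.
SAMPLE_SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0016.c7f9.f673
  IP address 192.168.1.5, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        4544 packets input, 692736 bytes, 0 no buffer
        Received 4524 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        28 packets output, 8409 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        9 lost carrier, 0 no carrier
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0016.c7f9.f674
  IP address 10.8.6.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        15151 packets input, 1041492 bytes, 0 no buffer
        Received 1771 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        22410 packets output, 24533787 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
"""

# "is administratively down" is two words, so the admin state is [^,]+ not \S+.
HEADER = re.compile(r'^interface (\S+) "([^"]+)" is ([^,]+), line protocol is (\S+)')
ADDRESS = re.compile(r"^IP address (\S+), subnet mask (\S+)")
COUNTERS = {
    "packets_input": re.compile(r"(\d+) packets input"),
    "broadcasts": re.compile(r"Received (\d+) broadcasts"),
    "input_errors": re.compile(r"(\d+) input errors"),
    "packets_output": re.compile(r"(\d+) packets output"),
    "output_errors": re.compile(r"(\d+) output errors"),
    "lost_carrier": re.compile(r"(\d+) lost carrier"),
}


def parse_show_interface(text):
    """Return {nameif: {hw, admin, line_protocol, ip, mask, <counters>}}."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"hw": m.group(1), "admin": m.group(3), "line_protocol": m.group(4)}
            ifaces[m.group(2)] = current
            continue
        if current is None:  # text before the first interface header
            continue
        m = ADDRESS.match(line)
        if m:
            current["ip"], current["mask"] = m.groups()
        for key, pat in COUNTERS.items():
            m = pat.search(line)
            if m:
                current[key] = int(m.group(1))
    return ifaces


def assess(ifaces, broadcast_share=0.9, min_packets=100):
    """Flag per-interface symptoms worth a second look; returns [(nameif, code)]."""
    notes = []
    for name, d in ifaces.items():
        if d["admin"] != "up" or d["line_protocol"] != "up":
            notes.append((name, "link-down"))
        if d.get("lost_carrier", 0):
            notes.append((name, "lost-carrier"))  # link dropped and came back
        if d.get("input_errors", 0) or d.get("output_errors", 0):
            notes.append((name, "errors"))
        pin = d.get("packets_input", 0)
        # Nearly all input is broadcast: the box is seeing ARP/DHCP chatter
        # but almost no unicast conversation on that segment.
        if pin >= min_packets and d.get("broadcasts", 0) / pin > broadcast_share:
            notes.append((name, "broadcast-dominated-input"))
    return notes


if __name__ == "__main__":
    parsed = parse_show_interface(SAMPLE_SHOW_INTERFACE)
    for name, d in parsed.items():
        print(f"{name}: in={d['packets_input']} bcast={d['broadcasts']} "
              f"out={d['packets_output']} lost_carrier={d['lost_carrier']}")
    for name, code in assess(parsed):
        print(f"  {name}: {code}")
```

Run stand-alone it prints one summary line per interface followed by the flags; assess() takes the parsed dictionary, so the same check can be run over show interface text saved from another box.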

"I placed tcpip properties to static ip address 10.8.6.10 255.0.0.0 and DG as 10.8.6.1 ..."

Make sure you use a 24-bit mask, not 8 bits:

10.8.6.10 255.255.255.0

Static IP is a temp fix; we need to get back and try fixing it.

In the PIX do:

pix#config t
pix(config)#dhcpd enable inside
pix(config)#exit
pix#write mem

Then try DHCP from the laptop; if no good, place the static IP back and we'll get to it later. Ensure you use some type of DNS also.

I see the PIX is getting the following DNS servers: 151.203.0.84 and 151.202.0.84. If the laptop does not get DHCP, use these DNS servers for internet if you have not done so already.

For Easy VPN follow this link; you need to configure the other PIX end as well.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

Rgds

Jorge

Jorge Rodriguez

Jorge--

I made sure the mask was 24-bit as noted.

I enabled dhcpd inside and changed the DNS as noted.

From the laptop I can ping 10.8.6.1.

From the laptop I cannot ping Yahoo.

I cannot get internet in the browser.

From the laptop I can get HTTP access to the PIX manager, so it appears that I have connectivity from the laptop to the PIX, but not through the PIX.

I set up Easy VPN, I think OK, though for my offices our PCs only need to do local work; I probably don't need VPN at all.

Here is the updated show run:

pixMDC(config)# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password PVSASRJovmamnVkD encrypted
passwd PVSASRJovmamnVkD encrypted
hostname pixMDC
domain-name keene.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.8.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.8.6.0 255.255.255.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.8.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.8.6.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.8.6.2-10.8.6.33 inside
dhcpd dns 151.203.0.84 151.202.0.84
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
vpnclient server 10.8.6.0 10.0.0.0
vpnclient mode client-mode
vpnclient vpngroup fnd password ********
vpnclient username fnd password ********
vpnclient enable
terminal width 80
Cryptochecksum:a7e91cb2362ade92b704c61bb06b206d
: end

Thanks, Jorge. I'm still not sure what I must do to get traffic through the PIX.

Jeffrey
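The thread turns on who is allowed to manage the PIX (the http and telnet statements Jorge lists at the start, including the wide-open http 0 0 inside / telnet 0 0 inside form), and the two configs posted above also carry snmp-server community public, an http 10.0.0.0 255.0.0.0 inside line that is far wider than the inside /24, and an Easy VPN vpnclient server address (10.8.6.0) that falls inside the PIX's own inside subnet. The block below is an added example, not Cisco code and not from either poster: a small audit of a PIX 6.x running-config for those management-plane points, checked against the statically addressed interface subnets. The config text is constructed from the excerpts posted in this thread (passwords and unrelated lines dropped) with telnet 0 0 inside added to exercise the any-source case; the finding codes are my own names, and a DHCP-addressed outside interface is simply skipped because it has no address to compare against.

```python
import ipaddress
import re

# Constructed from the config excerpts posted in this thread, trimmed to the
# statements the audit reads, plus the `telnet 0 0 inside` form suggested earlier.
SAMPLE_CONFIG = """\
ip address outside dhcp setroute
ip address inside 10.8.6.1 255.255.255.0
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.8.6.0 255.255.255.0 inside
snmp-server community public
telnet 10.8.6.0 255.255.255.0 inside
telnet 0 0 inside
ssh timeout 5
dhcpd address 10.8.6.2-10.8.6.33 inside
vpnclient server 10.8.6.0 10.0.0.0
vpnclient enable
"""

DEFAULT_COMMUNITIES = {"public", "private"}

MGMT = re.compile(r"(http|telnet|ssh) (\S+) (\S+) (\S+)$")  # <addr> <mask> <nameif>
IFADDR = re.compile(r"ip address (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
SNMP = re.compile(r"snmp-server community (\S+)$")
DHCP_POOL = re.compile(r"dhcpd address (\S+)-(\S+) (\S+)$")
VPN_SERVER = re.compile(r"vpnclient server (.+)$")


def _addr(tok):
    """PIX accepts a bare `0` for 0.0.0.0 in address and mask positions."""
    return "0.0.0.0" if tok == "0" else tok


def parse_interfaces(lines):
    """Map nameif -> IPv4Interface for statically addressed interfaces only;
    `ip address outside dhcp setroute` carries no address and is not recorded."""
    ifaces = {}
    for line in lines:
        m = IFADDR.match(line.strip())
        if m:
            ifaces[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
    return ifaces


def audit(config_text):
    """Return [(finding_code, detail), ...] in config order."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    ifaces = parse_interfaces(lines)
    inside = ifaces.get("inside")
    findings = []
    for line in lines:
        m = MGMT.match(line)
        if m:
            proto, a, mask, ifname = m.groups()
            permitted = ipaddress.ip_network(f"{_addr(a)}/{_addr(mask)}", strict=False)
            local = ifaces.get(ifname)
            # One finding per line, most serious first.
            if permitted.prefixlen == 0:
                findings.append(("mgmt-any-source", line))
            elif local and local.network != permitted and local.network.subnet_of(permitted):
                findings.append(("mgmt-broader-than-subnet", line))
            elif proto == "telnet":
                findings.append(("telnet-cleartext", line))
            continue
        m = SNMP.match(line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("snmp-default-community", line))
            continue
        m = DHCP_POOL.match(line)
        if m:
            lo, hi, ifname = m.groups()
            local = ifaces.get(ifname)
            if local and not all(ipaddress.ip_address(x) in local.network for x in (lo, hi)):
                findings.append(("dhcp-pool-outside-subnet", line))
            continue
        m = VPN_SERVER.match(line)
        if m and inside:
            for tok in m.group(1).split():
                try:
                    if ipaddress.ip_address(tok) in inside.network:
                        findings.append(("vpnclient-server-in-inside-subnet",
                                         f"{tok} lies in inside {inside.network}"))
                except ValueError:
                    pass  # not an IPv4 literal; nothing to compare
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:36} {detail}")
```

On the constructed sample the audit reports five findings: the http 10.0.0.0/8 line as broader than the inside /24, the default SNMP community, the first telnet line as cleartext management, telnet 0 0 inside as open to any source, and the vpnclient server address inside the PIX's own inside subnet; the dhcpd pool 10.8.6.2-10.8.6.33 passes because both ends sit in 10.8.6.0/24.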
