PIX 515E failover setup

sarat1317 (Level 1)

Hello

I am trying to configure active/standby stateful failover setup. Here are my sh ver outputs on the pix units

Active PIX (PIX1)

sh ver

Cisco PIX Security Appliance Software Version 8.0(4)
Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"

pixfirewall up 5 mins 44 secs

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0 : address is 000d.ede9.97a7, irq 10
1: Ext: Ethernet1 : address is 000d.ede9.97a8, irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: 807421244
Running Activation Key: yyyyyyyyyyyyyyyyyyyyyyy
Configuration has not been modified since last system restart.

----------------------------------------------------------------------------

Failover PIX (PIX2)

sh ver

Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 19-Mar-03 11:49 by morlee

pixfirewall up 33 secs

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5
0: ethernet0: address is 000c.30f8.be67, irq 10
1: ethernet1: address is 000c.30f8.be68, irq 11
2: ethernet2: address is 0002.b3b3.d806, irq 5

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has a Failover Only (FO) license.

Serial Number: 807101050 (0x301b627a)
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxx
Configuration last modified by enable_15 at 18:54:58.390 UTC Mon Nov 9 2009

I see that I need to take care of the below before the upgrade

Upgrade PIX2 to 8.0(4) version to match PIX1 (6.3 -> 7.2 -> 8.0(4))

Upgrade ASDM to 6.1 (5) on PIX and PIX2

Upgrade to 128 MB RAM on both PIX1 and PIX2 (I believe I have to remove the 64MB and add a 128MB stick). Please confirm

Add an additional interface on PIX1 for LAN based failover PIX-515-MEM-128= and also use the same interface for stateful failover - Can I use it this way with v8.0? I read that I cannot use the same interface in v7.0

Get 3DES key from Cisco website on PIX1

Please advise if I am missing any.

I tried to upgrade the PIX2 from 6.3 to 7.2 using the copy tftp command. I configured a static IP on the eth0 int and on my laptop but I am not able to ping these. Is there any other way on a failover firewall to upgrade the firmware?


andrew.prince (Level 10)

to answer your questions:-

Upgrade to 128 MB RAM on both PIX1 and PIX2 (I believe I have to remove 64MB and add to 128MB stick). Please confirm - YES

Add additional interface on PIX1 for LAN based failover PIX-515-MEM-128= and also use the same interface for stateful failover - Can I use this way with v8.0. I read that I cannot use the same interface in v7.0 - see http://www.cisco.com/en/US/docs/security/pix/pix61/configuration/guide/failover.html

I tried to upgrade the PIX2 from 6.3 to 7.2 using the copy tftp command. I configured a static IP on the eth0 int and on my laptop but I am not able to ping these. Is there any other way on a failover firewall to upgrade the firmware? - You used e0; did you still name this as "outside"? If so, by default ALL traffic is blocked. Try using the e1 interface and name it as the "inside".

HTH

Hi

If you are upgrading from:

32 MB to 64 MB of memory, install an additional 32 MB memory module into the empty socket for a new total of 64 MB of memory.

32 MB to 128 MB of memory, remove the existing 32 MB memory module. Open the two plastic wing connectors on the sides of the memory socket, and pull the old memory module up and out of the socket. Discard the old 32 MB memory module. Then install the two new 64 MB memory modules for a new total of 128 MB of memory.

64 MB to 128 MB of memory:

If two 32 MB memory modules are installed, remove them. Open the two plastic wing connectors on the sides of the memory socket, and pull the old memory module up and out of the socket. Repeat for the second memory module. Discard the old 32 MB memory modules. Then install the two new 64 MB memory modules for a new total of 128 MB of memory.

If one 64 MB memory module is installed, add an additional 64 MB memory module into the empty socket for a new total of 128 MB of memory.

Hardware Installation guide.

http://www.cisco.com/en/US/docs/security/pix/pix72/hw/installation/guide/515.html

PIX failover

http://www.cisco.com/en/US/docs/security/pix/pix61/configuration/guide/failover.html

Hope this answers your query.

Regards

M

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

Hello

I opened the top panel of the pix unit and I saw 2 slots for the memory. So I just have to use 2 64MB sticks in it. It looks like the PIX 515 does not accept a 128MB stick. Thanks for your reply

Sarat

Hello Andrew

Thanks for the reply. I tried with eth1 as well with no luck. Below is the config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
        
names
access-list CAPTURE permit icmp any any
pager lines 24
logging on
logging console informational
logging buffered informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 11.12.13.14 255.0.0.0
ip address inside 192.168.1.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm history enable
arp timeout 14400

pixfirewall#  sh capture
capture capin access-list CAPTURE interface outside

pixfirewall# sh capture capin
12 packets captured
21:44:16.915846 192.168.1.1 > 192.168.1.100: icmp: echo request
21:44:17.914137 192.168.1.1 > 192.168.1.100: icmp: echo request
21:4:18.914152 192.168.1.1 > 192.168.1.100: icmp: echo request
21:44:47.219486 192.168.1.1 > 192.168.1.100: icmp: echo request
21:44:48.214634 192.168.1.1 > 192.168.1.100: icmp: echo request

pixfirewall# sh debug
debug access-list all
debug icmp trace
debug packet inside both

--------- PACKET ---------

-- IP --
192.168.1.100   ==>     192.168.1.255

        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0x4e
        id = 0xd79d     flags = 0x0     frag off=0x0
        ttl = 0x80      proto=0x11      chksum = 0xde43

        -- UDP --
                source port = 0x89      dest port = 0x89
                len = 0x3a      checksum = 0xa0fb
        -- DATA --
                00000010:                                     87 41 01 10  |
          .A..
                00000020: 00 01 00 00 00 00 00 00 20 45 4e 45 48 45 45 45  |  ..
...... ENEHEEE
                00000030: 44 44 42 43 41 43 41 43 41 43 41 43 41 43 41 43 -----

Thank you for your time in looking at this.

How are you cabling it? Are you going thru a switch or direct from a PC to the firewall?

If you are connecting thru a switch = straight cable

PC to firewall = xover

Andrew

I connected the PC to the firewall and I tried with both straight and cross over cables. Also there is no firewall enabled on the laptop. I may quickly try connecting through the switch

Thanks

Sarat

I tried connecting through the switch as well and no luck. Maybe the device is faulty.

sarat1317 (Level 1)

I was finally able to resolve this. If I remember right I read somewhere that I should only use tftp flash to upgrade a 515E on version 6.3. As I could not ping my laptop from the pix, I took a chance and rebooted it in monitor mode. As soon as I assigned the addresses I was able to ping the laptop. Then I upgraded to the 7.2(4) version and reloaded the pix. Now I do see the below, but when I ping the interface I get a message "no route to host". Made sure the interface is not shut, did a shut and unshut, renamed the interface again, assigned security level 100, removed and assigned the IP, assigned a static route to inside and nothing worked. Still unable to ping the interface itself.

interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

I finally cleared all the config, reloaded and reconfigured the interface which then worked. Then I upgraded to 8.0(4) using copy tftp flash and it worked. So finally I have everything I needed now :-)

pixfirewall# sh ver

Cisco PIX Security Appliance Software Version 8.0(4)

Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "flash:/pix804.bin"
Config file at boot was "startup-config"

pixfirewall up 5 mins 9 secs

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
0: Ext: Ethernet0           : address is 000c.30f8.be67, irq 10
1: Ext: Ethernet1           : address is 000c.30f8.be68, irq 11
2: Ext: Ethernet2           : address is 0002.b3b3.d806, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : 6
Maximum VLANs                : 25

Inside Hosts                 : Unlimited
Failover                     : Active/Standby
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Cut-through Proxy            : Enabled
Guards                       : Enabled
URL Filtering                : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : Unlimited

This platform has a Failover Only-Active/Standby (FO) license.

Serial Number: 807101050
Running Activation Key: 0x65b3dd06 0x376de8f7 0x4b29689b 0x18dea9d0
Configuration has not been modified since last system restart.

Thanks for all the inputs and appreciate your time

Sarat

FYI

This is the link that mentioned the PIX 515E needs to use the copy tftp flash command. However monitor mode also worked.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml#t3

This shows that unrestricted/failover supports the 128MB stick PIX-515-MEM-128=

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/prod_bulletin0900aecd8023c8d4.html

PIX-515-MEM-128= is just a part number which actually consists of 2x64MB sticks.

Great news - good job.

To be honest I was not thinking that was a way to go, as ever there is more than 1 way to skin a cat!! (metaphorically speaking of course)

The real solution to this problem is that you should give the interface two IP addresses. One for the active unit and one for the standby unit. Because you have a Failover Only license, the pix (even when it is placed in a standalone environment) will only listen with the standby IP address.

That is why you are not able to ping anything or communicate with other IP addresses if you have filled in only one IP.

You can check this with the command: show interface and then you can check if your interface communicates with an IP address.

Regards,

  Wouter
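As an added example (not from this thread or from Cisco's documentation), here is a minimal 8.0(4) LAN-based active/standby stateful failover configuration for the pair discussed above, with each data interface given an active and a standby address as Wouter describes. The use of Ethernet2 as the shared failover and state link, the 10.0.0.0/30 link addresses and the failover key are assumed.

```text
! ---- PIX1 (primary, Unrestricted license) ----
! Ethernet2 is assumed to be the added third interface; 7.x/8.x allow one
! interface to carry both the LAN failover link and the stateful link.
interface Ethernet2
 description LAN failover + state link (dedicated segment, no other hosts)
 no shutdown
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 11.12.13.14 255.0.0.0 standby 11.12.13.15
!
failover lan unit primary
failover lan interface folink Ethernet2
failover link folink Ethernet2
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
! Without a key the failover link carries config replication (including
! enable/passwd hashes) in the clear; the value below is a placeholder.
failover key FOKEY-PLACEHOLDER
failover
!
! ---- PIX2 (secondary, Failover Only license) ----
! Only the failover bootstrap is entered here; the rest of the running
! config is replicated from the primary once the pair synchronises.
! The FO-licensed unit must be the secondary and needs the "standby"
! addresses above to exist, otherwise its interfaces answer to nothing.
interface Ethernet2
 no shutdown
!
failover lan unit secondary
failover lan interface folink Ethernet2
failover link folink Ethernet2
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover key FOKEY-PLACEHOLDER
failover
!
! Verification on either unit once both are cabled and rebooted:
!   show failover        (expect "This host: Primary - Active" and
!                         "Other host: Secondary - Standby Ready")
!   show failover state
```

Use `show failover` after any change to confirm both units agree on their roles and that the state link is up; a "Failed" or "Not Synced" peer usually means a mismatched key, image version, or memory size between the units.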
