PIX 515E: Can't Get Inside Interface Working During Setup

easyadstom
Level 1

Hi folks!

I've got a freshly formatted Cisco PIX 515E firewall that I am trying to configure with the proper boot image. When it boots, I can escape into the monitor mode, set the IP address, and download the boot image (pix804.bin) from the TFTP server. I can then boot into the firewall. However, that's as far as I can get.

My next step has been to try to configure the IP address of the appropriate interface and download the image from the TFTP server again in regular console mode so that it can be saved to flash. However, when I attempt to configure the exact same interface with the exact same IP as I used in the monitor mode, I get no network connectivity. I cannot reach the TFTP server, and any ping attempts return "No route to host."

Any thoughts on what I might be doing wrong?

- Tom

4 Replies

Jennifer Halim
Cisco Employee

"No route to host" normally means that you don't have a route towards the TFTP server.

What is the IP address of the interface that you configured? Also, please make sure that you configure "nameif" and a security level for the interfaces; otherwise it will not work.

Please post the current config and also what is the TFTP server ip address.

Well, this is interesting.

If I use "nameif" to give the interface a name and security level, and then do a "show interface" command, it says "IP address unassigned." If I try to do an "ip address" command at the prompt to assign an IP address, it accepts it, but still says "IP address unassigned" in the "show interface" output. No IP address I try to enter will "take."

If I undo the nameif command by doing a "no nameif," then all of a sudden the IP address re-appears in the configuration, and I'm back to the "no route to host" error.

The address I'm trying to configure on the inside interface is 192.168.0.3, which works when I use that address from the "monitor>" prompt.

Here is the current "show config" output:

: Saved
: Written by enable_15 at 00:48:30.190 UTC Thu Jun 24 2010
!
PIX Version 8.0(4)
!
hostname ez2
domain-name prestige.local
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.0.3 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name prestige.local
pager lines 24
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context

Interface configuration looks ok.

Can you please reconfigure the interface with ip address, nameif and security level, and see if you can ping the TFTP server? Assuming the TFTP server is in the same subnet as the inside interface.
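As an added example (not part of the thread), the two checks the replies ask for can be scripted against the posted "show config": every active interface must carry nameif, security-level and ip address, and the TFTP server must sit in an active interface's subnet, otherwise "No route to host" is the expected result. The trimmed config text and the TFTP address 192.168.0.10 below are constructed for the example.

```python
import ipaddress

# Constructed sample: the interface stanzas from the posted "show config".
SAMPLE_CONFIG = """\
interface Ethernet0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.0.3 255.255.255.0
!
"""

def parse_interfaces(config):
    """Return {interface name: settings} for each 'interface' stanza."""
    interfaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = interfaces.setdefault(line.split()[1], {"shutdown": False})
        elif line == "!" or cur is None:
            cur = None                      # stanza ended or top-level line
        elif line == "shutdown":
            cur["shutdown"] = True
        elif line.startswith("nameif "):    # "no nameif" is skipped on purpose
            cur["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            cur["security-level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            cur["ip"] = ipaddress.ip_interface(f"{addr}/{mask}")
    return interfaces

def audit(interfaces, tftp_server):
    """List missing interface settings and whether the TFTP server is on-link."""
    findings, tftp, on_link = [], ipaddress.ip_address(tftp_server), False
    for name, cfg in interfaces.items():
        if cfg["shutdown"]:
            continue
        for field in ("nameif", "security-level", "ip"):
            if field not in cfg:
                findings.append(f"{name}: missing {field}")
        if "ip" in cfg and tftp in cfg["ip"].network:
            on_link = True
    if not on_link:
        findings.append(f"no active interface has {tftp_server} on-link; a route is needed")
    return findings

if __name__ == "__main__":
    print(audit(parse_interfaces(SAMPLE_CONFIG), "192.168.0.10") or "no findings")
```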

dbutts
Level 1

For anyone else googling to find an answer for this problem: I was trying to configure a failover-only unit and had the same problem. I had to finish configuring all the failover settings, then force a failover so the interfaces would go active. Once this was finished I was able to do TFTP on the interface that was previously having a problem with the IP address. Do a SH VER and see if you are working with a failover unit. Can't tell from the outside of the case.
