PIX 515E: No ip address assigned - no route to host

Answered Question
Sep 7th, 2010

Hi,

Trying to upgrade PIX 6.3 to 7.04

After reboot, and now cannot do a TFTP to copy the image into the Flash.


I am unable to set the INSIDE interface to have an ip address.

     Did a sh run - it's there in the config.

     Did a sh int ip brief - unassigned to the interface!

* In fact, none of the interfaces are able to hold any static ip address.  DHCP gives a weird ip 80.X.X.X

    interface Ethernet1
     speed 100
     duplex full
     nameif inside
     security-level 100
     ip address 192.168.1.10 255.255.255.0

I have the same problem as this guy (link below) - but no answers so far.

https://supportforums.cisco.com/message/3125731

I've got a freshly formatted Cisco PIX 515E firewall that I am trying to configure with the proper boot image. When it boots, I can escape into the monitor mode, set the IP address, and download the boot image (pix804.bin) from the TFTP server. I can then boot into the firewall. However, that's as far as I can get.

My next step has been to try to configure the IP address of the appropriate interface and download the image from the TFTP server again in regular console mode so that it can be saved to flash. However, when I attempt to configure the exact same interface with the exact same IP as I used in the monitor mode, I get no network connectivity. I cannot reach the TFTP server, and any ping attempts return "No route to host."

Is this a bug on certain PIX 515E?

Anybody care to help?

Thanks!

Nagaraja Thanthry Tue, 09/07/2010 - 19:37

Hello,

When you issue "show interface ethernet1" do you see the interface status as up/up or does it show as down? What is connected to Ethernet1 interface? Can you set the speed/duplex to auto and see if that helps? Also, if you were trying to connect the PC directly to Ethernet1 interface, can you try connecting a Switch/Hub in between and see if that helps?

Regards,

NT

ciscoeknowledge2008 Tue, 09/07/2010 - 21:20

Hi,

Thanks for the reply. Yes... status is up/up.   I can see the lights on the E1.

The connection should be ok since it can transfer file from the initial rommon mode.

I am using a switch in between PC and the PIX.

I have also another PIX515, and the connection is all ok, when connected to the same switch.

Previously tried the speed/duplex to auto.... no changes. So now running out of ideas.

Any other thoughts?

Correct Answer
abinjola Tue, 09/07/2010 - 21:27

Type "no failover" and now put the IP address to the interface, it must show up

--regards

ciscoeknowledge2008 Tue, 09/07/2010 - 22:05

no failover

Did that... no changes...

here's my output

    PIX Version 7.0(4)
    !
    hostname PIX515E
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0
     nameif outside
     security-level 100
     ip address 10.1.1.10 255.255.255.0
    !
    interface Ethernet1
     description LOCAL OFFICE LAN
     speed 100
     duplex full
     nameif inside
     security-level 10
     ip address 192.168.100.222 255.255.255.0
    !
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    asdm image flash:/pdm
    no asdm history enable
    arp timeout 14400
    global (outside) 1 10.1.1.15 netmask 255.255.255.240
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    Cryptochecksum:3c02d91fb8f36fb79716813198ddb6b3
    : end
    PIX515E#

    PIX515E# sh int ip brief
    Interface   IP-Address   OK?  Method  Status                 Protocol
    Ethernet0   unassigned   YES  CONFIG  down                   down
    Ethernet1   unassigned   YES  manual  up                     up
    Ethernet2   unassigned   YES  unset   administratively down  down
    Ethernet3   unassigned   YES  unset   administratively down  down
    Ethernet4   unassigned   YES  unset   administratively down  down
    Ethernet5   unassigned   YES  unset   administratively down  down
    PIX515E#

mirober2 Wed, 09/08/2010 - 06:12

Hello,

It looks like you were able to get an IP address set and the interface up at this point. What is the IP address of the TFTP server you are trying to connect to? Unless it's in the 192.168.100.x/24 subnet, you'll also need to set a route with the 'route' command:

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/mr.html#wp1596190

If the server is in the 192.168.100.x/24 subnet, try pinging it from the ASA and then check the output of 'show arp' to make sure you are getting the correct MAC address for the server.

Hope that helps.

-Mike

ciscoeknowledge2008 Wed, 09/08/2010 - 19:59

Hi,

Yes... it's on the same subnet - 192.168.100.3/24

It's where I am able to TFTP from rommon of the PIX.

But once rebooted into the 7.04 image, I am unable to assign an ip address to the interface (any interface - I have 6 ethernets).

How to get check ARP when I can even ping?

    PIX515E# show interface inside stats
    Interface Ethernet1 "inside", is up, line protocol is up
    Hardware is i82559, BW 100 Mbps
    Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
    Description: LOCAL OFFICE LAN
    MAC address 0013.60c1.fd23, MTU 1500
    IP address unassigned
    3226 packets input, 310398 bytes, 0 no buffer
    Received 3251 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (0/2)
    output queue (curr/max blocks): hardware (0/0) software (0/0)
    Traffic Statistics for "inside":
    3165 packets input, 257820 bytes
    0 packets output, 0 bytes
    2833 packets dropped

    PIX515E# show arp statistics
    Number of ARP entries in PIX: 0
    Dropped blocks in ARP: 0
    Maximum Queued blocks: 0
    Queued blocks: 0
    Interface collision ARPs Received: 0
    ARP-defense Gratuitous ARPS sent: 0
    Total ARP retries: 0
    Unresolved hosts: 0
    Maximum Unresolved hosts: 0

Thanks.....  but still no idea what to do

Maybe I will try to boot to a higher PIX (7.22)

Nagaraja Thanthry Wed, 09/08/2010 - 20:06

Hello,

Can you try the following set of commands?

Step 1: Convert the firewall to transparent mode

firewall transparent

Step 2: Convert the firewall back to routed mode

no firewall transparent

Hope this fixes the issue. If it still does not, please upgrade the code to 7.2(x) in the ROMMON mode and see if that helps.

Regards,

NT

ciscoeknowledge2008 Wed, 09/08/2010 - 20:36

I didn't notice it booted into Standby state.

So I applied FAILOVER.... and the IP address was there.

Thanks for the help!!! Cheers.
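The symptom in this thread, an "ip address" line present in the running-config while "sh int ip brief" reports "unassigned", can be checked mechanically by comparing the two outputs. The following is an added example, not part of the original thread; the sample text is constructed from the outputs posted above and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the outputs posted in this thread.
RUNNING_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 10.1.1.10 255.255.255.0
!
interface Ethernet1
 nameif inside
 ip address 192.168.100.222 255.255.255.0
!
no failover
"""
IP_BRIEF = """\
Interface   IP-Address   OK?  Method  Status  Protocol
Ethernet0   unassigned   YES  CONFIG  down    down
Ethernet1   unassigned   YES  manual  up      up
"""

def configured_addresses(config):
    """Map interface name -> static IP found in 'show run' text."""
    addrs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate pasted configs that lost indentation
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            current = m.group(1)
        elif line == "!":
            current = None  # '!' closes the interface stanza
        elif current and (m := re.match(r"ip address (\d+(?:\.\d+){3}) ", line)):
            addrs[current] = m.group(1)
    return addrs

def operational_addresses(brief):
    """Map interface name -> IP-Address column of 'show interface ip brief'."""
    rows = {}
    for line in brief.splitlines():
        parts = line.split()
        # Skip the header and any wrapped header fragment (single token).
        if len(parts) >= 2 and parts[0] != "Interface":
            rows[parts[0]] = parts[1]
    return rows

def mismatches(config, brief):
    """(interface, configured, reported) where the unit does not hold its IP."""
    oper = operational_addresses(brief)
    return sorted((name, ip, oper.get(name, "missing"))
                  for name, ip in configured_addresses(config).items()
                  if oper.get(name) != ip)
```

A non-empty result on an interface that is up/up is the cue to look at the unit's failover state, which is what resolved this thread.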
