New Member

Config Help

I just added a PIX515E to my lab (since this is a lab, if I need to change IP addresses, that is not a problem). I thought I configured it right, but I am not able to ping any of my other routers/PCs.

I have EIGRP on the other three routers, but not sure if I configured it right on the PIX.

The diagram below shows my current network topology (right now the PIX is connected via Ethernet 1 to the switch, not the router itself).

Please help:

Home Network.jpg

PIX Version 8.0(4)32
!
hostname PIX515E
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
router eigrp 1
network 192.168.4.0 255.255.255.0
!
route inside 0.0.0.0 255.255.255.0 192.168.2.1 1
route inside 192.168.2.0 255.255.255.0 192.168.4.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:05e5f0b9295e728c54e57736f278d283
: end
PIX515E#

13 REPLIES

Config Help

Hello Jonathan,

So the diagram is not that clear, as you said the connection from the PIX goes to the switch and not the router!

Now the PIX is connected on the outside to a modem or a DHCP server device, so you have the default route pointing to the wrong interface; it should be route outside, not inside, I guess:

route inside 0.0.0.0 255.255.255.0 192.168.2.1 1

Now you are also using EIGRP; you are just publishing the network 192.168.4.0, which is where the other EIGRP neighbors are, so the config is fine.

Now if you cannot ping the directly connected devices, you are troubleshooting the wrong device, as your configuration, which is really basic, is good for your requirements.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Config Help

Ok, let me clear up what I am trying to do:

The diagram is accurate except for the PIX. All addresses are correct.

Cable Modem----->Pix----->Cisco 3640----->Cisco 3745-----Cisco 2610

Pix:

Ethernet 0 - Outside

Ethernet 1 - Inside (192.168.2.4)

Cisco 3640:

Ethernet 0/0 - Connection to Pix (192.168.2.6)

For the EIGRP to work, what networks do I need to put in the network statement to be able to ping all devices on the network?

Below are the configs for the rest of the network:

3640:

Current configuration : 1856 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3640-Internet
!
boot system flash c3640-ik9s-mz.122-40a.bin
!
username woodjl1650 privilege 15 password 0 henry999
memory-size iomem 25
ip subnet-zero
ip cef
!
!
ip domain-name www.jkkcc.com
ip name-server 192.168.2.127
ip name-server 192.168.2.128
ip dhcp excluded-address 192.168.2.1 192.168.2.150
!
ip dhcp pool 192.168.2.0/24
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 192.168.2.127 192.168.2.128 8.8.8.8 127.0.0.1
!
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip route-cache flow
duplex auto
speed auto
!
interface Serial0/0
ip address 10.0.1.9 255.255.255.252
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip route-cache flow
duplex auto
speed auto
!
interface Serial0/1
ip address 10.0.1.5 255.255.255.252
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
interface Ethernet1/1
no ip address
shutdown
half-duplex
!
interface Ethernet3/0
no ip address
shutdown
half-duplex
!
interface Ethernet3/1
no ip address
shutdown
half-duplex
!
router eigrp 1
network 10.0.0.0
network 192.168.0.0
network 192.168.2.0
no auto-summary
!
ip nat inside source list 15 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.2.128 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.2.128 25 interface FastEthernet0/0 25
ip classless
ip http server
ip http authentication local
!
access-list 15 permit 192.168.2.0 0.0.0.255
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
!
end

3745:

Building configuration...
Current configuration : 1531 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3745-Internet
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.150
!
ip dhcp pool 192.168.1.0/24
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.2.127 192.168.2.128 8.8.8.8 127.0.0.1
!
!
ip domain name www.jkkcc.com
ip name-server 192.168.2.127
ip name-server 192.168.2.128
!
username woodjl1650 privilege 15 password 0 henry999
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip route-cache flow
duplex auto
speed auto
!
interface Serial0/0
ip address 10.0.1.6 255.255.255.252
no fair-queue
clock rate 2000000
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
router eigrp 1
network 10.0.1.4
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
ip route 192.168.2.0 255.255.255.0 192.168.20.0
!
ip http server
ip http authentication local
ip nat inside source list 15 interface FastEthernet0/0 overload
!
access-list 15 permit 192.168.1.0 0.0.0.255
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps tty
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
!
!
end

2610:

Building configuration...
Current configuration : 985 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash
boot-end-marker
!
no logging on
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.3.1 192.168.3.150
!
ip dhcp pool 192.168.3.0/24
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server 192.168.2.127 192.168.2.128 8.8.8.8
!
!
username woodjl1650 privilege 15 password 0 henry999
!
!
!
!
interface Ethernet0/0
ip address 192.168.3.1 255.255.255.0
half-duplex
!
interface Serial0/0
ip address 10.0.1.10 255.255.255.252
clock rate 2000000
!
interface Serial0/1
no ip address
shutdown
!
router eigrp 1
network 10.0.0.0
network 192.168.3.0
no auto-summary
!
no ip http server
ip classless
!
!
snmp-server community public RO
snmp-server community private RW
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
!
!
end

Config Help

Hello Jonathan,

For the EIGRP to work, what networks do I need to put in the network statement to be able to ping all devices on the network?

Only the 192.168.2.0/24

Can you ping the 3745 from the PIX (they are directly connected, so they should)?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Config Help

No I can't ping any network.

PIX - Config:

PIX Version 8.0(4)32
!
hostname PIX515E
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Ethernet2
shutdown
nameif DMZ
security-level 50
ip address 192.168.4.2 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
router eigrp 1
network 192.168.2.0 255.255.255.0
network 192.168.4.0 255.255.255.0
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:9251654182c76b63f56201b20219052a
: end

Config Help

Hello Jonathan,

I do not understand: on the first post you only had 2 interfaces, now you have 3!!

Why are they on the same subnet!!

router eigrp 1
network 192.168.2.0 255.255.255.0
network 192.168.4.0 255.255.255.0
!

So outside interface network is 192.168.2.0 and inside interface network is 192.168.4.0

Please check the status of the interface on the ASA and the directly connected device.

I need the ASA's inside IP address (the right one, not 2 of them as in this post) and also the IP address of the device directly connected to the ASA...

Because as I can see, the Cisco 3640 is not on the same subnet as the ASA:

Cable Modem----->Pix----->Cisco 3640----->Cisco 3745-----Cisco 2610

3640 ip :

ip address 192.168.2.1 255.255.255.0

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Config Help

I am just trying to troubleshoot, trying to figure out how to get this device to work right. Like I stated in the beginning, this is a home lab, so no IP address is firm. I am trying different IPs out until someone can help me with the config.

What IP subnet should I use for the PIX?

Config Help

Hello Jonathan,

If we troubleshoot it and every single post you change it, there is no future in this discussion..

What IP subnet should I use for the PIX?

The same one that you have on the device directly connected, so they can exchange hello packets, EIGRP packets, etc.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
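A small offline check, added here as example code (not from the thread, the poster or Cisco), that turns the two points Julio raises into assertions: two PIX interfaces sitting on one subnet, and the PIX needing to share a subnet with the 3640, covered by a network statement on both sides, before EIGRP hellos can be exchanged. It also flags the default route on the inside interface from the first reply. The config snippets are constructed from what was posted; the parser is deliberately minimal and only understands the line shapes seen in this thread.

```python
import ipaddress
from itertools import combinations

# Constructed for this example from the configs in the thread (PIX as in the
# fourth reply; the 3640's LAN interface and its EIGRP block).
PIX_CFG = """\
interface Ethernet1
ip address 192.168.4.1 255.255.255.0
interface Ethernet2
ip address 192.168.4.2 255.255.255.0
router eigrp 1
network 192.168.2.0 255.255.255.0
network 192.168.4.0 255.255.255.0
route inside 0.0.0.0 255.255.255.0 192.168.2.1 1
"""
R3640_CFG = """\
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
router eigrp 1
network 10.0.0.0
network 192.168.2.0
no auto-summary
"""

def parse(cfg):
    """Return ({ifname: IPv4Interface}, [EIGRP networks], [PIX default routes
    that leave via an interface other than outside])."""
    ifaces, nets, bad_defaults, cur, in_eigrp = {}, [], [], None, False
    for t in filter(None, map(str.split, cfg.splitlines())):
        if t[0] in ("interface", "router", "route", "!"):  # new block starts
            cur = t[1] if t[0] == "interface" else None
            in_eigrp = t[:2] == ["router", "eigrp"]
        if cur and t[:2] == ["ip", "address"] and len(t) == 4:
            ifaces[cur] = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
        elif in_eigrp and t[0] == "network":
            # PIX gives an explicit mask; IOS without a wildcard means classful
            o = int(t[1].split(".")[0])
            mask = t[2] if len(t) > 2 else 8 if o < 128 else 16 if o < 192 else 24
            nets.append(ipaddress.IPv4Network(f"{t[1]}/{mask}", strict=False))
        elif t[0] == "route" and len(t) > 2 and t[2] == "0.0.0.0" and t[1] != "outside":
            bad_defaults.append(t[1])
    return ifaces, nets, bad_defaults

def overlapping_interfaces(ifaces):
    """Interface pairs on one subnet (Julio's 'why are they on the same subnet')."""
    return [(a, b) for a, b in combinations(sorted(ifaces), 2)
            if ifaces[a].network == ifaces[b].network]

def eigrp_peers(cfg_a, cfg_b):
    """Interface pairs that share a subnet and are covered by a network statement
    on both boxes: the only places hellos can be exchanged and an adjacency form."""
    (ia, na, _), (ib, nb, _) = parse(cfg_a), parse(cfg_b)
    return [(x, y) for x in ia for y in ib if ia[x].network == ib[y].network
            and any(ia[x].ip in n for n in na) and any(ib[y].ip in n for n in nb)]
```

Run against the posted PIX config it reports Ethernet1/Ethernet2 on one subnet, the default route via inside, and no possible EIGRP peer with the 3640; moving the inside address into 192.168.2.0/24, as the thread ends up doing, yields one candidate pair.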
New Member

Config Help

Ok, IP address will be 192.168.2.5.

Config Help

Sure,

Let me know if you can ping the directly connected device!!

Regards,

Do rate all the helpful posts!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Config Help

Still not able to ping from my PC (192.168.2.122) to the PIX (192.168.2.5), and also can't ping from the PIX to the 3640 (192.168.2.1).

Current show run:

PIX Version 8.0(4)32
!
hostname PIX515E
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.5 255.255.255.0
!
interface Ethernet2
nameif DMZ
security-level 50
ip address 192.168.2.6 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
router eigrp 1
network 192.168.2.0 255.255.255.0
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:68f53bfe67a6272a7406881d204a69d4

Config Help

Hello,

Provide:

show interface ip brief on the pix

and sh ip interface brief on the 3640

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Config Help

PIX: - Not sure why it says IP address unassigned.... any idea?

So looking at this, my connection could be wrong - PIX Ethernet 1 is connected to the switch. Does it need to be connected directly to the 3640, and if so, what type of cable? Rollover, crossover or straight through?

PIX515E# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  unassigned      YES DHCP   down                  down
Ethernet1                  unassigned      YES manual up                    up
Ethernet2                  unassigned      YES manual down                  down
Ethernet3                  unassigned      YES unset  administratively down down
Ethernet4                  unassigned      YES unset  administratively down down
Ethernet5                  unassigned      YES unset  administratively down down

3640:

3640-Internet#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            68.224.240.31   YES DHCP   up                    up
Serial0/0                  10.0.1.9        YES NVRAM  up                    up
FastEthernet0/1            192.168.2.1     YES NVRAM  up                    up
Serial0/1                  10.0.1.5        YES NVRAM  up                    up
Ethernet1/0                192.168.4.10    YES manual up                    down
Ethernet1/1                unassigned      YES NVRAM  administratively down down
Ethernet3/0                unassigned      YES NVRAM  administratively down down
Ethernet3/1                unassigned      YES NVRAM  administratively down down
3640-Internet#

Config Help

Hello,

You can connect it to the switch, but as you can see, the "unassigned" is the issue:

interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.5 255.255.255.0
!
interface Ethernet2
nameif DMZ
security-level 50
no ip address 192.168.2.6 255.255.255.0

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC