I am new to firewalls, so please excuse my ignorance. My company has several PIX 501 firewalls in place for a SCADA project. We have 2 more to add in. I have used the same configuration from one of the known-good PIXs for my new PIXs aside from putting the correct inside/outside IP addresses, access-lists and PDMs. I cannot ping the new PIX (inside/outside IP addresses) nor can the new PIX ping anything beyond it's own inside/outside IP addresses. As I said, everything is identical, so I'm not sure what is wrong. Can anyone offer any suggestions?
Thanks in advance,
Mark, you did not say where are you pinging from, if you console to the pix can you ping its interfaces? can you post output status for the inside & outside interfaces. From within pix issue" show interfaces" and post info, could you also provide physical connectivity information such as where does PIX inside interface connects to e.g. switch , vlans.. , as well as outside interface ect..
The pix is sitting on my desk, and I am trying to ping it from my computer across the network back to the PIX. I try to ping from the PIX using my HyperTerminal through the console cable into the PIX. Putting the PIX in the correct building makes no difference. The PIX cannot ping anything inside or outside. As far as the infrastructure between my computer and a PIX that is working correctly, my computer goes to a switch in my building to a router in my building, across a T1 to the remote building into it's router, then it's switch and then into the remote PIX. I have tried this with my PIX that won't work and have brought it back to my desk to try to figure out what the problem is.
The attached text is the "Show Interface" information.
What is your PC ip configuration, are you in the same segment as the inside pix interface 10.26.0.0/16?, or is the PIX inside interface connected to the correct vlan on switch carring 10.26.0.0/16 network, can you post the complete pix configuration.
PC gets IP from DHCP and always gets the same IP on the 10.1.60 subnet. I am able to ping all our other PIX's from my desk and remote into them through the web. I've attached the config of this PIX, which aside from everything being for the 10.21 outside and 10.26 inside and related access-list's and PDM's it matches all our "live" PIX's.
Mark, is there another router device inside your LAN that is routing 10.26.0.0/16 network , if you are unable to ping the inside PIX interface 10.26.0.2, either the inside PIX interface is not connected in the right vlan in your inside switch for 10.26.0.0/16 subnet , or there is no route to 10.26.0.0/16 subnet from whichever router is carring 10.1.60.0 subnet, can you verify this is the case.
Over the weekend I was starting to think that this might be a routing issue as well. I didn't see your reply back until now (Tues morning), but I think you may be right. I'll check things out and get back to you.
This was in fact a router issue. Both the closest-hop router and the main router needed the route defined and it's working like a charm now. Thanks so much for your help!
Mark, you are always welcome..thanks for your update.. as I suspected a routing problem.. I am glad tha it was resolved and again thank you for your update.
The 2nd PIX is on a different subnet which means that it has a different router associated with it.
You will need to change your route outside statement or your route inside statement to reflect the correct next hop router.
For my PIX that can't ping anything the routes are as follows:
outside 0.0.0.0 0.0.0.0 10.21.0.1 1 OTHER static
outside 10.21.0.0 255.255.0.0 10.21.0.2 1 CONNECT static
inside 10.26.0.0 255.255.0.0 10.26.0.2 1 CONNECT static
The router that this PIX is supposed to go to is the 10.21.0.1, the outside ip of the PIX is 10.21.0.2 and inside IP of PIX is 10.26.0.2
I know the outside route is correct, so I'm not sure a change needs to occur there. Given that, I should be able to ping this PIX from my desk which is outside the PIX and vice-versa, right?
Mark, in order to ping the oustide interface 10.21.0.2 you need icmp permit any outside statement in your firewall configuration which you dont have, by default outside interface blocks ICMP.
If your PC in office and network is the outside in relation to the PIX and your network does have a route to get to 10.21.0.0/16 network, with above icmp permit any outside statement you should be able to ping the PIX outside interface.
I still think we are not getting the complete picture of your topology other than the PIX configuration outside interface IP and inside interface IP.
Try the above and post results.
Adding the statement in did not change my ability to ping the PIX. I'm still trying to check the router situation out. The person I replaced had not documented the password to access the router so I am trying to get that information from them. I'm not ready to wipe out a router config just to gain access to it quite yet.