New Member

PIX 515e basic config

Hi,

I got a PIX and here is the config:

sh run

PIX Version 8.0(3)

hostname pixfirewall

enable password 8Ry2YjIyt7RRXU24 encrypted

names

interface Ethernet0

shutdown

nameif Outside

security-level 0

no ip address

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.51 255.255.255.0

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

pager lines 24

mtu Outside 1500

mtu inside 1500

no failover

            
icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

        
  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

service-policy global_policy global

prompt hostname context

Cryptochecksum:6ba6ce7d4cbacfeafbc90a2ed9b0d923

: end

My LAN is 192.168.1.0/24 and I gave the PIX the IP 192.168.1.51. My machine IP is 192.168.1.64, and 192.168.1.1 is the VLAN IP of our Layer 3 switch. I am not able to ping 192.168.1.1 from the PIX. What could be the issue?

- Ribin

ACCEPTED SOLUTION

Cisco Employee

Re: PIX 515e basic config


Hi Ribin,

Here are more details on the issue:

Since the platform has a Failover Only-Active/Standby (FO) license, your PIX cannot be used as a standalone unit unless you change the type of license it has to either a Restricted or an Unrestricted license. You can still give it a try by enabling failover on your device, but the device may reboot by itself every 24 hours since it is not detecting a mate (failover pair).
In order to enter these commands you need to make sure you are in configuration mode:

pixfirewall# config t
pixfirewall(config)# failover
pixfirewall(config)# failover active

In case you are still unable to pass traffic, or the unit reboots every 24 hours, you will need to obtain a new license for your device. In order to do that, you will need to contact your Account Manager or the point of sale where you got the device from, or you can call the TAC front line at 1800 553 2447 and obtain the required license.

Also, one more question before you opt for a separate license. Do you have another PIX that you are willing to use in Active and Standby failover mode (with 2 PIX)? If yes, then the PIXs will pass traffic once they are configured for failover.

Cheers,
Rudresh V

Re: PIX 515e basic config

Hi

Could you try:

icmp permit any echo-reply inside

icmp permit any echo inside

policy-map global_policy
class class-default
  inspect icmp

HTH

Dan

New Member

Re: PIX 515e basic config

No luck with those commands.

- Ribin

Re: PIX 515e basic config

Could you enable logging and see what messages you receive:

logging buffered 7

ping

then show logg

Dan

New Member

Re: PIX 515e basic config

Nothing happens.

- Ribin

New Member

Re: PIX 515e basic config

Hi,

Is this the full configuration that you have pasted? Have you configured any access lists on the PIX?

As per your description the switch seems to be the next hop on the PIX.

Check the default gateway on the switch.

Do a "debug icmp trace" on the PIX to see if the packets are even reaching the firewall.

Another way to check if the pings are even reaching the firewall is by putting captures.

Check the steps in the document below to see if it helps you isolate the issue:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009402f.shtml

Regards,

Sindhuja

New Member

Re: PIX 515e basic config

Yes Sindhuja, this is the full config I have pasted here. I have not added any ACL on the PIX.

What do you mean by "Check the default gateway on the switch."? I have other devices in the network with the gateway 192.168.1.1 which work fine. I think I am missing some basic thing in the PIX initial configuration.

- Ribin

New Member

Re: PIX 515e basic config

Hi,

When I said default gateway on the switch, I meant to check whether the traffic is being routed back to the PIX.

Let's just revisit your topology real quick here:

host (192.168.1.64) ---------- switch (192.168.1.1) ---------- PIX (192.168.1.51)

Please correct me if this is wrong.

I understand you are unable to ping the 192.168.1.1 IP address.

The only issue on the PIX that could be causing this is that the PIX is dropping incoming ICMP, and this can be done by access lists.

Since that option has been eliminated, let us look at it from the routing point of view.

1. Are you able to ping from 192.168.1.64 to 192.168.1.51 and vice versa?

2. What is the output of the debug icmp trace on the firewall when you try to ping 192.168.1.1?

3. Also check that when you do a show route on the PIX you are able to see a directly connected route to the 192.168.1.0 subnet.

Regards,

Sindhuja

New Member

Re: PIX 515e basic config

Hi Ribin,

Also check for any interface access lists on the L3 switch dropping ICMP.

Regards,

Sindhuja

New Member

Re: PIX 515e basic config

Hi,

The topology is right.

My issue is not with ICMP alone. I am unable to make any kind of communication to or from the PIX. I think we can leave out the Layer 3 concept here (since the PC and the PIX sit in the same network). There is no ACL on the L3 switch to block ICMP.

1. Are you able to ping from 192.168.1.64 to 192.168.1.51 and vice versa?

   - No

2. What is the output of the debug icmp trace on the firewall when you try to ping 192.168.1.1?

pixfirewall(config)# debug icmp trace
debug icmp trace enabled at level 1
pixfirewall(config)# 
pixfirewall# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

3. Also check that when you do a show route on the PIX you are able to see a directly connected route to the 192.168.1.0 subnet.

pixfirewall# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0 255.255.255.0 is directly connected, inside

New Member

Re: PIX 515e basic config

Hi Ribin,

Check your physical connectivity. Change the interface that you have connected to on the PIX.

Regards,

Sindhuja

New Member

Re: PIX 515e basic config

No luck. My config once more:

sh run

: Saved

:

PIX Version 8.0(3)

!

hostname pixfirewall

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0

shutdown

nameif Outside

security-level 0

no ip address

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.51 255.255.255.0

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

pager lines 24

logging buffered debugging

mtu Outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo-reply inside

icmp permit any echo inside

no asdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

username ribin password 4PKgAdpUwCY7ZdMA encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map gloval_policy

class class-default

  inspect icmp

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:6ba6ce7d4cbacfeafbc90a2ed9b0d923

: end

- Ribin

New Member

Re: PIX 515e basic config

OK... Let's try capturing the traffic.

access-list capin permit icmp host 192.168.1.51 host 192.168.1.1

access-list capin permit icmp host 192.168.1.1 host 192.168.1.51

capture capin interface inside access-list capin

Then initiate the ping.

Then check the output of 'show cap capin'

Since we are not able to ping even directly connected hosts I am suspecting an issue with the connectivity.

Regards,

Sindhuja

New Member

Re: PIX 515e basic config

Hmm... It shows zero packets captured.

pixfirewall# sh capture capin
0 packet captured
0 packet shown

What could be the issue with the connectivity? Just now I connected a laptop (with IP 192.168.1.90) directly to the PIX using a straight cable, and even those can't ping each other.

- Ribin

New Member

Re: PIX 515e basic config

Just now noticed that the PIX doesn't even reply to a self ping.

- Ribin

Cisco Employee

Re: PIX 515e basic config

Hi Ribin,

Do you see a solid green light or an amber light on the interface of the PIX when you connect a PC directly, or the switch?

Cheers,

Rudresh V

Cisco Employee

Re: PIX 515e basic config

Hi Ribin,

In one of the previous messages, you mentioned that we saw the following route present on the PIX:

C    192.168.1.0 255.255.255.0 is directly connected, inside

This means that the inside interface is up, and physical and layer 2 connectivity should be good. So I think the config on the PIX is fine.

The next place to look is the config on the switch. Can you please make sure the PIX interface and the port to which the PC connects are in the same VLAN? The issue we are facing seems to be caused at the switch.

So please issue the command "sh vlan" on the switch and verify that the 2 ports (connecting the PIX and the PC) are in the same VLAN.

It is surprising, though, that it does not work even with a PC connected directly to the PIX. Please do this test: when you connect the PC to the PIX directly, issue the command show route on the PIX and make sure you see one connected route for 192.168.1.0 and that you see a solid green light at the PIX interface connected to the ASA, and perform a ping. Also issue the command "sh interface" on the PIX and paste the output here.

Let me know if this works,

Cheers,

Rudresh V

New Member

Re: PIX 515e basic config

I see one connected route for 192.168.1.0 and I see a solid Green light at the PIX interface when connecting the PIX directly to the PC.

PIX# sh interface

Interface Ethernet0 "", is administratively down, line protocol is down

  Hardware is i82559, BW 100 Mbps, DLY 100 usec

    Auto-Duplex, Auto-Speed

    Available but not configured via nameif

    MAC address 0013.7fdd.2671, MTU not set

    IP address unassigned

    7 packets input, 0 bytes, 0 no buffer

    Received 0 broadcasts, 0 runts, 0 giants

    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

    0 L2 decode drops

    0 packets output, 0 bytes, 0 underruns

    0 output errors, 0 collisions, 0 interface resets

    0 babbles, 0 late collisions, 0 deferred

    0 lost carrier, 0 no carrier

    input queue (curr/max packets): hardware (0/0) software (0/0)

    output queue (curr/max packets): hardware (1/0) software (0/0)

Interface Ethernet1 "inside", is up, line protocol is up

  Hardware is i82559, BW 100 Mbps, DLY 100 usec

    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

    MAC address 0013.7fdd.2672, MTU 1500

    IP address unassigned

    1160 packets input, 97593 bytes, 0 no buffer

    Received 1159 broadcasts, 0 runts, 0 giants

    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

    0 L2 decode drops

    0 packets output, 0 bytes, 0 underruns

    0 output errors, 0 collisions, 0 interface resets

    0 babbles, 0 late collisions, 0 deferred

    0 lost carrier, 0 no carrier

    input queue (curr/max packets): hardware (0/1) software (0/2)

    output queue (curr/max packets): hardware (0/0) software (0/0)

  Traffic Statistics for "inside":

    1145 packets input, 80375 bytes

    0 packets output, 0 bytes

    371 packets dropped

      1 minute input rate 0 pkts/sec,  43 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  73 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec


PIX#

Any idea why there is no self ping for the PIX?

- Ribin

Cisco Employee

Re: PIX 515e basic config

Hi Ribin,

From the show interface output you have pasted, I see the following segment:

Interface Ethernet1 "inside", is up, line protocol is up

  Hardware is i82559, BW 100 Mbps, DLY 100 usec

    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

    MAC address 0013.7fdd.2672, MTU 1500

    IP address unassigned

....

So we are seeing "IP address unassigned". Can you please confirm that we have assigned the IP address 192.168.1.51 255.255.255.0 to the inside interface (Ethernet 1)? The above output says the IP address is somehow not reflected on the interface. I think this is why we cannot ping the PIX interface itself...

Cheers,

Rudresh V

New Member

Re: PIX 515e basic config

Yes. I confirmed using sh run that we have an IP configured for the Ethernet 1 interface.

It shows "Interface Ethernet1 "inside", is up, line protocol is up". How can it be shown "up" if there is no IP address configured?

But as you found out, "IP address unassigned" is something odd.

- Ribin

Cisco Employee

Re: PIX 515e basic config

Hi Ribin,

This is interestingly odd: we see no output packets, only input packets, as seen below:

1160 packets input, 97593 bytes, 0 no buffer

0 packets output, 0 bytes, 0 underruns

Traffic Statistics for "inside":

    1145 packets input, 80375 bytes

     0 packets output, 0 bytes

This is very odd. Would it be possible to shut and no shut the inside interface? We can also consider a reboot as an option, since this seems to be an issue at a very basic layer. If this does not work, please try using the Ethernet 0 interface for inside, or any other free interface. I think there could be something wrong with the cable or with the Ethernet 1 interface itself. Also, please let me know what version of code you are running on the PIX.

Cheers,

Rudresh V

New Member

Re: PIX 515e basic config

I tried rebooting. I even tried configuring the IP in the other interface available (Ethernet 0), but still no luck.

Below is my sh version output:

sh ver


Cisco PIX Security Appliance Software Version 8.0(3)

Device Manager Version 6.0(2)


Compiled on Tue 06-Nov-07 19:50 by builders

System image file is "flash:/pix803.bin"

Config file at boot was "startup-config"


PIX up 1 hour 14 mins


Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB


Encryption hardware device : VAC+ (Crypto5823 revision 0x1)

0: Ext: Ethernet0           : address is 0013.7fdd.2671, irq 10

1: Ext: Ethernet1           : address is 0013.7fdd.2672, irq 11


Licensed features for this platform:

Maximum Physical Interfaces  : 6       

Maximum VLANs                : 25      

Inside Hosts                 : Unlimited

Failover                     : Active/Standby

VPN-DES                      : Enabled 

VPN-3DES-AES                 : Enabled 

Cut-through Proxy            : Enabled 

Guards                       : Enabled 

URL Filtering                : Enabled 

Security Contexts            : 2       

GTP/GPRS                     : Disabled

VPN Peers                    : Unlimited


This platform has a Failover Only-Active/Standby (FO) license.


Serial Number: 809093457

Running Activation Key: 0x41cbbc86 0x489404df 0x3884a4c8 0x9aae1f2a

Configuration last modified by enable_15 at 17:00:36.576 UTC Fri Oct 15 2010


- Ribin

Cisco Employee

Re: PIX 515e basic config

Hi Ribin,

I think we may have found the issue with your last post. From the sh version output I see that this PIX has the license "Failover only". So this is a possible reason for our normal traffic not to work. Try enabling failover on the PIX with the command "failover" in conf t mode. This should get the ping and other traffic working.

But please remember that this PIX has a failover license, so it needs to be used in a failover pair (with another PIX). So if you do not want to have the Failover Only feature, I would suggest you apply for a new license for normal connections.

Let me know if this works,

Cheers,

Rudresh V
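As an added example (not from the thread or from Cisco), here is a small Python triage helper that parses the two outputs this thread turned on, "show interface" and "show version", and flags the findings Rudresh identified: an up/up interface with no IP address and no transmitted packets, and a Failover Only license on a standalone unit. The sample outputs are constructed from the lines pasted above, and the regexes assume the PIX 8.0 output layout shown in this thread.

```python
import re

# Constructed sample: 'show version' trimmed to the license lines pasted in the thread.
SHOW_VERSION = """\
Licensed features for this platform:
Failover                     : Active/Standby
Security Contexts            : 2
This platform has a Failover Only-Active/Standby (FO) license.
"""

# Constructed sample: 'show interface' trimmed to the inside interface lines pasted above.
SHOW_INTERFACE = """\
Interface Ethernet1 "inside", is up, line protocol is up
    MAC address 0013.7fdd.2672, MTU 1500
    IP address unassigned
    1160 packets input, 97593 bytes, 0 no buffer
    0 packets output, 0 bytes, 0 underruns
"""

def license_type(show_version):
    """Return the license class named by 'show version', or 'Unknown'."""
    m = re.search(r"This platform has an? (.+?) license\.", show_version)
    return m.group(1) if m else "Unknown"

def parse_interfaces(show_interface):
    """Return {nameif-or-name: {state, proto, ip, pkts_in, pkts_out}} per interface block."""
    ifaces, cur = {}, None
    for line in show_interface.splitlines():
        m = re.match(r'Interface (\S+) "(.*?)", is (.+?), line protocol is (\w+)', line)
        if m:
            cur = {"state": m.group(3), "proto": m.group(4),
                   "ip": None, "pkts_in": 0, "pkts_out": 0}
            ifaces[m.group(2) or m.group(1)] = cur
            continue
        if cur is None or "Traffic Statistics" in line:
            cur = None  # only read the hardware counters, not the Traffic Statistics block
            continue
        m = re.match(r"\s*IP address (\S+)", line)
        if m:
            cur["ip"] = None if m.group(1) == "unassigned" else m.group(1).rstrip(",")
        m = re.match(r"\s*(\d+) packets (input|output),", line)
        if m:
            cur["pkts_in" if m.group(2) == "input" else "pkts_out"] = int(m.group(1))
    return ifaces

def triage(show_version, show_interface):
    """Return the findings this thread converged on, as human-readable strings."""
    findings = []
    lic = license_type(show_version)
    if lic.startswith("Failover Only"):
        findings.append("license: %s - unit will not pass traffic standalone; needs a "
                        "failover peer or a Restricted/Unrestricted license" % lic)
    for nameif, i in parse_interfaces(show_interface).items():
        if i["state"] == "up" and i["proto"] == "up":
            if i["ip"] is None:
                findings.append("%s: up/up but IP address unassigned" % nameif)
            if i["pkts_in"] > 0 and i["pkts_out"] == 0:
                findings.append("%s: receives frames but transmits nothing" % nameif)
    return findings
```

Running `triage(SHOW_VERSION, SHOW_INTERFACE)` on the constructed samples returns the three findings in the order the thread found them.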

New Member

Re: PIX 515e basic config

Thanks Rudresh.. I will look into those details. I need to add one more thing here.

This PIX interface was working earlier when I tried to configure this interface about a month back. I did a write erase on the PIX recently to do a fresh config, and only after that did this issue arise.

- Ribin

New Member

Re: PIX 515e basic config

Hey Rudresh,

I issued the failover command and then I could ping the PIX itself and other IPs. So I think my issue is sorted out. Thanks everyone for all the help.

Ribin
