I have been facing a problem since 2 weeks with a brand new PIX 515e. I cannot ping from or to the PIX even from or to an inside host !! I tried every configuration I've managed to find on Internet with no success.. Also, I am not able to telnet to the unit.. I enabled the debugging for ICMP and for packets, and when I ping to the inside interface from an inside host, I get debugging messages for the packets but not for ICMP.. All the needed information is in the attached file.
I am connecting to the firewall by console only, and I tried all the ICMP permit commands, access-lists, static and dynamic natting, and everything else with no success. Any idea about fixing the problem? I am really out of ideas
I am also facing a similar problem with the PIX515E with 7.2(2).I am not able to assign an IP address for the inside interface,it shows ip address on the running config,but on show interface output it shows "ip address unassigned".
Linking my query at netpro to this post.
It is not the same.. I am able to assign the IP addresses, and they show up through the debug command.. The interfaces recieve the packets, but it stops there !!
Is your host machine connected directly to the PIX interface ethernet1 via straight-thru cat5? If you are then its not possible and you would need a crossover cable in order to be able to connect directly to the PIX interface.
You test config looks fine to me. Its probably a layer 1 issue. Also try using acces-list capture to debug the situation, it would ease on the main focus which is the transversing packets not the packet details themselves.
If you like the review please provide some level of rating.
I used a cross cable for the direct connection.. Then I connected them through straight cables and a switch.. Do you have any suggestions to check the root of the problem?
Try configuring dhcpd on your PIX and then try to obtain an IP via your host machine. Make sure you are on a dhcp client not hard-coded static IP on your host machine.
This is the example from Cisco for dhcpd configuration on PIX 6.3:
The below is the output of sh ver command:
Cisco PIX Firewall Version 6.3(5)
Compiled on Thu 04-Aug-05 21:40 by morlee
pix up 1 hour 23 mins
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 1100.1cbb.48d4, irq 10
1: ethernet1: address is 1100.1cbb.49d4, irq 11
2: ethernet2: address is 0090.2774.d98d, irq 5
Maximum Physical Interfaces: 3
Maximum Interfaces: 5
Cut-through Proxy: Enabled
Inside Hosts: Unlimited
IKE peers: Unlimited
This PIX has a Restricted ? license.
Almost same incident happened to me as well.But it was related to static natting issue. I upgraded the IOS to 7.1 (2)& changed nothing. It started working fine & still going on in a good shape. I would suggest you to try once.
another point: create 1 access list "access-list 10 permit ip any any" & bind this to inside interface by " ip access-group 10 in interface inside)& try to ping the inside interface.
If both the 2 points doesn't make any sense then there must be a problem with the ethernet port (h/w related issue).
i faced the booting problem for consecutive times with a brand new IPS. In trasit it may got faulty.
Since you dont have any ACL's on the inside, i would suggest you to try putting a conduit for icmp..just for testing purposes and see if it works..
conduit permit icmp any any
From the PIX, clear down the ARP cache, ping a known good adfdress and see if the cache gets populated.
If it does, then it is a layer 3 issue, if not layer 1 or 2.
Is it possible to log into the switch where the inside interface is connected?
Check to see if the switch interface becomes active.
If so try a ping from the switch to the PIX and see if the PIX MAC address shows up in the interface MAC address table.
The addresses are there in the debug messages.. Also, the firewall is able to get even the ip addresses of the connected hosts which I used to ping to it from..
i hope that you have NOT been doing the testing using just one laptop. I hope that it is not the personal firewall issue with the laptop. Have you tried using some other machine.
You can try this ;
Restore the box to the factory default config ( do a wr erase) and reload and try and put the config back in before changing to another version of software.
OK, just to summerise
Layer 1 and 2 seem to be operating correctly, as you get the MAC address to populate the ARP cache.
You have tried multiple target devices, so the Layer 3 issue has to be with the PIX itself.
This suggests some sort of hardware issue, has the device ever worked?
Do you have access to another PIX image to reload, either at the same version or upgrade, assuming you have sufficient memory?
Clutching as straws here, but have you tried fixing the Speed/Duplex on both the PIX and the Switch?
Have you tried connecting the device via a hub or not inteligent device? Just in case the switch has ARP issues.
The device is a brand new; it has never worked since we have taken it out of the box !
I don't have another image, and the memory is 64 MB; so it is not too much for an upgrade.
And, yes; I tried fixing Speed/Duplex settings.. Also, I used a switch when the PIX didn't work with the cross cables.. Nothing worked..
My advise is to open a Cisco Tac case and have it RMA asap because you have 90 days of warranty from the day you purchase it.
Before you go in for an RMA just check if you have the sh crash info.It may point to some bug.
I had similar problem with pix 515 e with 6.3.5 but with failover license .
It did not ping tftp server except from the moniter mode.
So I ran failover and once the config sync happned everthing worked like a magic.
But in stand alone mode I tried everything but could not get the box to ping the tftp server.