02-07-2007 08:30 AM - edited 03-11-2019 02:30 AM
While trying to upgrade, I received a timeout error using the copy TFTP command. I am unable to ping any internal host on the LAN from the PIX and cannot ping from any internal host to the PIX. All internal hosts still get internet access. Attached is the config file of the PIX. Any help is greatly appreciated!
02-08-2007 02:04 AM
Hello,
I believe you have two questions which you want the answers for.
Q1. You cannot upgrade to 7.2.2 from 6.3.4; you get a timeout error.
A1. Which TFTP are you using? You can use SolarWinds TFTP server; it is very easy to use. Also, whichever TFTP you have, check if it is allowed to transmit as well as receive; usually by default TFTP servers are only set to receive.
Q2. You cannot PING from the PIX or to the PIX from the LAN.
A2. By default the PIX denies all ICMP traffic, therefore you can allow this by using the correct ACL on your inside interface, e.g.
//to allow icmp on PIX inside interface
access-list acl_in permit icmp any any unreachable
access-list acl_in permit icmp any any time-exceeded
access-list acl_in permit icmp any any echo-reply
//to apply ACL to inside interface
access-group acl_in in interface inside
HTH, please rate if it does.
02-08-2007 07:17 AM
Thanks for the help, but I still can't ping to or from the inside interface to or from the LAN after applying the ACL.
I use SolarWinds TFTP server and have updated the PIX before, and the settings are all correct for send and receive.
I do have a new HP 2824 switch between the PIX and TFTP - I do not know if this could be the problem or not.
Any help is greatly appreciated!
02-09-2007 02:45 AM
Hello,
Tell you what: first upgrade to 7 from 6.3, then go for 7.2.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/pix_upgd/pixupgrd.pdf
As for the ICMP, do you think it's possible to connect to the PIX using a cross cable with a laptop and ping, as I don't know what sort of configuration you have on your HP switch? This would really eliminate the question of doubt.
HTH, PRI
02-11-2007 04:32 AM
Hi, I saw your configuration. I suggest you remove this command and check: ip verify reverse-path interface inside
I hope after removing it you would be able to ping. Regarding upgrading the firewall OS from 6.x to 7.2: first update to 7.0, then go for 7.2.2. Before upgrading to 7.0, check the memory of your firewall. You need at least 128 MB RAM if you have a UR license, and 64 MB if you have an R license.