Cisco Support Community
New Member

Can't access PIX 501 after switch from dsl to cable

Hi--

I have two small offices and recently switched from DSL to cable internet. The two PIX 501 f/w units worked fine on DSL, but for the life of me I cannot even access the units now from the inside as I was able to do before when on DSL signal. I know I need to change the configuration from PPPoE to DHCP, but I can't get access to do it.

Any suggestions?

I believe I have 6.2 software, but I'm not sure. The Inside address is 10.8.6.1 now.

thanks--jb

30 REPLIES

Re: Can't access PIX 501 after switch from dsl to cable

First can you actually ping the PIX inside interface ip 10.8.6.1?

Generally, to access the PIX for management you need to instruct the PIX which hosts or networks are allowed to manage the firewall.

So you need to make sure of a couple of things:

1- Confirm physical connectivity for the PIX inside interface and your PC , are they connected to a switch same vlan? hub ?

2- Confirm the PIX has at least these statements by accessing the device through local console if you cannot still telnet or http to the device.

to allow admin access from any host on 10.8.6.0

pix(config)#http 10.8.6.0 255.255.255.0 inside

pix(config)#telnet 10.8.6.0 255.255.255.0 inside

or any network from the inside

pix(config)#http 0 0 inside

pix(config)#telnet 0 0 inside

Try confirming the above and post results

Rgds

Jorge

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Jorge--

I wonder if my basic connectivity is a problem. I have the PIXfw connected directly to the cable modem (tried straight and crossed ethernet cables) and the PC connected directly to the PIXfw.

Power light and link light(1) are on. Link(0) is flashing. VPN is off and 100mps(1) is on. I cannot https access, and I tried telnet but no connect. I don't have the console connector. Rebooting modem and PIX hasn't helped.

I am sure that the inside is 10.8.6.1

Any thoughts?

Thanks,

JB

Re: Can't access PIX 501 after switch from dsl to cable

OK but can you at least ping the inside interface from your PC, is the PC under the same 10.8.6.0 subnet? in any case you will need to console to find out what is going on in PIX config or PIX start-up process.

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Jorge--

Some success. I was able to ping the 10.8.6.1 successfully and am also able now to https into the manager.

Pixfw is connected directly to cable modem, and to pc.

I have configured the outside to DHCP obtain ip automatically. The inside is 10.8.6.1. I enabled Easy VPN.

I still do not get internet on the pc. lights are on as noted above. The vpn tunnel (0) is not on.

I ran network diagnostics from the pc XP(3) and received the error message that my DNS Server Search Order failed when pinging 151.203.0.84

Everything else checked out.

Thoughts, Jorge? It must be something silly I'm omitting.

Thanks, JB

Re: Can't access PIX 501 after switch from dsl to cable

Can you post the PIX config.

Make sure PIX is getting default route

i.e.

pix(config)#ip address outside dhcp setroute

also post the output of

pix#show route | inc 0.0.0.0

Re: Can't access PIX 501 after switch from dsl to cable

Jeffrey, have you been able to resolve the issue?

Can you confirm from the PIX that you can ping by IP to any host on the outside internet? For example, you can ping yahoo.com @ 69.147.76.15; if you do get a reply you can then rule out routing. Without confirming this part you will not be able to connect outbound for any other connections.

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Jorge--

Thanks for your note. I have been busy with other matters--the medical practice is relentless. I will get to that question soon and let you know. Thanks for your support.

Jeffrey

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Hi Jorge--

I'm back and have more info.

to review for you:

-Pix501 direct connected to dhcp router (ip 192.168.1.1)

Cat5 connection to my laptop. no connection obtained.

yet the lights on the pix are on and steady, except VPN tunnel light is off.

I did get console cable and can access the pix.

When I ping from console to 192.168.1.1 i get positive reply.

when I ping Yahoo from the console, I am successful too.

When I ping from laptop to pix,(10.8.6.1) I am unsuccessful. no connection. I also cannot http into the manager from laptop.

Here is the pixconfig show run:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password PVSASRJovmamnVkD encrypted

passwd PVSASRJovmamnVkD encrypted

hostname pixMDC

domain-name keene.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 198.169.188.0 GE

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 10.8.6.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location GE 255.255.255.0 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.8.6.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.0.0.0 255.0.0.0 inside

http 10.8.6.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.8.6.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.8.6.2-10.8.6.33 inside

dhcpd dns 151.203.0.84 151.202.0.84

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

terminal width 80

Cryptochecksum:54d397db26abf93abfd2cf32ced06ba1

: end

Here is pixconfig show ip:

pixMDC(config)# show ip

System IP Addresses:

ip address outside 192.168.1.5 255.255.255.0

ip address inside 10.8.6.1 255.255.255.0

Current IP Addresses:

ip address outside 192.168.1.5 255.255.255.0

ip address inside 10.8.6.1 255.255.255.0

That's all I can think of for now. I much appreciate your thoughts.

Jeffrey

Re: Can't access PIX 501 after switch from dsl to cable

When I ping from laptop to pix,(10.8.6.1) I am unsuccessful. no connection. I also cannot http into the manager from laptop

Jeffrey,

1- Make sure you are using regular cat5 cable to connect from laptop to one of the ports in the 501 built-in switch, 1 to 4; it should give you a solid green LINK LED.

2- On laptop, are you getting IP assignment from PIX dhcp? Issue c:\ipconfig /all to verify, and try c:\ipconfig /renew.

If you're not getting IP but get green LED on the port, put a temporary static IP on the laptop, like 10.8.6.10/25 with DG 10.8.6.1. We can troubleshoot dhcp later but first get IP connectivity to pix.

once you get IP connectivity configure pix for telnet access from inside management, it already has http access for inside net

pix>enable

pix#config t

pix(config)#telnet 10.8.6.0 255.255.255.0 inside

to access the pix via browser

https://10.8.6.1

yet the lights on the pix are on and steady, except VPN tunnel light is off.

There is no VPN tunnel configuration on the pix, you need to build one.

Rgds

Jorge

Re: Can't access PIX 501 after switch from dsl to cable

Also can you post the output of show interface

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Jorge--

Thanks for your instructions. Here are results:

1. CAT5 cable is correct.

2. Laptop is not getting ip assignment from pix dhcp. ipconfig /renew does not help.

3. green lights steady on pix, but laptop icon says can't acquire connection.

4. I placed tcpip properties to static ip address 10.8.6.10 255.0.0.0 and DG as 10.8.6.1 and the laptop icon now says connected, but browser does not bring up internet pages. cmd ipconfig /all shows ip address and DG as those entered.

4. I also reset the stack for tcpip with the command netsh int ip reset c:\resetlog.txt and rebooted, but no change.

Jorge, it would appear that I have a connectivity problem from laptop to pix, and yet I know the equipment works.

I can, however, now get to the device manager via https, and have that open now. I have built an EasyVPN, but I'm not sure I did it correctly. But still no laptop to pix connectivity.

Next steps?

Thanks,

Jeffrey

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Jorge--

Also, here is the result of show interface;

Result of firewall command: "show interface"

interface ethernet0 "outside" is up, line protocol is up

Hardware is i82559 ethernet, address is 0016.c7f9.f673

IP address 192.168.1.5, subnet mask 255.255.255.0

MTU 1500 bytes, BW 100000 Kbit full duplex

4544 packets input, 692736 bytes, 0 no buffer

Received 4524 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

28 packets output, 8409 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

9 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/2)

output queue (curr/max blocks): hardware (0/2) software (0/1)

interface ethernet1 "inside" is up, line protocol is up

Hardware is i82559 ethernet, address is 0016.c7f9.f674

IP address 10.8.6.1, subnet mask 255.255.255.0

MTU 1500 bytes, BW 100000 Kbit full duplex

15151 packets input, 1041492 bytes, 0 no buffer

Received 1771 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

22410 packets output, 24533787 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/9)

output queue (curr/max blocks): hardware (5/18) software (0/1)

Thanks--Jeffrey

Re: Can't access PIX 501 after switch from dsl to cable

I placed tcpip properties to static ip address 10.8.6.10 255.0.0.0 and DG as 10.8.6.1 ...

make sure you use 24 bit mask, not 8 bits,

10.8.6.10 255.255.255.0

static ip is a temp fix, we need to get back and try fixing it..

in pix do :

pix#config t

pix(config)#dhcpd enable inside

pix(config)#exit

pix#write mem

then try dhcp from the laptop, if no good place static IP back and we'll get to it later.., ensure you use some type of dns also.

I see pix is getting the following dns: 151.203.0.84 and 151.202.0.84. If laptop does not get dhcp, use these dns for internet if you have not done so.

For Easy VPN follow this link, you need to configure the other PIX end as well..

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

Rgds

Jorge

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Jorge--

I made sure mask was 24 bit as noted

I enabled dhcpd inside and changed the dns as noted.

from laptop I can ping 10.8.6.1

from laptop i cannot ping to yahoo

I cannot get internet on browser

from laptop, i can get http access to pix manager. so it appears that I have connectivity from laptop to pix, but not through the pix.

I set up easy vpn, I think ok, though for my offices, our pc's only need to do local work. probably don't need vpn at all.

Here is updated Show run

pixMDC(config)# show run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password PVSASRJovmamnVkD encrypted

passwd PVSASRJovmamnVkD encrypted

hostname pixMDC

domain-name keene.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 10.8.6.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.0 255.0.0.0 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.8.6.0 255.255.255.0 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.0.0.0 255.0.0.0 inside

http 10.8.6.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.8.6.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.8.6.2-10.8.6.33 inside

dhcpd dns 151.203.0.84 151.202.0.84

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

vpnclient server 10.8.6.0 10.0.0.0

vpnclient mode client-mode

vpnclient vpngroup fnd password ********

vpnclient username fnd password ********

vpnclient enable

terminal width 80

Cryptochecksum:a7e91cb2362ade92b704c61bb06b206d

: end

Thanks, Jorge. Still not sure what I must do to get traffic through the pix.

Jeffrey

Re: Can't access PIX 501 after switch from dsl to cable

You should have been able to browse internet, as access from inside to outside is permitted by default. Can you re-confirm connectivity from the pix itself? Try ping from the pix to 151.203.0.84 as well as 151.202.0.84.

also to ping from inside to outside you need to allow icmp/traceroute .

configure this access list to permit icmp outbound from inside.

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any source-quench

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

access-group outside_access_in interface outside

icmp reference have a look here

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

once you make above change try ping from inside to outside the dns servers ip addresses you previously configured in laptop for example, then try ping by name yahoo.

c:\ping www.yahoo.com which is pingable .

let us know the results.

Regards

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Jorge--

From the Pix console, I was able to ping dns 151.203.0.84 and 151.202.0.84

From the pix console, I was able to ping the yahoo site.

I entered the access-list commands ok.

The "access-group outside_access_in interface outside" failed because pix told me "not enough arguments". I looked over the syntax requirements and I don't see the problem. What am I missing?

From the laptop I am still unable to ping to the outside.

For reference, here is current data:

pixMDC# show route | inc 0.0.0.0

outside 0.0.0.0 0.0.0.0 192.168.1.1 1 DHCP static

pixMDC#

pixMDC#

pixMDC# Show run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password PVSASRJovmamnVkD encrypted

passwd PVSASRJovmamnVkD encrypted

hostname pixMDC

domain-name keene.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any source-quench

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 10.8.6.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.0 255.0.0.0 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.8.6.0 255.255.255.0 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.0.0.0 255.0.0.0 inside

http 10.8.6.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.8.6.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.8.6.2-10.8.6.33 inside

dhcpd dns 151.203.0.84 151.202.0.84

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

vpnclient server 10.8.6.0 10.0.0.0

vpnclient mode client-mode

vpnclient vpngroup fnd password ********

vpnclient username fnd password ********

vpnclient enable

terminal width 80

Cryptochecksum:abc03ad913138c14819a5314e35ce837

: end

pixMDC#

Thanks--

Jeffrey

Re: Can't access PIX 501 after switch from dsl to cable

Sorry I missed ( in )

access-group outside_access_in in interface outside

Please add the above statement and try ping from laptop to the outside dns; make sure your laptop has dns servers configured.

try again

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Thanks Jorge--

That command was accepted.

From laptop I can ping 10.8.6.1 ok

pinging the dns 151.303.0.84 or 151.202.0.84 times out unsuccessfully. yahoo ping also unsuccessful.

Seems there must be some little thing I'm missing.

Jeffrey

Re: Can't access PIX 501 after switch from dsl to cable

pixMDC# show route | inc 0.0.0.0

outside 0.0.0.0 0.0.0.0 192.168.1.1 1 DHCP static

What is the topology? Do you have another router in front of the fw, then cable modem? Or are you connecting straight from fw to cable modem? The fw is getting a private ip for its default route from the upstream isp, which should be a public ip. Can you restart the cable modem and the fw as well?

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Jorge--

I did have the Pix connected to router, 192 168.1.1 for convenience, so I could still get internet wirelessly without having to do lots of wire unplugging and plugging.

I have since changed to topology of comcast modem connected directly to pix which in turn connects directly to laptop.

In this configuration, laptop pings 10.8.6.1 ok, but pix has no connectivity to comcast.

When laptop connected directly to comcast modem,(ie pix removed) the ipconfig /all from laptop reads the following from comcast:

ip 71.192.7.130

mask 255.255.252.0

DG 72.192.11.1

DHCP server 68 87 71 52

DNS 68 87 71 226 and 68 87 73 242

Response to pix# show route | inc 0.0.0.0 is nothing.

For reference, here is show run

pixMDC# show run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password PVSASRJovmamnVkD encrypted

passwd PVSASRJovmamnVkD encrypted

hostname pixMDC

domain-name keene.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any source-quench

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 10.8.6.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.0 255.0.0.0 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.8.6.0 255.255.255.0 0 0

access-group outside_access_in in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.0.0.0 255.0.0.0 inside

http 10.8.6.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.8.6.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.8.6.2-10.8.6.33 inside

dhcpd dns 151.203.0.84 151.202.0.84

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

vpnclient server 10.8.6.0 10.0.0.0

vpnclient mode client-mode

vpnclient vpngroup fnd password ********

vpnclient username fnd password ********

vpnclient enable

terminal width 80

Cryptochecksum:6ca15e834dc867c6f12b46b2bd28a4a8

: end

pixMDC#

pixMDC#

pixMDC#

pixMDC# ping 71.192.7.130

No route to host 71.192.7.130.

Usage: ping [if_name]

pixMDC#

It appears that the pix is not seeing the comcast dhcp signal and latching onto it.

Thanks,

Jeffrey

Re: Can't access PIX 501 after switch from dsl to cable

Jeffrey, the config is good on the firewall, what you need to do is this and try again.

1- Plug the fw outside interface back in directly to the cable modem port

power down the firewall

power down the cable modem

power back on the cable modem wait few seconds until fully up

then power back on the firewall

login to firewall and do show route | inc 0.0.0.0 to make sure is getting default route.

Post results; if negative results we'll try a different approach.

Regards

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Jorge--

I did the above.

the command show route | inc 0.0.0.0 failed to give a response from the console. when I gave the same command via the https connection I received the response "command sent to firewall" and then nothing further.

from the laptop, I can ping 10.8.6.1 but cannot ping through to the outside.

Maybe a hammer placed smartly between the lcd's would help?

Thanks,

Jeffrey

Re: Can't access PIX 501 after switch from dsl to cable

Jeffrey,

Post updated fw config again to see what you have in firewall.

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Jorge--

Here is the show config data

Result of firewall command: "show config"

: Saved

: Written by enable_15 at 10:21:08.192 UTC Mon Dec 15 2008

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password PVSASRJovmamnVkD encrypted

passwd PVSASRJovmamnVkD encrypted

hostname pixMDC

domain-name keene.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any source-quench

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 10.8.6.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.0 255.0.0.0 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.8.6.0 255.255.255.0 0 0

access-group outside_access_in in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.0.0.0 255.0.0.0 inside

http 10.8.6.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.8.6.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.8.6.2-10.8.6.33 inside

dhcpd dns 151.203.0.84 151.202.0.84

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

vpnclient server 10.8.6.0 10.0.0.0

vpnclient mode client-mode

vpnclient vpngroup fnd password ********

vpnclient username fnd password ********

vpnclient enable

terminal width 80

Cryptochecksum:6ca15e834dc867c6f12b46b2bd28a4a8

thanks,

Jeffrey
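
Added example, not part of the original thread and not Cisco code: a small Python audit of the management-plane, Easy VPN and default-route lines from the `show run` and `show route` output posted above. The sample input is constructed from those lines (the password hash is replaced by a placeholder), the check names are hypothetical labels, and the findings are consistency checks, not a diagnosis of the fault discussed in the thread.

```python
import ipaddress
import re

# Constructed sample: security-relevant lines as they appear in the posted
# "show run" / "show route" output; the password hash is a placeholder.
SAMPLE_CONFIG = """\
enable password EXAMPLEHASH0000 encrypted
passwd EXAMPLEHASH0000 encrypted
ip address outside dhcp setroute
ip address inside 10.8.6.1 255.255.255.0
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.8.6.0 255.255.255.0 inside
snmp-server community public
telnet 10.8.6.0 255.255.255.0 inside
telnet timeout 5
vpnclient server 10.8.6.0 10.0.0.0
vpnclient mode client-mode
vpnclient enable
"""
SAMPLE_ROUTE = "outside 0.0.0.0 0.0.0.0 192.168.1.1 1 DHCP static"


def _net(addr, mask):
    """Network from PIX address/mask fields ('0' is shorthand for 0.0.0.0)."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _in_net(addr, network):
    """True if addr parses as an IP inside network (hostnames return False)."""
    try:
        return ipaddress.ip_address(addr) in network
    except ValueError:
        return False


def audit_config(config):
    """Return [(check_id, detail)] for a PIX 6.x configuration text."""
    rows = [line.split() for line in config.splitlines() if line.strip()]
    inside = next((_net(r[3], r[4]) for r in rows
                   if r[:3] == ["ip", "address", "inside"] and len(r) == 5), None)
    vpn_enabled = ["vpnclient", "enable"] in rows
    hashes, findings = {}, []
    for r in rows:
        line = " ".join(r)
        # "http <net> <mask> <if>" / "telnet <net> <mask> <if>" are the
        # management ACLs; "http server enable" and "telnet timeout 5" have
        # three fields and are skipped by the length test.
        if r[0] in ("http", "telnet") and len(r) == 4:
            acl = _net(r[1], r[2])
            if r[0] == "telnet":
                findings.append(("MGMT_CLEARTEXT_TELNET", line))
            if r[3] == "inside" and inside and not acl.subnet_of(inside):
                findings.append(("MGMT_ACL_WIDER_THAN_INSIDE", line))
        elif r[:3] == ["snmp-server", "community", "public"]:
            findings.append(("SNMP_DEFAULT_COMMUNITY", line))
        elif r[:2] == ["enable", "password"] and len(r) >= 3:
            hashes["enable"] = r[2]
        elif r[0] == "passwd" and len(r) >= 2:
            hashes["login"] = r[1]
        elif r[:2] == ["vpnclient", "server"] and vpn_enabled and inside:
            # An Easy VPN server address inside the local inside subnet
            # cannot be a remote head-end.
            findings += [("VPN_SERVER_IN_INSIDE_SUBNET", a)
                         for a in r[2:] if _in_net(a, inside)]
    # PIX 6.x enable/passwd hashes are unsalted: equal hashes, equal passwords.
    if hashes.get("enable") and hashes.get("enable") == hashes.get("login"):
        findings.append(("LOGIN_AND_ENABLE_SHARE_PASSWORD", "enable password / passwd"))
    return findings


def default_route_findings(route_line):
    """Check one 'show route | inc 0.0.0.0' line (empty string if no output)."""
    m = re.match(r"\s*\S+\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)", route_line)
    if not m:
        return [("NO_DEFAULT_ROUTE", route_line.strip())]
    gateway = ipaddress.ip_address(m.group(1))
    # A private next hop means another NAT device sits upstream of the PIX.
    return [("DEFAULT_GW_IS_PRIVATE", str(gateway))] if gateway.is_private else []


if __name__ == "__main__":
    for check_id, detail in audit_config(SAMPLE_CONFIG) + default_route_findings(SAMPLE_ROUTE):
        print(f"{check_id:34} {detail}")
```
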

Re: Can't access PIX 501 after switch from dsl to cable

Jeffrey,

Assuming you connected the PIX outside interface to the cable modem, try this to force it and see what happens. You may want to power cycle the cable modem first before you try the statement below.

pix(config)#ip address outside dhcp setroute retry 10

let me know how it goes.

Regards

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Jorge--

Laptop connected to cable modem, confirmed good dhcp signal

Pix connected directly to cable modem, and both re-powered up, lights on pix on and solid,

I accessed the pix via console and entered in

pix(config)#ip address outside dhcp setroute retry 10

there was no response, ie the pix just showed me the command prompt.

What can be the problem?

Re: Can't access PIX 501 after switch from dsl to cable

Jeffrey,

It is strange .. it should have picked up IP. Can you test with your laptop connecting to cable modem to see if you get dhcp from it?

One question: are you sure you are supposed to be dhcp when connecting to the cable modem, or static public IP?

This is the longest thread I have ever done! Turning into a book :)

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Jorge--

when I connect the laptop directly to the cable modem, and make sure the TCP/IP screens are set for "obtain address automatically" the internet comes up fine.

Then when I plug the same cable from modem into the pix, all the right lcds are lit on the pix, but it doesn't play ball. Yet from the pix console, I can ping to the outside (yahoo). It's as if the signal doesn't navigate its way through the pix. Could this have anything to do with EasyVPN that is turned on?

Or should we revert to factory defaults and rebuild the configuration?

Jeffrey

New Member

Re: Can't access PIX 501 after switch from dsl to cable

Jorge--

Any more thoughts about my PIX? I'm frustrated as I'm sure you are, but something inside the system doesn't seem to be playing according to design.

What to do?

Thanks,

Jeffrey
