10-09-2003 07:31 AM - edited 03-09-2019 05:05 AM
I cannot access the PDM anymore. It was working until yesterday. I was repeatedly prompted for a password; I checked & reset the PIX clock to the correct GMT as per the troubleshooting guide (it had lost 8 hours). I still cannot bring up the pdm. Here's some of our configuration:
Cisco PIX Firewall Version 6.1(4)
Cisco PIX Device Manager Version 1.1(2)
Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 000c.85ba.a18b, irq 10
1: ethernet1: address is 000c.85ba.a18c, irq 11
2: ethernet2: address is 0002.b3ca.9e6a, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
ISAKMP peers: Unlimited
Serial Number: 807141699 (0x301c0143)
http server enabled
Thanks in advance.
10-09-2003 10:32 AM
Hi!
With that configuration you can't do anything with the PIX :))
Please give us more details (configuration).
Can you ping the PIX? In what interface are you? Don't you have any ACL applied to that interface? Is the PIX clock up to date?
Regards.
10-09-2003 11:14 AM
I can ping the real address of the pix, and access the web server inside the DMZ from an outside box using the static address for the DMZ, from the inside using the address assigned to the inside interface, from one DMZ box to another. I can run a TTY session and log in to the PIX. The clock is using the correct time (4 hours greater than EST, which is right since we're still under daylight savings), I just can't launch a PDM session. Here's all of my configuration, copied & pasted from a write terminal command:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxencrypted
passwd xxxxencrypted
hostname DWRpix
domain-name ehnr.state.nc.us
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.114.19 Lee
access-list into_outside permit tcp any host 149.168.114.99 eq www
access-list into_outside permit tcp any host 149.168.114.99 eq ftp
access-list into_outside permit tcp host 149.168.114.92 host 149.168.114.99 eq 10945
access-list into_outside permit tcp host Lee host 149.168.114.99 eq 10945
access-list into_outside permit tcp host 149.168.114.92 host 10.1.114.65 eq 10000
access-list into_outside permit tcp host 149.168.114.52 any eq 6101
access-list no_nat_inside permit ip x.x.x.0 255.255.255.0 10.1.114.0 255.255.255.0
access-list no_nat_dmz permit ip x.x.x.0 255.255.255.0 10.2.114.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.2 255.255.255.0
ip address inside 10.2.114.1 255.255.255.0
ip address dmz 10.1.114.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.2.114.90 255.255.255.255 inside
pdm location 10.2.114.91 255.255.255.255 inside
pdm location 10.2.114.92 255.255.255.255 inside
pdm location 10.2.114.93 255.255.255.255 inside
pdm location 10.2.114.94 255.255.255.255 inside
pdm location 10.2.114.95 255.255.255.255 inside
pdm location 10.1.114.60 255.255.255.255 dmz
pdm location x.x.x.96 255.255.255.224 outside
pdm location x.x.x.92 255.255.255.255 outside
pdm location Lee 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.114.100-149.168.114.198
global (outside) 1 x.x.114.199
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 10.2.114.0 255.255.255.0 0 0
nat (dmz) 0 access-list no_nat_dmz
static (dmz,outside) x.x.x.99 10.1.114.60 netmask 255.255.255.255 0 0
access-group into_outside in interface outside
route outside 0.0.0.0 0.0.0.0 149.168.114.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.2.114.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh x.x.x.92 255.255.255.255 outside
ssh x.x.x.96 255.255.255.224 outside
ssh x.x.x.0 255.255.255.0 outside
ssh 10.2.114.90 255.255.255.255 inside
ssh 10.2.114.91 255.255.255.255 inside
ssh 10.2.114.92 255.255.255.255 inside
ssh 10.2.114.93 255.255.255.255 inside
ssh 10.2.114.94 255.255.255.255 inside
ssh 10.2.114.95 255.255.255.255 inside
ssh timeout 5
dhcpd address 10.2.114.100-10.2.114.199 inside
dhcpd dns 149.168.11.11 192.101.21.1
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx
: end
[OK]
I didn't want to include all of this info in a clear text message, but there it is. Do I need to install a newer version of PDM, or just tweak the acl for the inside interface?
thanks.
10-09-2003 11:54 AM
Hi Charles,
1st, is the config you posted above the actual config from the PIX? If so, you have left your network open to abuse. I hope that the above config is not the real config of your PIX.
2nd, what happens if you use a static (reserved) IP for your inside PDM access, i.e.
> http server enable
> http
save with command: write memory
and open up IE on the inside of the above IP address client with https://
Hope this helps and let me know how you get on - Thanks.
10-09-2003 12:44 PM
Still not working - I even issued a clear http, enable http, specified an internal static address with the netmask of all 255's, saved it to memory, and then tried to access the PDM, to no avail.
10-23-2003 08:20 AM
I had the same problem, one day it worked fine, the other day it didn't. Till I cleared the cache (temp files) in MS Internet Explorer, then it worked again.
Still, I don't know if it's a known problem.
Regards
Aad
12-18-2003 07:53 AM
Could you elaborate on how the network is open to abuse? What lines are incorrect, and how would you fix them?
Thanks,
Scott
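As an added illustration, not part of this thread or of Cisco's tooling: a small Python checker that reads a PIX 6.x-style config and reports the kind of management-plane exposure the earlier reply alludes to (a default SNMP community, ssh/http/pdm location statements on the outside interface), and also answers the original PDM question by testing whether a given client address is covered by an `http` statement. The sample config below is constructed in the style of the one posted above (192.0.2.0/24 stands in for the masked outside range); the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample in the style of the PIX 6.x config posted in the thread.
# 192.0.2.0/24 is a documentation range standing in for the masked outside
# addresses; 10.2.114.0/24 is the inside network the thread uses.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.2.114.1 255.255.255.0
pdm location 10.2.114.90 255.255.255.255 inside
pdm location 192.0.2.92 255.255.255.255 outside
http server enable
http 10.2.114.0 255.255.255.0 inside
snmp-server community public
ssh 192.0.2.0 255.255.255.0 outside
ssh 10.2.114.90 255.255.255.255 inside
"""

WEAK_SNMP = {"public", "private"}  # well-known default community strings

def parse_access_lines(config, keyword):
    """Return (network, interface) tuples for lines of the form
    '<keyword> <addr> <mask> <ifname>' (the http / ssh / pdm location syntax)."""
    out = []
    pat = re.compile(rf"^{keyword}\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            addr, mask, ifname = m.groups()
            try:
                out.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), ifname))
            except ValueError:
                continue  # a 'name' alias rather than a literal address; skip it
    return out

def http_allows(config, client_ip):
    """True if an 'http <net> <mask> <if>' statement covers client_ip.
    With 'http server enable' this is what gates PDM (HTTPS) access."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net, _ in parse_access_lines(config, "http"))

def audit(config):
    """List the management-plane exposures a reviewer would flag in this config."""
    findings = []
    for m in re.finditer(r"^snmp-server community (\S+)", config, re.M):
        if m.group(1).lower() in WEAK_SNMP:
            findings.append(f"snmp community '{m.group(1)}' is a well-known default")
    for kw in ("ssh", "http", "pdm location"):
        for net, ifname in parse_access_lines(config, kw):
            if ifname == "outside":
                findings.append(f"{kw} permitted from {net} on outside interface")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the three findings for the sample, and `http_allows(SAMPLE_CONFIG, "10.1.114.60")` to confirm that a DMZ host is not covered by the inside-only `http` statement.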