
Cannot Ping PIX 525 inside interface

gibsthomas
Level 1

Hi, I cannot ping the e1 interface of a new PIX 525 running V6.35. I configured the e1 address and tried, but I cannot ping the laptop directly connected to it or vice versa. I added an ACL allowing icmp any any and IP any any and applied it to the e1 interface. Still cannot ping. Any clue about why that's happening? I'm suspecting a cable or hardware problem. Does the cable have to be crossover or straight-through? I tried connecting to a switch also, but same result. Interface e1 is up/up and does not show any problem, nor does the log show any info as to why this is happening. Any suggestions appreciated.

Thanks,

GT

12 Replies

jmia
Level 7

If you've got your laptop cable directly connected to the PIX interface then you'll need a cross-over cable, but if you're connecting the PIX ethernet to a switch then you can use straight-through.

Also make sure that you haven't got the Win XP firewall enabled on your laptop when you ping from the PIX to the laptop!! If you issue sho arp on the PIX, can the PIX pick up the inside IP/MAC address of your laptop?

Jay

haithamnofal
Level 3

In addition to verifying that the cable is crossover and no FW is enabled on your PC, make sure that you are on the same subnet as the PIX interface.

Regards,

Haitham

Hi guys, thanks for the reply. I'm using a straight-through cable, so the connection through the switch would have worked. The PIX does see the switch and laptop in its ARP table. I clear arp and then it takes a while for them to appear again. I can ping the switch from my laptop, so I'm not sure if it's a Windows firewall issue. Also, I have all three devices in the same VLAN and subnet.

Are there any other commands we need to allow pings other than ACLs?

m.sir
Level 7

Try the following command:

icmp permit 0 0 inside

M.

a.kiprawih
Level 7

Hi,

The ACL you configured is to allow ICMP to pass through the PIX inside (e1) interface, NOT to ping the inside interface itself.

Use 'icmp permit any inside' to allow any inside/internal host to ping the e1 interface. You can narrow this later by replacing 'any' with your permitted internal address.

Rgds,

AK

I configured icmp permit any inside, icmp permit any echo inside and icmp permit any echo-reply inside, but I still cannot ping the switch or my laptop. Pinging from my laptop to the PIX also does not work. I can see the laptop IP on the PIX when I do show arp.

Do we need to have at least 2 interfaces on the PIX up and running in order to ping the inside interface?

By default (without any ACLs) you should be able to ping the inside interface of the PIX from a LAN device.

As a test take out any ACLs for ICMP and see if this helps.
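The distinction drawn in the replies above (interface ACLs filter traffic passing through the PIX, while `icmp` statements govern pings to the interface itself, which are accepted by default) can be checked against a saved config. This is an added example, not part of the thread: the sample config, addresses and function names are constructed, it handles only the `any` and address/netmask forms, and it assumes first-match evaluation with an implicit deny once any `icmp` statement exists for an interface.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample config (not from the poster's device): an ACL bound to the
# inside interface plus one narrowed to-the-box ICMP rule.
SAMPLE_CONFIG = """\
access-list inside_in permit icmp any any
access-list inside_in permit ip any any
access-group inside_in in interface inside
icmp permit 192.168.1.0 255.255.255.0 echo inside
"""

def parse_icmp_rules(config):
    """Return {interface: [(action, source network, icmp type or None), ...]}."""
    rules = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue  # access-list/access-group lines only filter through-traffic
        action, if_name, rest = tok[1], tok[-1], tok[2:-1]
        if rest[0] == "any":
            net, rest = ANY, rest[1:]
        else:  # address + netmask; "0 0" is shorthand for any
            addr, mask = rest[0], rest[1]
            net = ANY if mask in ("0", "0.0.0.0") else ipaddress.ip_network(
                f"{addr}/{mask}", strict=False)
            rest = rest[2:]
        rules.setdefault(if_name, []).append((action, net, rest[0] if rest else None))
    return rules

def ping_to_interface_allowed(config, src_ip, if_name):
    """Would an ICMP echo from src_ip to the firewall's own interface be accepted?"""
    iface_rules = parse_icmp_rules(config).get(if_name)
    if not iface_rules:
        return True  # no icmp statements for this interface: accepted by default
    src = ipaddress.ip_address(src_ip)
    for action, net, icmp_type in iface_rules:
        if src in net and icmp_type in (None, "echo"):
            return action == "permit"  # first matching statement decides
    return False  # assumption: implicit deny once the interface has icmp statements

if __name__ == "__main__":
    for ip in ("192.168.1.10", "10.0.0.5"):
        print(ip, ping_to_interface_allowed(SAMPLE_CONFIG, ip, "inside"))
```

Under these assumptions the ACL lines never affect the result, and a config whose only statement is `icmp permit any echo-reply inside` would block echo requests to the interface.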

If your PIX is not in production, you can try Ethereal on your PC and "debug icmp tr" on the PIX, then ping from both sides and see what it shows on both boxes. Before you do this, reboot both machines first. Good luck.

Hi,

This PIX is not in production yet and I wanted to upgrade the IOS image before putting it into production. I did wr erase on the PIX and reloaded it to see if it makes any difference. I also included icmp permit any any inside, but I still cannot ping the inside interface.

I don't know if this makes any difference, but this PIX has a Fail-Over license. Do I need to have the active PIX connected if I just want to ping and run TFTP on the inside interface?

Thanks,

GT

mstubbers
Level 1
Accepted Solution

Hello,

A failover-license-only PIX does not function as a normal PIX, so you cannot "test" with it before connecting. Once you connect to your primary PIX it will automatically upgrade the IOS on the failover unit and replicate the config, so none of this is required by you beforehand. I found this process much easier by using the serial cable failover first, completing setup, and then, in my case, I use LAN-based failover, which I later migrated to. Here are a couple of helpful documents you can review. Your software version may require updated documentation.

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/failover.htm#1076500

Hi, thanks for the reply. The active PIX is in production and runs IOS V6.3.4, and this fail-over PIX is running V6.3.5. Will it cause any problems, since the fail-over PIX is running a newer version than the active PIX?

Hi,

Both units should be identical in terms of HW and SW. So, either upgrade your primary or downgrade your secondary.

Good Luck,

Haitham
