My employer is small and wants to use a Failover Only PIX by itself. They had it as part of their network, obviously as a Failover to another PIX. I can connect through the console cable and IP's are in place but I can't ping or tftp to the inside port. I see it up/up.
Please help me and tell me that I need to upgrade to at least a restricted license.
Here is from PIX Configuration Guide:
The PIX Firewall with the FO license is intended to be used solely for failover and not in standalone mode. If a failover unit is used in standalone mode, the unit will reboot at least once every 24 hours until the unit is returned to failover duty.
I know that it will reboot every 24 hours, but what I'm having a problem with is that I can't even ping the inside interface. The laptop and interface are on the same subnet so I should at least get a ping. What am I doing wrong? Should I post my config?
Here it is. As you can see there are a few lines that aren't necessary but I was trying anything.
PIX Version 6.3(4)
interface ethernet0 auto shutdown
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
icmp permit 192.168.0.0 255.255.0.0 inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no ip address outside
ip address inside 192.168.9.135 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.10 255.255.255.255 inside
http 192.168.9.136 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.10 255.255.255.255 inside
telnet 192.168.9.136 255.255.255.255 inside
telnet 192.168.9.104 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username xxxxxxx password xxxxxx encrypted privilege 15
terminal width 80
What is the IP address and subnet mask on your laptop?
Enable the debug " debug icmp trace"
then try to ping see if the PIX does see the icmp and does it reply?
Hope this helps.
IP address on my laptop is 192.168.9.136 255.255.255.0
I did the debug command before and again this time and same thing. 0 responses. I get up/up on the interface and I get a connection on the laptop interface (so I know that electricity is flowing). Does it have to be a crossover cable? I put a linksys workgroup switch between them and got the same result.
Here is my IPconfig for my laptop.
IP Address. . . . . . . . . . . . : 192.168.9.136
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.9.135
Thanks again for your suggestions.
Can you issue the command "interface ethernet1 100full"
And also, plug the PC directly into the inside interface of the PIX firewall.
After that, can you issue the command " sh interface" on the PIX and see if the interface is UP and the protocol is UP.
Gilbert or anyone,
I tried this before and it still didn't work. I tried it again just now and now it shows up/down. I hook it up to the switch and it shows up/up. Ay Caramba!!
Tried it with a whole new server (brand new) same IP address. Interface shows up/up but I still can't ping. I even moved the cable, IP address, and all reference to the inside interface to intf5 (4 port ethernet card is in the PIX) and it still didn't work.
Is anyone 100% sure a Failover ONLY license will work by itself? I'm willing to sell the new license to my bosses IF I know it's that and not them just throwing $400 away and the config was wrong.
The answer is an emphatic no!
You will need to upgrade the license.
Probably not worth it, look at an ASA5505 or 5510.
Mate - you can run this fine (I have one at home ;-) ).
Sounds like your failover is activing like the failover unit - you need to make this the primary, can you enter "failover" in global config, this will then make the unit the primary and this will work ;-)