  1. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #1

    Issues with Cisco PIX 515e

    So, I am trying just to do the initial setup of a Cisco PIX 515e 6.3, and I am hitting a brick wall.

    I got the console up and thought that I had everything configured correctly (like the internal IP and such), but I can't ping to or from it with a crossover cable from inside/ethernet0 to a PC.
    Need some help/advice.
    I would also like to get it set up for management via ASDM.

    It is a base config, nothing else.

    Thanks

  3. Senior Member SubnetZero
    Join Date
    Jan 2012
    Location
    Las Vegas
    Posts
    123

    Certifications
    CCIE #32840 (RS), CCNP, CCNA (RS/SEC), FNCNE, BCNE, MCSE, MCSA, MCTS, MCITP:SA, C|EH, CCA, A+, Network+ [working on CCIE SPv3]
    #2
    What's the security level on your inside interface? It should be set to 100 and named "inside".

    Code:
    pixfirewall# conf t
    pixfirewall(config)# int e0
    pixfirewall(config-if)# ip address 192.168.1.1 255.255.255.0
    pixfirewall(config-if)# nameif inside
    INFO: Security level for "inside" set to 100 by default.
    Code:
    interface Ethernet0
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    Also check "show arp" on the PIX, do you see the PC? Is the firewall enabled on the PC?

  4. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #3
    Interface is set correctly. Named and Security 100.
    No ARP entries.
    No firewall on the PC, it is turned off.

  5. Senior Member SubnetZero
    Join Date
    Jan 2012
    Location
    Las Vegas
    Posts
    123

    Certifications
    CCIE #32840 (RS), CCNP, CCNA (RS/SEC), FNCNE, BCNE, MCSE, MCSA, MCTS, MCITP:SA, C|EH, CCA, A+, Network+ [working on CCIE SPv3]
    #4
    Do you have green link lights?

    Please post the output from the following two commands:

    show run interface
    show interface ip brief

    Thanks

  6. Moderator networker050184
    Join Date
    Jul 2007
    Posts
    11,680

    Certifications
    CCNA, CCNP, CCIP, JNCIA-JUNOS, JNCIS-SP, JNCIP-SP, MCA200
    #5
    Are you sure the cable is good? If you can't get ARP, you aren't going to ping.
    An expert is a man who has made all the mistakes which can be made.

  7. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #6
    Quote Originally Posted by SubnetZero:
    Do you have green link lights?

    Please post the output from the following two commands:

    show run interface
    show interface ip brief

    Thanks
    Yep, link light solid.


    Code:
    PIX# show run interface
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto shutdown
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname PIX
    domain-name MAIN
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no ip address outside
    ip address inside 192.168.1.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    pdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.1 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:bed2c9124913b21045d28930a785d464
    : end

    PIX# show interface ip brief
    Usage: interface <hardware_id> [<hw_speed> [shutdown]]
    [no] interface <hardware_id> <vlan_id> [logical|physical] [shutdown]
    interface <hardware_id> change-vlan <old_vlan_id> <new_vlan_id>
    show interface

  8. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #7
    Quote Originally Posted by networker050184:
    Are you sure the cable is good? If you can't get arp you aren't going to ping.
    Yep, factory made cross over cable.

  9. Senior Member SubnetZero
    Join Date
    Jan 2012
    Location
    Las Vegas
    Posts
    123

    Certifications
    CCIE #32840 (RS), CCNP, CCNA (RS/SEC), FNCNE, BCNE, MCSE, MCSA, MCTS, MCITP:SA, C|EH, CCA, A+, Network+ [working on CCIE SPv3]
    #8
    OK, looks like you're running super old code on that PIX...

    Please post the result from "show interface".

  10. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #9
    So, I looked at the version settings and found this statement:
    "This PIX has a Failover Only License"

    Set the Failover Ip address and now I can ping between.
    What gives?

  11. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #10
    Code:
    PIX> en
    Password:
    PIX# show u interface
    interface ethernet0 "outside" is administratively down, line protocol is down
    Hardware is i82559 ethernet, address is 000d.bdbb.b6c9
    MTU 1500 bytes, BW 10000 Kbit half duplex
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/12 software (0/0)
    output queue (curr/max blocks): hardware (0/0) software (0/0)
    interface ethernet1 "inside" is up, line protocol is up
    Hardware is i82559 ethernet, address is 000d.bdbb.b6ca
    IP address 192.168.1.2, subnet mask 255.255.255.0
    MTU 1500 bytes, BW 100000 Kbit full duplex
    2125 packets input, 171033 bytes, 0 no buffer
    Received 657 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    2161 packets output, 2179625 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/12 software (0/43)
    output queue (curr/max blocks): hardware (0/63) software (0/1)

    PIX# show version
    Cisco PIX Firewall Version 6.3(5)
    Cisco PIX Device Manager Version 3.0(1)
    Compiled on Thu 04-Aug-05 21:40 by morlee
    PIX up 38 mins 53 secs
    Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
    Flash E28F128J3 @ 0x300, 16MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
    0: ethernet0: address is 000d.bdbb.b6c9, irq 10
    1: ethernet1: address is 000d.bdbb.b6ca, irq 11
    Licensed Features:
    Failover: Enabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    Maximum Physical Interfaces: 6
    Maximum Interfaces: 10
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited
    This PIX has a Failover Only (FO) license.
    Serial Number: 807333777 (0x301eef91)
    Running Activation Key: 0xf69b4354 0x57e53122 0xc84bc0e0 0xfc9d5cf9
    Configuration last modified by enable_15 at 16:48:51.907 UTC Thu Feb 9 2012

    PIX# show ri un
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto shutdown
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname PIX
    domain-name MAIN
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no ip address outside
    ip address inside 192.168.1.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    failover ip address inside 192.168.1.4
    pdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.1 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:7152eb4962675a1e97ada571a58be396
    : end
    PIX#
    Last edited by kmcintosh78; 02-09-2012 at 05:25 PM. Reason: Correction

  12. Senior Member SubnetZero
    Join Date
    Jan 2012
    Location
    Las Vegas
    Posts
    123

    Certifications
    CCIE #32840 (RS), CCNP, CCNA (RS/SEC), FNCNE, BCNE, MCSE, MCSA, MCTS, MCITP:SA, C|EH, CCA, A+, Network+ [working on CCIE SPv3]
    #11
    Your PIX is in failover mode

    Code:
    pixfirewall(config)# no failover

  13. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #12
    Quote Originally Posted by SubnetZero:
    Your PIX is in failover mode

    Code:
    pixfirewall(config)# no failover
    Did that, removed the failover IP statement and now link is down.

    Putting the failover IP statement back, ping and arp good.

  14. Senior Member SubnetZero
    Join Date
    Jan 2012
    Location
    Las Vegas
    Posts
    123

    Certifications
    CCIE #32840 (RS), CCNP, CCNA (RS/SEC), FNCNE, BCNE, MCSE, MCSA, MCTS, MCITP:SA, C|EH, CCA, A+, Network+ [working on CCIE SPv3]
    #13
    That's odd, it worked for me. Basically I just ran the "no failover" command and then set the IP under the interface. You may also think about clearing the config out and starting fresh?

    Code:
    pixfirewall# write erase 
    Erase configuration in flash memory? [confirm]

  15. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #14
    Quote Originally Posted by SubnetZero:
    That's odd, it worked for me. Basically I just ran the "no failover" command and then set the IP under the interface. You may also think about clearing the config out and starting fresh?

    Code:
    pixfirewall# write erase 
    Erase configuration in flash memory? [confirm]
    Could it be an issue with the 6.3 version?

  16. Moderator networker050184
    Join Date
    Jul 2007
    Posts
    11,680

    Certifications
    CCNA, CCNP, CCIP, JNCIA-JUNOS, JNCIS-SP, JNCIP-SP, MCA200
    #15
    I believe the "failover only" license means that it can only be used as the standby device in a pair when the other device has the licensing you need. So it must be in failover mode, but I'm not sure what kind of restrictions you will run into if you don't have another licensed device to link it with.
    An expert is a man who has made all the mistakes which can be made.

  17. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #16
    Quote Originally Posted by SubnetZero:
    That's odd, it worked for me. Basically I just ran the "no failover" command and then set the IP under the interface. You may also think about clearing the config out and starting fresh?

    Code:
    pixfirewall# write erase 
    Erase configuration in flash memory? [confirm]
    What about the statement from the show version command: "This PIX has a Failover Only License"
    Does that then mean that it will only operate as a failover?

  18. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #17
    Quote Originally Posted by networker050184:
    I believe the "failover only" license means that it can only be used as the standby device in a pair when the other device has the licensing you need. So it must be in failover mode, but I'm not sure what kind of restrictions you will run into if you don't have another licensed device to link it with.

    Yep, numerous Cisco Tech Notes state it requires a License Key upgrade.

    OK, thanks for the help guys.
    Learned a lot just from this and from you both.
    I appreciate the responses.

  19. Moderator networker050184
    Join Date
    Jul 2007
    Posts
    11,680

    Certifications
    CCNA, CCNP, CCIP, JNCIA-JUNOS, JNCIS-SP, JNCIP-SP, MCA200
    #18
    You might be able to trick it into thinking it's the standby and the primary has failed. Not sure how that will work for you though.
    An expert is a man who has made all the mistakes which can be made.

  20. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #19
    Quote Originally Posted by networker050184:
    You might be able to trick it into thinking it's the standby and the primary has failed. Not sure how that will work for you though.
    From what I have read, I might be able to do that, if I had the paired unit it shared the license key with.
    But, I don't.

    It is for a side-job project, where the customer did not really consult me first.
    So, back to the purchasing board for him.

    That show version statement stuck out like a sore thumb, and if I had reviewed the device before purchase, I would have walked away.

    Thanks again guys.

  21. Senior Member SubnetZero
    Join Date
    Jan 2012
    Location
    Las Vegas
    Posts
    123

    Certifications
    CCIE #32840 (RS), CCNP, CCNA (RS/SEC), FNCNE, BCNE, MCSE, MCSA, MCTS, MCITP:SA, C|EH, CCA, A+, Network+ [working on CCIE SPv3]
    #20
    Quote Originally Posted by networker050184:
    I believe the "failover only" license means that it can only be used as the standby device in a pair when the other device has the licensing you need. So it must be in failover mode, but I'm not sure what kind of restrictions you will run into if you don't have another licensed device to link it with.
    Yup you're spot on, good catch

  22. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #21
    Quote Originally Posted by SubnetZero:
    Yup you're spot on, good catch
    Don't take this the wrong way, but I feel pretty damn good right now, having caught that.
    While I learn something new every day from my team lead, who is a CCIE, I always feel good, and it justifies my skills and abilities, to catch something that is missed by people who have been in the game longer than I.

    Again, I truly appreciate the help from you and networker050184.

    Thanks again.

  23. Senior Member JeanM
    Join Date
    Mar 2012
    Location
    California
    Posts
    1,105

    Certifications
    CCNA, MCP, S+, N+, A+
    #22
    set up a default route

    then #failover active

    that worked for me.

  24. Junior Member Registered Member
    Join Date
    Apr 2013
    Posts
    1
    #23
    You can simply define the failover IP address in your config for the inside and outside interfaces, as shown in the example below.
    It will solve the issue.

    failover ip address inside a.b.c.d

    and your ping will start working.
