Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

cannot get 515E to operate

Status
Not open for further replies.

mikelehnert

Technical User
Oct 17, 2002
14
US
I have a 515E that I am trying to get functioning. It's intended use is to isoloate a University dept from the rest of campus and the internet.Initially I would like to open it up to any type of traffic from both the inside and the outside interface. At this point nothing passes thru in either direction.

Pleas help, I am new here and need to get this working. Here is the current config file

: Saved
: Written by enable_15 at 14:41:27.096 CDT Tue May 20 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Cs.iyusd8iMa0zvR encrypted
passwd dVyxMh5AOSXjcWiv encrypted
hostname ISPIX
domain-name is.uwlax.edu
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit tcp any any
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
interface ethernet0 auto
interface ethernet1 auto
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 138.49.38.239 2
ip address inside 138.49.24.1 255.255.255.240 Turn on privileged commands
ip verify reverse-path interface outside Help list
lo
ip verify reverse-path interface insider
ip audit info action alarmfrom current user profile,
ip audit attack action alarm drop
pdm location 138.49.24.2 255.255.255.255 insideontrol page length for pagination
pdm location 138.49.132.1 255.255.255.255 inside Quit from the current mode, end configuratio
pdm location 138.49.0.0 255.255.0.0 inside
IS
pdm location 138.49.132.1 255.255.
Invalid password
Password:
pdm location 138.49.34.112 255.255.255.255 outside
Invalid password
Access
pdm location 138.49.24.0 255.255.255.0 inside
Password: *****
Invalid pas
pdm logging warnings 100sword:
Invalid
pdm history enable

route inside 138.49.24.0 255.255.255.0 138.49.24.2 1
nameif ethernet1 inside secu
timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
passwd dVyxMh5AOSXjcWiv encrypted
hostname
p 0:30:00 sip_media 0:02:00ame is.uwlax.edu
timeout uauth 0:05:00 absoluteT -6
cloc
aaa-server TACACS+ protocol tacacs+
fixup protoc
aaa-server RADIUS protocol radiusup protocol http 80
aaa-server LOCAL protocol local5 1720
http server enabl
telnet 138.49.132.1 255.255.255.255 outsideny
telnet 138.49.34.112 255.255.255.255 outsidecmp any any
telnet 138.49.24.2 255.255.255.255 insides_in permit udp any any
telnet timeout 5
ac
ssh timeout 5ide_access_in
terminal width 80y
Cryptochecksum:79f43c99bf492a5b4600e276c9bb1812
logging on
logging moni
ISPIX#nings
ISPIX#
ISPIX#
lo
ISPIX#uffere
ISPIX#ngs

CISCO SYSTEMS PIX FIREWALLface ethernet0 auto
00 07 01 8086 7111 IDE Controllererse-path interface inside
00 07 02 8086 7112 Serial Bus 9arm
ip audit attack a
00 07 03 8086 7113 PCI Bridge
pdm location 138.49.24.2
00 0D 00 8086 1209 Ethernet 11
pdm location 138.49.132.1 2
00 0E 00 8086 1209 Ethernet 10
pdm location 138.49.0.0 255

Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 20n 138.49.132.1 255
Use SPACE to begin flash boot immediately.
pdm history enable
Reading 1536512 bytes of image from flash.ic (inside,outside) 138.49.0.0 138.49.0.0
################################################################################
access-group outside_access_in in interface outside
##
32MB RAM
System Flash=E28F128J3 @ 0xfff00000.0.0.0 138.49.32.1 1
BIOS Flash=am29f400b @ 0xd8000ute inside 138.49.24.0 255.255
mcwa i82559 Ethernet at irq 11 MAC: 000b.5fea.c17a
timeout xlate 3:00:00
mcwa i82559 Ethernet at irq 10 MAC: 000b.5fea.c1790 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

---------------------------------------------------------------------0:30:00 sip_media 0:02:00


..:||||||:..:||||||:..24.2 255.255.255.255 inside
c i s c o S y s t e m sment - Wing
Private Internet eXchange
snmp-server community ISPIX515TN
-----------------------------------------------------------------------
floodguard enable
no sysopt rout
Cisco PIX Firewall.255 outside

Cisco PIX Firewall Version 6.2(2)255.255.255.255 outside
Licensed Features:
te
Failover: Disabled255 inside
VPN-DES: Enabledet timeout 5
URL-filtering: Enabled
Inside Hosts: Unlimitede is i82559 ethernet, address
Throughput: Unlimited
IKE peers: Unlimited38.49.38.239, subnet mask 255


****************************** Warning *******************************bytes, BW 100000 Kbit half duplex
Compliance with U.S. Export Laws and Regulations - Encryption.
Rece

This product performs encryption and is regulated for export
0 input errors, 0 CRC, 0
by the U.S. Government.d, 0 abort

This product is not authorized for use by persons located 1873 packets output, 112380 by
This product may not be exported outside the U.S. and Canada(curr/max blocks): hardware (128/128) software (0/1)
either by physical or electronic means without PRIOR approval output queue (curr/max block
of Cisco Systems, Inc. or the U.S. Government.uffer
or transfer this product by either physical or electronic means
0 input e
without prior approval of Cisco Systems, Inc. or the U.S.
Government.ackets output
******************************* Warning ******************************* 0 output errors, 0 collisions, 0 interface resets

Copyright (c) 1996-2002 by Cisco Systems, Inc. 0 babbles, 0 late collisions, 0 deferred

Restricted Rights Legend
0 lost carrier, 0 no carrier

Use, duplication, or disclosure by the Government is (curr/max blocks): hardware (128/128) software (0/1
subject to restrictions as set forth in subparagraph
output queue (curr/max
(c) of the Commercial Computer Software - Restricted
nameif ethernet0 ou
Software clause at DFARS sec. 252.227-7013.
nameif ethernet1 inside security100

Cisco Systems, Inc.ble password Cs.iyusd8iMa0zvR encry
170 West Tasman Drive
passwd dVyxMh5AOSXjcWiv encr
San Jose, California 95134-1706ISPIX
domain-name is.uwlax.edu

.
Cryptochecksum(unchanged): 79f43c99 bf492a5b 4600e276 c9bb1812ock summer-time CDT recurring
f
Type help or '?' for a list of available commands.tocol http 80
fixup protocol
ISPIX>225 17

ISPIX>
ISPIX> enable
fixup pro
Password: ***********19
ISPIX# sho confixup protocol i
: Saved
: Written by enable_15 at 14:41:27.096 CDT Tue May
fixup protocol rtsp 55
domain-name is.uwlax.edu
acc
clock timezone CST -6s_in permit udp any a
clock summer-time CDT recurring
access-list
fixup protocol ftp 21it tcp any any
fixup protocol http 80
pag
fixup protocol h323 h225 1720ing on
logging moni
fixup protocol h323 ras 1718-1719
logging buffered warnings
fixup protocol ils 389terface ethernet0 auto
fixup protocol rsh 514
interface ethernet1
fixup protocol rtsp 554
icmp permit any ou
fixup protocol smtp 25
icmp permit any
fixup protocol sqlnet 1521
mtu outside 1500
fixup protocol sip 5060

icmp permit any outside
pdm l
icmp permit any inside5.255.255.255 outside
mtu outside 1500
mtu inside 1500pdm location 13
ip address outside 138.49.38.239 255.255.248.0
pdm loc
ip address inside 138.49.24.1 255.255.
static (inside,outside) 138.49.0.0 138
ip audit info action alarm 0 0
ip audit attack action alarm drop
access-group outsid
pdm location 138.49.24.2 255.255.255.255 inside
route outsi
pdm location 138.49.132.1 255.255.255.255 inside
route inside 138.49.2
pdm location 138.49.0.0 255.255.0.0 inside
t
pdm location 138.49.132.1 255.255.255.255 outsideconn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc
pdm location 138.49.34.112 255.255.255.255 outside
pdm location 138.49.24.0 255.255.255.0 inside
route inside 138.49.24.0 255.255.255.0 138.49.24.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 138.49.24.2 255.255.255.255 inside
snmp-server location IS Department - Wing
snmp-server contact Dan Abts
snmp-server community ISPIX515TN
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 138.49.132.1 255.255.255.255 outside
telnet 138.49.34.112 255.255.255.255 outside
telnet 138.49.24.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:79f43c99bf492a5b4600e276c9bb1812
 
Here is the config file without all the other garbage
ISPIX# sho conf
: Saved
: Written by enable_15 at 14:41:27.096 CDT Tue May 20 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Cs.iyusd8iMa0zvR encrypted
passwd dVyxMh5AOSXjcWiv encrypted
hostname ISPIX
domain-name is.uwlax.edu
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit tcp any any
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
interface ethernet0 auto
interface ethernet1 auto
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 138.49.38.239 255.255.248.0
ip address inside 138.49.24.1 255.255.255.240
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm drop
pdm location 138.49.24.2 255.255.255.255 inside
pdm location 138.49.132.1 255.255.255.255 inside
pdm location 138.49.0.0 255.255.0.0 inside
pdm location 138.49.132.1 255.255.255.255 outside
pdm location 138.49.34.112 255.255.255.255 outside
pdm location 138.49.24.0 255.255.255.0 ins
pdm logging warnings 100
pdm history enable
arp timeout 14400
static (inside,outside) 138.49.0.0 138.49.0.0 netmask 255.255.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 138.49.32.1 1
route inside 138.49.24.0 255.255.255.0 138.49.24.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 138.49.24.2 255.255.255.255 inside
snmp-server location IS Department - Wing
snmp-server contact Dan Abts
snmp-server community ISPIX515TN
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 138.49.132.1 255.255.255.255 outside
telnet 138.49.34.112 255.255.255.255 outside
telnet 138.49.24.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:79f43c99bf492a5b4600e276c9bb1812
 
You shouldnt post the encrypted password or your ip. Someone can copy and paste the encrypted password and get in. You might want to change it.
 
mikelehnert,

You don't have a "nat" or "global" statement in the configuration. Given that, the PIX doesn't know how to move packets from the inside to the outside. These statements determine if the PIX uses real IPs (which I think you want), NAT (Network Address Translation), or PAT (Port Address translation).

I suggest loading PDM (PIX Device Manager) and then doing a "write erase" and "reload". On a blank PIX you'll be prompted to build a config first at the command line, and then you can complete the configuration via PDM.

Liberty for All,

Brian
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top