cisco PIX 506e

newkid123

Hello Everyone

I have a small network at home, which consists of a Linksys cable modem, a Linksys wireless router, 2 desktops connected directly to the wireless router and 2 other desktops which are connected through the wireless router. Now I would like to add a Cisco PIX 506e firewall to my network. I am very new to Cisco networking, and I would appreciate it if someone could let me know how to set this PIX back to original factory default. I do not know any password.

Thanks
newkid123
 
Here is the config screen for the wireless router:

Lan IP address
Device IP Address:
Subnet Mask:

Wan Connection Type: Static IP
Wan IP:
Subnet Mask:
Default Gateway Address:
DNS(required):1.
2.
3.

For device IP address I put 192.168.250.0
For subnet 255.255.255.0
For Wan IP:192.168.233.2
For default gateway:192.168.233.1

I am getting an error after device IP address (192.168.250.0), and the error is: IP value is out of range

 
Yes, you can't have an IP address of 192.168.250.0. That is the network. All you need to do is make it 192.168.250.1.

Can you post the config of the pix?
Also, is the ip address given to you by your isp a static one or is it dhcp?
Can you ping 68.48.48.1 from the pc attached to the switch?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent

Here is the update:

From pix :
I can ping 68.48.50.237
I can not ping 68.48.48.1
I can not ping my PC 192.168.233.10.

From PC:
I can ping pix 192.168.233.1
I can not ping 68.48.50.237
I can not ping 68.48.48.1

Therefore I can not access Internet from any PCs, they do get the IP address from pix.

and here is the summary of the pix config:


interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 68.48.50.237 255.255.248.0
ip address inside 192.168.233.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 68.48.48.1 1
route inside 192.168.250.0 255.255.255.0 192.168.233.2 1
http server enable
http 192.168.233.0 255.255.255.0 inside
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.233.0 255.255.255.0 inside
telnet 192.168.250.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.233.10-192.168.233.254 inside
dhcpd dns 68.87.73.242 68.87.71.226
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

The IP address from my ISP is a dynamic IP address, it should change weekly.

Thanks
newkid123
 
Comcast is my ISP, and they do not provide static IP addresses to residential customers.
 
Try this for your outside interface:

no ip address outside 68.48.50.237 255.255.248.0

ip address outside dhcp setroute

This will allow your outside interface to retrieve an IP address and default route from your ISP.

So the beginning of your network should be:

cable modem --> e0 PIX --> INSIDE NETWORK

Power down the cable modem for 10 minutes after you do this. Bring it back up. Log into the pix and do a "sh ip address"; you should see an IP assigned.

Free Firewall/Network/Systems Support-
 

What do you mean by:
cable modem --> e0 PIX --> INSIDE NETWORK

Here is the current cable installation:

cable modem ----> pix e0

pix e1 ----> switch

switch ----> linksys wireless router

two PCs ----> switch

 
That will work. You just need to do what I said earlier in order for your outside address to get a valid IP. I have the same setup at my home.

Free Firewall/Network/Systems Support-
 
I followed your instructions, and somehow it is not working.
I am still unable to access the Internet from the PCs, and now I get this error on the pix:

dhcp failed to add default route entry, allocated IP address:68.48.59.241

netmask:255.255.248.0
gateway:68.48.56.1
 
Make sure you remove the existing default route in the config.

Do:

sh route

should see route like

route outside 0.0.0.0 0.0.0.0 x.x.x.x

remove it.

no route outside 0.0.0.0 0.0.0.0 x.x.x.x

then reload


Free Firewall/Network/Systems Support-
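
Added example (not part of the original thread): a small Python check for the conflict described in the reply above, where a leftover static default route sits on an interface set to "dhcp setroute". The function names are hypothetical, the sample config is constructed from lines posted in this thread, and the lease values come from the posted error message.

```python
import ipaddress

# Constructed sample: routing-relevant lines of the PIX 6.3 config posted in this
# thread, after the outside interface was switched to "dhcp setroute".
SAMPLE_CONFIG = """\
ip address outside dhcp setroute
ip address inside 192.168.233.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 68.48.48.1 1
route inside 192.168.250.0 255.255.255.0 192.168.233.2 1
"""

def dhcp_setroute_interfaces(config):
    """Interfaces configured with 'ip address <if> dhcp setroute'."""
    found = set()
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "address"] and parts[3:5] == ["dhcp", "setroute"]:
            found.add(parts[2])
    return found

def static_default_routes(config):
    """(interface, gateway) for each 'route <if> 0.0.0.0 0.0.0.0 <gw>' line."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route" and parts[2:4] == ["0.0.0.0"] * 2:
            routes.append((parts[1], ipaddress.ip_address(parts[4])))
    return routes

def audit(config, lease_ip=None, lease_mask=None):
    """Hypothetical helper: list default-route problems as readable findings."""
    lease_net = None
    if lease_ip and lease_mask:
        # strict=False accepts the host address and returns its subnet.
        lease_net = ipaddress.ip_network(f"{lease_ip}/{lease_mask}", strict=False)
    dhcp_ifs = dhcp_setroute_interfaces(config)
    findings = []
    for iface, gw in static_default_routes(config):
        if iface not in dhcp_ifs:
            continue  # a static default route is normal on a statically addressed interface
        findings.append(f"static default route via {gw} on {iface} conflicts with dhcp "
                        f"setroute; remove it with: no route {iface} 0.0.0.0 0.0.0.0 {gw}")
        if lease_net is not None and gw not in lease_net:
            findings.append(f"gateway {gw} is not inside the leased subnet {lease_net}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "68.48.59.241", "255.255.248.0"):
        print(finding)
```

Run against the sample, it reports both the stale route and that its gateway lies outside the subnet the DHCP lease was issued in.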
 
can anybody help me on this?

I am still unable to access Internet from PC.


Thanks
 
Re-post your config.

Connect a pc to the switch and the switch to the pix.

1. Can you ping a remote site (ie. google.com or cisco.com) from the pix?
2. Does the pc get an ip address from the pix?
3. Can the pc ping the pix?
4. Can the pc ping the site #1?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
"dhcp failed to add default route entry, allocated IP address:68.48.59.241

netmask:255.255.248.0
gateway:68.48.56.1"

That was part of your problem. Like Grrover said, post a config. Also post a "sh int e0" and "sh route".

Free Firewall/Network/Systems Support-
 
Good morning guys,

I have one hell of a problem.
I have been pulling my hair out for several days now on this one.
I have the same problem that you guys were talking about.
I bought a pix 501 and have no password....
When I boot the bastard in monitoring mode and I do the tftp trick I get the same error as you.
tftp np63.bin@192.168.1.101
TFTP failed (return:-1 arg:0x0)

I have done all I could think of for several days and no luck; I would be so happy to have some feedback from you guys.

Best regards Lars de Mooy.
 
Hello NetworkGhost & SuperGrrover

Here is more info:

pix101# sh int e0
interface ethernet0 "outside" is up, line protocol is down
Hardware is i82559 ethernet, address is 0013.80b7.4510
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
9 packets output, 5310 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
9 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)

pix101# sh route
outside 0.0.0.0 0.0.0.0 68.48.48.1 1 OTHER static
inside 192.168.233.0 255.255.255.0 192.168.233.1 1 CONNECT static
inside 192.168.250.0 255.255.255.0 192.168.233.2 1 OTHER static


Still no connection
Thanks
Newkid123
 
here is my config:
pix101# show run
: Saved
:
PIX Version 6.3(4)nside secu
interface ethernet0 autop protoco
D
interface ethernet1 auto
pix101(conf
nameif ethernet0 outside security0te
nameif ethernet1 inside security100 80
pix101(co

B
hostname pix101
Cryp
fixup protocol dns maximum-length 512
fixup protocol sip
fixup protocol ftp 21
[OK]
pix101
fixup protocol h323 h225 1720


ip audi
f
fixup protocol skinny 2000-1719
fixup protocol smtp 25g infor
fixup protocol sqlnet 1521
pdm
fixup protocol tftp 69rror
names
arp
pager lines 24
logging onotocol rsh
logging timestampinterfac
logging buffered notifications
fixup protocol rtsp 554
mtu outside 1500
nat (inside
mtu inside 1500
fixup p
ip address outside dhcp setroute
fixup protocol sip udp 50
ip address inside 192.168.233.1 255.255.255.0p protocol skinny 200068.250.0 255.255.255.0
ip audit info action alarm
ip audit attack actio
aaa-server RADIUS protoc
timeout xlate 0:05:00ional 100
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
arp timeout 14400
aaa-serve
globa
aaa-server LOCAL protocol local
http server enable
http 192.168.233.0 255.255.255.0 inside
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.233.0 255.255.255.0 inside
telnet 192.168.250.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.233.10-192.168.233.254 inside
dhcpd dns 68.87.73.242 68.87.71.226
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
pix101#


Thanks
Newkid123
 
Wait. It looks like you are at an enable prompt.

"interface ethernet0 "outside" is up, line protocol is down"

Means that either there is a physical cable problem " 9 lost carrier" or you need to adjust your duplex/speed settings. Is this the case? Do you not need password recovery?

Free Firewall/Network/Systems Support-
 
I agree, hard set your interface speed.
"BW 10000 Kbit half duplex" - The pix falls back to this if it can't negotiate the speed/duplex.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hello Guys

I think we have to go back to basics, something is not right, here is the latest update:


pix101# sh route
outside 0.0.0.0 0.0.0.0 68.48.48.1 1 OTHER static
inside 192.168.233.0 255.255.255.0 192.168.233.1 1 CONNECT static
inside 192.168.250.0 255.255.255.0 192.168.233.2 1 OTHER static

pix101# sh int e0
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0013.80b7.4510
MTU 1500 bytes, BW 100000 Kbit full duplex
36974 packets input, 2253134 bytes, 0 no buffer
Received 36974 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
405 packets output, 238950 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
9 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/1) software (0/1)

pix101# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix101
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging timestamp
logging buffered notifications
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.233.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 68.48.48.1 1
route inside 192.168.250.0 255.255.255.0 192.168.233.2 1
timeout xlate 0:05:00
aaa-server LOCAL protocol local
http server enable
http 192.168.233.0 255.255.255.0 inside
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.233.0 255.255.255.0 inside
telnet 192.168.250.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.233.10-192.168.233.254 inside
dhcpd dns 68.87.73.242 68.87.71.226
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:e0a724de1714771ddc2e3dcebdd70178
: end
pix101#


If you think there is no solution to this, just let me know and I will stop everything and not write anymore.

Thanks
 