
PDM unreachable in PIX 501

Status
Not open for further replies.

N0Tworking

Technical User
Dec 22, 2002
6
US
Hello,

First off, I've never configured a Cisco PIX firewall before. I have configured a Cisco 2500 series router and am familiar with the Cisco CLI.

I am trying to open up PDM on my PIX 501 firewall using IE on a beater Win 98 desktop PC. My Java version is current. I do have PDM pre-loaded, as shown when I did a "show ver". I am consoled into it with no problem using the rollover cable on serial A.
I have an Ethernet cable inserted into the E1 port with dual green flashing LEDs on both it and the NIC.

My question to any of you is: what would cause me not to get PDM activated through my browser? I can't ping it. Is it an IP thing? I have no device conflicts in Device Manager. These instructions that came with it are sort of vague (i.e. no troubleshooting help). I've been at this all day and am getting tired of surfing around for clues. I did manage to find a PDF troubleshooting guide online, but everything was as it said it was supposed to be when I checked it out. I'm stumped here... any ideas?

Thanks,
NOTworking
 
Hi,

1) You can't ping the PIX because ICMP is not allowed by default.
2) Have you tried connecting to the PIX with a crossover Ethernet cable, or with a hub or switch between your computer and the PIX?
3) To open PDM you have to use a secure HTTP (HTTPS) connection (with mypix = IP number).

HTH

Fritjof
 
Fritjof,

Thanks for the response! I do have a crossover cable plugged into the PIX e0 port and into my PC NIC. I've tried the decimal IP number with no luck. Should I somehow tweak the ICMP feature to open the port up?

Thanks,
N0Tworking
 
Make sure DES is enabled by doing a "show vers".
Make sure you have the following lines in the PIX config:
"http server enable"
"http <ip addr network> <netmask> inside"

If it doesn't work, from the (config)# prompt, type "ca zeroize rsa"

hope this helps,
-gbiello
 
HI.

Don't worry about the ICMP things. By default the PIX will allow you to ping its internal interface.

Some problems with PDM are related to the browser. Maybe you have tweaked some security or other settings in IE that block PDM (Java)?
Try with a different workstation.

You should be able to ping the PIX from the workstation and vice versa.
If not, check IP addressing on both the PIX and the workstation.

Check the PIX configuration - your workstation IP address should be specified to allow it to use PDM.

You can either clear the PIX configuration and start fresh, or restore to factory defaults.
To start "fresh" with no config, issue the commands:
write erase
reload

To restore factory defaults for the PIX 501, use the commands:
configure factory-default
reload

Note that by factory default the PIX 501 acts as a DHCP server on the "inside" - so don't just plug it into an active network without reconfiguration.

Here are some commands to help you around:
show config (like "show start")
write term (like "show run")
show ?

And some useful links:

Bye
Yizhar Hurwitz
 
Yizhar and Gbiello,

Thanks for the advice. I think one of the things I don't understand is what to give as an IP address for both the web browser and the inside PIX. Are these both the exact same IP, or are they both in the same subnet (i.e. 192.168.0.1 browser - 192.168.1.1 inside PIX IP)? I have the inside PIX at 192.168.1.1. As for the web browser, I don't know how to check it for sure. I believe that would be my TCP/IP settings in Network properties? If so, then I have that automatically assigned. Also, when I console in and do a "show tech", I see that I have HTTP enabled: HTTP 192.168.1.1 255.255.255.0 inside. Mind you, this is for a bigger network, not here in my home on my peer-to-peer. It is consoled into my Win 98 beater PC and crossovered into my NIC from e1 on the PIX.


I know this is going to boil down to one small stupid config I missed as to why I can't use the PDM. Aside from using the PDM, does anyone know where I can find a basic setup config for a small network using this 501 PIX?

Thanks,
N0Tworking

 
> I have the inside pix at 192.168.1.1
Therefore, browse to the inside interface of the PIX.

> HTTP 192.168.1.1 255.255.255.0 inside
Should be "HTTP 192.168.1.0 255.255.255.0 inside". I don't know if it will cause a problem as you have it or not, but you should fix it.

If this doesn't help, do a "write term" and "show vers" and paste the results.

-gbiello
 
Gbiello,
O.K., here are my results from show ver, show term and even show tech.

Please let me know what you see wrong!

Thanks,
NOTworking

..........................................

Pixfirewall# show ver

Cisco PIX Firewall Version 6.1(4)
Cisco PIX Device Manager Version 1.1(2)

Compiled on Tue 21-May-02 08:40 by morlee

Pixfirewall up 5 mins 52 secs

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000a.f4d5.f20a, irq 9
1: ethernet1: address is 000a.f4d5.f20b, irq 10

Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Inside Hosts: 10
Throughput: Limited
ISAKMP peers: 5

Serial Number: 806390141 (0x3010897d)
Activation Key: 0x952766b8 0x6a2f71cc 0x3a170e2b 0xab1e0497


Pixfirewall# show term

Width = 80, monitor

Pixfirewall# show tech

Cisco PIX Firewall Version 6.1(4)
Cisco PIX Device Manager Version 1.1(2)

Compiled on Tue 21-May-02 08:40 by morlee

Pixfirewall up 6 mins 7 secs

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000a.f4d5.f20a, irq 9
1: ethernet1: address is 000a.f4d5.f20b, irq 10

Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Inside Hosts: 10
Throughput: Limited
ISAKMP peers: 5

Serial Number: 806390141 (0x3010897d)
Activation Key: 0x952766b8 0x6a2f71cc 0x3a170e2b 0xab1e0497

------------------ show config (run time) ------------------

:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Pixfirewall
domain-name fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset shutdown
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 127.0.0.1 255.255.255.255
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:f3df2483bf14c6a33c01f972f4594efd

------------------ show blocks ------------------

SIZE MAX LOW CNT
4 1600 1600 1600
80 400 400 400
256 500 500 500
1550 932 676 676

------------------ show interface ------------------

interface ethernet0 "outside" is administratively down, line protocol is down
Hardware is i82559 ethernet, address is 000a.f4d5.f20a
IP address 127.0.0.1, subnet mask 255.255.255.255
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000a.f4d5.f20b
IP address 192.168.1.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit full duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)

------------------ show process ------------------


PC SP STATE Runtime SBASE Stack Process
Hsi 8007a8b2 80833bd8 8047fe90 0 80832c18 4008/4096 arp_timer
Lsi 8007e083 80856ccc 8047fe90 0 80855d10 4004/4096 FragDBGC
Lwe 8000c158 8085a1c0 804835b0 0 80859300 3760/4096 dbgtrace
Lwe 8016196a 8085c33c 8045d9e0 0 8085a390 8092/8192 Logger
Hwe 80164d07 8085f3e8 8045dc90 0 8085d428 8092/8192 tcp_fast
Hwe 80164c8f 80861474 8045dc90 0 8085f4b8 8088/8192 tcp_slow
Lsi 800cb39e 8086c4c0 8047fe90 0 8086b500 4008/4096 xlate clean
Lsi 800cb2c4 8086d54c 8047fe90 0 8086c590 4004/4096 uxlate clean
Mwe 800c892d 8088344c 8047fe90 0 80881480 8008/8192 tcp_intercept_timer_process
Lsi 801a020a 80890ed8 8047fe90 0 8088ff18 3908/4096 route_process
Hsi 800bb019 80891f64 8047fe90 1230 80890fa8 3884/4096 Hosts conn cleaner
Hwe 800923f1 808be488 8047fe90 0 808ba4d8 16168/16384 isakmp_time_keeper
Lsi 800bf0bd 808cb168 8047fe90 0 808ca1a8 4008/4096 perfmon
Hwe 8008f996 808d2f68 803c84c8 0 808d1fc8 3984/4096 IPsec response handler
Mwe 8008b851 808d5014 8047fe90 0 808d3058 8000/8192 IPsec timer handler

Hwe 8012c9be 808e5634 804916d0 0 808e36b0 7320/8192 qos_metric_daemon
Lwe 800c9314 808e6604 8048ea50 0 808e5740 3764/4096 pix/trace
Lwe 800c9514 808e7694 8048ebf0 0 808e67d0 3764/4096 pix/tconsole
Hwe 8007c57b 808e97d4 8082bfa4 0 808e7860 7532/8192 pix/intf1
Hwe 8007c57b 808eb898 8082bf60 130 808e98f0 5644/8192 pix/intf0
H* 80010731 7ffffe64 8047fe78 7840 808ed990 12768/16384 ci/console
Csi 800c41ec 808f29bc 8047fe90 0 808f1a20 3520/4096 update_cpu_usage
Hwe 800b9e6f 80912330 803c97a0 0 80910428 7796/8192 uauth0
Hwe 800b9e6f 809143d0 803c97b0 0 809124c8 7796/8192 uauth1
Hwe 80163aa3 809164a8 80704b1c 0 80914558 8000/8192 uauth
Hwe 80172cb1 809175a4 8045df70 0 809165e8 4012/4096 udp_timer
Hsi 80074c8c 80918ee4 8047fe90 0 80917f28 4004/4096 557mcfix
Crd 80074c4c 80919f8c 804802f8 167820 80918fb8 3884/4096 557poll
Lsi 80074ce2 8091b004 8047fe90 0 8091a048 3940/4096 557timer
Hwe 8007c5a3 8091c074 80859100 0 8091b0d8 3980/4096 fover_ip1
Cwe 800763e7 8091d0d4 807b809c 0 8091c168 3932/4096 ip/1:1
Hwe 8007c5a3 8091e19c 808590d8 0 8091d1f8 3988/4096 icmp1
Mwe 80172a76 8091f21c 8073c02c 0 8091e288 3972/4096 riprx/1
Msi 80132402 809202cc 8047fe90 0 8091f318 3980/4096 riptx/1
Hwe 8007c5a3 80921354 808590b0 0 809203c0 3972/4096 udp_thread/1
Hwe 8007c5a3 809223cc 80859088 0 80921468 3924/4096 tcp_thread/1
Hwe 8007c5a3 809234a4 80859060 0 80922508 3980/4096 fover_ip0
Cwe 8007c644 80924554 8082bf60 0 80923598 4012/4096 ip/0:0
Hwe 8007c5a3 809255cc 80859038 0 80924628 3988/4096 icmp0
Mwe 80172a76 8092665c 8073bfec 0 809256c8 3972/4096 riprx/0
Msi 80132402 8092771c 8047fe90 0 80926768 3980/4096 riptx/0
Hwe 8007c5a3 809287a4 80859010 0 80927810 3972/4096 udp_thread/0
Hwe 8007c5a3 8092981c 80858fe8 0 809288b8 3924/4096 tcp_thread/0
Hwe 80163c92 80941f10 806f0e44 0 80941be0 608/1024 listen/http1
Mwe 8010b047 809441b0 8047fe90 0 809421f8 7780/8192 Crypto CA

------------------ show failover ------------------

No license for Failover
 
HI.

> http 192.168.1.1 255.255.255.255 inside
This is wrong.
Here you specify the IP address of the management workstation:
http 192.168.1.X 255.255.255.255 inside
Or you can allow PDM access from the whole internal subnet:
http 192.168.1.0 255.255.255.0 inside

The IP address on the management workstation should be in the same subnet, for example 192.168.1.5

Bye
Yizhar Hurwitz
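The mistake in the pasted config (the `http` line names the PIX's own inside address with a host mask, so no workstation can ever match it) is the kind of thing that is easy to lint before reloading the box. The following checker is an added example written for this thread, not code from any poster or from Cisco. It parses only the `ip address`, `http server enable` and `http <ip> <mask> <ifname>` lines of a PIX 6.x config, reports why a given management workstation would or would not be allowed to reach PDM, and proposes a corrected line. The sample config is constructed from the lines pasted above; the normalisation of `http 192.168.1.1 255.255.255.0 inside` to the /24 network is the checker's own assumption about how a mask-based match behaves, not a statement about PIX internals.

```python
"""Lint the PDM (http) access lines of a PIX 6.x configuration.

Added example for the thread above; not code from the posters or from Cisco.
"""
import ipaddress
import re

# Constructed sample: the relevant lines from the config pasted in the thread.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 127.0.0.1 255.255.255.255
ip address inside 192.168.1.1 255.255.255.0
http server enable
http 192.168.1.1 255.255.255.255 inside
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
HTTP_ACL_RE = re.compile(r"^http (\S+) (\S+) (\S+)$")


def parse_config(text):
    """Return (interfaces, http_enabled, http_acls).

    interfaces: {ifname: IPv4Interface} from 'ip address' lines
    http_acls:  [(IPv4Network, ifname)] from 'http <ip> <mask> <if>' lines
    """
    interfaces, http_enabled, http_acls = {}, False, []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "http server enable":
            http_enabled = True
            continue
        m = IP_ADDR_RE.match(line)
        if m:
            ifname, ip, mask = m.groups()
            interfaces[ifname] = ipaddress.IPv4Interface(f"{ip}/{mask}")
            continue
        m = HTTP_ACL_RE.match(line)
        if m:
            ip, mask, ifname = m.groups()
            # strict=False: 'http 192.168.1.1 255.255.255.0' is read as the /24
            # (assumption about mask matching, see lead-in).
            net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
            http_acls.append((net, ifname))
    return interfaces, http_enabled, http_acls


def check_pdm_access(config_text, workstation_ip, ifname="inside"):
    """Explain whether workstation_ip can reach PDM on ifname.

    Returns (allowed, findings). 'allowed' is True only when the interface has
    an address on the workstation's subnet, the HTTP server is enabled and an
    http entry for that interface matches the workstation. 'findings' lists
    blocking problems and also non-blocking warnings (e.g. an over-broad entry).
    """
    ws = ipaddress.IPv4Address(workstation_ip)
    interfaces, http_enabled, http_acls = parse_config(config_text)
    findings = []

    iface = interfaces.get(ifname)
    if iface is None:
        findings.append(f"no 'ip address {ifname}' line; PDM has nothing to listen on")
        return False, findings
    on_subnet = ws in iface.network
    if not on_subnet:
        findings.append(f"workstation {ws} is not in {iface.network}; put it on that subnet")
    if not http_enabled:
        findings.append("'http server enable' is missing")

    permitted = False
    for net, acl_if in http_acls:
        if acl_if != ifname:
            continue
        # The thread's mistake: a host-mask entry naming the PIX's own address.
        if net.prefixlen == 32 and net.network_address == iface.ip:
            findings.append(
                f"'http {iface.ip} 255.255.255.255 {ifname}' names the PIX itself, "
                "not a workstation; no management host can match it")
            continue
        if net.prefixlen == 0:
            findings.append(f"'http 0.0.0.0 0.0.0.0 {ifname}' permits every host; narrow it")
        if ws in net:
            permitted = True
    if not permitted:
        findings.append(f"no 'http ... {ifname}' entry matches {ws}")
    return permitted and http_enabled and on_subnet, findings


def suggested_http_line(config_text, workstation_ip, ifname="inside", whole_subnet=False):
    """Build the http line the thread recommends: one host, or the whole subnet."""
    interfaces, _, _ = parse_config(config_text)
    if whole_subnet:
        net = interfaces[ifname].network
        return f"http {net.network_address} {net.netmask} {ifname}"
    return f"http {workstation_ip} 255.255.255.255 {ifname}"


if __name__ == "__main__":
    ok, notes = check_pdm_access(SAMPLE_CONFIG, "192.168.1.5")
    print("PDM reachable from 192.168.1.5:", ok)
    for note in notes:
        print(" -", note)
    print("fix:", suggested_http_line(SAMPLE_CONFIG, "192.168.1.5"))
```

Run it against the pasted config and it reports the self-referencing `http` entry as the blocker; swap that line for either suggested form and the same workstation passes. The single-host form is the tighter choice for a management workstation with a fixed address, and the subnet form is what the thread suggests when the workstation gets its address from DHCP.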
 
Yizhar,

I've had it as 255.255.255.0 inside and still cannot get PDM opened. I'm bouncing around here and nothing's working.

Is there a place where I can download a basic outline of how to config a PIX via the CLI? I'm more comfortable with command lines anyway.

Thanks
NOTworking
 
HI.

I suggest that you read the printed manual that comes with the PIX.

You can find a lot of info here:

You can also use pixscript from my site - it will help you generate a basic configuration to start with:

You can also try my previous suggestions to restore the PIX to factory default, or to clear the configuration and follow the setup prompts.

Bye
Yizhar Hurwitz
 
Yizhar,

Yeah, I think I'll read the manual and other materials some more. I've downloaded your pixscript, thanks!

Have a nice Holiday!
NOTworking
 