Velocity Reviews - Computer Hardware Reviews

PIX questions

 
 
David Smith
12-08-2003
Hello all,

I have two PIX firewalls:

PIX 515, IOS PIX 5.2(6), VPN-DES enabled (never use the VPN feature),
with unlimited LIC, 2 NICs

PIX 520, IOS PIX 6.3(1), VPN-DES and VPN-3DES enabled (never use the VPN
feature), with unlimited LIC, 4 NICs

The PIX 515 is the production firewall; it's working fine.

The PIX 520 is in my LAB.

We need some redundancy with these two firewalls. Is it possible to do a
failover configuration with a PIX failover cable, or do I have to buy a
primary PIX and a failover PIX as a pair to make failover work?

Most likely failover won't work for these two PIXes. I tried to
configure the secondary PIX 520 as a standby firewall: I shut down the
last 2 NICs manually and copied my production PIX's (PIX 515) config to
my PIX 520.

The network behind the PIX is a single network, 192.168.1.0 with netmask
255.255.192.0, without a router.

I configured the inside interface IP as

ip address inside 192.168.34.1 255.255.192.0

on the PIX 515 with IOS version 5.2(6) with no problem.

On the PIX 520 with IOS version 6.3(1), I got the following warning:

warning: unable to add route to OSPF RIB

when I keyed in

ip address inside 192.168.34.1 255.255.192.0

It seemed the PIX doesn't support the above configuration. It only
accepted

ip address inside 192.168.34.1 255.255.255.0

Can anyone tell me why?

I ignored the warning since I can still ping 192.168.44.X hosts from
the PIX.

Everything looks fine in the LAB.

However, I unplugged the two firewall connection cables from the
production firewall, moved them to my PIX 520 firewall, and made sure I
plugged each cable into the right NIC.

I rebooted my PIX 520 and rebooted the switches. However, inside clients
cannot connect to the Internet, even though from the PIX 520 I can ping
the Internet with no problem. I can ping my inside clients too. I
rebooted a client PC with no help either.

Anything wrong here?

I use PAT to translate inside clients. It works fine with the production
firewall.

I checked sh xlate on my PIX 520 firewall; only a very limited number of
entries was generated. I used clear xlate, then sh xlate, and only about
five of the 100 static NAT IPs show up. Once I switched back to the
production firewall and rebooted both the PIX 515 and the switches,
everything was OK. I checked sh xlate, then clear xlate and sh xlate
again, and the entries were established quickly.

What is wrong with my PIX 520? Any ideas or suggestions? Thank you very
much in advance.

David
 
Walter Roberson
12-08-2003
In article <(E-Mail Removed)>,
David Smith <(E-Mail Removed)> wrote:
:I have two PIX firewalls:
:Pix 515 is production Firewall, it's working fine.
:PIX 520 is in my LAB.

:We need some redundancy with these two firewalls. Is it possible for
:Failover configuration with PIX failover cable or I have to buy pix
:primary and failover pix in pair to make failover work?

The failover devices must be identical. For example, you could not
even failover between a 515 and 515E.
--
Look out, there are llamas!
 
David Smith
12-08-2003
Thanks for your answer. Can you or someone give me some insight into this?

I configured the inside interface IP as

ip address inside 192.168.34.1 255.255.192.0

on the PIX 515 with IOS version 5.2(6) with no problem.

On the PIX 520 with IOS version 6.3(1), I got the following warning:

warning: unable to add route to OSPF RIB

when I keyed in

ip address inside 192.168.34.1 255.255.192.0

It seemed the PIX doesn't support the above configuration. It only
accepted

ip address inside 192.168.34.1 255.255.255.0

Can anyone tell me why?

Thanks again.

On 8 Dec 2003 06:25:49 GMT, (E-Mail Removed)-cnrc.gc.ca (Walter
Roberson) wrote:

>In article <(E-Mail Removed)>,
>David Smith <(E-Mail Removed)> wrote:
>:I have two PIX firewalls:
>:Pix 515 is production Firewall, it's working fine.
>:PIX 520 is in my LAB.
>
>:We need some redundancy with these two firewalls. Is it possible for
>:Failover configuration with PIX failover cable or I have to buy pix
>:primary and failover pix in pair to make failover work?
>
>The failover devices must be identical. For example, you could not
>even failover between a 515 and 515E.


 
Walter Roberson
12-08-2003
In article <(E-Mail Removed)>,
David Smith <(E-Mail Removed)> wrote:
:Thanks for your answer. Can you or someone give me some insight into this?
:I got the following warning with

:warning: unable to add route to OSPF RIB

:when I keyed in

:ip address inside 192.168.34.1 255.255.192.0

Sorry, nothing comes to mind. Are you clearing the entire 520 configuration
at the beginning? If you erase the entire configuration and
configure just that line, do you get the warning?

--
Come to think of it, there are already a million monkeys on a million
typewriters, and Usenet is NOTHING like Shakespeare. -- Blair Houghton.
 
Rik Bain
12-08-2003
On Mon, 08 Dec 2003 13:25:30 -0600, David Smith wrote:

> Thanks for your answer. Can you or someone give me some insight into this?
>
> I configured the inside interface IP as
>
> ip address inside 192.168.34.1 255.255.192.0
>
> on the PIX 515 with IOS version 5.2(6) with no problem.
>
> On the PIX 520 with IOS version 6.3(1), I got the following warning:
>
> warning: unable to add route to OSPF RIB
>
> when I keyed in
>
> ip address inside 192.168.34.1 255.255.192.0
>
> It seemed the PIX doesn't support the above configuration. It only accepted
>
> ip address inside 192.168.34.1 255.255.255.0
>
> Can anyone tell me why?
>
> Thanks again.


Cosmetic bug. Ignore the message and verify that
the ip address was in fact accepted by issuing "show ip" after entering
it.

Rik Bain
 
David Smith
12-09-2003
On Mon, 08 Dec 2003 16:55:53 -0600, Rik Bain <(E-Mail Removed)>
wrote:

>On Mon, 08 Dec 2003 13:25:30 -0600, David Smith wrote:
>
>> Thanks for your answer. Can you or someone give me some insight into this?
>>
>> I configured the inside interface IP as
>>
>> ip address inside 192.168.34.1 255.255.192.0
>>
>> on the PIX 515 with IOS version 5.2(6) with no problem.
>>
>> On the PIX 520 with IOS version 6.3(1), I got the following warning:
>>
>> warning: unable to add route to OSPF RIB
>>
>> when I keyed in
>>
>> ip address inside 192.168.34.1 255.255.192.0
>>
>> It seemed the PIX doesn't support the above configuration. It only accepted
>>
>> ip address inside 192.168.34.1 255.255.255.0
>>
>> Can anyone tell me why?
>>
>> Thanks again.

>
>Cosmetic bug. Ignore the message and verify that
>the ip address was in fact accepted by issuing "show ip" after entering
>it.
>
>Rik Bain


I guess it's a bug too. Actually it takes the IP. I configured my next
switch's IP as 192.168.44.254, and it's pingable from the PIX.

However, I unplugged the two firewall connection cables from the
production firewall, moved them to my PIX 520 firewall, and made sure I
plugged each cable into the right NIC.

I rebooted my PIX 520 and rebooted the switches. However, inside clients
cannot connect to the Internet, even though from the PIX 520 I can ping
the Internet with no problem. I can ping my inside clients too. I
rebooted a client PC with no help either.

Anything wrong here?

I use the static command to map each server to a host, and PAT for other
clients, to translate inside clients. It works fine with the production
firewall.

I checked sh xlate on my PIX 520 firewall; only a very limited number of
entries was generated. I used clear xlate, then sh xlate, and only about
five of the 100 static NAT IPs show up. Once I switched back to the
production firewall and rebooted both the PIX 515 and the switches,
everything was OK. I checked sh xlate, then clear xlate and sh xlate
again, and the entries were established quickly.

What is wrong with my PIX 520? Any ideas or suggestions? Thank you very
much in advance.
 
Rik Bain
12-09-2003
On Tue, 09 Dec 2003 07:13:44 -0600, David Smith wrote:

>
> I guess it's a bug too. Actually it takes the IP. I configured my next
> switch's IP as 192.168.44.254, and it's pingable from the PIX.
>
> However, I unplugged the two firewall connection cables from the
> production firewall, moved them to my PIX 520 firewall, and made sure I
> plugged each cable into the right NIC.
>
> I rebooted my PIX 520 and rebooted the switches. However, inside clients
> cannot connect to the Internet, even though from the PIX 520 I can ping
> the Internet with no problem. I can ping my inside clients too. I
> rebooted a client PC with no help either.
>
> Anything wrong here?
>
> I use the static command to map each server to a host, and PAT for other
> clients, to translate inside clients. It works fine with the production
> firewall.
>
> I checked sh xlate on my PIX 520 firewall; only a very limited number of
> entries was generated. I used clear xlate, then sh xlate, and only about
> five of the 100 static NAT IPs show up. Once I switched back to the
> production firewall and rebooted both the PIX 515 and the switches,
> everything was OK. I checked sh xlate, then clear xlate and sh xlate
> again, and the entries were established quickly.
>
> What is wrong with my PIX 520? Any ideas or suggestions? Thank you very
> much in advance.



A common issue when people replace an existing PIX with a new one is ARP.
Chances are the headend router still has the old PIX MAC address
associated with the IP addresses used for NAT. Check the ARP table on
neighboring devices.

Rik Bain
 
David Smith
12-09-2003
On Tue, 09 Dec 2003 09:12:11 -0600, Rik Bain <(E-Mail Removed)>
wrote:

>On Tue, 09 Dec 2003 07:13:44 -0600, David Smith wrote:
>
>>
>> I guess it's a bug too. Actually it takes the IP. I configured my next
>> switch's IP as 192.168.44.254, and it's pingable from the PIX.
>>
>> However, I unplugged the two firewall connection cables from the
>> production firewall, moved them to my PIX 520 firewall, and made sure I
>> plugged each cable into the right NIC.
>>
>> I rebooted my PIX 520 and rebooted the switches. However, inside clients
>> cannot connect to the Internet, even though from the PIX 520 I can ping
>> the Internet with no problem. I can ping my inside clients too. I
>> rebooted a client PC with no help either.
>>
>> Anything wrong here?
>>
>> I use the static command to map each server to a host, and PAT for other
>> clients, to translate inside clients. It works fine with the production
>> firewall.
>>
>> I checked sh xlate on my PIX 520 firewall; only a very limited number of
>> entries was generated. I used clear xlate, then sh xlate, and only about
>> five of the 100 static NAT IPs show up. Once I switched back to the
>> production firewall and rebooted both the PIX 515 and the switches,
>> everything was OK. I checked sh xlate, then clear xlate and sh xlate
>> again, and the entries were established quickly.
>>
>> What is wrong with my PIX 520? Any ideas or suggestions? Thank you very
>> much in advance.

>
>
>A common issue when people replace existing pix with new one is ARP.
>Chances are the headend router has the old pix mac address associated
>with the ip addresses used for NAT. Check the ARP table on neighboring
>devices.
>
>Rik Bain


The outside default gateway router was managed by our ISP. Our PIX is
connected directly to the ISP's backbone. How can I change the PIX
configuration on my side to address the issue without rebooting the
headend router or switch, which is controlled by my ISP? I even tried
using a different outside IP on my new PIX. I used static NAT for the
inside servers and PAT for other devices, if any in future. Thanks again.
 
Rik Bain
12-09-2003
On Tue, 09 Dec 2003 09:27:44 -0600, David Smith wrote:

>
> The outside default gateway router was managed by our ISP. Our PIX is
> connected directly to the ISP's backbone. How can I change the PIX
> configuration on my side to address the issue without rebooting the
> headend router or switch, which is controlled by my ISP? I even tried
> using a different outside IP on my new PIX. I used static NAT for the
> inside servers and PAT for other devices, if any in future. Thanks again.


Well, if it /is/ an ARP issue, you can either reboot the router, or wait
for it to time out (default 4 hours on cisco equip).

To test that theory, if you are overloading the pix ip address for PAT
and those hosts do not work, then the pix itself should not be able to
ping outside hosts.
 
David Smith
12-09-2003
On Tue, 09 Dec 2003 09:54:38 -0600, Rik Bain <(E-Mail Removed)>
wrote:

>On Tue, 09 Dec 2003 09:27:44 -0600, David Smith wrote:
>
>>
>> The outside default gateway router was managed by our ISP. Our PIX is
>> connected directly to the ISP's backbone. How can I change the PIX
>> configuration on my side to address the issue without rebooting the
>> headend router or switch, which is controlled by my ISP? I even tried
>> using a different outside IP on my new PIX. I used static NAT for the
>> inside servers and PAT for other devices, if any in future. Thanks again.

>
>Well, if it /is/ an ARP issue, you can either reboot the router, or wait
>for it to time out (default 4 hours on cisco equip).
>
>To test that theory, if you are overloading the pix ip address for PAT
>and those hosts do not work, then the pix itself should not be able to
>ping outside hosts.


Besides rebooting the router or switches in front of the PIX, will a
clear arp on the outside router or switch help solve the issue? Most
(actually all) inside hosts use static NAT. As I mentioned before, I can
ping outside hosts (the outside default gateway or the Internet) and
inside hosts from the PIX with no problem. Only inside hosts cannot get
out to the outside. Thus I believe this is due to an ARP issue, since
changing the outside IP address of the PIX only helps the PIX itself be
able to ping outside; the NAT hosts (outside IPs) may still be associated
with the old MAC of the PIX in the headend router or switch. Thanks.
 
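The ARP check Rik Bain recommends, as an added example that is not part of the thread: it parses Cisco IOS "show ip arp" output and reports which NAT global addresses still resolve to a MAC other than the replacement PIX's outside MAC, plus how long the IOS default 4-hour ARP timeout mentioned above would leave each stale entry in place. The sample output, the 203.0.113.0/24 addresses, the MACs and the function names are all this example's own constructions.

```python
import re

# Cisco IOS default ARP cache timeout: 4 hours, as stated in the thread.
IOS_ARP_TIMEOUT_MIN = 240
# One data row of IOS "show ip arp"; the age column is "-" for the router's own address.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9A-Fa-f.:-]+)\s+ARPA\s+(?P<intf>\S+)"
)

def norm_mac(mac):
    """Canonical MAC: 12 lowercase hex digits, any separators stripped."""
    return re.sub(r"[.:-]", "", mac).lower()

def parse_show_ip_arp(text):
    """Map each IPv4 address in 'show ip arp' output to (mac, age_minutes or None)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:  # header and blank lines do not match
            age = None if m["age"] == "-" else int(m["age"])
            table[m["ip"]] = (norm_mac(m["mac"]), age)
    return table

def find_stale_entries(arp_text, nat_globals, new_pix_mac):
    """Return {ip: (stale_mac, minutes_until_expiry)} for every NAT global whose
    upstream ARP entry still holds a MAC other than the replacement PIX's."""
    want = norm_mac(new_pix_mac)
    stale = {}
    for ip, (mac, age) in parse_show_ip_arp(arp_text).items():
        if ip in nat_globals and mac != want:
            left = None if age is None else max(IOS_ARP_TIMEOUT_MIN - age, 0)
            stale[ip] = (mac, left)
    return stale

# Constructed sample: .1 is the ISP router, .10 has already re-learned the new
# PIX, .11 and .12 are static NAT globals still cached against the old PIX MAC.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   0011.2233.4455  ARPA   FastEthernet0/0
Internet  203.0.113.10            3   00d0.b7aa.0002  ARPA   FastEthernet0/0
Internet  203.0.113.11          197   00d0.b7aa.0001  ARPA   FastEthernet0/0
Internet  203.0.113.12          212   00d0.b7aa.0001  ARPA   FastEthernet0/0
"""
NEW_PIX_OUTSIDE_MAC = "00d0.b7aa.0002"   # made-up MAC of the replacement PIX
NAT_GLOBALS = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}

if __name__ == "__main__":
    for ip, (mac, left) in sorted(find_stale_entries(SAMPLE_ARP, NAT_GLOBALS, NEW_PIX_OUTSIDE_MAC).items()):
        print(f"{ip} still maps to {mac}; IOS should age it out in ~{left} min")
```

Paste real "show ip arp" output from the neighboring router in place of the sample, with the new PIX's outside MAC from "show interface", to see which NAT globals are still pinned to the old unit.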
 
 
 