PIX questions

Discussion in 'Cisco' started by David Smith, Dec 8, 2003.

  1. David Smith

    David Smith Guest

    Hello all,

    I have two PIX firewalls:

    PIX 515, IOS PIX 5.2(6), VPN-DES enabled (never used the VPN
    feature), with unlimited LIC
    2 NICs

    PIX 520, IOS PIX 6.3(1), VPN-DES and VPN-3DES enabled (never used the VPN
    feature), with unlimited LIC

    4 NICs

    PIX 515 is the production firewall; it's working fine.

    PIX 520 is in my LAB.

    We need some redundancy with these two firewalls. Is it possible to do a
    failover configuration with a PIX failover cable, or do I have to buy a
    primary PIX and a failover PIX as a pair to make failover work?

    Most likely failover won't work for these two PIXes, so I tried to
    configure the secondary PIX 520 as a standby firewall. I shut down the
    last 2 NICs manually and copied my production PIX's (PIX 515) config to
    my PIX 520.

    The network behind the PIX is a single network, 192.168.1.0 with netmask
    255.255.192.0, without a router.

    I configured the inside interface IP as

    ip address inside 192.168.34.1 255.255.192.0

    in the PIX 515 with IOS version 5.2(6) with no problem.

    In the PIX 520 with IOS version 6.3(1)

    I got the following warning:

    warning: unable to add route to OSPF RIB

    when I keyed in

    ip address inside 192.168.34.1 255.255.192.0

    It seemed the PIX doesn't support the above configuration. It only
    accepted

    ip address inside 192.168.34.1 255.255.255.0

    Can anyone tell me why?

    I ignored the warning since I can still ping 192.168.44.x hosts from
    the PIX.

    Everything looks fine in LAB.

    However, I unplugged the two connection cables from the production
    firewall and moved them to my PIX 520, making sure I plugged each cable
    into the right NIC.

    I rebooted my PIX 520 and rebooted the switches. However, inside clients
    cannot connect to the Internet, although from the PIX 520 I can ping the
    Internet with no problem. I can ping my inside clients too. I rebooted a
    client PC with no help either.

    Anything wrong here?

    I use PAT to translate inside clients. It works fine with the production
    firewall.

    I checked sh xlate on my PIX 520 firewall; only a very limited number of
    entries were generated. I used clear xlate, then sh xlate; only about five
    of the 100 static NAT IPs show up. Once I switched back to the production
    firewall and rebooted both the PIX 515 and the switches, everything is OK.
    I checked sh xlate, clear xlate, sh xlate again, and the entries are
    established quickly.

    What's wrong with my PIX 520? Any idea or suggestion? Thank you very
    much in advance.

    David
    David Smith, Dec 8, 2003
    #1

  2. In article <>,
    David Smith <> wrote:
    :I have two PIX firewalls:
    :PIX 515 is the production firewall, it's working fine.
    :PIX 520 is in my LAB.

    :We need some redundancy with these two firewalls. Is it possible to do a
    :failover configuration with a PIX failover cable, or do I have to buy a
    :primary PIX and a failover PIX as a pair to make failover work?

    The failover devices must be identical. For example, you could not
    even failover between a 515 and 515E.
    --
    Look out, there are llamas!
    Walter Roberson, Dec 8, 2003
    #2

  3. David Smith

    David Smith Guest

    Thanks for your answer. Can you or someone give me some insight into this?

    I configured the inside interface IP as

    ip address inside 192.168.34.1 255.255.192.0

    in the PIX 515 with IOS version 5.2(6) with no problem.

    In the PIX 520 with IOS version 6.3(1)

    I got the following warning:

    warning: unable to add route to OSPF RIB

    when I keyed in

    ip address inside 192.168.34.1 255.255.192.0

    It seemed the PIX doesn't support the above configuration. It only
    accepted

    ip address inside 192.168.34.1 255.255.255.0

    Can anyone tell me why?

    Thanks again.

    On 8 Dec 2003 06:25:49 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:

    >In article <>,
    >David Smith <> wrote:
    >:I have two PIX firewalls:
    >:PIX 515 is the production firewall, it's working fine.
    >:PIX 520 is in my LAB.
    >
    >:We need some redundancy with these two firewalls. Is it possible to do a
    >:failover configuration with a PIX failover cable, or do I have to buy a
    >:primary PIX and a failover PIX as a pair to make failover work?
    >
    >The failover devices must be identical. For example, you could not
    >even failover between a 515 and 515E.
    David Smith, Dec 8, 2003
    #3
  4. In article <>,
    David Smith <> wrote:
    :Thanks for your answer. Can you or someone give me some insight into this?
    :I got the following warning with

    :warning: unable to add route to OSPF RIB

    :when I keyed in

    :ip address inside 192.168.34.1 255.255.192.0

    Sorry, nothing comes to mind. Are you clearing the entire 520 configuration
    at the beginning? If you erase the entire configuration and
    configure just that line, do you get the warning?

    --
    Come to think of it, there are already a million monkeys on a million
    typewriters, and Usenet is NOTHING like Shakespeare. -- Blair Houghton.
    Walter Roberson, Dec 8, 2003
    #4
  5. Rik Bain

    Rik Bain Guest

    On Mon, 08 Dec 2003 13:25:30 -0600, David Smith wrote:

    > Thanks for your answer. Can you or someone give me some insight into this?
    >
    > I configured the inside interface IP as
    >
    > ip address inside 192.168.34.1 255.255.192.0
    >
    > in the PIX 515 with IOS version 5.2(6) with no problem.
    >
    > In the PIX 520 with IOS version 6.3(1)
    >
    > I got the following warning:
    >
    > warning: unable to add route to OSPF RIB
    >
    > when I keyed in
    >
    > ip address inside 192.168.34.1 255.255.192.0
    >
    > It seemed the PIX doesn't support the above configuration. It only accepted
    >
    > ip address inside 192.168.34.1 255.255.255.0
    >
    > Can anyone tell me why?
    >
    > Thanks again.


    Cosmetic bug. Ignore the message and verify that
    the ip address was in fact accepted by issuing "show ip" after entering
    it.

    Rik Bain
    Rik Bain, Dec 8, 2003
    #5
  6. David Smith

    David Smith Guest

    On Mon, 08 Dec 2003 16:55:53 -0600, Rik Bain <>
    wrote:

    >On Mon, 08 Dec 2003 13:25:30 -0600, David Smith wrote:
    >
    >> Thanks for your answer. Can you or someone give me some insight into this?
    >>
    >> I configured the inside interface IP as
    >>
    >> ip address inside 192.168.34.1 255.255.192.0
    >>
    >> in the PIX 515 with IOS version 5.2(6) with no problem.
    >>
    >> In the PIX 520 with IOS version 6.3(1)
    >>
    >> I got the following warning:
    >>
    >> warning: unable to add route to OSPF RIB
    >>
    >> when I keyed in
    >>
    >> ip address inside 192.168.34.1 255.255.192.0
    >>
    >> It seemed the PIX doesn't support the above configuration. It only accepted
    >>
    >> ip address inside 192.168.34.1 255.255.255.0
    >>
    >> Can anyone tell me why?
    >>
    >> Thanks again.

    >
    >Cosmetic bug. Ignore the message and verify that
    >the ip address was in fact accepted by issuing "show ip" after entering
    >it.
    >
    >Rik Bain


    I guess it's a bug too. Actually it takes the IP. I configured my next
    switch IP as 192.168.44.254; it's pingable from the PIX.

    However, I unplugged the two connection cables from the production
    firewall and moved them to my PIX 520, making sure I plugged each cable
    into the right NIC.

    I rebooted my PIX 520 and rebooted the switches. However, inside clients
    cannot connect to the Internet, although from the PIX 520 I can ping the
    Internet with no problem. I can ping my inside clients too. I rebooted a
    client PC with no help either.

    Anything wrong here?

    I use the static command to map each server to a host and PAT for other
    clients to translate inside clients. It works fine with the production
    firewall.

    I checked sh xlate on my PIX 520 firewall; only a very limited number of
    entries were generated. I used clear xlate, then sh xlate; only about five
    of the 100 static NAT IPs show up. Once I switched back to the production
    firewall and rebooted both the PIX 515 and the switches, everything is OK.
    I checked sh xlate, clear xlate, sh xlate again, and the entries are
    established quickly.

    What's wrong with my PIX 520? Any idea or suggestion? Thank you very
    much in advance.
    David Smith, Dec 9, 2003
    #6
  7. Rik Bain

    Rik Bain Guest

    On Tue, 09 Dec 2003 07:13:44 -0600, David Smith wrote:

    >
    > I guess it's a bug too. Actually it takes the IP. I configured my next switch
    > IP as 192.168.44.254; it's pingable from the PIX.
    >
    > However, I unplugged the two connection cables from the production
    > firewall and moved them to my PIX 520, making sure I plugged each cable
    > into the right NIC.
    >
    > I rebooted my PIX 520 and rebooted the switches. However, inside clients
    > cannot connect to the Internet, although from the PIX 520 I can ping the
    > Internet with no problem. I can ping my inside clients too. I rebooted a
    > client PC with no help either.
    >
    > Anything wrong here?
    >
    > I use the static command to map each server to a host and PAT for other
    > clients to translate inside clients. It works fine with the production
    > firewall.
    >
    > I checked sh xlate on my PIX 520 firewall; only a very limited number of
    > entries were generated. I used clear xlate, then sh xlate; only about five
    > of the 100 static NAT IPs show up. Once I switched back to the production
    > firewall and rebooted both the PIX 515 and the switches, everything is OK.
    > I checked sh xlate, clear xlate, sh xlate again, and the entries are
    > established quickly.
    >
    > What's wrong with my PIX 520? Any idea or suggestion? Thank you very much
    > in advance.



    A common issue when people replace an existing PIX with a new one is ARP.
    Chances are the headend router has the old PIX MAC address associated
    with the IP addresses used for NAT. Check the ARP table on neighboring
    devices.

    Rik Bain
    Rik Bain, Dec 9, 2003
    #7
  8. David Smith

    David Smith Guest

    On Tue, 09 Dec 2003 09:12:11 -0600, Rik Bain <>
    wrote:

    >On Tue, 09 Dec 2003 07:13:44 -0600, David Smith wrote:
    >
    >>
    >> I guess it's a bug too. Actually it takes the IP. I configured my next switch
    >> IP as 192.168.44.254; it's pingable from the PIX.
    >>
    >> However, I unplugged the two connection cables from the production
    >> firewall and moved them to my PIX 520, making sure I plugged each cable
    >> into the right NIC.
    >>
    >> I rebooted my PIX 520 and rebooted the switches. However, inside clients
    >> cannot connect to the Internet, although from the PIX 520 I can ping the
    >> Internet with no problem. I can ping my inside clients too. I rebooted a
    >> client PC with no help either.
    >>
    >> Anything wrong here?
    >>
    >> I use the static command to map each server to a host and PAT for other
    >> clients to translate inside clients. It works fine with the production
    >> firewall.
    >>
    >> I checked sh xlate on my PIX 520 firewall; only a very limited number of
    >> entries were generated. I used clear xlate, then sh xlate; only about five
    >> of the 100 static NAT IPs show up. Once I switched back to the production
    >> firewall and rebooted both the PIX 515 and the switches, everything is OK.
    >> I checked sh xlate, clear xlate, sh xlate again, and the entries are
    >> established quickly.
    >>
    >> What's wrong with my PIX 520? Any idea or suggestion? Thank you very much
    >> in advance.

    >
    >
    >A common issue when people replace an existing PIX with a new one is ARP.
    >Chances are the headend router has the old PIX MAC address associated
    >with the IP addresses used for NAT. Check the ARP table on neighboring
    >devices.
    >
    >Rik Bain


    The outside default gateway router was managed by our ISP. Our PIX is
    connected directly to the ISP's backbone. How can I change the PIX
    configuration on my side to address the issue without rebooting the
    headend router or switch, which is controlled by my ISP? I even tried
    using a different outside IP on my new PIX. I use static NAT for inside
    servers and PAT for other devices, if any, in future. Thanks again.
    David Smith, Dec 9, 2003
    #8
  9. Rik Bain

    Rik Bain Guest

    On Tue, 09 Dec 2003 09:27:44 -0600, David Smith wrote:

    >
    > The outside default gateway router was managed by our ISP. Our PIX is
    > connected directly to the ISP's backbone. How can I change the PIX
    > configuration on my side to address the issue without rebooting the
    > headend router or switch, which is controlled by my ISP? I even tried
    > using a different outside IP on my new PIX. I use static NAT for inside
    > servers and PAT for other devices, if any, in future. Thanks again.


    Well, if it /is/ an ARP issue, you can either reboot the router, or wait
    for it to time out (default 4 hours on cisco equip).

    To test that theory, if you are overloading the pix ip address for PAT
    and those hosts do not work, then the pix itself should not be able to
    ping outside hosts.
    Rik Bain, Dec 9, 2003
    #9
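    The ARP-cache failure mode Rik Bain describes in the two replies above, as an added example that is not part of the original thread: after a firewall swap, the upstream router still maps the NAT addresses to the old box's MAC, so its own interface address (which it freshly ARPed for) works while the static-NAT and PAT addresses do not. The script below parses a constructed sample of Cisco `show ip arp` output, lists the NAT addresses still bound to a MAC other than the new firewall's, and builds the gratuitous ARP reply frame that would refresh each stale entry. The addresses (RFC 5737 documentation space), the two MACs, and the sample table are all made up for illustration; nothing here comes from the posters.

```python
import re
import struct

# Constructed sample of `show ip arp` output as the upstream router might show
# it after the swap (hypothetical data, not from the thread).  The PAT address
# .10 and one static .13 were re-learned; .11 and .12 still point at the old box.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   0000.0c07.ac01  ARPA   FastEthernet0/0
Internet  203.0.113.10            0   000a.4100.0002  ARPA   FastEthernet0/0
Internet  203.0.113.11          187   0050.5400.0001  ARPA   FastEthernet0/0
Internet  203.0.113.12          187   0050.5400.0001  ARPA   FastEthernet0/0
Internet  203.0.113.13            5   000a.4100.0002  ARPA   FastEthernet0/0
"""

OLD_PIX_MAC = "00:50:54:00:00:01"  # hypothetical outside MAC of the old PIX 515
NEW_PIX_MAC = "00:0a:41:00:00:02"  # hypothetical outside MAC of the new PIX 520

# Hypothetical outside addresses: the PAT/interface address plus static NATs.
NAT_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]

_ARP_LINE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA"
)


def cisco_mac_to_colon(mac: str) -> str:
    """'0050.5400.0001' -> '00:50:54:00:00:01'."""
    hexdigits = mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_show_ip_arp(text: str) -> dict:
    """Return {ip: mac} for learned entries.  Age '-' marks the router's own
    interface address and is skipped; an 'Incomplete' hardware address never
    matches the regex and is skipped too."""
    table = {}
    for line in text.splitlines():
        m = _ARP_LINE.match(line)
        if not m:
            continue
        ip, age, mac = m.groups()
        if age == "-":
            continue
        table[ip] = cisco_mac_to_colon(mac)
    return table


def stale_nat_entries(arp_table: dict, nat_ips, new_mac: str) -> list:
    """NAT addresses the neighbour still maps to some other (old) MAC."""
    new_mac = new_mac.lower()
    return [(ip, arp_table[ip]) for ip in nat_ips
            if ip in arp_table and arp_table[ip] != new_mac]


def gratuitous_arp_reply(sender_mac: str, sender_ip: str) -> bytes:
    """Broadcast Ethernet frame carrying an ARP reply whose sender and target
    are both sender_ip/sender_mac: the frame a replacement box emits, once per
    NAT address, so neighbours overwrite the stale binding instead of waiting
    for it to age out."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    ip = bytes(int(octet) for octet in sender_ip.split("."))
    ethernet = b"\xff" * 6 + mac + b"\x08\x06"        # dst broadcast, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # htype Ethernet, ptype IPv4, hlen, plen, op=reply
    arp += mac + ip + mac + ip                        # sender hw/proto, target hw/proto
    return ethernet + arp                             # 14 + 28 = 42 bytes


def frames_to_refresh(arp_text: str, nat_ips, new_mac: str) -> list:
    """One gratuitous ARP frame for every NAT address still bound to an old MAC."""
    stale = stale_nat_entries(parse_show_ip_arp(arp_text), nat_ips, new_mac)
    return [gratuitous_arp_reply(new_mac, ip) for ip, _old in stale]


if __name__ == "__main__":
    table = parse_show_ip_arp(SAMPLE_SHOW_IP_ARP)
    for ip, old in stale_nat_entries(table, NAT_IPS, NEW_PIX_MAC):
        print(f"{ip} still maps to {old}; needs refresh")
    print(len(frames_to_refresh(SAMPLE_SHOW_IP_ARP, NAT_IPS, NEW_PIX_MAC)), "frames to send")
```

    The frames would have to be put on the wire from a host on the same outside segment (a PIX of this era offers no way to send arbitrary frames), and whether the upstream router overwrites an existing entry on an unsolicited reply depends on that router's configuration; if it does not, the remaining options are the ones Rik gives, waiting for the entry to age out or having the ISP clear it. The same frame is the primitive ARP spoofing relies on, which is the caveat worth keeping in mind when the outside interface sits on an ISP segment shared with other customers: anyone on that segment can rebind the NAT addresses just as easily.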
  10. David Smith

    David Smith Guest

    On Tue, 09 Dec 2003 09:54:38 -0600, Rik Bain <>
    wrote:

    >On Tue, 09 Dec 2003 09:27:44 -0600, David Smith wrote:
    >
    >>
    >> The outside default gateway router was managed by our ISP. Our PIX is
    >> connected directly to the ISP's backbone. How can I change the PIX
    >> configuration on my side to address the issue without rebooting the
    >> headend router or switch, which is controlled by my ISP? I even tried
    >> using a different outside IP on my new PIX. I use static NAT for inside
    >> servers and PAT for other devices, if any, in future. Thanks again.

    >
    >Well, if it /is/ an ARP issue, you can either reboot the router, or wait
    >for it to time out (default 4 hours on cisco equip).
    >
    >To test that theory, if you are overloading the pix ip address for PAT
    >and those hosts do not work, then the pix itself should not be able to
    >ping outside hosts.


    Besides rebooting the router or switches in front of the PIX, will a
    clear arp on the outside router or switch help solve the issue? Most
    (actually all of the) inside hosts use static NAT. As I mentioned before,
    I can ping outside hosts (the outside default gateway or the Internet) and
    inside hosts from the PIX with no problem. Only inside hosts cannot get
    out to the outside. Thus I believe this is due to an ARP issue, since
    changing the outside IP address of the PIX only helps the PIX itself be
    able to ping outside; the NAT hosts (outside IPs) may still be associated
    with the old MAC of the PIX in the headend router or switch. Thanks.
    David Smith, Dec 9, 2003
    #10
