Cisco pix problem connecting to https interface to config pix

Posted on 2006-05-15
Last Modified: 2013-11-16
Hello, I am trying to get a little practice with a PIX 515. I would like to enable the web interface but I am having problems doing so.

I want to use HTTP (but only HTTPS gets a reply); my guess is there is something wrong with the SSL cert. I would have no problem using normal HTTP to get this working.

https://192.168.50.253/

When I try to connect via www I get the password box. I leave the username blank and put my enable password in there. It goes to the next page and says

404 Not Found
The requested URL / was not found on this server.

I am stumped. Also, I cannot connect via SSH (do I need to enable that?).

thanks

I have included my config below

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8JkmeYOodD/bOziu encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name erased
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto shutdown
interface ethernet1 auto
ip address outside 127.0.0.1 255.255.255.255
ip address inside 192.168.50.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.50.252 255.255.255.255 inside
http 192.168.50.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 60
ssh timeout 5
terminal width 80
Cryptochecksum:a74e3f5ac231d12446ed55e3e30472c1
: end

Question by bilbus

Accepted Solution by stressedout2004 (earned 800 total points), ID: 16691670
OK, first: web GUI access to the PIX is only via HTTPS; HTTP will not work. So if you would like to access the PIX
via the GUI, you need to go to https://192.168.50.253.

For SSH, you need to enable it. But before that, generate an RSA key first. This will also help you reset the RSA key for
the web GUI access. So do the following commands:

ca zeroize rsa
ca generate rsa key 512
ca save all

After doing the ca commands, try to access the GUI again.

Then to enable SSH, the command would be:

ssh 192.168.50.0 255.255.255.0 inside

The above ssh command will allow anybody on the entire subnet to SSH into the PIX inside interface. It will
ask you for a username; this time you have to enter the default username, which is pix.
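Before following the steps above, it is worth seeing what the 6.2(2) config posted in the question actually allows on the management plane. The script below is an added example written for this page, not code from the thread or from Cisco. It parses the "http", "ssh" and "telnet" access lines and the SNMP community string out of a PIX 6.x config and flags the points a reviewer would raise: "http 0.0.0.0 0.0.0.0 inside" lets any source address on the inside interface reach the PDM (which makes the two narrower "http" lines redundant), "snmp-server community public" is the well-known default, and there is no "ssh <addr> <mask> <interface>" line, so SSH is not enabled even though "ssh timeout 5" is set. The sample config is a constructed excerpt of the one in the question; the severity labels are my own choice, not anything the PIX reports.

```python
import ipaddress
import re

# Constructed sample input: the management-plane lines from the PIX 6.2(2)
# config posted in the question (fixup/timeout lines left out for brevity).
SAMPLE_CONFIG = """\
hostname PIX
ip address inside 192.168.50.253 255.255.255.0
http server enable
http 192.168.50.252 255.255.255.255 inside
http 192.168.50.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
snmp-server community public
telnet timeout 60
ssh timeout 5
"""

# Matches "http|ssh|telnet <address> <mask> <interface>", the PIX 6.x form of a
# management access line. "http server enable" and "ssh timeout 5" have a
# different token shape and are deliberately not matched.
ACL_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)
SNMP_RE = re.compile(r"^snmp-server\s+community\s+(\S+)")
# Community strings every scanner tries first.
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_mgmt_acls(config):
    """Return [(service, IPv4Network, interface)] for every http/ssh/telnet access line."""
    acls = []
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            service, addr, mask, iface = m.groups()
            # (address, netmask) tuple form; strict=False tolerates host bits set.
            net = ipaddress.IPv4Network((addr, mask), strict=False)
            acls.append((service, net, iface))
    return acls


def audit_mgmt_plane(config):
    """Return a list of (severity, finding) tuples for the management plane."""
    findings = []
    acls = parse_mgmt_acls(config)

    for service, net, iface in acls:
        if net.prefixlen == 0:
            # 0.0.0.0/0 means any source on that interface; narrower lines for
            # the same service/interface no longer restrict anything.
            findings.append(("HIGH",
                             f"{service} 0.0.0.0 0.0.0.0 {iface}: any source on '{iface}' "
                             f"may reach the {service} service; narrower {service} lines "
                             f"for that interface are redundant"))
        if service == "telnet":
            findings.append(("MEDIUM",
                             f"telnet {net.with_netmask} {iface}: cleartext management, "
                             "prefer ssh"))

    if not any(service == "ssh" for service, _, _ in acls):
        findings.append(("INFO",
                         "no 'ssh <addr> <mask> <if>' line: SSH is not enabled, "
                         "even if 'ssh timeout' is set"))

    for raw in config.splitlines():
        m = SNMP_RE.match(raw.strip())
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("HIGH",
                             f"snmp-server community {m.group(1)}: well-known default "
                             "community string"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_mgmt_plane(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run it as-is to see the findings for the sample, or feed it the output of "show config" captured from the console. Re-running it after adding the "ssh 192.168.50.0 255.255.255.0 inside" line from the accepted solution clears the SSH finding, which is a quick way to confirm the change took before you try to log in from that subnet.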

Author Comment by bilbus, ID: 16693416
OK, thanks.

I was able to get SSH working, but it would not let me in. I used "pix" as the username and my enable password as the password.

Also, the web page still does not work; any ideas?

thanks!

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8JlmeYOodD/bOziu encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name erased
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto shutdown
interface ethernet1 auto
ip address outside 127.0.0.1 255.255.255.255
ip address inside 192.168.50.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.50.252 255.255.255.255 inside
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 60
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Cryptochecksum:281776c4046b9564171984ff17a19896
: end

Expert Comment by Keith Alabaster, ID: 16693651
Leave the username blank and just put your enable password in the password field.

Expert Comment by Keith Alabaster, ID: 16693917
PS: That is for the PDM, not SSH.

Assisted Solution by Keith Alabaster (earned 400 total points), ID: 16693921
OK, yes. I die of embarrassment at not reading your question properly....

Expert Comment by stressedout2004, ID: 16694738
For SSH, the default username is pix and the password is cisco. However, I see that you already have telnet enabled and I am not sure if you have modified the telnet password. So if that's the case, for SSH access, still use pix for the username and use the same password you are using for telnet.

Now for PDM access, can you post the output of show version?

Assisted Solution by lrmoore (earned 800 total points), ID: 16698461
A couple of points on the PDM:
Be sure your IE is not set up to use a proxy.
Be sure you have the latest JRE 1.4.2. I don't think your version of PDM works with JRE 5.
If you upgrade the PIX to 6.3(5) and PDM 3.0.5, and your PC is updated to the latest JRE 1.5.6, your experience will be much enhanced. The 2.x PDM is pretty useless.

>404 Not Found
>The requested URL / was not found on this server.
Looks like you would need to re-install the PDM anyway...

Author Comment by bilbus, ID: 16701921
Ah, great, OK: SSH works with cisco/pix.

On my PC I have

J2SE
Version 1.5.0 (build 1.5.0_06-b05)

How do I tell the version of my PDM?

Expert Comment by stressedout2004, ID: 16702894
Just access the PIX via telnet/SSH and do "show version".

Author Comment by bilbus, ID: 16705701
Yes, I did that, but it does not say the PDM version; does that mean I have no PDM?

I just upgraded the PIX from 6.2 to 6.3.

PIX# show version

Cisco PIX Firewall Version 6.3(5)

Compiled on Thu 04-Aug-05 21:40 by morlee

PIX up 7 hours 32 mins

Hardware:   PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0001.64ff.ceda, irq 10
1: ethernet1: address is 0001.64ff.cedb, irq 7
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number:
Running Activation Key:
Configuration has not been modified since last system restart.
PIX#

Expert Comment by lrmoore, ID: 16705716
Since it does not show the PDM version, and you get that error that you posted, it is obvious that the PDM is not loaded at all. You need to download the PDM file and load it.
Download pdm-304.bin to your TFTP server.
Almost just like upgrading the OS:
 pix#copy tftp://server/pdm-304.bin flash:pdm

Author Comment by bilbus, ID: 16712224
Thanks, I will have to locate a PDM version. Do you know what version I need for my 6.3(5) OS?

Expert Comment by Keith Alabaster, ID: 16712277
As per lrmoores post

<<< 
Since it does not show the PDM version, and you get that error that you posted, it is obvious that the PDM is not loaded at all. You need to download the pdm file and load it.
Download pdm-304.bin to your tftp server.
Almost just like upgrading the OS:
 pix#copy tftp://server/pdm-304.bin flash:pdm
>>>

Expert Comment by paul1gilbert, ID: 16757494
Hi,

For that version you can use PDM version 3.0.4. On the Cisco download page it will appear as pdm-304.bin.
Here is the link for that software:
http://www.cisco.com/cgi-bin/tablebuild.pl/pix

You will need a TFTP server and I suggest you use:
http://tftpd32.jounin.net/

The command will be:
copy tftp flash:pdm

Then just follow the steps.

This will install the PDM and then you can try it.