harrymill asked:

Enabling PDM for 515e

Hi,

I need to enable PDM on my PIX 515E so that a remote outside user as well as an inside user can access it.

Here is my current config. Please let me know of changes to be made. ATM I get a prompt for user/pass from inside, but I get a 'page cannot be displayed' box when I enter the credentials. I do not get anything when I try from outside.
Please help


: Written by harry at 22:34:16.637 UTC Tue Oct 17 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname mypix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit esp host x.x.x.x any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 55.22.22.243 255.255.255.0
ip address inside 192.168.30.1 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.15.105 255.255.255.255 inside
pdm history enable
arp timeout 14400
static (inside,outside) 55.22.22.244 192.168.30.2 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 55.22.22.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http x.x.x.x 255.255.255.255 outside
http 192.168.30.2 255.255.255.255 inside
http 192.0.0.0 255.0.0.0 inside
http 192.168.15.105 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet 192.168.30.0 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh 192.168.30.2 255.255.255.255 inside
ssh timeout 5
console timeout 0
Planoite:

You need to add http x.x.x.x 255.255.255.255 management
This will specify that IP address as a management interface.
Hello,

Do you have JRE installed on the workstation?

Because PDM uses Java and needs the Java Runtime Environment.

Regards,
harrymill (asker):

I've enabled JRE in IE. It says JRE 1.5.0_06

Planoite, you meant to add something like the following?


mypix(config)# http x.x.x.x 255.255.255.255 management
Unknown interface name: management
Usage:  [no] http <local_ip> [<mask>] [<if_name>]
        [no] http server enable
mypix(config)#

Doesn't work that way.
Hi
Can you try this.
Assuming 55.22.22.x is a free IP from the outside interface subnet, and mapping it to the PDM location on the inside interface:



access-list 101 permit ip host x.x.x.x host 55.22.22.x
static (inside,outside) 55.22.22.x 192.168.15.105  netmask 255.255.255.255 0 0
http 55.22.22.x 255.255.255.255 outside
pdm location 192.168.15.105 255.255.255.255 inside


And try accessing the PDM using https://55.22.22.x

Just a thought and give it a try :)

Afi
Les Moore:
Can you post result of 'show ver'
Your PDM version may be incompatible with JRE 1.5
The latest 3.04 is fully compatible

>http x.x.x.x 255.255.255.255 outside
>http 192.168.30.2 255.255.255.255 inside
These should be the only commands that you need to add to support access to the PIX

>aaa authentication http console LOCAL
I don't see any username/password entries

username <yourusername> password <your password> priv 15
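The conditions Les Moore lists (an http entry covering the client on the interface it arrives on, http server enable, and a local username once aaa authentication http console LOCAL is set) can be checked against a saved config before touching the box. The Python below is an added example and is not part of this thread or of any Cisco tool. It parses PIX 6.3 show run lines; the sample config is a constructed, trimmed copy of the one posted in the question, with the redacted x.x.x.x line kept to show how unparseable entries are reported. The audit function also flags the /8 http entry, the default SNMP community and cleartext telnet from that same config, which are worth tightening once PDM works. The /24 threshold for "too wide" is an assumption of the example.

```python
import ipaddress
import re

# Constructed sample: the management-plane lines from the config posted in the
# question (the x.x.x.x address is redacted in the post and kept here as-is).
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
aaa authentication http console LOCAL
http server enable
http x.x.x.x 255.255.255.255 outside
http 192.168.30.2 255.255.255.255 inside
http 192.0.0.0 255.0.0.0 inside
http 192.168.15.105 255.255.255.255 inside
snmp-server community public
telnet 192.168.30.0 255.255.255.0 inside
"""


def parse_config(text):
    """Collect the PIX 6.3 statements that decide who can reach PDM."""
    cfg = {"interfaces": set(), "http_enabled": False, "http": [], "telnet": [],
           "aaa_http_local": False, "usernames": set(), "snmp_communities": set(),
           "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"nameif \S+ (\S+) security\d+", line):
            cfg["interfaces"].add(m.group(1))
        elif line == "http server enable":
            cfg["http_enabled"] = True
        elif line == "aaa authentication http console LOCAL":
            cfg["aaa_http_local"] = True
        elif m := re.fullmatch(r"username (\S+) password \S+.*", line):
            cfg["usernames"].add(m.group(1))
        elif m := re.fullmatch(r"snmp-server community (\S+)", line):
            cfg["snmp_communities"].add(m.group(1))
        elif m := re.fullmatch(r"(http|telnet) (\S+) (\S+) (\S+)", line):
            kind, ip, mask, ifname = m.groups()
            try:
                net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            except ValueError:  # e.g. the redacted x.x.x.x entry
                cfg["unparsed"].append(line)
                continue
            cfg[kind].append((net, ifname))
    return cfg


def check_pdm_access(cfg, src_ip, ifname):
    """Return the reasons a browser at src_ip arriving on ifname would fail."""
    src = ipaddress.ip_address(src_ip)
    problems = []
    if not cfg["http_enabled"]:
        problems.append("'http server enable' is missing")
    if ifname not in cfg["interfaces"]:
        problems.append(f"{ifname!r} is not a configured nameif")
    elif not any(src in net and i == ifname for net, i in cfg["http"]):
        problems.append(f"no 'http' entry covers {src_ip} on {ifname}")
    if cfg["aaa_http_local"] and not cfg["usernames"]:
        problems.append("aaa authentication http console LOCAL is set but no "
                        "'username ... privilege 15' exists, so every login fails")
    return problems


def audit_management_plane(cfg, widest_ok_prefix=24):
    """Flag management settings a reviewer would tighten (threshold is an assumption)."""
    findings = []
    for net, i in cfg["http"]:
        if net.prefixlen < widest_ok_prefix:
            findings.append(f"http {net} on {i}: wider than /{widest_ok_prefix}, "
                            "narrow it to the admin hosts")
    for comm in cfg["snmp_communities"]:
        if comm.lower() in {"public", "private"}:
            findings.append(f"snmp-server community {comm!r}: well-known default")
    for net, i in cfg["telnet"]:
        findings.append(f"telnet {net} on {i}: cleartext management, prefer ssh")
    for line in cfg["unparsed"]:
        findings.append(f"could not parse: {line}")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for src, iface in (("192.168.15.105", "inside"), ("192.168.15.105", "management")):
        print(f"{src} via {iface}:", check_pdm_access(cfg, src, iface) or ["ok"])
    for f in audit_management_plane(cfg):
        print("audit:", f)
```

Run against the posted config, the inside host 192.168.15.105 passes the http ACL but fails on the missing username, which matches the "prompt, then page cannot be displayed" symptom; the "management" interface is rejected the same way the PIX rejected it.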

mypix# sh ver

Cisco PIX Firewall Version 6.3(4)

Compiled on Fri 02-Jul-04 00:07 by morlee

mypix up 2 days 10 hours

Hardware:   PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0050.xxxx.ecee, irq 10
1: ethernet1: address is 0050.xxxx.ecef, irq 7
2: ethernet2: address is 00d0.b707.71d5, irq 9
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 403320023 (0x180a2cd7)
Running Activation Key: 0x6cf91026 0x64e31afb 0xfff6d5b1 0xe4821333
Configuration last modified by harry at 12:00:42.766 UTC Wed Oct 18 2006
It does not look like PDM is even installed. The version should show up right under the PIX Firewall Version
So commands work without PDM being installed?
How do I install a PDM? Is there any way I could do the installation without going through the entire process of registration?
ASKER CERTIFIED SOLUTION: Les Moore
(solution text only available to Experts Exchange members)
Thanks a lot. But please provide me the command to back up my current IOS also.
If you have a tftp server:
 pix#write net
  Follow the prompts for the tftp server IP and the file name that you want to save it as

Else, just use show run in HyperTerminal and copy/paste the screens into Notepad/WordPad.
This is just to back up the current configuration, right?
What about the whole of the IOS?

Just the config. You cannot back up the OS from a PIX like you can from a router.
I ran into trouble.
I tried the installation of 7.06 through a TFTP server. The installation failed as I had only 32 MB of RAM. It says to upgrade to 64.
Is there any method I can go back to the old IOS to make it work?

I can only see "monitor> " now.
I do not have the old IOS either... deep in trouble.
You only need 32mb to run 7.0
You probably don't have enough room on flash for both 6.x and 7.0
Call Cisco and ask them to let you download erasedisk622.bin
This will completely erase/reformat your flash disk and let you continue with the update to 7.0
I may get erasedisk622.bin but it will take 2 days... in the meantime I have to get the firewall up.

OK, I managed to get the 6.3.5 IOS, and for this one too show version does not give a PDM version.
My vendor gave me a PDM image called pdm-304.bin

I did copy tftp://192.168.30.5/pdm-304.bin flash
as I have done for 6.3.5...

It copied from the TFTP... but it gave the following error. The MD5 checksum had matched:

Received 3152452 bytes
No PIX image found in downloaded file
Image not installed
Thanks
I did copy tftp://192.168.30.5/pdm-304.bin flash:pdm

It worked.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_upgrade_guides09186a0080369ee2

As per Cisco, 64 MB is necessary for 7.0:
If you are a PIX 515 or PIX 515E user with a PIX Version 6.3, you will need to upgrade your memory before performing an upgrade to PIX Security appliance Version 7.0. PIX Security appliance Version 7.0 requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses (see Table 42).
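The two things that went wrong in this thread, PDM missing from show version and a 7.0 upgrade started on a box with too little RAM for its license, can both be read off a pasted show version before anything is written to flash. The Python below is an added example, not from the thread or from Cisco. The first sample is a constructed, trimmed copy of the show ver output posted above; the second is a constructed output for the same box after a RAM upgrade and the PDM install. The "Cisco PIX Device Manager Version" line is the format assumed here for an installed PDM (the thread only says the PDM version shows up under the firewall version line), and the RAM thresholds are the ones in the Cisco note quoted just above.

```python
import re

# Constructed sample: trimmed copy of the 'show ver' output posted in the thread.
SHOW_VER_POSTED = """\
Cisco PIX Firewall Version 6.3(4)

Compiled on Fri 02-Jul-04 00:07 by morlee

mypix up 2 days 10 hours

Hardware:   PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB

This PIX has a Restricted (R) license.
"""

# Constructed sample: the same box after a RAM upgrade and the PDM install.
# The 'Device Manager' line is an assumed format for an installed PDM.
SHOW_VER_UPGRADED = """\
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB

This PIX has a Restricted (R) license.
"""

# Minimum RAM for PIX 7.0 on a 515/515E by license type, from the Cisco note
# quoted in the thread (64 MB for R, 128 MB for UR and FO).
RAM_REQUIRED_MB_FOR_7 = {"R": 64, "UR": 128, "FO": 128}


def parse_show_version(text):
    """Pull the fields the upgrade decision depends on out of 'show version'."""
    info = {"os": None, "pdm": None, "ram_mb": None, "license": None}
    if m := re.search(r"^Cisco PIX Firewall Version (\S+)", text, re.M):
        info["os"] = m.group(1)
    if m := re.search(r"^Cisco PIX Device Manager Version (\S+)", text, re.M):
        info["pdm"] = m.group(1)
    if m := re.search(r"(\d+)\s*MB RAM", text):
        info["ram_mb"] = int(m.group(1))
    if m := re.search(r"This PIX has an? [\w ]*?\((R|UR|FO)\) license", text):
        info["license"] = m.group(1)
    return info


def assess(text):
    """Report PDM presence and whether 7.0 can even boot on this RAM/license."""
    info = parse_show_version(text)
    result = {"info": info, "pdm_installed": info["pdm"] is not None,
              "ram_required_mb": None, "ram_ok_for_7": None, "notes": []}
    if not result["pdm_installed"]:
        result["notes"].append("no PDM image installed: no Device Manager line "
                               "under the firewall version (copy it to flash:pdm)")
    if info["license"] in RAM_REQUIRED_MB_FOR_7 and info["ram_mb"] is not None:
        need = RAM_REQUIRED_MB_FOR_7[info["license"]]
        result["ram_required_mb"] = need
        result["ram_ok_for_7"] = info["ram_mb"] >= need
        if not result["ram_ok_for_7"]:
            result["notes"].append(f"{info['ram_mb']} MB RAM is below the {need} MB that 7.0 "
                                   f"needs with a {info['license']} license: do not start the upgrade")
    else:
        result["notes"].append("could not read RAM or license from show version")
    return result


if __name__ == "__main__":
    for label, text in (("posted", SHOW_VER_POSTED), ("upgraded", SHOW_VER_UPGRADED)):
        r = assess(text)
        print(label, r["info"], "pdm_installed=%s ram_ok_for_7=%s"
              % (r["pdm_installed"], r["ram_ok_for_7"]))
        for n in r["notes"]:
            print("  -", n)
```

For the posted output it reports no PDM and 32 MB against a 64 MB requirement, which is exactly the point at which the upgrade should have been stopped; on the constructed upgraded output both checks pass.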