Avatar of zillah
zillah (Australia) asked:
PIX 525 and accessing PDM within LAN

Referring to my previous post

https://www.experts-exchange.com/questions/22049674/PIX-firewall-and-tab-key-web-based-ssh-access.html

Still I cannot access the PDM for the PIX 525 at work, although I think I have followed all the instructions in the link above.

Regards
Avatar of Tim Holman
Tim Holman

(C) Cisco -

PDM has the following system requirements:

PDM Version 2.1 is available on all PIX 501, PIX 506/506E, PIX 515/515E, PIX 520, PIX 525, and PIX 535 platforms that are running PIX Firewall software Version 6.2. PDM Version 2.1 requires PIX Firewall software Version 6.2. If you are using PIX Firewall software Version 6.0 or 6.1, use PDM Version 1.1. For instructions on installing PDM Version 1.1, please refer to the Cisco PIX Device Manager Installation Guide, Version 1.1, at the following website:


http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_11/pdmig/index.htm
Avatar of zillah

ASKER

Thanks for this feedback, but the output of the command below tells me that PDM is already installed. Am I right?

show version
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Avatar of zillah

ASKER

[cut]
...and you've done the 'setup' thing?
[/cut]

I have not configured the PIX; the configuration was already there. I went through the link that you posted, and the only thing that I could not find is:

pdm location 192.168.1.10 255.255.255.0 inside      (the IP address is my PC's IP address, from which I want to access the PIX)

Do I need to add this ?

There were many configuration lines of :
pdm location 192.168.x.x  255.255.255.0 inside
Don't worry about those lines - these are just placeholders that PDM uses, so it's evident that PDM has already been setup and used on this machine at some point.
Perhaps you could post up your configuration - maybe there's an ACL in there that's preventing your access?
Avatar of zillah

ASKER

[cut]
Perhaps you could post up your configuration -
[/cut]
The whole configuration, even though it is too lengthy, or only the part which has the access-list?
Just put up the whole lot (take out your password hashes and DNS names) - I'll work it out...  :)
You can leave out the 'pdm location' lines if you like.
Do you have any lines like this?

http x.x.x.x 255.255.255.0 inside

In order for you to access the PDM, your IP address has to be "allowed", i.e.

http 192.168.1.10 255.255.255.255 inside


tim_holman - WELCOME BACK! Seems like you took a little vacation away from E-E ?
Good to see you back around!
Looks like I've got some catching up to do...  ;)
Just a little .... <8-}
Avatar of zillah

ASKER

[cut]
In order for you to access the PDM, your IP address has to be "allowed", i.e.

http 192.168.1.10 255.255.255.255 inside
[/cut]
I have got this one, which was already allowed:
http 192.168.1.0 255.255.255.0 inside

Do I need to enable my IP address (192.168.1.10) as well?
No, the mask includes your IP address.
Do you have this in your config?
  http server enable

Do you have the Java JRE installed on your PC?

And you are accessing it with https://192.168.1.1/pdm.html
 

Avatar of zillah

ASKER

[cut]
Do you have this in your config?
http server enable
[/cut]
Yes

[cut]
Do you have the Java JRE installed on your PC?
[/cut]
Yes
Do you get any result at all when you try to connect? Do you have popups disabled on your browser? Do you get a security alert popup? Do you get a username/login prompt? Or do you just get a page not found error?
Avatar of zillah

ASKER

I am getting the error below, kindly see the link below

(link deleted by request from the user)

OK, if you click on "Continue to this Website (not recommended)"
What happens then?

Do you have another PC that does not have IE7 installed on it?
What version Java Runtime do you have? The version that you have may not be compatible with IE7

Avatar of zillah

ASKER

[cut]
OK, if you click on "Continue to this Website (not recommended)"
What happens then?
[/cut]

Thanks lrmoore, when I clicked "Continue to this Website (not recommended)", a screen popped up asking me for a username and password, but I do not know what they are (since I had not configured them). Is there a way to find out what they are from a telnet command, or do I have to reset them, because they are encrypted?

Regards
First try blank username/blank password (default)
Else, use "enable" as username and the enable password
Avatar of zillah

ASKER

[cut]
First try blank username/blank password (default)
[/cut]
No it did not work.

[cut]
Else, use "enable" as username and the enable password
[/cut]
It didn't work as well.
blank username, enable password...
Avatar of zillah

ASKER

[cut]
blank username, enable password...
[/cut]
I tried to use a blank username, and the word "enable" in the password field, without any success.
Do not enter a username.  If you have an enable password, enter it.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/pdm_ig/pdm_inst.htm#xtocid2

I'm assuming you DO have the enable password, right?  Via telnet can you login to the PIX and type 'enable', and does the enable password work?
Avatar of zillah

ASKER

[quote]
I'm assuming you DO have the enable password, right?
[/quote]
Yes, I do have one, and I use it to enter privileged level when I telnet to the PIX.

[quote]
Via telnet can you login to the PIX and type 'enable', and does the enable password work?
[/quote]
Yes it does work

Please see these steps that I have tried:

http://img138.imageshack.us/img138/4448/pdmandstepstoaccessitca9.jpg

Regards
Avatar of zillah

ASKER

I forgot to mention that the option in the second screenshot, which is:
"Go to 192.168.100.1 and look for the information you want", does nothing.
When you do 'show version', are any encryption licenses activated?  Follow the steps here to activate one if not:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdm_ig/pdm30ch2.htm#1035740

Otherwise, could you post up the whole config please?  This will be the easiest and quickest way of seeing what's up.
Avatar of zillah

ASKER

[cut]
Otherwise, could you post up the whole config please?  This will be the easiest and quickest way of seeing what's up.
[/cut]

I have deleted:

1- pdm location

2- access-list outside (not inside) permit ip



PIX Version 6.3(5)

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
interface ethernet6 auto shutdown
interface ethernet7 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
nameif ethernet6 intf6 security12
nameif ethernet7 intf7 security14
enable password ASM111/AREf60fAH encrypted
passwd lHANYDOGSBBoZj encrypted

hostname Firewall

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

 
access-list inside permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list inside permit ip 192.168.4.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq 2186
access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq 2187
access-list inside deny ip 192.168.1.0 255.255.255.0 any
access-list inside deny ip 192.168.4.0 255.255.255.0 any
access-list inside permit tcp host 192.168.1.1 any
access-list inside permit tcp host 192.168.1.2 any
access-list inside permit tcp host 192.168.1.3 any
access-list inside permit tcp host 192.168.1.15 any
access-list inside permit tcp host 192.168.1.100 any
access-list inside permit tcp host 192.168.100.1 any
access-list inside permit tcp host 192.168.100.2 any
access-list inside permit tcp host 192.168.100.3 any
access-list inside permit tcp host 192.168.2.11 any
access-list inside permit tcp host 192.168.2.10 any
access-list inside permit tcp 192.168.0.0 255.255.0.0 any eq www
access-list inside permit tcp 192.168.0.0 255.255.0.0 any eq 8080
access-list inside permit tcp 192.168.0.0 255.255.0.0 any eq domain
access-list inside permit tcp any 192.168.101.0 255.255.255.0
access-list inside permit ip any any

mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
mtu intf6 1500
mtu intf7 1500
ip address outside 10.1.1.130 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip address dmz 192.168.101.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
no ip address intf6
no ip address intf7
ip audit info action alarm
ip audit attack action alarm

pdm history enable
arp timeout 14400
global (outside) 1 10.1.1.150-10.1.1.155
global (outside) 1 10.1.1.156
global (dmz) 1 interface
nat (inside) 1 10.2.2.0 255.255.255.0 0 0
nat (inside) 1 172.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (dmz) 1 192.168.101.0 255.255.255.0 0 0
alias (dmz) 192.168.101.210 192.168.2.10 255.255.255.255
static (inside,dmz) exchange exchange_pvt netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.101.211 192.168.2.11 netmask 255.255.255.255 0 0
static (dmz,outside) mail_relay mail_relay_pvt netmask 255.255.255.255 0 0
static (dmz,outside) webserver webredline netmask 255.255.255.255 0 0
static (dmz,outside) blackboard blackboard_dmz netmask 255.255.255.255 0 0
static (dmz,outside) Dns_Outside Dns_Dmz netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.101.33 192.168.2.34 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.141 192.168.101.16 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.142 192.168.101.15 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.143 192.168.101.14 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.146 192.168.101.250 netmask 255.255.255.255 0 0
static (dmz,outside) intranet_web intranet_vip netmask 255.255.255.255 0 0
static (dmz,outside) rees_out rees_redline netmask 255.255.255.255 0 0
static (inside,outside) cv_outside cv_inside netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.101.212 192.168.2.12 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.101.210 192.168.2.10 netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.10 192.168.101.210 dns netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.11 192.168.101.211 dns netmask 255.255.255.255 0 0
static (dmz,outside) web_outlook redlineOWA netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 10.1.1.129 1
route inside 10.2.2.0 255.255.255.0 192.168.55.254 1
route inside 172.168.1.0 255.255.255.0 192.168.100.3 1
route inside 192.168.0.0 255.255.0.0 192.168.100.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute

http server enable
http 192.168.1.0 255.255.255.0 inside

no snmp-server location
no snmp-server contact
snmp-server community etqm2004pub
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 dmz
ssh 0.0.0.0 0.0.0.0 intf3
ssh 0.0.0.0 0.0.0.0 intf4
ssh 0.0.0.0 0.0.0.0 intf5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:698a1119ea93fc554bbdc34562966503
: end
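As an added example (not code from the thread), a small Python checker for the handful of lines in a PIX 6.x config that decide whether a management host can reach PDM: `http server enable`, the `http <addr> <mask> <ifname>` allow list (a network mask covers every host in it, which is the point made above about 192.168.1.10), and `aaa authentication http console LOCAL`, which switches the login from blank-username/enable-password to a local user. The config excerpt is constructed from lines posted in this thread; it also flags `telnet`/`ssh 0.0.0.0 0.0.0.0` lines, which allow any host on that interface.

```python
"""Check the PIX 6.x lines that control PDM (HTTPS) management access."""
import ipaddress

# Constructed excerpt of the config posted in the thread (PIX 6.3).
SAMPLE_CONFIG = """\
hostname Firewall
ip address inside 192.168.100.1 255.255.255.0
http server enable
http 192.168.1.0 255.255.255.0 inside
aaa authentication http console LOCAL
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""


def parse_mgmt_lines(config):
    """Collect the management-access facts that PDM login depends on."""
    facts = {"http_server": False, "http_allow": [],
             "aaa_http_local": False, "any_mgmt": []}
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:3] == ["http", "server", "enable"]:
            facts["http_server"] = True
        elif parts[0] == "http" and len(parts) == 4:
            # PIX 6.x syntax: http <address> <mask> <interface>
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            facts["http_allow"].append((net, parts[3]))
        elif parts[:5] == ["aaa", "authentication", "http", "console", "LOCAL"]:
            facts["aaa_http_local"] = True
        elif parts[0] in ("telnet", "ssh") and parts[1:3] == ["0.0.0.0", "0.0.0.0"]:
            # 0.0.0.0 0.0.0.0 means "any host" on that interface: worth reviewing
            facts["any_mgmt"].append((parts[0], parts[3]))
    return facts


def pdm_access(config, client_ip, interface):
    """Say whether client_ip arriving on interface may reach PDM, and how it logs in."""
    facts = parse_mgmt_lines(config)
    ip = ipaddress.ip_address(client_ip)
    if not facts["http_server"]:
        return "denied: http server not enabled"
    covered = any(ip in net and ifn == interface
                  for net, ifn in facts["http_allow"])
    if not covered:
        return f"denied: no http line covers {client_ip} on {interface}"
    if facts["aaa_http_local"]:
        login = "local username/password"
    else:
        login = "blank username + enable password"
    return f"allowed: login with {login}"


if __name__ == "__main__":
    print(pdm_access(SAMPLE_CONFIG, "192.168.1.10", "inside"))
    print(pdm_access(SAMPLE_CONFIG, "192.168.2.10", "inside"))
    print("any-host management lines:", parse_mgmt_lines(SAMPLE_CONFIG)["any_mgmt"])
```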
...and the FULL output from these commands?

show version
show http

if no encryption licenses are activated, you may need to download a new one:

A DES (free), or 3DES/AES license is required. PDM only supports encrypted communication.
Registered Cisco.com users can request a DES (free), 3DES/AES activation key from the following URL:
http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324 

New Cisco.com users can complete the form at this URL before requesting a DES (free), 3DES/AES activation key:
http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl 

3DES/AES activation keys are available as part of a feature license upgrade and are not free.

Avatar of zillah

ASKER

PIX# show version

Cisco PIX Firewall Version 6.3(5)

Compiled on Thu 05-Oct-05 21:40 by anyname
PIX up 200 days 10 hours


Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: ethernet0: address is 000a.4525.36ce, irq 10
1: ethernet1: address is 000a.5425.36cf, irq 11
2: ethernet2: address is 000a.45ee.f1a8, irq 11
3: ethernet3: address is 000f.88ff.f1a9, irq 10
4: ethernet4: address is 000a.ccee.f1aa, irq 9

Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 8
Maximum Interfaces:          12
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Failover Only (FO) license.

Serial Number: 814454100 (0x3020e85a)
Running Activation Key: 0x653d44bd 4x0a504571 4x72gg27b0 0xaacdebde
Configuration last modified by enable_15 at 06:02:35.396 UTC Sun Nov 26 2006



PIX# show http
http server enabled
192.168.1.0 255.255.255.0 inside
PIX#
You're getting there, just not past the username login prompt

Try blank username and the enable password - not the word "enable" as the password, rather the same one you use to get into priv mode from the telnet/console.

>VPN-DES:                     Enabled
DES is all you need for http

>This PIX has a Failover Only (FO) license
Could be part of the problem. Is this FW connected to the primary FW?
FO license appliance cannot run in stand-alone mode
Avatar of zillah

ASKER

[cut]
Try blank username and the enable password - not the word "enable" as the password, rather the same one you use to get into priv mode from the telnet/console.
[/cut]
Yes, this is what I did.

[cut]
Could be part of the problem. Is this FW connected to the primary FW?
[/cut]
This is the primary PIX not the secondary one.
Try creating a username/password
firewall(config)#username zillah password MyG00dPa$$word

Add this command to use the local username/password for http access
firewall(config)#aaa authentication http console LOCAL

Now try it with that username/password

If that still does not work, then it may be an issue with IE7 and/or the JRE version that you're using.
If you have access to another PC that still has IE6, try it from there
Avatar of zillah

ASKER

[cut]
If you have access to another PC that still has IE6, try it from there
[/cut]
I could not.

[cut]
Try creating a username/password
[/cut]
I just want to confirm: will that affect the PIX, because it is a production device (online)?

Thanks
This would be non-service affecting
Avatar of zillah

ASKER

This is exactly what I have done :

PIX(config)# username admin password nicecity
PIX(config)# aaa authentication http console LOCAL
PIX(config)# write mem
Building configuration...
Cryptochecksum: af1cd762 d173e435 739993fe 95f835ef

Then I could not access it, either from my PC or from my colleague's PC, which has IE v6 (not 7) and JRE.

Regards
Can you get rid of this line in your ACL?

access-list inside deny ip 192.168.1.0 255.255.255.0 any

It's possible this ACL is blocking access to PDM
Avatar of zillah

ASKER

This is exactly what I have done :

PIX(config)# no access-list inside deny ip 192.168.1.0 255.255.255.0 any
PIX(config)# write mem
Building configuration...
Cryptochecksum: d1cfbc34 aed92170 d7f77458 c2605f08

No progress

Regards

Can you reboot the PIX?
Avatar of zillah

ASKER

[cut]
Can you reboot the PIX?
[/cut]

Unfortunately I can not reboot it
Try re-applying the acl to the interface
>access-group inside in interface inside

This will not affect the service of the PIX at all

Avatar of zillah

ASKER

This is exactly what I have done :

PIX(config)# access-group inside in interface inside
PIX(config)# write mem
Building configuration...
Cryptochecksum: d1aaac34 afg92170 d7888458 c2675f08

No progress

Regards

Avatar of zillah

ASKER

Kindly, are there any other suggestions?

Regards

One more suggestion - remove the access-list from the inside interface and try again:
  no access-group inside in interface inside

Does it make any difference?

It should not make any difference if you are actually getting a username/password login prompt from the PIX FW

Are you sure this FO unit is still primary? Can you show the result of "show failover"?

Avatar of zillah

ASKER

[cut]
Are you sure this FO unit is still primary? Can you sho result of "show failover"
[/cut]
This is what I was told (the IP address that I am using) when I joined them, but I am not sure.

I am not at work right now, but maybe you are right. I will check that and let you know as soon as possible.

Warm regards
Avatar of zillah

ASKER

[cut]Are you sure this FO unit is still primary?[/cut]
Output :

PIX# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 00:53:35 UTC Sat Nov 11 2006
        This host: Secondary - Active
                Active time: 4705650 (sec)
                Interface outside (10.1.1.130): Normal (Waiting)
                Interface inside (192.168.100.1): Normal
!
!
!
        Other host: Primary - Standby
                Active time: 15838095 (sec)
                Interface outside (192.168.105.2): Normal (Waiting)
                Interface inside (192.168.100.2): Normal
Avatar of zillah

ASKER

Do I need to repeat same steps on primary firewall ?
No, since this host is Active it is the Primary.

Try accessing the Primary PIX with the PDM - https://192.168.100.2/pdm.html

Avatar of zillah

ASKER

Could you please check my other thread (related to username that we had created here) because it is related to this thread

https://www.experts-exchange.com/questions/22075944/PIX-add-username-and-remove.html

Avatar of zillah

ASKER

Do I need to add the below to 192.168.100.2 as well?

Try creating a username/password
firewall(config)#username zillah password MyG00dPa$$word

Add this command to use the local username/password for http access
firewall(config)#aaa authentication http console LOCAL
No. Only make changes to the Active PIX, then "write standby" from the Active PIX. This synchronizes the configs. Then try accessing the standby PIX.
Avatar of zillah

ASKER

I just checked the failover (show failover) again and I found the output is different from the previous post:

Previously it was:  This host: Secondary - Active
Now:                This host: Primary - Active

Is this normal ?


PIX# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 02:46:02 UTC Mon Oct 4 1993
        This host: Primary - Active
                Active time: 15931095 (sec)
                Interface outside (10.1.1.130): Normal (Waiting)
                Interface inside (192.168.100.1): Normal
               

        Other host: Secondary - Standby
                Active time: 4761990 (sec)
                Interface outside (192.168.105.2): Normal (Waiting)
                Interface inside (192.168.100.2): Normal
               
Stateful Failover Logical Update Statistics
        Link : Unconfigured.

PIX#
If you mean is it normal for them to flop back and forth between active and standby - no, it is not normal. Some event must take place to cause the failover in the first place, and it needs to be investigated.

Try accessing each one and see if you can get one but not the other. It may be a corrupted PDM on the standby unit. Sometimes we forget that when we update the primary PDM we don't also update the secondary's PDM at the same time
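As an added example (not code from the thread), a Python parser for the PIX 6.x `show failover` output posted above. It reports which unit is Active (the one that should receive config changes before `write standby`) and flags a change in the `This host` role between two captures, which is the unexpected flip the reply above says should be investigated. The two captures are constructed to mirror the outputs in this thread.

```python
"""Parse PIX 6.x 'show failover' output and flag a role change between captures."""
import re

# Constructed captures, reduced to the lines the parser uses.
CAPTURE_1 = """\
Failover On
Cable status: Normal
        This host: Secondary - Active
                Interface outside (10.1.1.130): Normal (Waiting)
                Interface inside (192.168.100.1): Normal
        Other host: Primary - Standby
                Interface outside (192.168.105.2): Normal (Waiting)
                Interface inside (192.168.100.2): Normal
"""

CAPTURE_2 = """\
Failover On
Cable status: Normal
        This host: Primary - Active
                Interface outside (10.1.1.130): Normal (Waiting)
                Interface inside (192.168.100.1): Normal
        Other host: Secondary - Standby
                Interface outside (192.168.105.2): Normal (Waiting)
                Interface inside (192.168.100.2): Normal
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(Active|Standby)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (\S+)")


def parse_failover(text):
    """Return {'this': {...}, 'other': {...}} with role, state and interface IPs."""
    units, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).lower()
            units[current] = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            # interface name -> (address, status)
            units[current]["interfaces"][m.group(1)] = (m.group(2), m.group(3))
    return units


def active_unit(text):
    """(role, inside address) of the Active unit; that is where changes are made."""
    for unit in parse_failover(text).values():
        if unit["state"] == "Active":
            return unit["role"], unit["interfaces"].get("inside", (None, None))[0]
    return None


def role_flipped(earlier, later):
    """True when 'This host' reports a different role in the later capture."""
    return parse_failover(earlier)["this"]["role"] != parse_failover(later)["this"]["role"]


if __name__ == "__main__":
    print("active now:", active_unit(CAPTURE_2))
    print("role changed between captures:", role_flipped(CAPTURE_1, CAPTURE_2))
```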
Avatar of zillah

ASKER

[cut]
Try accessing each one and see if you can get one but not the other.
[/cut]
I am not quite sure what you meant. Do you mean:
[cut]
Only make changes to the Active PIX, then "write standby" from the Active PIX. This synchronizes the configs. Then try accessing the standby PIX.
[/cut]
Avatar of zillah

ASKER

On 192.168.100.1

PIX# config ter
PIX(config)# username nice password class
PIX(config)# aaa authentication http console LOCAL
PIX(config)# write mem
Building configuration...
Cryptochecksum: 5eb44a1f 320f650e 4328bf55 eb467d55
[OK]
PIX(config)# write standby          (to be written to 192.168.100.2, as you have explained)
Building configuration...
[OK]
PIX(config)# Sync Started
..
Sync Completed

Then, at https://192.168.100.2/pdm.html, I was able to see the message below:

(link removed)

Shall I click run on the warning message (Hostname mismatch) in the link above ?

Yes! Just say yes!
Try accessing each one and see if you can get one but not the other.
For example, do you get different results from

https://192.168.100.1/pdm.html
https://192.168.100.2/pdm.html

Or can you now access them both?
I note that each PIX is connected to a different external subnet (10.1.1.130 and 192.168.105.2).  Furthermore, your second PIX has both interfaces on potentially the same subnet.
What are you trying to do with these PIXies?  It's evidently more than just plain redundancy?

Avatar of zillah

ASKER

[cut]
I note you that each PIX is connected to a different external subnet (10.1.1.130 and 192.168.105.2).  Furthermore, your second PIX has both interfaces on potentially the same subnet.
[/cut]
I have not configured the PIXies, the configurations were there, let me check them and I will let you know
Is PDM working now?
Avatar of zillah

ASKER

[cut]
Is PDM working now?
[/cut]
I am not at work right now, but the link that I posted is a good indicator that it should work (I hope so).
Avatar of zillah

ASKER

I was able to access the primary one (192.168.100.1).

But not 192.168.100.2. This is the message that I received:
http://img179.imageshack.us/img179/2788/secondpixpv6.jpg

Regards
SOLUTION
Avatar of Tim Holman
Tim Holman
ASKER CERTIFIED SOLUTION
Avatar of zillah

ASKER

For primary

PIX#  show version

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by mrlaa

[cut]
<== does not show PDM
[/cut]
For secondary

PIX# show version

Cisco PIX Firewall Version 6.3(5)
Compiled on Thu 04-Aug-05 21:40 by mrlaa
<==== Yes, you are right lrmoore, it is missing

[cut]
It would not hurt to re-install the PDM files onto the secondary PIX.
[/cut]
Is there any precaution I have to take into consideration in order not to affect the PIXes' configurations?

Regards
No. Loading the PDM has no effect on running configurations.

copy tftp://1.2.3.4/pdm-304.bin flash:pdm

where 1.2.3.4 = your local tftp server
Avatar of zillah

ASKER

I am grateful to you lrmoore and to you tim.

If there were a possibility to increase the points to more than 500 (I had already increased from 250 to 500), I would do it, but unfortunately there is not.

Warm regards for your time and efforts.

Thanks
Avatar of zillah

ASKER

Can I upload pdm-304.bin from the primary PIX to the local tftp, and then copy the same bin from the local tftp to the secondary PIX?
Thanks
No. You cannot upload files from PIX's, only to them. It's not just one file, it is a whole directory structure that is created when you install the PDM from the single file.
Avatar of zillah

ASKER

I see,
In this case, I have to search for where the PDM.bin file is.

Regards