Solved

PIX 525 and accessing PDM within LAN

Posted on 2006-11-26
3,419 Views
Last Modified: 2013-11-16
Referring to my previous post

http://www.experts-exchange.com/Security/Firewalls/Q_22049674.html

I still cannot access the PDM on the PIX 525 at work, although I think I have applied all the instructions in the link above.

Regards
Question by:zillah

69 Comments

LVL 23

Expert Comment

by:Tim Holman
(C) Cisco -

PDM has the following system requirements:

PDM Version 2.1 is available on all PIX 501, PIX 506/506E, PIX 515/515E, PIX 520, PIX 525, and PIX 535 platforms that are running PIX Firewall software Version 6.2. PDM Version 2.1 requires PIX Firewall software Version 6.2. If you are using PIX Firewall software Version 6.0 or 6.1, use PDM Version 1.1. For instructions on installing PDM Version 1.1, please refer to the Cisco PIX Device Manager Installation Guide, Version 1.1, at the following website:


http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_11/pdmig/index.htm

Author Comment

by:zillah
Thanks for this feedback, but the output of the command below tells me that PDM is already installed. Am I right?

show version
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

LVL 23

Expert Comment

by:Tim Holman


Author Comment

by:zillah
[cut]
...and you've done the 'setup' thing?
[/cut]

I did not configure the PIX; the configuration was already there. I went through the link that you posted, and the only thing that I could not find is:

pdm location 192.168.1.10 255.255.255.0 inside
(The IP address is my PC's IP address, from which I want to access the PIX.)

Do I need to add this?

There were many configuration lines like:
pdm location 192.168.x.x 255.255.255.0 inside

LVL 23

Expert Comment

by:Tim Holman
Don't worry about those lines - these are just placeholders that PDM uses, so it's evident that PDM has already been set up and used on this machine at some point.
Perhaps you could post up your configuration - maybe there's an ACL in there that's preventing your access?

Author Comment

by:zillah
[cut]
Perhaps you could post up your configuration -
[/cut]
The whole configuration (because it is quite lengthy), or only the part which has the access-lists?

LVL 23

Expert Comment

by:Tim Holman
Just put up the whole lot (take out your password hashes and DNS names) - I'll work it out...  :)
You can leave out the 'pdm location' lines if you like.

LVL 79

Expert Comment

by:lrmoore
Do you have any lines like this?

http x.x.x.x 255.255.255.0 inside

In order for you to access the PDM, your IP address has to be "allowed", i.e.

http 192.168.1.10 255.255.255.255 inside



LVL 79

Expert Comment

by:lrmoore
tim_holman - WELCOME BACK! Seems like you took a little vacation away from E-E?
Good to see you back around!

LVL 23

Expert Comment

by:Tim Holman
Looks like I've got some catching up to do...  ;)

LVL 79

Expert Comment

by:lrmoore
Just a little .... <8-}

Author Comment

by:zillah
[cut]
In order for you to access the PDM, your IP address has to be "allowed", i.e.

http 192.168.1.10 255.255.255.255 inside
[/cut]
I already have this one allowed:
http 192.168.1.0 255.255.255.0 inside

Do I need to allow my IP address (192.168.1.10) as well?

LVL 79

Expert Comment

by:lrmoore
No, the mask includes your IP address.
Do you have this in your config?
  http server enable

Do you have the Java JRE installed on your PC?

And you are accessing it with https://192.168.1.1/pdm.html
 


Author Comment

by:zillah
[cut]
Do you have this in your config?
http server enable
[/cut]
Yes

[cut]
Do you have the Java JRE installed on your PC?
[/cut]
Yes

LVL 79

Expert Comment

by:lrmoore
Do you get any result at all when you try to connect? Do you have popups disabled on your browser? Do you get a security alert popup? Do you get a username/login prompt? Or do you just get a page not found error?

Author Comment

by:zillah
I am getting the error below; kindly see the link:

(link deleted by request from the user)


LVL 79

Expert Comment

by:lrmoore
OK, if you click on "Continue to this Website (not recommended)"
What happens then?

Do you have another PC that does not have IE7 installed on it?
What version of the Java Runtime do you have? The version that you have may not be compatible with IE7.


Author Comment

by:zillah
[cut]
OK, if you click on "Continue to this Website (not recommended)"
What happens then?
[/cut]

Thanks lrmoore. When I clicked "Continue to this Website (not recommended)", a screen popped up asking me for a username and password, but I do not know what they are (since I had not configured them). Is there a way to find out what they are from the telnet command line, or do I have to reset them, because they are encrypted?

Regards

LVL 79

Expert Comment

by:lrmoore
First try blank username/blank password (default)
Else, use "enable" as username and the enable password

Author Comment

by:zillah
[cut]
First try blank username/blank password (default)
[/cut]
No it did not work.

[cut]
Else, use "enable" as username and the enable password
[/cut]
It didn't work as well.

LVL 79

Expert Comment

by:lrmoore
blank username, enable password...

Author Comment

by:zillah
[cut]
blank username, enable password...
[/cut]
I tried a blank username and the word "enable" in the password field, without any success.

LVL 23

Expert Comment

by:Tim Holman
Do not enter a username.  If you have an enable password, enter it.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/pdm_ig/pdm_inst.htm#xtocid2

I'm assuming you DO have the enable password, right?  Via telnet, can you log in to the PIX and type 'enable', and does the enable password work?

Author Comment

by:zillah
[quote]
I'm assuming you DO have the enable password, right?
[/quote]
Yes, I do have one, and I use it to enter privileged mode when I telnet to the PIX.

[quote]
Via telnet can you login to the PIX and type 'enable', and does the enable password work?
[/quote]
Yes it does work

Please see the steps that I have tried:

http://img138.imageshack.us/img138/4448/pdmandstepstoaccessitca9.jpg

Regards

Author Comment

by:zillah
I forgot to mention that the option in the second screenshot, "Go to 192.168.100.1 and look for the information you want", does nothing.

LVL 23

Expert Comment

by:Tim Holman
When you do 'show version', are any encryption licenses activated?  Follow the steps here to activate one if not:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdm_ig/pdm30ch2.htm#1035740

Otherwise, could you post up the whole config please?  This will be the easiest and quickest way of seeing what's up.

Author Comment

by:zillah
[cut]
Otherwise, could you post up the whole config please?  This will be the easiest and quickest way of seeing what's up.
[/cut]

I have deleted:

1- the pdm location lines

2- the access-list outside (not inside) permit ip lines



PIX Version 6.3(5)

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
interface ethernet6 auto shutdown
interface ethernet7 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
nameif ethernet6 intf6 security12
nameif ethernet7 intf7 security14
enable password ASM111/AREf60fAH encrypted
passwd lHANYDOGSBBoZj encrypted

hostname Firewall

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

 
access-list inside permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list inside permit ip 192.168.4.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq 2186
access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq 2187
access-list inside deny ip 192.168.1.0 255.255.255.0 any
access-list inside deny ip 192.168.4.0 255.255.255.0 any
access-list inside permit tcp host 192.168.1.1 any
access-list inside permit tcp host 192.168.1.2 any
access-list inside permit tcp host 192.168.1.3 any
access-list inside permit tcp host 192.168.1.15 any
access-list inside permit tcp host 192.168.1.100 any
access-list inside permit tcp host 192.168.100.1 any
access-list inside permit tcp host 192.168.100.2 any
access-list inside permit tcp host 192.168.100.3 any
access-list inside permit tcp host 192.168.2.11 any
access-list inside permit tcp host 192.168.2.10 any
access-list inside permit tcp 192.168.0.0 255.255.0.0 any eq www
access-list inside permit tcp 192.168.0.0 255.255.0.0 any eq 8080
access-list inside permit tcp 192.168.0.0 255.255.0.0 any eq domain
access-list inside permit tcp any 192.168.101.0 255.255.255.0
access-list inside permit ip any any

mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
mtu intf6 1500
mtu intf7 1500
ip address outside 10.1.1.130 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip address dmz 192.168.101.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
no ip address intf6
no ip address intf7
ip audit info action alarm
ip audit attack action alarm

pdm history enable
arp timeout 14400
global (outside) 1 10.1.1.150-10.1.1.155
global (outside) 1 10.1.1.156
global (dmz) 1 interface
nat (inside) 1 10.2.2.0 255.255.255.0 0 0
nat (inside) 1 172.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (dmz) 1 192.168.101.0 255.255.255.0 0 0
alias (dmz) 192.168.101.210 192.168.2.10 255.255.255.255
static (inside,dmz) exchange exchange_pvt netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.101.211 192.168.2.11 netmask 255.255.255.255 0 0
static (dmz,outside) mail_relay mail_relay_pvt netmask 255.255.255.255 0 0
static (dmz,outside) webserver webredline netmask 255.255.255.255 0 0
static (dmz,outside) blackboard blackboard_dmz netmask 255.255.255.255 0 0
static (dmz,outside) Dns_Outside Dns_Dmz netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.101.33 192.168.2.34 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.141 192.168.101.16 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.142 192.168.101.15 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.143 192.168.101.14 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.146 192.168.101.250 netmask 255.255.255.255 0 0
static (dmz,outside) intranet_web intranet_vip netmask 255.255.255.255 0 0
static (dmz,outside) rees_out rees_redline netmask 255.255.255.255 0 0
static (inside,outside) cv_outside cv_inside netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.101.212 192.168.2.12 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.101.210 192.168.2.10 netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.10 192.168.101.210 dns netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.11 192.168.101.211 dns netmask 255.255.255.255 0 0
static (dmz,outside) web_outlook redlineOWA netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 10.1.1.129 1
route inside 10.2.2.0 255.255.255.0 192.168.55.254 1
route inside 172.168.1.0 255.255.255.0 192.168.100.3 1
route inside 192.168.0.0 255.255.0.0 192.168.100.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute

http server enable
http 192.168.1.0 255.255.255.0 inside

no snmp-server location
no snmp-server contact
snmp-server community etqm2004pub
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 dmz
ssh 0.0.0.0 0.0.0.0 intf3
ssh 0.0.0.0 0.0.0.0 intf4
ssh 0.0.0.0 0.0.0.0 intf5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:698a1119ea93fc554bbdc34562966503
: end
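lrmoore's point earlier in the thread (the client address has to fall inside an "http <address> <mask> <interface>" entry, and a /24 entry already covers 192.168.1.10) and the configuration just posted both come down to reading the PIX's management-plane lines. The following is an added example, not code from this thread or from Cisco: it parses those lines with Python's ipaddress module, answers the "is my PC allowed?" question exactly, and flags the settings a reviewer would want tightened in a config like the one above (telnet and ssh accepting 0.0.0.0 0.0.0.0, ssh reachable on the outside interface, an SNMP community string in the config). The sample config is a constructed excerpt modelled on the posted one, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the management-plane lines of a PIX 6.3 configuration,
# modelled on the config posted in this thread (the rest of that config is
# not needed for this check).
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server community etqm2004pub
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 dmz
ssh timeout 5
"""

# "<http|telnet|ssh> <address> <netmask> <interface>" allow entries; the
# "timeout" and "server enable" forms deliberately do not match this pattern.
_ALLOW = re.compile(
    r"^(http|telnet|ssh)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$"
)


def parse_mgmt(config):
    """Collect the management-plane settings from a PIX 6.x running-config.

    Returns {"http_enabled": bool, "allow": [(proto, network, ifname), ...],
    "snmp_communities": [str, ...]}.  Each address/mask pair becomes an
    ipaddress network so that membership tests are exact.
    """
    out = {"http_enabled": False, "allow": [], "snmp_communities": []}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "http server enable":
            out["http_enabled"] = True
            continue
        if line.startswith("snmp-server community "):
            out["snmp_communities"].append(line.split(None, 2)[2])
            continue
        m = _ALLOW.match(line)
        if m:
            proto, addr, mask, ifname = m.groups()
            # ipaddress accepts a dotted netmask after the slash
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            out["allow"].append((proto, net, ifname))
    return out


def is_allowed(mgmt, proto, client_ip, ifname):
    """True if client_ip may reach <proto> on the PIX via interface ifname.

    For http this also requires "http server enable".  A /24 entry covers
    every host in that subnet, so a separate /32 for one PC is not needed.
    """
    if proto == "http" and not mgmt["http_enabled"]:
        return False
    ip = ipaddress.ip_address(client_ip)
    return any(p == proto and i == ifname and ip in net
               for p, net, i in mgmt["allow"])


def audit_mgmt(mgmt):
    """Flag management-plane settings a reviewer would want tightened.

    Returns (code, detail) tuples in the order the issues are found.
    """
    findings = []
    if not mgmt["http_enabled"]:
        findings.append(("HTTP_DISABLED", "PDM needs 'http server enable'"))
    for proto, net, ifname in mgmt["allow"]:
        if net.prefixlen == 0:
            findings.append(("ANY_SOURCE",
                             f"{proto} accepts any source address on {ifname}"))
        if ifname == "outside":
            findings.append(("OUTSIDE_MGMT",
                             f"{proto} management is reachable on the outside interface"))
        if proto == "telnet":
            findings.append(("CLEARTEXT_TELNET",
                             f"telnet (cleartext credentials) enabled on {ifname}"))
    for community in mgmt["snmp_communities"]:
        findings.append(("SNMP_COMMUNITY",
                         f"SNMP v1/v2c community '{community}' is a cleartext shared secret"))
    return findings


if __name__ == "__main__":
    mgmt = parse_mgmt(SAMPLE_CONFIG)
    print("192.168.1.10 -> https on inside:",
          is_allowed(mgmt, "http", "192.168.1.10", "inside"))
    print("192.168.100.5 -> https on inside:",
          is_allowed(mgmt, "http", "192.168.100.5", "inside"))
    for code, detail in audit_mgmt(mgmt):
        print(f"{code:24} {detail}")
```

Run against the sample, the first check returns True (so the "http" line is not what keeps PDM out in this thread) and the audit reports four ANY_SOURCE entries, one OUTSIDE_MGMT, one CLEARTEXT_TELNET and one SNMP_COMMUNITY. The fix for each is the narrower form of the same command, for example "ssh 192.168.1.0 255.255.255.0 inside" with the outside and dmz ssh lines removed.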

LVL 23

Expert Comment

by:Tim Holman
...and the FULL output from these commands?

show version
show http

If no encryption licenses are activated, you may need to download a new one:

A DES (free), or 3DES/AES license is required. PDM only supports encrypted communication.
Registered Cisco.com users can request a DES (free), 3DES/AES activation key from the following URL:
http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324

New Cisco.com users can complete the form at this URL before requesting a DES (free), 3DES/AES activation key:
http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl

3DES/AES activation keys are available as part of a feature license upgrade and are not free.


Author Comment

by:zillah
PIX# show version

Cisco PIX Firewall Version 6.3(5)

Compiled on Thu 05-Oct-05 21:40 by anyname
PIX up 200 days 10 hours


Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: ethernet0: address is 000a.4525.36ce, irq 10
1: ethernet1: address is 000a.5425.36cf, irq 11
2: ethernet2: address is 000a.45ee.f1a8, irq 11
3: ethernet3: address is 000f.88ff.f1a9, irq 10
4: ethernet4: address is 000a.ccee.f1aa, irq 9

Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 8
Maximum Interfaces:          12
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Failover Only (FO) license.

Serial Number: 814454100 (0x3020e85a)
Running Activation Key: 0x653d44bd 4x0a504571 4x72gg27b0 0xaacdebde
Configuration last modified by enable_15 at 06:02:35.396 UTC Sun Nov 26 2006



PIX# show http
http server enabled
192.168.1.0 255.255.255.0 inside
PIX#

LVL 79

Expert Comment

by:lrmoore
You're getting there, just not past the username login prompt

Try blank username and the enable password - not the word "enable" as the password, rather the same one you use to get into priv mode from the telnet/console.

>VPN-DES:                     Enabled
DES is all you need for http

>This PIX has a Failover Only (FO) license
Could be part of the problem. Is this FW connected to the primary FW?
An FO-licensed appliance cannot run in stand-alone mode.

Author Comment

by:zillah
[cut]
Try blank username and the enable password - not the word "enable" as the password, rather the same one you use to get into priv mode from the telnet/console.
[/cut]
Yes, this is what i did.

[cut]
Could be part of the problem. Is this FW connected to the primary FW?
[/cut]
This is the primary PIX not the secondary one.

LVL 79

Expert Comment

by:lrmoore
Try creating a username/password
firewall(config)#username zillah password MyG00dPa$$word

Add this command to use the local username/password for http access
firewall(config)#aaa authentication http console LOCAL

Now try it with that username/password

If that still does not work, then it may be an issue with IE7 and/or the JRE version that you're using.
If you have access to another PC that still has IE6, try it from there

Author Comment

by:zillah
[cut]
If you have access to another PC that still has IE6, try it from there
[/cut]
I could not.

[cut]
Try creating a username/password
[/cut]
I just want to confirm: will that affect the PIX, because it is a production device (online)?

Thanks

LVL 23

Expert Comment

by:Tim Holman
This would be non-service affecting

Author Comment

by:zillah
This is exactly what I have done :

PIX(config)# username admin password nicecity
PIX(config)# aaa authentication http console LOCAL
PIX(config)# write mem
Building configuration...
Cryptochecksum: af1cd762 d173e435 739993fe 95f835ef

Then I could not access it either from my PC or from my colleague's PC, which has IE 6 (not 7) and the JRE.

Regards

LVL 23

Expert Comment

by:Tim Holman
Can you get rid of this line in your ACL?

access-list inside deny ip 192.168.1.0 255.255.255.0 any

It's possible this ACL is blocking access to PDM

Author Comment

by:zillah
This is exactly what I have done :

PIX(config)# no access-list inside deny ip 192.168.1.0 255.255.255.0 any
PIX(config)# write mem
Building configuration...
Cryptochecksum: d1cfbc34 aed92170 d7f77458 c2605f08

No progress

Regards


LVL 23

Expert Comment

by:Tim Holman
Can you reboot the PIX?

Author Comment

by:zillah
[cut]
Can you reboot the PIX?
[/cut]

Unfortunately I can not reboot it

LVL 79

Expert Comment

by:lrmoore
Try re-applying the acl to the interface
>access-group inside in interface inside

This will not affect the service of the PIX at all


Author Comment

by:zillah
This is exactly what I have done :

PIX(config)# access-group inside in interface inside
PIX(config)# write mem
Building configuration...
Cryptochecksum: d1aaac34 afg92170 d7888458 c2675f08

No progress

Regards


Author Comment

by:zillah
Kindly, are there any other suggestions?

Regards

LVL 79

Expert Comment

by:lrmoore

One more suggestion - remove the access-list from the inside interface and try again:
  no access-group inside in interface inside

Does it make any difference?

It should not make any difference if you are actually getting a username/password login prompt from the PIX FW

Are you sure this FO unit is still primary? Can you show the result of "show failover"?


Author Comment

by:zillah
[cut]
Are you sure this FO unit is still primary? Can you sho result of "show failover"
[/cut]
This is what I was told (the IP address that I am using) when I joined them, but I am not sure.

I am not at work right now, but maybe you are right. I will check that and let you know as soon as possible.

Warm regards

Author Comment

by:zillah
[cut]Are you sure this FO unit is still primary?[/cut]
Output :

PIX# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 00:53:35 UTC Sat Nov 11 2006
        This host: Secondary - Active
                Active time: 4705650 (sec)
                Interface outside (10.1.1.130): Normal (Waiting)
                Interface inside (192.168.100.1): Normal
!
!
!
        Other host: Primary - Standby
                Active time: 15838095 (sec)
                Interface outside (192.168.105.2): Normal (Waiting)
                Interface inside (192.168.100.2): Normal

Author Comment

by:zillah
Do I need to repeat same steps on primary firewall ?

LVL 79

Expert Comment

by:lrmoore
No, since this host is Active it is the Primary.

Try accessing the Primary PIX with the PDM - https://192.168.100.2/pdm.html


Author Comment

by:zillah
Could you please check my other thread (related to username that we had created here) because it is related to this thread

http://www.experts-exchange.com/Security/Q_22075944.html


Author Comment

by:zillah
Do I need to add the below to 192.168.100.2 as well?

Try creating a username/password
firewall(config)#username zillah password MyG00dPa$$word

Add this command to use the local username/password for http access
firewall(config)#aaa authentication http console LOCAL

LVL 79

Expert Comment

by:lrmoore
No. Only make changes to the Active PIX, then "write standby" from the Active PIX. This synchronizes the configs. Then try accessing the standby PIX.

Author Comment

by:zillah
I just checked the failover (show failover) again and I found the output is different from the previous post:

in previous it was : This host: Secondary - Active  
Now :                    This host: Primary - Active

Is this normal ?


PIX# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 02:46:02 UTC Mon Oct 4 1993
        This host: Primary - Active
                Active time: 15931095 (sec)
                Interface outside (10.1.1.130): Normal (Waiting)
                Interface inside (192.168.100.1): Normal
               

        Other host: Secondary - Standby
                Active time: 4761990 (sec)
                Interface outside (192.168.105.2): Normal (Waiting)
                Interface inside (192.168.100.2): Normal
               
Stateful Failover Logical Update Statistics
        Link : Unconfigured.

PIX#

LVL 79

Expert Comment

by:lrmoore
If you mean is it normal for them to flop back and forth between active and standby: no, it is not normal. Some event must take place to cause the failover in the first place, and it needs to be investigated.

Try accessing each one and see if you can get one but not the other. It may be a corrupted PDM on the standby unit. Sometimes we forget that when we update the primary PDM we don't also update the secondary's PDM at the same time

Author Comment

by:zillah
[cut]
Try accessing each one and see if you can get one but not the other.
[/cut]
I am not quite sure what you meant. Do you mean:
[cut]
Only make changes to the Active PIX, then "write standby" from the Active pix. This syncronizes the configs. Then try accessing the standby pix
[/cut]

Author Comment

by:zillah
On 192.168.100.1

PIX# config ter
PIX(config)# username nice password class
PIX(config)# aaa authentication http console LOCAL
PIX(config)# write mem
Building configuration...
Cryptochecksum: 5eb44a1f 320f650e 4328bf55 eb467d55
[OK]
PIX(config)# write standby     <== to be written to 192.168.100.2, as you explained
Building configuration...
[OK]
PIX(config)# Sync Started
..
Sync Completed

Then at https://192.168.100.2/pdm.html I was able to see the message below:

(link removed)

Shall I click run on the warning message (Hostname mismatch) in the link above ?


LVL 79

Expert Comment

by:lrmoore
Yes! Just say yes!

LVL 79

Expert Comment

by:lrmoore
Try accessing each one and see if you can get one but not the other.
For example, do you get different results from

https://192.168.100.1/pdm.html
https://192.168.100.2/pdm.html

Or can you now access them both?

LVL 23

Expert Comment

by:Tim Holman
I note that each PIX is connected to a different external subnet (10.1.1.130 and 192.168.105.2).  Furthermore, your second PIX has both interfaces on potentially the same subnet.
What are you trying to do with these PIXies?  It's evidently more than just plain redundancy?


Author Comment

by:zillah
[cut]
I note you that each PIX is connected to a different external subnet (10.1.1.130 and 192.168.105.2).  Furthermore, your second PIX has both interfaces on potentially the same subnet.
[/cut]
I did not configure the PIXies; the configurations were already there. Let me check them and I will let you know.

LVL 23

Expert Comment

by:Tim Holman
Is PDM working now?

Author Comment

by:zillah
[cut]
Is PDM working now?
[/cut]
I am not at work right now, but the link that I posted is a good indicator that it should work (I hope so).

Author Comment

by:zillah
I was able to access the primary one (192.168.100.1).

But not 192.168.100.2. This is the message that I received:
http://img179.imageshack.us/img179/2788/secondpixpv6.jpg

Regards

LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 100 total points
...which is fine.  You can only access PDM on your primary unit.  In the event of failover, the IP addresses would swap around.

However, your failover doesn't appear to be working properly as you've two interfaces in (waiting) state, rather than just 'normal', which is what it should be.  The two interfaces need to be on the same VLAN/hub/switch, which I think they may not be as they have different IP addresses.

http://www.cisco.com/warp/public/110/failover.html

I would get this setup properly, just in case you have a genuine failover event
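Tim's reading of the show failover output above (both units' outside interfaces in Waiting, with different addresses on the two outside interfaces) and lrmoore's earlier point that a unit flipping between "Secondary - Active" and "Primary - Active" means a failover event occurred can be checked mechanically. The following is an added example, not code from this thread or from Cisco: it parses the show failover output zillah posted (reproduced as the sample with the redacted "!" lines dropped and the stateful-link block from the second paste appended), returns the role and state of each unit, and lists the anomalies worth investigating. Function names are my own.

```python
import re

# Sample input: the "show failover" output posted earlier in this thread,
# with the redacted "!" lines dropped and the stateful-link block from the
# second paste appended, so the parser can be run offline.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 00:53:35 UTC Sat Nov 11 2006
        This host: Secondary - Active
                Active time: 4705650 (sec)
                Interface outside (10.1.1.130): Normal (Waiting)
                Interface inside (192.168.100.1): Normal
        Other host: Primary - Standby
                Active time: 15838095 (sec)
                Interface outside (192.168.105.2): Normal (Waiting)
                Interface inside (192.168.100.2): Normal
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

_HOST = re.compile(r"^(This|Other) host:\s+(Primary|Secondary)\s+-\s+(\w+)")
_IFACE = re.compile(r"^Interface (\S+) \(([\d.]+)\):\s+(\w+)(?:\s+\((\w+)\))?")
_LINK = re.compile(r"^Link\s*:\s*(\w+)")


def parse_show_failover(text):
    """Turn PIX 6.x 'show failover' output into a dict: on/off, cable status,
    last failover time, and for this/other host the role, state and the
    per-interface status (including whether it is still Waiting)."""
    info = {"failover_on": None, "cable": None, "last_failover": None,
            "this": None, "other": None, "stateful_link": None}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover "):
            info["failover_on"] = line.split()[1] == "On"
            continue
        if line.startswith("Cable status:"):
            info["cable"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Last Failover at:"):
            info["last_failover"] = line.split(":", 1)[1].strip()
            continue
        m = _HOST.match(line)
        if m:
            key = "this" if m.group(1) == "This" else "other"
            current = info[key] = {"role": m.group(2), "state": m.group(3),
                                   "interfaces": {}}
            continue
        m = _IFACE.match(line)
        if m and current is not None:
            name, ip, status, extra = m.groups()
            current["interfaces"][name] = {"ip": ip, "status": status,
                                           "waiting": extra == "Waiting"}
            continue
        m = _LINK.match(line)
        if m:
            info["stateful_link"] = m.group(1)
    return info


def audit_failover(info):
    """Return (code, detail) findings for the conditions discussed above."""
    findings = []
    if info["failover_on"] is False:
        findings.append(("FAILOVER_OFF", "failover is not enabled on this unit"))
    this, other = info["this"], info["other"]
    if this and this["role"] == "Secondary" and this["state"] == "Active":
        findings.append(("SECONDARY_ACTIVE",
                         f"the secondary unit is active (last failover {info['last_failover']}); "
                         "something caused a failover and it should be investigated"))
    for label, host, peer in (("this", this, other), ("other", other, this)):
        if not host:
            continue
        for name, iface in host["interfaces"].items():
            peer_ip = peer["interfaces"].get(name, {}).get("ip", "?") if peer else "?"
            if iface["waiting"]:
                # Waiting means this unit has not heard the peer's hellos on
                # that interface: the two units are not on a shared segment.
                findings.append(("INTERFACE_WAITING",
                                 f"{label} host {name} ({iface['ip']}) is Waiting, peer {name} "
                                 f"is {peer_ip}: the units do not see each other on that segment"))
            elif iface["status"] != "Normal":
                findings.append(("INTERFACE_NOT_NORMAL",
                                 f"{label} host {name} ({iface['ip']}) is {iface['status']}"))
    if (info["stateful_link"] or "").lower() == "unconfigured":
        findings.append(("STATEFUL_LINK_UNCONFIGURED",
                         "no stateful failover link, so existing connections are dropped on failover"))
    return findings


if __name__ == "__main__":
    info = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    print("this:", info["this"]["role"], info["this"]["state"],
          "| other:", info["other"]["role"], info["other"]["state"])
    for code, detail in audit_failover(info):
        print(f"{code:27} {detail}")
```

On the sample this yields SECONDARY_ACTIVE, two INTERFACE_WAITING findings (outside on both units, 10.1.1.130 against 192.168.105.2) and STATEFUL_LINK_UNCONFIGURED; the inside interfaces, which share 192.168.100.0/24, come back clean, which matches where PDM eventually worked.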

LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 400 total points
Actually.... you should be able to access them both any time.
As I said previously, we sometimes forget to update the PDM on the secondary when upgrading the primary.
It would not hurt to re-install the PDM files onto the secondary PIX.

Do a show ver on the primary

PIX# show version
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

And on secondary
PIX# show version
Cisco PIX Firewall Version 6.3(5)
                                              <== does not show PDM

Author Comment

by:zillah
For primary

PIX#  show version

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by mrlaa

[cut]
<== does not show PDM
[/cut]
For secondary

PIX# show version

Cisco PIX Firewall Version 6.3(5)
Compiled on Thu 04-Aug-05 21:40 by mrlaa
<==== Yes, you are right lrmoore, it is missing

[cut]
It would not hurt to re-install the PDM files onto the secondary PIX.
[/cut]
Are there any precautions I have to take into consideration in order not to affect the PIXes' configurations?

Regards

LVL 79

Expert Comment

by:lrmoore
No. Loading the PDM has no effect on running configurations.

copy tftp://1.2.3.4/pdm-304.bin flash:pdm

where 1.2.3.4 = your local tftp server

Author Comment

by:zillah
I am grateful to you, lrmoore, and to you, Tim.

If there were a possibility to increase the points beyond 500 (I had already increased them from 250 to 500), I would do it, but unfortunately there is not.

Warm regards for your time and efforts.

Thanks

Author Comment

by:zillah
Can I upload pdm-304.bin from the primary PIX to the local TFTP server, and then copy the same bin from the local TFTP server to the secondary PIX?
Thanks

LVL 79

Expert Comment

by:lrmoore
No. You cannot upload files from PIX's, only to them. It's not just one file, it is a whole directory structure that is created when you install the PDM from the single file.

Author Comment

by:zillah
I see.
In this case, I have to search for where the PDM .bin file is.

Regards
