[c-nsp] PIX515 don't want to allocate ip address on interface.
Joseph Jackson
JJackson at aninetworks.com
Fri Aug 4 18:28:03 EDT 2006
The last thing I would check would be an MTU problem. I had a PIX 506E
do that. It would pass traffic because of an MTU mismatch. Can you run a
debug on that interface or just do a logging level of say 4 and then try
to ping it or through it?
Joseph
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Michael K. Smith
> Sent: Friday, August 04, 2006 1:39 PM
> To: Nikolay Pavlov
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX515 don't want to allocate ip address
> on interface.
>
> Hello Nikolay:
>
>
> On 8/4/06 11:46 AM, "Nikolay Pavlov" <quetzal at zone3000.net> wrote:
>
> > On Thursday, 3 August 2006 at 14:10:10 -0700, Michael K. Smith wrote:
> >> Hello:
> >>
> >>
> >>
> >> I think a little more information is required. How about:
> >>
> >> 1) sho interface ethernet0
> >> 2) sho interface ethernet1
> >> 3) sho arp
> >> 4) What is the syntax for the ping command you are using?
> >> 5) Have you done the necessary steps to create ssh keys, including
> >> adding your domain name and then generating the key?
> >>
> >> Regards,
> >>
> >> Mike
> >
> > Ok... Here is additional information:
> >
> > cspix515-fw1-NY# sh interface ethernet 0
> > Interface Ethernet0 "outside", is up, line protocol is up
> > Hardware is i82559, BW 100 Mbps
> > Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
> > MAC address 0003.e300.0e6c, MTU 1500
> > IP address unassigned
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > 3647 packets input, 220501 bytes, 0 no buffer
> > Received 3649 broadcasts, 0 runts, 0 giants
> > 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
> > 0 L2 decode drops
> > 0 packets output, 0 bytes, 0 underruns
> > 0 output errors, 0 collisions, 0 interface resets
> > 0 babbles, 0 late collisions, 0 deferred
> > 0 lost carrier, 0 no carrier
> > input queue (curr/max blocks): hardware (128/128) software (0/93)
> > output queue (curr/max blocks): hardware (0/0) software (0/0)
> > Traffic Statistics for "outside":
> > 3547 packets input, 164723 bytes
> > 0 packets output, 0 bytes
> > 20 packets dropped
> >
> > x515-fw1-NY# sh interface ethernet 1
> > Interface Ethernet1 "inside", is up, line protocol is up
> > Hardware is i82559, BW 100 Mbps
> > Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
> > MAC address 0003.e300.0e6d, MTU 1500
> > IP address unassigned
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > 8853 packets input, 531180 bytes, 0 no buffer
> > Received 8853 broadcasts, 0 runts, 0 giants
> > 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
> > 0 L2 decode drops
> > 0 packets output, 0 bytes, 0 underruns
> > 0 output errors, 0 collisions, 0 interface resets
> > 0 babbles, 0 late collisions, 0 deferred
> > 0 lost carrier, 0 no carrier
> > input queue (curr/max blocks): hardware (128/128) software (0/97)
> > output queue (curr/max blocks): hardware (0/0) software (0/0)
> > Traffic Statistics for "inside":
> > 8747 packets input, 402362 bytes
> > 0 packets output, 0 bytes
> > 0 packets dropped
> >
> > cspix515-fw1-NY# sh arp
> > empty ...
> >
> > Don't worry about ssh, I know the procedure...
> >
> > Here is once again "sh ip address" command:
> >
> > cspix515-fw1-NY# sh ip address
> > System IP Addresses:
> > Interface   Name      IP address     Subnet mask       Method
> > Ethernet0   outside   xx.xx.57.54    255.255.255.192   CONFIG
> > Ethernet1   inside    192.168.1.1    255.255.255.0     CONFIG
> > Current IP Addresses:
> > Interface   Name      IP address     Subnet mask       Method
> >
> > Here all is empty...
> >
> > To prevent your next questions guys here goes my config:
> >
> >
> > ======================================================================
> >
> > cspix515-fw1-NY# sh run
> > : Saved
> > :
> > PIX Version 7.1(2)
> > !
> > hostname cspix515-fw1-NY
> > domain-name MY.TLD
> > enable password HIDE encrypted
> > names
> > !
> > interface Ethernet0
> > nameif outside
> > security-level 0
> > ip address xx.xx.57.54 255.255.255.192
> > !
> > interface Ethernet1
> > nameif inside
> > security-level 100
> > ip address 192.168.1.1 255.255.255.0
> > !
> > passwd HIDE encrypted
> > boot system flash:/pix712.bin
> > ftp mode passive
> > clock timezone ET -5
> > clock summer-time EST recurring
> > dns domain-lookup outside
> > dns server-group DefaultDNS
> > name-server xx.xx.60.10
> > domain-name MY.TLD
> > access-list 100 extended permit icmp any any echo
> > access-list 100 extended permit icmp any any echo-reply
> > access-list 100 extended permit tcp any any range ssh telnet
>
>
> Okay, I'm stumped. Have you done the usual shut/no-shut on
> the interfaces and perhaps rebooted the PIX? That
> configuration looks perfect and *should* work as far as I know.
>
> Mike