[c-nsp] PIX515 don't want to allocate ip address on interface.
Nikolay Pavlov
quetzal at zone3000.net
Tue Aug 8 08:15:46 EDT 2006
On Thursday, 3 August 2006 at 21:59:55 +0300, Nikolay Pavlov wrote:
> Hi, guys. I want to define an IP address on both the outside and inside
> interfaces of my PIX515. I am not familiar with PIXes and am smashing my head
> trying to understand why I can neither ping the gateway from it nor connect to it:
>
> cspix515-fw1-NY# sh ip address
> System IP Addresses:
> Interface Name IP address Subnet mask Method
> Ethernet0 outside x.x.57.54 255.255.255.192 CONFIG
> Ethernet1 inside 192.168.1.1 255.255.255.0 CONFIG
> Current IP Addresses:
> Interface Name IP address Subnet mask Method
>
> !
> interface Ethernet0
> nameif outside
> security-level 0
> ip address x.x.57.54 255.255.255.192
> !
> interface Ethernet1
> nameif inside
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> !
> route outside 0.0.0.0 0.0.0.0 x.x.57.1 1
>
> access-list 100 extended permit icmp any any echo
> access-list 100 extended permit icmp any any echo-reply
> access-list 100 extended permit tcp any any range ssh telnet
>
> access-group 100 in interface outside
>
>
> cspix515-fw1-NY# sh ver
>
> Cisco PIX Security Appliance Software Version 7.1(2)
>
> Compiled on Tue 14-Mar-06 17:00 by dalecki
> System image file is "flash:/pix712.bin"
> Config file at boot was "startup-config"
>
> cspix515-fw1-NY up 38 mins 7 secs
>
> Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
> Flash i28F640J5 @ 0x300, 16MB
> BIOS Flash AT29C257 @ 0xfffd8000, 32KB
>
> 0: Ext: Ethernet0 : address is 0003.e300.0e6c, irq 10
> 1: Ext: Ethernet1 : address is 0003.e300.0e6d, irq 7
>
> Licensed features for this platform:
> Maximum Physical Interfaces : 6
> Maximum VLANs : 25
> Inside Hosts : Unlimited
> Failover : Active/Standby
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> VPN-DES : Enabled
> VPN-3DES-AES : Enabled
> Cut-through Proxy : Enabled
> Guards : Enabled
> URL Filtering : Enabled
> Security Contexts : 2
> GTP/GPRS : Disabled
> VPN Peers : Unlimited
Pheeewww.. I have found what the problem was:
========================== NOTICE =========================
This platform is licensed as a secondary failover unit
but lacks a connection to a fully-licensed primary.
Please check the failover cable connection to the
primary system. This platform will reboot at intervals
in its current state.
==========================================================
Switching to Standby
INFO: This unit is currently in standby state. By disabling failover,
this unit will remain in standby state.
*** Output from config line 42, "no failover"
Seems like a stupid Cisco joke.
Next time my choice would be OpenBSD pf... :(