PIX 506e
19 years 1 month ago #10315
by Bublitz
The Bublitz
Systems Admin
Hospice of the Red River Valley
Can you upgrade a PIX-506e IOS like a router? I have 6.3(3) on it. It sucks. I can't even, with a most basic setup, get computers on my LAN to go on the net. In fact, I set up IPs on my inside and outside interfaces and they cannot even ping each other.
ping inside (ping from INSIDE interface) 216.50.23.14
ping outside (ping from outside interface) 10.10.61.50
This is with a VERY basic config. It's sad, really. Can a person upgrade to 7.0?
19 years 1 month ago #10319
by TheeGreatCornholio
Replied by TheeGreatCornholio on topic Re: PIX 506e
Yes, you can upgrade your PIX from 6.3(3), but not to PIX 7. I think I mentioned this in a different post, but Cisco is not supporting the 506 under Version 7 yet.
Note from Cisco's upgrade doc: "PIX Version 7.0 runs on PIX 515/515E, PIX 525, and PIX 535, but is not supported on the PIX 501 or PIX 506/506E platforms at this time."
But, you can (and should) upgrade to the latest version of 6.3 - which is now 6.3(5), released on Sept 8th, 05. Even 6.3(4) would be an improvement (from a bug-fix perspective). I didn't read the release notes on 6.3(5), but I'm sure it's more of the same - bug fixes.
I'll be happy to assist you with your PIX config issues. Paste the config into a post (change IPs and remove passwords so they don't reveal any confidential info). Do paste the NAT config, interface, routing and ACLs. If you can't or don't want to do this, then ask me some more questions, and I'll try to steer you in the right direction.
19 years 1 month ago #10320
by Bublitz
Replied by Bublitz on topic Re: PIX 506e
Can you link me the page for the upgrade? I've tried to find it on their site; nothing yet. It's easy to find router IOS files, it seems.
19 years 1 month ago #10321
by Bublitz
Replied by Bublitz on topic Re: PIX 506e
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password U9yubZ57l8sIaD7nF3B encrypted
passwd 2KFQbnblNIdaI.2KYOU encrypted
hostname BPIX
domain-name pfbiz.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 217.16.67.248 255.255.252.0
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
route inside 0.0.0.0 0.0.0.0 217.16.67.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7b6e8f1b6818a616e9b10d6e36f18b24
: end
Here's a VERY basic config. I cannot even ping the inside and outside interfaces within the router. I think I just need to get this POS upgraded. I've tried NAT and PAT using examples from Cisco's site. They are pretty detailed and give you a good idea of how it should work. It doesn't, tho.
19 years 1 month ago #10322
by Bublitz
Replied by Bublitz on topic Re: PIX 506e
I saw your post on the other topic on why it won't let you ping. Well, I cannot get this PIX to let any PC have internet access at all. It shouldn't be DNS because I'm using the same servers that I am behind other device. I cannot ping yahoo.com on a PC on the LAN, nor can I ping my ISP router or Internet gateway.
19 years 1 month ago #10388
by TheeGreatCornholio
Replied by TheeGreatCornholio on topic Re: PIX 506e
Bublitz
I haven't been able to log in for a few days - sorry for the delay.
I'd love to tell you how to download the code, but unless you have a CCO account on Cisco's site, you're SOL. If your PIX has a SmartNet contract, you should qualify to sign up for a CCO account.
By the way, you don't need to specify the interface for your ping at the command line - this is legacy code left behind from the early days of PIX code (4.x) - but it is still usable for advanced troubleshooting. Anyway...
Ok - it looks to me like your config has no NAT or Global commands at all. You need something. A simple NAT (inside) and Global (outside) will do the trick... paste this in there...
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
Oh yeah - your default route statement is wrong too... change it to:
route outside 0.0.0.0 0.0.0.0 217.16.67.1 1
Nothing else is really jumping out at me, other than that you have no access-lists defined. So in this case, the PIX will by default allow everything from the inside outbound, and nothing from the outside inbound.
That should do it. Let us know if it works... Good luck!
tGc
PS: That's one hell of a large subnet on your outside interface... that subnet mask on a Class-C based IP address is technically not valid... fine for summary routing (CIDR) but not for LAN addressing.
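The two problems identified in the reply above (default route bound to the wrong interface, no nat/global pair) can be checked mechanically. This is an added example, not part of the original thread or any Cisco tool; the `audit` helper and its finding strings are hypothetical, and the input is constructed from the addressing and route lines posted earlier.

```python
import ipaddress

# Constructed input: the addressing and route lines from the config posted above.
POSTED = """\
ip address outside 217.16.67.248 255.255.252.0
ip address inside 10.10.10.1 255.255.255.0
route inside 0.0.0.0 0.0.0.0 217.16.67.1 1
"""
# The lines suggested in the reply above.
FIX = """\
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 217.16.67.1 1
"""
# Posted config with the old route dropped and the suggested lines added.
FIXED = "".join(l for l in POSTED.splitlines(True) if not l.startswith("route ")) + FIX


def audit(config):
    """Return findings for the two problems named in the reply (hypothetical helper)."""
    nets, routes, nat_ids, global_ids = {}, [], set(), set()
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"] and len(w) == 5:
            # "ip address <if> <addr> <mask>" -> network attached to that interface
            nets[w[2]] = ipaddress.ip_interface(f"{w[3]}/{w[4]}").network
        elif w[:1] == ["route"] and len(w) >= 5:
            routes.append((w[1], w[2], w[3], ipaddress.ip_address(w[4])))
        elif w[:1] == ["nat"] and len(w) >= 3:
            nat_ids.add(w[2])
        elif w[:1] == ["global"] and len(w) >= 3:
            global_ids.add(w[2])

    findings = []
    for ifname, dest, mask, gw in routes:
        # A default route's gateway must sit on the subnet of the named interface.
        if (dest, mask) == ("0.0.0.0", "0.0.0.0") and gw not in nets.get(ifname, ()):
            on = [n for n, net in nets.items() if gw in net]
            findings.append(f"ROUTE: default route via {gw} is bound to '{ifname}', "
                            f"but that gateway is on {on or 'no configured interface'}")
    if not nat_ids:
        findings.append("NAT: no nat statement, so no outbound translation exists")
    for nid in sorted(nat_ids - global_ids - {"0"}):  # nat 0 needs no global pool
        findings.append(f"NAT: nat id {nid} has no matching global")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(name, audit(cfg) or "no findings")
```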