Pix 515E drops internet connections for some PCs


I support the local library; they have a PIX 515E which has worked fine for some time. After a recent storm which took out some of the telco equipment, we have been having problems with the firewall dropping connections at our public internet PCs if they have sat idle for a while, and on staff machines that have turned off. There are fifty PCs, 25 public access systems and 25 staff machines; most of the machines can access the internet. I checked the config settings, which have not changed. If I reboot the firewall with all the machines on, they can get access to the internet; if a system sits idle for a while it will lose its connection until the firewall is rebooted again. Any ideas?

See config below

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 57A/EOG0yJ5..drT encrypted
passwd 57A/EOG0yJ5..drT encrypted
hostname pixfirewall
domain-name gpl.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 80
fixup protocol smtp 135
fixup protocol sqlnet 1433
fixup protocol http 443
object-group service P2P_tcp tcp
  port-object eq 6346
  port-object eq 6347
object-group service P2P_udp udp
  port-object eq 6346
  port-object eq 6347
access-list acl_in permit tcp host host eq ssh
access-list acl_in permit gre any host
access-list acl_in permit tcp any host eq 1723
access-list acl_inside_in deny ip any host
access-list acl_inside_in permit ip any any
access-list allowping permit icmp any any
pager lines 24
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 100full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 86400
global (outside) 1 netmask
global (outside) 1 netmask
nat (inside) 1 0 0
static (inside,outside) netmask 0 0
access-group acl_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor n2h2 host port 4005 timeout 10 protocol
filter url except
filter url except
filter url except
filter url except
filter url except
filter url except
filter url except
filter url except
filter url except
filter url except
filter url except
filter url except
filter url except
filter url except
filter url except
filter url except
filter url except
filter url except
filter url http allow
snmp-server host inside poll
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet inside
telnet inside
telnet timeout 5
ssh outside
ssh outside
ssh outside
ssh timeout 5
terminal width 80
: end


Find the output from the show version command

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)

Compiled on Fri 07-Jun-02 17:49 by morlee

pixfirewall up 3 hours 18 mins

Hardware:   PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 000b.be94.a833, irq 10
1: ethernet1: address is 000b.be94.a834, irq 11
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES:           Enabled
Maximum Interfaces: 3
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
<--- More --->

Kureli Sankar Mon, 08/30/2010 - 18:41

I'd suggest removing these two lines. Hopefully these are not causing the problem. The logs would show it clearly if they were the reason.

conf t

no ip audit info action alarm
no ip audit attack action alarm

Also remove this line and add it again without the mask.

conf t

no global (outside) 1 netmask

global (outside) 1

Check the logs:

sh logg | i x.x.x.x

where x.x.x.x is the ip address of the host that cannot go out to the internet. Make sure the host has proper DNS server IPs configured and is able to resolve names fine.
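An added example, not code from this thread or from Cisco: a small Python checker for the PIX 6.2 syntax posted above. It converts the timeout timers to seconds so an idle interval can be compared against them, and flags the lines the reply raises (ip audit, global with a netmask) together with management-plane settings from the posted config (snmp community public, ssh permitted from outside). Addresses and masks in the sample are placeholders, since the post's were stripped.

```python
import re

# Constructed sample drawn from the posted PIX 6.2(2) config: the lines the reply
# singles out plus the management-plane lines. The post's addresses were stripped,
# so x.x.x.x and the masks below are placeholders, not the library's real values.
PIX_CONFIG = """\
ip audit info action alarm
ip audit attack action alarm
global (outside) 1 x.x.x.x netmask 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
snmp-server community public
telnet x.x.x.x 255.255.255.255 inside
ssh x.x.x.x 255.255.255.255 outside
"""

_HMS = re.compile(r"^(\d+):(\d{2}):(\d{2})$")

def to_seconds(hms):
    """Convert a PIX 'H:MM:SS' timeout literal (already matched by _HMS) to seconds."""
    h, m, s = (int(x) for x in _HMS.match(hms).groups())
    return h * 3600 + m * 60 + s

def parse_timeouts(cfg):
    """Return {timer: seconds} for every '<timer> H:MM:SS' pair on 'timeout' lines."""
    timers = {}
    for line in cfg.splitlines():
        toks = line.split()
        if toks and toks[0] == "timeout":
            for name, val in zip(toks[1::2], toks[2::2]):
                if _HMS.match(val):
                    timers[name] = to_seconds(val)
    return timers

def exceeds_idle_timeout(timers, timer, idle_seconds):
    """True when a flow idle for idle_seconds has outlived the named idle timer."""
    return timer in timers and idle_seconds > timers[timer]

def audit(cfg):
    """Flag the config items the reply raises plus management-plane exposure."""
    tags = set()
    for line in cfg.splitlines():
        toks = line.split()
        if toks[:2] == ["ip", "audit"]:
            tags.add("ip-audit-present")            # reply: remove and re-test
        elif toks[:1] == ["global"] and "netmask" in toks:
            tags.add("global-with-netmask")         # reply: re-add without the mask
        elif toks[:2] == ["snmp-server", "community"] and toks[2:3] == ["public"]:
            tags.add("snmp-default-community")      # well-known default community
        elif toks[:1] in (["telnet"], ["ssh"]) and toks[-1] == "outside":
            tags.add(f"{toks[0]}-from-outside")     # mgmt reachable from outside
    return sorted(tags)
```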


