Pix 515E drops internet connections for some PCs

ed
Level 1

I support the local library. They have a PIX 515E which has worked fine for some time, but after a recent storm which took out some of the telco equipment we have been having problems with the firewall dropping connections at our public internet PCs if they have sat idle for a while, and on staff machines that have been turned off. There are fifty PCs: 25 public access systems and 25 staff machines; most of the machines can access the internet. I checked the config settings, which have not changed. If I reboot the firewall with all the machines on, they can get access to the internet; if a system sits idle for a while it will lose its connection until the firewall is rebooted again. Any ideas?

See config below

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 57A/EOG0yJ5..drT encrypted
passwd 57A/EOG0yJ5..drT encrypted
hostname pixfirewall
domain-name gpl.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 80
fixup protocol smtp 135
fixup protocol sqlnet 1433
fixup protocol http 443
names
object-group service P2P_tcp tcp
  port-object eq 6346
  port-object eq 6347
object-group service P2P_udp udp
  port-object eq 6346
  port-object eq 6347
access-list acl_in permit tcp host 207.218.175.166 host 64.107.226.130 eq ssh
access-list acl_in permit gre any host 64.107.226.152
access-list acl_in permit tcp any host 64.107.226.152 eq 1723
access-list acl_inside_in deny ip any host 204.0.99.120
access-list acl_inside_in permit ip any any
access-list allowping permit icmp any any
pager lines 24
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 100full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 64.107.226.130 255.255.255.128
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 86400
global (outside) 1 64.107.226.131-64.107.226.253 netmask 255.255.255.128
global (outside) 1 64.107.226.254 netmask 255.255.255.128
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.107.226.152 192.168.1.101 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.107.226.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor n2h2 host 192.168.1.101 port 4005 timeout 10 protocol TCP
filter url except 192.168.1.2 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.3 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.4 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.6 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.66 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.67 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.70 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.71 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.72 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.101 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.128 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.129 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.192 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.193 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.194 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.208 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.230 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
snmp-server host inside 192.168.1.101 poll
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.1.193 255.255.255.255 inside
telnet 192.168.1.101 255.255.255.255 inside
telnet timeout 5
ssh 207.218.175.166 255.255.255.255 outside
ssh 64.40.92.218 255.255.255.255 outside
ssh 64.40.92.220 255.255.255.255 outside
ssh timeout 5
terminal width 80
Cryptochecksum:345c1fe07d6399d08e7d66554ed2b0a5
: end
[OK]

3 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Can you post the output of "show version" command?

Regards,

NT

Find the output from the show version command

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)

Compiled on Fri 07-Jun-02 17:49 by morlee

pixfirewall up 3 hours 18 mins

Hardware:   PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 000b.be94.a833, irq 10
1: ethernet1: address is 000b.be94.a834, irq 11
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES:           Enabled
Maximum Interfaces: 3
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
<--- More --->

I'd suggest removing these two lines. Hopefully these are not causing the problem; the logs would show it clearly if they were the reason.

conf t

no ip audit info action alarm
no ip audit attack action alarm

Also remove this line and add it again without the mask.

conf t

no global (outside) 1 64.107.226.254 netmask 255.255.255.128

global (outside) 1 64.107.226.254

Check the logs:

sh logg | i x.x.x.x

where x.x.x.x is the ip address of the host that cannot go out to the internet. Make sure the host has proper DNS server IPs configured and is able to resolve names fine.

-KS
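Added example, not code from the thread or from Cisco: a small Python check over the NAT section of the posted config, which verifies that every address in each global pool is usable in the outside subnet and does not collide with the interface address or with a static translation on that interface. The config excerpt is constructed from the addresses posted above; the parsing is limited to the `ip address`, `global` and `static` lines.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.2 config posted in the thread (NAT-relevant lines only).
PIX_CONFIG = """\
ip address outside 64.107.226.130 255.255.255.128
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 64.107.226.131-64.107.226.253 netmask 255.255.255.128
global (outside) 1 64.107.226.254 netmask 255.255.255.128
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.107.226.152 192.168.1.101 netmask 255.255.255.255 0 0
"""


def parse_pix(config):
    """Pull interface subnets, global pools and statics out of PIX 6.x config text."""
    ifaces, pools, statics = {}, [], []
    for line in config.splitlines():
        m = re.match(r"ip address (\S+) (\S+) (\S+)", line)
        if m:
            ifaces[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
            continue
        m = re.match(r"global \((\S+)\) (\d+) (\S+)", line)
        if m:  # a pool is either "first-last" or a single PAT address
            first, _, last = m.group(3).partition("-")
            pools.append((m.group(1), int(m.group(2)), first, last or first))
            continue
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line)
        if m:  # (mapped-on interface, mapped address)
            statics.append((m.group(2), m.group(3)))
    return ifaces, pools, statics


def check_nat_pool(config):
    """Return a list of findings; an empty list means every global address is sane."""
    ifaces, pools, statics = parse_pix(config)
    findings = []
    for iface, pool_id, first, last in pools:
        net = ifaces[iface].network
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        for a in range(lo, hi + 1):
            addr = ipaddress.ip_address(a)
            if addr not in net or addr in (net.network_address, net.broadcast_address):
                findings.append(f"global pool {pool_id}: {addr} not usable in {net}")
            if addr == ifaces[iface].ip:
                findings.append(f"global pool {pool_id}: {addr} is the {iface} interface address")
            if any(addr == ipaddress.ip_address(s) for i, s in statics if i == iface):
                findings.append(f"global pool {pool_id}: {addr} overlaps a static on {iface}")
    return findings
```

Run against the posted config it reports only that 64.107.226.152 sits inside the dynamic pool while also being the static for 192.168.1.101, which is worth reviewing alongside the log check above.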
