Cisco Support Community
New Member

I think there is a problem with my pix501

Ok, I thought it was just me and I'm starting to think the pix is my problem. Running through setup I get the pix's basic config set up. Now from what I understand and what it shows me access from the inside should now be allowed outside. Upon completion of the boot process this happens. I can get out to the internet and do whatever I like from the inside interface..... for about 5 minutes or so. Then bam, no access. I can't ping anything. From an outside network I can ping the outside interface of the router, but the router itself won't ping anything but inside and its interfaces. If I do a reload command it will work again for a few minutes. Here is a write term of my config:

User Access Verification

Password:

Type help or '?' for a list of available commands.

pix1> en

Password:

pix1# write term

Building configuration...

: Saved

:

PIX Version 6.3(1)

interface ethernet0 10baset

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxx

passwd xxxxx

hostname pix1

domain-name mail.marini.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

name 192.168.5.30 NINTWEB

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 24.x.x.x.x.255.248

ip address inside 192.168.5.5 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.5.5 255.255.255.255 inside

pdm location 192.168.5.0 255.255.255.0 inside

pdm location NINTWEB 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 10 interface

global (outside) 1 24.97.9.13

global (inside) 1 24.97.9.13

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 24.97.9.9 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.5.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 60

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

terminal width 80

Cryptochecksum:xxxx

: end

[OK]

pix1#

any help would be greatly appreciated.

7 REPLIES
Silver

Re: I think there is a problem with my pix501

I noted that your outside interface is running at 10mbits half duplex. What devices are the pix interfaces connected to? Ensure that no switch or router ports that the pix interfaces connect to are set to auto-negotiate. Both ends should be set the same way and I have seen issues like this arise due to auto-negotiate being set.

The next time this problem happens, console into the pix and do a show interface command. I am curious as to what their status is, especially the outside one.

Another thing I noted is that the global (outside 10) interface. Can you change the nat (inside) 10 to nat (inside) 1 to use a different ip address? Or have you tried that already and still had the issue?

New Member

Re: I think there is a problem with my pix501

Ok, the outside interface was supposed to be 10full so I changed it and the interface. It worked for a bit longer this time, but still froze up. Here is a write term with the current config, followed with sh int (note this is the state in which the pix is not allowing internet access):

User Access Verification

Password:

Type help or '?' for a list of available commands.

pix1> en

Password:

pix1# config t

pix1(config)# write term

Building configuration...

: Saved

:

PIX Version 6.3(1)

interface ethernet0 10full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxx

passwd xxxxx

hostname pix1

domain-name mail.marini.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

name 192.168.5.30 NINTWEB

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 24.x.x.x.x.255.248

ip address inside 192.168.5.5 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.5.5 255.255.255.255 inside

pdm location 192.168.5.0 255.255.255.0 inside

pdm location NINTWEB 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

global (inside) 1 24.97.9.13

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 24.97.9.9 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.5.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

terminal width 80

Cryptochecksum:xxxx

: end

[OK]

pix1(config)# sh int

interface ethernet0 "outside" is up, line protocol is up

Hardware is i82559 ethernet, address is 000f.2497.ddbb

IP address 24.97.9.12, subnet mask 255.255.255.248

MTU 1500 bytes, BW 10000 Kbit full duplex

1408 packets input, 488771 bytes, 0 no buffer

Received 770 broadcasts, 2 runts, 0 giants

80 input errors, 78 CRC, 0 frame, 0 overrun, 78 ignored, 0 abort

837 packets output, 111138 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/2)

output queue (curr/max blocks): hardware (0/3) software (0/1)

interface ethernet1 "inside" is up, line protocol is up

Hardware is i82559 ethernet, address is 000f.2497.ddbc

IP address 192.168.5.5, subnet mask 255.255.255.0

MTU 1500 bytes, BW 100000 Kbit full duplex

24836 packets input, 3941614 bytes, 0 no buffer

Received 22326 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

3226 packets output, 3489068 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/30)

output queue (curr/max blocks): hardware (1/46) software (0/1)

pix1(config)#

Silver

Re: I think there is a problem with my pix501

I am thinking you have a link layer problem. I noted that the percentage of input errors to input packets on the e0 interface is more than 3%.

Let me know what the pix log and external log, if you are logging to another host, messages say at the time you have the issue.

Try replacing the e0 cable with one that tests clean, if you have a cable tester.

What does the e0/outside interface connect to? Is it a managed switch or hub? If so, look there and see if the port that the pix connects to also is having a high percentage of input and/or output errors.
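The input-error percentage mentioned in the reply above can be computed directly from the posted `sh int` counters. This is an added example, not code from the thread or from Cisco; the 3% threshold is an assumption taken from the figure in the reply, and the sample is an excerpt of the counter lines posted earlier.

```python
import re

# Counter lines excerpted from the `sh int` output posted earlier in this thread.
SAMPLE = '''\
interface ethernet0 "outside" is up, line protocol is up
  1408 packets input, 488771 bytes, 0 no buffer
  Received 770 broadcasts, 2 runts, 0 giants
  80 input errors, 78 CRC, 0 frame, 0 overrun, 78 ignored, 0 abort
  837 packets output, 111138 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
interface ethernet1 "inside" is up, line protocol is up
  24836 packets input, 3941614 bytes, 0 no buffer
  Received 22326 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  3226 packets output, 3489068 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
'''

HEADER = re.compile(r'^interface (\S+) "([^"]+)" is (.+?), line protocol is (\S+)')
COUNTER = re.compile(
    r'(\d+) (packets input|packets output|input errors|output errors|CRC|runts|collisions)\b')

def parse_interfaces(text):
    """Return {nameif: {counter: int}} from PIX 6.x style `show interface` text."""
    result, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = result.setdefault(m.group(2), {"hw": m.group(1)})
            continue
        if current is None:
            continue  # skip prompt or config lines before the first interface
        for value, key in COUNTER.findall(line):
            current[key] = int(value)
    return result

def error_report(text, threshold_pct=3.0):
    """Per interface: input-error percentage and whether it exceeds the threshold."""
    report = {}
    for name, c in parse_interfaces(text).items():
        pkts = c.get("packets input", 0)
        pct = 100.0 * c.get("input errors", 0) / pkts if pkts else 0.0
        report[name] = {"input_error_pct": round(pct, 2), "crc": c.get("CRC", 0),
                        "suspect_link": pct > threshold_pct}
    return report

if __name__ == "__main__":
    for name, row in error_report(SAMPLE).items():
        print(name, row)
```

Because the counters are cumulative since the last reload, comparing two captures taken a few minutes apart shows whether the CRC count is still climbing.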

New Member

Re: I think there is a problem with my pix501

I have cable internet service. They provided me a brand new 5 port zyxel router. Right now the way my network is set up I have the zyxel piece, going to 3 linksys routers which each output to the same NPI switching gear. Each router has a static IP and they are used for different services.

Right now the pix is plugged into one of the ports on the zyxel and a port on the npi switch. I have a test server set up that I changed the default gateway on to point to the pix. I swapped the cable on the pix to a brand new cable, performed a reload on the pix, and still have the same problem. I also swapped ports on the zyxel with another router and the same problem.

I don't have logging set up. I can't understand why there is a problem,

Silver

Re: I think there is a problem with my pix501

The pix's outside interface is connected to the zyxel router, and the inside interface is connected to the npi switching gear, am I correct in that assumption?

I would set up logging on the pix just to see if you can get some meaningful info when the problem occurs; set the logging level to error.

You mentioned the linksys routers. How do they fit in relation to the pix? Are they running routing protocols such as ospf or rip?

New Member

Re: I think there is a problem with my pix501

Yes the zyxel is on the pix's outside interface and the npi is on the inside.

I'll try setting up logging later tonight. I'm also going to directly connect my laptop to the pix and unplug it from the npi and see what happens.

I don't think the linksys routers support anything besides rip. 2 are wireless routers and the 3rd is a standard router, all of which are really home type equipment not meant for business or advanced types of configuration. I'm also getting rid of the npi for a 2621 router and a 2900xl switch, but I've put off on it until I can get this piece working first.

New Member

Re: I think there is a problem with my pix501

I solved the problem by updating the pix firmware.

old version: 6.3.1

new version: 6.3.3

problems solved. I'm guessing I had a bad flash install or something along those lines.
