After I added a PIX 515 firewall for our Ohio office, OH users had problems getting onto the internet with their current IP address. But when I changed the PC (user) to a new IP address, the internet worked well. Every time a user called me about this problem, I had to change the user's IP address in order to get onto the internet. So does anyone have any idea about this problem? Thanks.
It may be a problem with the static or nat/global, or an acl rule. Can you tell me what the relevant user ip addresses are, both before you make the address change and after? Also, tell me what the static/nat/global statements are.
Is there a router between the firewall and the isp connection, or does the firewall connect directly to the ISP?
This info will give me insight into your problem.
Here is the config for you. We have a router between the firewall and the ISP. The ISP is AT&T, and AT&T also takes care of the router. Not everyone in OH got this problem, just some users got it, and when I changed to any other IP the internet worked. The IP is 192.168.2.x and we also use DHCP (192.168.2.50 - 79). Thanks a lot!
I am looking at your post, and I do not see the config. Can you repost it? In the meantime, you mentioned only some users in Ohio have this issue. Do all of your users get internet access thru the same firewall?
I just noted your post today and I am looking at the config.
One other thing I noted is that you have 2 http statements, both using the inside parm, but one is on the 192.168.1/24 subnet which is not inside; that subnet is outside.
When you state that you change ip addresses to fix the user's problem, what address are you changing? Is it a change to the dhcp pool? Or are you adding a global statement to fix it?
I would change the 3 global (outside) 1 statements to just one: keep the global (outside) 1 interface statement and remove the others. I suspect that your problem may be due to a conflict between the interface global statement and the global (outside) 1 22.214.171.124 statement.
I also noted that you have a vpn connection to the 192.168.1.0/24 subnet? If the user has trouble with internet access, are they also having issues with connection across the vpn as well?
Thanks for the info. We use 192.168.2.x for OH office users. So when a user gets the problem, I just change the PC's IP to any other IP within 192.168.2.x or to DHCP (192.168.2.50 - 79). One user has WinXP and gets internet trouble every day! I have to change the IP every day. The VPN is just for testing and no one uses it. Before we added the firewall, the internet worked well and no one had any internet trouble. So I am pretty sure it must be something on the firewall! Thanks.
I do have this question: when you change the user who had trouble everyday, are you changing from ip address 192.168.2.x to another 192.168.2 address (say from 192.168.2.145 to 192.168.2.49, or dhcp)?
Other than dhcp how else can a user acquire an ip address?
See if there is a way to determine what the dhcp address pool is that the pix is handing out - what addresses are free and what are in use. I am wondering if, either the user does not recognize that they are on the same subnet as the pix (mask may not be 255.255.255.0) or there is something amiss with the dhcp range.
From what you told me all ohio users are on the 192.168.2.0/24 network, as is the pix's inside interface. How many users are there in the Ohio office? Your dhcp range accounts for 50 (.50 thru .99 inclusive).
Also, did you remove some of the global (outside) statements, like I suggested?
I removed some of the global (outside) statements and just kept one statement (global (outside) 1 126.96.36.199). After this, everyone sounds OK, but one user called me for no internet access. I changed the IP to DHCP and it works. So...
We have about 35 users in the OH office. The DHCP range is 192.168.2.50 thru 192.168.2.99 inclusive. The others are 192.168.2.x with 255.255.255.0. We use both DHCP and static IPs. I changed the user's IP from 192.168.2.x to another 192.168.2.x address, and to DHCP too. Both ways work if I change from the 'old' IP to any 'new' IP or to DHCP. I know this is very stupid, but I have had no choice. Thanks.
I wonder if there are stale ARP and/or xlate entries involved. The next time a user tells you that they do not have internet access try these things before you change their ip address:
1. At the user's workstation get their mac address (run ipconfig /all if the Windows OS is used) and record their ip address.
2. At the pix run the show arp command. See if you see the user's ip address and if so, try to match the mac address that the pix shows, with the workstation's. Record both entries. If the mac addresses do not match, then run the clear arp command on the pix, then have the user attempt again.
3. If the mac addresses do match then run the show xlate local x.x.x.x command, where x.x.x.x is the user-ip, and see if there is an xlate. If there is then run the clear xlate local x.x.x.x command and have the user try again.
4. If step 3 fails, I would make sure that there is no conflict between a dhcp address and a static address. What ranges for the last octet are you using for static addresses?
I assume that all users reside on the same subnet as the pix's inside interface and that there is no router or gateway between the pix and the user. Is that correct?
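Steps 1 through 3 above compare the MAC address the workstation reports with the one the PIX has in its ARP table, and only then look at the xlate. The following script is an added example and is not code from this thread or from Cisco: it parses constructed `ipconfig /all` and PIX `show arp` output, normalizes the Windows dashed MAC notation and the Cisco dotted notation so they can be compared, and returns which of the poster's checks applies next. The sample addresses, MACs and the exact output layouts are assumptions (constructed for the example), not captured from the poster's PIX.

```python
import re

# Constructed sample of Windows `ipconfig /all` output (assumption, not from the thread).
IPCONFIG_SAMPLE = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.2.145
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
"""

# Constructed PIX `show arp` output: interface, ip, mac (assumed layout).
# Here the PIX still holds an old MAC for .145, i.e. a stale entry.
SHOW_ARP_STALE = """
        outside 203.0.113.1 0009.7cf9.d5e8
        inside 192.168.2.145 00aa.bbcc.ddee
        inside 192.168.2.51 0011.2233.4455
"""

# Same table, but the entry for .145 matches the workstation.
SHOW_ARP_FRESH = SHOW_ARP_STALE.replace("00aa.bbcc.ddee", "001a.2b3c.4d5e")


def normalize_mac(mac):
    """Reduce 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e or 001a.2b3c.4d5e to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def parse_ipconfig(text):
    """Return (ip, normalized mac) for the first adapter in ipconfig /all output."""
    mac = re.search(r"Physical Address[ .]*: *([0-9A-Fa-f-]{17})", text)
    ip = re.search(r"IP(?:v4)? Address[ .]*: *([0-9.]+)", text)
    if not mac or not ip:
        raise ValueError("could not find IP and MAC in ipconfig output")
    return ip.group(1), normalize_mac(mac.group(1))


def parse_show_arp(text):
    """Map ip -> (interface, normalized mac) from PIX `show arp` lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[1]):
            table[parts[1]] = (parts[0], normalize_mac(parts[2]))
    return table


def recommend(ipconfig_text, arp_text):
    """Apply the poster's steps 2 and 3: return (verdict, command to run on the pix next)."""
    ip, ws_mac = parse_ipconfig(ipconfig_text)
    arp = parse_show_arp(arp_text)
    if ip not in arp:
        # The pix never learned the host: look at subnet mask / dhcp-vs-static conflicts (step 4).
        return ("no-arp-entry", "check mask and dhcp/static overlap for %s" % ip)
    iface, pix_mac = arp[ip]
    if pix_mac != ws_mac:
        # Stale ARP entry on the pix (step 2): flush it and have the user retry.
        return ("stale-arp", "clear arp")
    # MAC agrees (step 3): look for, and if present clear, the translation slot.
    return ("check-xlate", "show xlate local %s" % ip)


if __name__ == "__main__":
    print(recommend(IPCONFIG_SAMPLE, SHOW_ARP_STALE))
    print(recommend(IPCONFIG_SAMPLE, SHOW_ARP_FRESH))
```

The script deliberately stops at a recommendation rather than issuing `clear arp` or `clear xlate` itself; those are the poster's own steps, and clearing state on the PIX is something to do by hand after confirming the mismatch.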
Yes, all users reside on the same subnet as the pix's inside interface and there is no router or gateway between the pix and the user. After I changed something (what you told me), everyone sounds OK now. We will see in the next week...
Thanks a lot.