I've been having a problem since I installed the PIX at my office. Our internet is through AT&T Uverse, which is VDSL. I read in a few posts that the MTU for DSL connections needs to be set to 1492, as this can cause a problem with the outside connection. I have done this and still no luck. I will post my config file in the hope that someone has an answer to why this might be happening to me. Also, this happens every night after the office sits idle for, I'd say, around 3 to 5 hours. The only fix so far is to manually power off the PIX and power it back on. I'm out of options here and would really appreciate any help. Thanks in advance.
PIX Version 8.0(3)
!
hostname XXXXXXXX
enable password XXXXXXXXXXXXXX encrypted
names
!
interface Ethernet0
 description outside interface
 speed 100
 duplex full
 nameif outside
 security-level 100
 ip address dhcp setroute
!
interface Ethernet1
 description inside interface
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.254.254 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd XXXXXXXXXXXX.XXXXXXXXX encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP-INBOUND
 description Permit necessary inbound ICMP traffic
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group service RDP tcp
 port-object eq 3389
object-group protocol PPTPgre
 protocol-object gre
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list 110 extended permit gre any interface outside
access-list 110 extended permit tcp any interface outside eq 3389
access-list 110 extended permit tcp any interface outside eq pptp
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1492
mtu inside 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pptp 192.168.254.5 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.254.252 3389 netmask 255.255.255.255
access-group 110 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.254.5
!
class-map inspection_default
 match default-inspection-traffic
class-map pptp-port
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2444b141647324ab91eb08bb962caedf
: end
asdm image flash:/asdm-603.bin
no asdm history enable
I'd also like to add the syslog at the time it stopped working:
5|Oct 29 2010|06:34:22|111008|||User 'Config' executed the 'http 0.0.0.0 inside' command.
4|Oct 29 2010|06:34:22|411001|||Line protocol on Interface Ethernet1, changed state to up
4|Oct 29 2010|06:34:22|411001|||Line protocol on Interface Ethernet0, changed state to up
5|Oct 29 2010|06:34:22|111008|||User 'Config' executed the 'http server enable' command.
5|Oct 29 2010|06:34:22|111008|||User 'Config' executed the 'dynamic-access-policy-record DfltAccessPolicy' command.
||||||-- Syslog Connection Started --
3|Oct 29 2010|15:24:33|710003|220.127.116.11|18.104.22.168|TCP access denied by ACL from 22.214.171.124/3943 to outside:126.96.36.199/23
3|Oct 29 2010|14:56:52|710003|188.8.131.52|184.108.40.206|TCP access denied by ACL from 220.127.116.11/34870 to outside:18.104.22.168/22
3|Oct 29 2010|14:24:57|710003|22.214.171.124|126.96.36.199|TCP access denied by ACL from 188.8.131.52/4215 to outside:184.108.40.206/23
3|Oct 29 2010|13:06:28|710003|220.127.116.11|18.104.22.168|TCP access denied by ACL from 22.214.171.124/3627 to outside:126.96.36.199/23
5|Oct 29 2010|10:32:21|111008|||User 'enable_15' executed the 'dir flash:/dap.xml' command.

4|Nov 02 2010|08:40:54|411001|||Line protocol on Interface Ethernet1, changed state to up
4|Nov 02 2010|08:40:54|411001|||Line protocol on Interface Ethernet0, changed state to up
5|Nov 02 2010|08:40:54|111008|||User 'Config' executed the 'http server enable' command.
5|Nov 02 2010|08:40:54|111008|||User 'Config' executed the 'dynamic-access-policy-record DfltAccessPolicy' command.
||||||-- Syslog Connection Started --
3|Oct 31 2010|23:47:12|710003|188.8.131.52|184.108.40.206|TCP access denied by ACL from 220.127.116.11/46586 to outside:18.104.22.168/22
3|Oct 31 2010|23:47:09|710003|22.214.171.124|126.96.36.199|TCP access denied by ACL from 188.8.131.52/46586 to outside:184.108.40.206/22
3|Oct 31 2010|23:23:29|710003|220.127.116.11|18.104.22.168|TCP access denied by ACL from 22.214.171.124/2119 to outside:126.96.36.199/23
3|Oct 31 2010|23:13:27|710003|188.8.131.52|184.108.40.206|TCP access denied by ACL from 220.127.116.11/4644 to outside:18.104.22.168/22
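One way to triage an export like the one above, as an added example that is not part of the original post: the script splits the pipe-delimited lines, tallies the 710003 "access denied by ACL" hits by destination port and source, and lists the distinct times at which 411001 reported an interface coming up (the restarts). The field order is inferred from the pasted lines, the function names are hypothetical, and the sample addresses are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the log above:
# severity|date|time|message id|source|destination|text
# Addresses are documentation-range placeholders, not values from the post.
SAMPLE = """\
4|Oct 29 2010|06:34:22|411001|||Line protocol on Interface Ethernet1, changed state to up
4|Oct 29 2010|06:34:22|411001|||Line protocol on Interface Ethernet0, changed state to up
5|Oct 29 2010|06:34:22|111008|||User 'Config' executed the 'http server enable' command.
||||||-- Syslog Connection Started --
3|Oct 29 2010|15:24:33|710003|203.0.113.7|198.51.100.2|TCP access denied by ACL from 203.0.113.7/3943 to outside:198.51.100.2/23
3|Oct 29 2010|14:56:52|710003|203.0.113.9|198.51.100.2|TCP access denied by ACL from 203.0.113.9/34870 to outside:198.51.100.2/22
3|Oct 29 2010|13:06:28|710003|203.0.113.7|198.51.100.2|TCP access denied by ACL from 203.0.113.7/3627 to outside:198.51.100.2/23
"""

# Tail of a 710003 message: "from <ip>/<sport> to <ifname>:<ip>/<dport>"
DENY = re.compile(r"from (\S+)/(\d+) to (\w+):(\S+)/(\d+)$")

def parse(text):
    """Yield one dict per event; marker lines without a message id are skipped."""
    for line in text.splitlines():
        parts = line.split("|", 6)  # the text field may itself contain '|'
        if len(parts) != 7 or not parts[3]:
            continue
        sev, date, clock, msgid, src, dst, msg = parts
        when = datetime.strptime(f"{date} {clock}", "%b %d %Y %H:%M:%S")
        yield {"severity": int(sev), "when": when, "id": msgid,
               "src": src, "dst": dst, "msg": msg}

def summarize(text):
    """Tally denied to-the-box connections and collect interface-up times."""
    denied_ports, sources, link_up = Counter(), Counter(), set()
    for ev in parse(text):
        if ev["id"] == "710003":
            m = DENY.search(ev["msg"])
            if m:
                sources[m.group(1)] += 1
                denied_ports[int(m.group(5))] += 1
        elif ev["id"] == "411001" and ev["msg"].endswith("changed state to up"):
            link_up.add(ev["when"].isoformat())
    return {"denied_ports": dict(denied_ports),
            "sources": dict(sources),
            "link_up": sorted(link_up)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```
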