Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

PIX 515E Connection Timeout Problem

Hi Everyone,

Ive been having a problem since Ive installed the pix at my office. Our internet is through AT&T Uverse which is VDSL. I read in a few posts that the MTU for DSL connections needs to be set to 1492 as this can cause a problem with the outside connection. I have done this and still no luck. I will post my config file for anyone to hopefully have an answer to why this might be happening to me. Also this happens evey night after the office sits idle for Id say around 3 to 5 hours. The only fix so far is to manually power of the PIX and power it back on. Im out of options here and would really appretiate any help. Thanks in advance.

PIX Version 8.0(3)
!
hostname XXXXXXXX
enable password XXXXXXXXXXXXXX encrypted
names
!
interface Ethernet0
description outside interface
speed 100
duplex full
nameif outside
security-level 100
ip address dhcp setroute
!
interface Ethernet1
description inside interface
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.254.254 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd XXXXXXXXXXXX.XXXXXXXXX encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service RDP tcp
port-object eq 3389
object-group protocol PPTPgre
protocol-object gre
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list 110 extended permit gre any interface outside
access-list 110 extended permit tcp any interface outside eq 3389
access-list 110 extended permit tcp any interface outside eq pptp
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1492
mtu inside 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pptp 192.168.254.5 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.254.252 3389 netmask 255.255.255.255
access-group 110 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
group-policy DfltGrpPolicy attributes
dns-server value 192.168.254.5
!
class-map inspection_default
match default-inspection-traffic
class-map pptp-port
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect pptp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2444b141647324ab91eb08bb962caedf
: end
asdm image flash:/asdm-603.bin
no asdm history enable

1 REPLY
Community Member

Re: PIX 515E Connection Timeout Problem

Id also like to add the syslog at the time it stopped working:

5|Oct 29 2010|06:34:22|111008|||User 'Config' executed the 'http 0.0.0.0 inside' command.
4|Oct 29 2010|06:34:22|411001|||Line protocol on Interface Ethernet1, changed state to up
4|Oct 29 2010|06:34:22|411001|||Line protocol on Interface Ethernet0, changed state to up
5|Oct 29 2010|06:34:22|111008|||User 'Config' executed the 'http server enable' command.
5|Oct 29 2010|06:34:22|111008|||User 'Config' executed the 'dynamic-access-policy-record DfltAccessPolicy' command.
||||||-- Syslog Connection Started --
3|Oct 29 2010|15:24:33|710003|201.11.102.23|99.175.222.171|TCP access denied by ACL from 201.11.102.23/3943 to outside:99.175.222.171/23
3|Oct 29 2010|14:56:52|710003|122.203.210.100|99.175.222.171|TCP access denied by ACL from 122.203.210.100/34870 to outside:99.175.222.171/22
3|Oct 29 2010|14:24:57|710003|86.199.43.170|99.175.222.171|TCP access denied by ACL from 86.199.43.170/4215 to outside:99.175.222.171/23
3|Oct 29 2010|13:06:28|710003|83.22.39.216|99.175.222.171|TCP access denied by ACL from 83.22.39.216/3627 to outside:99.175.222.171/23
5|Oct 29 2010|10:32:21|111008|||User 'enable_15' executed the 'dir flash:/dap.xml' command.

4|Nov 02 2010|08:40:54|411001|||Line protocol on Interface Ethernet1, changed state to up
4|Nov 02 2010|08:40:54|411001|||Line protocol on Interface Ethernet0, changed state to up
5|Nov 02 2010|08:40:54|111008|||User 'Config' executed the 'http server enable' command.
5|Nov 02 2010|08:40:54|111008|||User 'Config' executed the 'dynamic-access-policy-record DfltAccessPolicy' command.
||||||-- Syslog Connection Started --
3|Oct 31 2010|23:47:12|710003|80.87.72.59|99.175.222.171|TCP access denied by ACL from 80.87.72.59/46586 to outside:99.175.222.171/22
3|Oct 31 2010|23:47:09|710003|80.87.72.59|99.175.222.171|TCP access denied by ACL from 80.87.72.59/46586 to outside:99.175.222.171/22
3|Oct 31 2010|23:23:29|710003|222.153.237.236|99.175.222.171|TCP access denied by ACL from 222.153.237.236/2119 to outside:99.175.222.171/23
3|Oct 31 2010|23:13:27|710003|60.240.163.185|99.175.222.171|TCP access denied by ACL from 60.240.163.185/4644 to outside:99.175.222.171/22

309
Views
0
Helpful
1
Replies
CreatePlease to create content