New Member

PIX 525 Ver 6.1(4) - Sometimes DNS query fails

Hi All,

To access the internet, we are using 2 DNS servers. One is the ISP's DNS server (outside the PIX) and the other is a local DNS server which is inside the PIX. We have configured global (outside) 1, nat (inside) 1. Also using a tcp/udp access-list with any any. No ip access-list.

1) We are facing a problem: when we try to connect to the internet, the PIX (or NAT) does not recognise 'some' clients' requests, not all the clients.

2) Is there any way to use 2 non-contiguous IP addresses (belonging to the ISP) as gateways from the PIX? Now we are using only one of them.

Thanks in advance.

richard

17 REPLIES
Cisco Employee

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

1) We'd have to see the syslog messages on the PIX at the time this failed to see what's going on.

2) No. You can only have one default gateway on the PIX.

New Member

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

hi gfullage,

We have seen the syslog messages. Should I send them to you?

Say we try 5 times to reach cisco.com from any PC host: 3 times we succeed and 2 times fail. And there is no syslog message for that. For a successful connection there is a Built and Teardown UDP/53, but if it's not successful then there is no entry in the syslog.

The other thing is that we have 4 IP addresses in the global IP pool. If someone gets the 1st IP, with that IP he can resolve names. If a 2nd person tries to get to the internet he may get the 2nd IP address from the pool. Now, at this point the 1st person cannot resolve domain names. And the 2nd person continues successfully.

thanks

richard

Cisco Employee

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

This sounds a little odd. Can you post the PIX configuration? Make sure you xxxxxx out your passwords and just xxx out one number in the public addresses so we can still tell what's going on.

Thanks.

New Member

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

Hi gfullage,

Thanks for your reply. Here is my config:

sh config

: Saved

:

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

nameif ethernet3 intf3 security15

nameif ethernet4 intf4 security20

nameif ethernet5 intf5 security25

enable password gyAGOSv.UG4R63yZ encrypted

passwd XcaLq5VlL2Wjo0YK encrypted

hostname Pix

domain-name grameenphone.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list dns_in permit tcp any any

access-list dns_in permit udp any any

pager lines 24

logging on

logging trap debugging

logging host inside 10.10.20.154

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 203.105.151.6 255.255.255.240

ip address inside 10.10.20.14 255.255.248.0

ip address intf2 127.0.0.1 255.255.255.255

ip address intf3 127.0.0.1 255.255.255.255

ip address intf4 127.0.0.1 255.255.255.255

ip address intf5 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address intf2 0.0.0.0

failover ip address intf3 0.0.0.0

failover ip address intf4 0.0.0.0

failover ip address intf5 0.0.0.0

pdm history enable

arp timeout 14400

global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.252

global (outside) 1 203.105.151.12

nat (inside) 1 10.10.20.152 255.255.255.248 0 0

access-group dns_in in interface inside

route outside 0.0.0.0 0.0.0.0 203.105.151.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

service resetinbound

service resetoutside

telnet 10.10.20.154 255.255.255.255 inside

telnet 10.10.21.227 255.255.255.255 inside

telnet timeout 5

ssh 10.10.20.154 255.255.255.255 inside

ssh timeout 5

terminal width 80

Cryptochecksum:2888803cadc731805a23636df0d85e69

Pix# sh ver

Cisco PIX Firewall Version 6.1(4)

Cisco PIX Device Manager Version 1.1(2)

Compiled on Tue 21-May-02 08:40 by morlee

Pix up 3 days 22 hours

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5

0: ethernet0: address is 000a.f45f.2464, irq 10

1: ethernet1: address is 000a.f45f.2465, irq 11

2: ethernet2: address is 00e0.b605.de7b, irq 11

3: ethernet3: address is 00e0.b605.de7a, irq 10

4: ethernet4: address is 00e0.b605.de79, irq 9

5: ethernet5: address is 00e0.b605.de78, irq 5

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES: Disabled

Maximum Interfaces: 8

Cut-through Proxy: Enabled

Guards: Enabled

Websense: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

ISAKMP peers: Unlimited

Serial Number: 806371424 (0x30104060)

Activation Key: 0xf579b1f2 0xdc1df947 0x3ce369b7 0x4dee1252

Pix#

thanks again,

richard

Cisco Employee

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

Change

> global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.252

to this:

> global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.240

Also, you have this:

> ip address inside 10.10.20.14 255.255.248.0

> nat (inside) 1 10.10.20.152 255.255.255.248 0 0

Are those masks correct (you have both 255.255.248.0 and 255.255.255.248)? This says only hosts 10.10.20.152 - 10.10.20.159 on the inside will be able to go outside, is that really what you want?

New Member

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

Hmm, it's my mistake. Let me check. But I am sure that I don't want only those IPs from 152 to 159 to pass. I want all of my inside users to reach the internet.

thank you very much, I will let you know

richard

New Member

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

Hi richard:

You can use the following syntax

nat (inside) 1 0.0.0.0 0.0.0.0

But this syntax will permit all inside users to reach the internet.

Or you can use the following syntax

nat (inside) 1 10.10.16.0 255.255.248.0

The above syntax only permits network 10.10.16.0/28

New Member

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

hi,

Thanks. I guess the last one is the better option:

nat (inside) 1 10.10.16.0 255.255.248.0

thanks for the advice.

richard

New Member

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

Hi gfullage,

I have changed the global statement as you said:

global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.240

and also the nat: nat (inside) 1 10.10.16.0 255.255.240.0.

But still some HTTP requests fail. I am cut-and-pasting some of my syslog messages:

Feb 10 14:50:18 10.10.20.14 %PIX-5-111007: Begin configuration: 10.10.21.227 reading from terminal

Feb 10 14:51:14 10.10.20.14 %PIX-6-302010: 1 in use, 20 most used

Feb 10 14:51:38 10.10.20.14 %PIX-5-111001: Begin configuration: 10.10.21.227 writing to memory

Feb 10 14:51:38 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/5934 laddr 10.10.20.152/1027

Feb 10 14:51:41 10.10.20.14 %PIX-5-111004: 10.10.21.227 end configuration: OK

Feb 10 14:51:43 10.10.20.14 %PIX-5-111005: 10.10.21.227 end configuration: OK

Feb 10 14:52:11 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/31 laddr 10.10.20.152/31

Feb 10 14:52:11 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/31 laddr 10.10.20.152/1482

Feb 10 14:52:11 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/32 laddr 10.10.20.152/32

Feb 10 14:52:11 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/32 laddr 10.10.20.152/1483

Feb 10 14:53:22 10.10.20.14 %PIX-6-609001: Built local-host inside:10.10.21.87

Feb 10 14:53:22 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53

Feb 10 14:53:22 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53

Feb 10 14:53:23 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53

Feb 10 14:53:46 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1681 dst outside:203.105.151.2/53

Feb 10 14:53:46 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1681 dst outside:203.105.151.2/53

Feb 10 14:53:47 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1681 dst outside:203.105.151.2/53

Feb 10 14:54:10 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1684 dst outside:203.105.151.2/53

Feb 10 14:54:10 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1684 dst outside:203.105.151.2/53

Feb 10 14:54:11 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1684 dst outside:203.105.151.2/53

Feb 10 14:54:11 10.10.20.14 %PIX-3-305005: No translation group found for udp src inside:10.10.21.87/1686 dst outside:203.105.151.2/53

Feb 10 14:54:16 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1688 dst outside:203.105.151.2/53

Feb 10 14:54:16 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1688 dst outside:203.105.151.2/53

Feb 10 14:54:17 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1688 dst outside:203.105.151.2/53

Feb 10 14:54:39 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1691 dst outside:203.105.151.2/53

Feb 10 14:54:40 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1691 dst outside:203.105.151.2/53

Feb 10 14:54:40 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1691 dst outside:203.105.151.2/53

Feb 10 14:55:03 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1694 dst outside:203.105.151.2/53

Feb 10 14:55:04 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1694 dst outside:203.105.151.2/53

Feb 10 14:55:04 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1694 dst outside:203.105.151.2/53

Feb 10 14:55:38 10.10.20.14 %PIX-6-609002: Teardown local-host inside:10.10.21.87 duration 0:02:17

Feb 10 14:57:10 10.10.20.14 %PIX-2-106006: Deny inbound UDP from 66.28.19.68/1066 to 203.105.151.9/1434 on interface outside

Feb 10 14:59:27 10.10.20.14 %PIX-6-110001: No route to 203.105.151.8 from 210.151.138.240

Feb 10 14:59:27 10.10.20.14 %PIX-2-106006: Deny inbound UDP from 210.151.138.240/44342 to 203.105.151.9/137 on interface outside

Feb 10 14:59:27 10.10.20.14 %PIX-2-106006: Deny inbound UDP from 210.151.138.240/44345 to 203.105.151.10/137 on interface outside

Feb 10 15:01:12 10.10.20.14 %PIX-6-302010: 0 in use, 20 most used

Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6142 laddr 10.10.20.152/6142

Feb 10 15:01:13 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6142 laddr 10.10.20.152/1027

Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6143 laddr 10.10.20.152/6143

Feb 10 15:01:13 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6143 laddr 10.10.20.152/1027

Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6144 laddr 10.10.20.152/6144

Feb 10 15:01:13 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6144 laddr 10.10.20.152/1027

Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6145 laddr 10.10.20.152/6145

Feb 10 15:01:13 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6145 laddr 10.10.20.152/1027

Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6146 laddr 10.10.20.152/6146

Feb 10 15:01:13 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6146 laddr 10.10.20.152/1027

Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6147 laddr 10.10.20.152/6147

Feb 10 15:01:13 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6147 laddr 10.10.20.152/1027

Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6148 laddr 10.10.20.152/6148

Feb 10 15:01:13 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6148 laddr 10.10.20.152/1027

Feb 10 15:03:07 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6149 laddr 10.10.20.152/6149

Feb 10 15:03:07 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6149 laddr 10.10.20.152/1027

Feb 10 15:03:07 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6150 laddr 10.10.20.152/6150

Feb 10 15:03:07 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6150 laddr 10.10.20.152/1027

Feb 10 15:03:07 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6151 laddr 10.10.20.152/6151

Feb 10 15:03:07 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6151 laddr 10.10.20.152/1027

Feb 10 15:03:07 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6152 laddr 10.10.20.152/6152

Feb 10 15:03:07 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6152 laddr 10.10.20.152/1027

Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6153 laddr 10.10.20.152/6153

Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6153 laddr 10.10.20.152/1027

Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6154 laddr 10.10.20.152/6154

Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6154 laddr 10.10.20.152/1027

Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6155 laddr 10.10.20.152/6155

Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6155 laddr 10.10.20.152/1027

Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6156 laddr 10.10.20.152/6156

Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6156 laddr 10.10.20.152/1027

Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6157 laddr 10.10.20.152/6157

Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6157 laddr 10.10.20.152/1027

Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6158 laddr 10.10.20.152/6158

Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6158 laddr 10.10.20.152/1027

Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6159 laddr 10.10.20.152/6159

Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6159 laddr 10.10.20.152/1027

Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6160 laddr 10.10.20.152/6160

Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6160 laddr 10.10.20.152/1027

Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6161 laddr 10.10.20.152/6161

Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6161 laddr 10.10.20.152/1027

Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6162 laddr 10.10.20.152/6162

Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6162 laddr 10.10.20.152/1027

Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6163 laddr 10.10.20.152/6163

Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6163 laddr 10.10.20.152/1027

Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6164 laddr 10.10.20.152/6164

Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6164 laddr 10.10.20.152/1027

Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6165 laddr 10.10.20.152/6165

Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6165 laddr 10.10.20.152/1027

You will find some deny messages, although there is no blocking for those sites.

Any suggestions?

Is there any email address of yours so I can send the whole syslog?

Thanks

richard

Cisco Employee

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

You don't need to send the whole syslog, I can see the problem. These messages:

Feb 10 14:53:22 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53

Feb 10 14:53:22 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53

Feb 10 14:53:23 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53

mean the PIX has run out of translation addresses to use. Can you do a "sho conn count" and send that info? You do have a global statement with a PAT address, so you should have thousands of translations available. In the meantime, to give you more translations, you can add a second PAT global by changing:

global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.252

global (outside) 1 203.105.151.12

to:

global (outside) 1 203.105.151.8-203.105.151.10 netmask 255.255.255.252

global (outside) 1 203.105.151.11

global (outside) 1 203.105.151.12

That should resolve your problem for a while, but I'd be looking at why you're running out of translations. A "sho xlate" will show you the current translations outbound through the PIX; check to see if one internal address seems to be using all of them up. It may just be that you have a large number of internal hosts and one PAT address isn't enough, which is fine, and doing the above changes should resolve that, but you need to verify that you don't have one internal PC using up thousands of them because it's got some worm or virus on it.
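The two checks raised in the replies above (whether the netmask on the ranged global statement is right, and whether the source of a %PIX-3-305005 message is covered by a nat statement) can be automated. The following is an added Python example written for this thread; it is not Cisco code and was not posted by anyone in the discussion. The config and syslog lines it uses are copied from the posts above. Two documented PIX 6.x behaviours drive it: the global command skips the network and broadcast addresses of the subnet implied by its netmask keyword, so the mask decides how many addresses of a range are actually usable, and 305005 "No translation group found" is logged when an outbound packet matches no nat or static rule for its source address.

```python
"""Check PIX 6.x nat/global statements against %PIX-3-305005 syslog messages.

Added example for this thread; not Cisco code. The config and syslog lines
below are copied from the posts above (the nat statement is the original
10.10.20.152 255.255.255.248 one from the posted configuration).
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# nat (<if>) <id> <local-net> <mask> [<max-conns> <em-limit>]
NAT_RE = re.compile(r"^nat \((?P<if>\w+)\) (?P<id>\d+) (?P<net>[\d.]+) (?P<mask>[\d.]+)")
# global (<if>) <id> <first>[-<last>] [netmask <mask>]
GLOBAL_RE = re.compile(
    r"^global \((?P<if>\w+)\) (?P<id>\d+) (?P<first>[\d.]+)(?:-(?P<last>[\d.]+))?"
    r"(?: netmask (?P<mask>[\d.]+))?"
)
# %PIX-3-305005: No translation group found for <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
MSG_305005_RE = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/\d+ dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

POSTED_CONFIG = """\
ip address outside 203.105.151.6 255.255.255.240
global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.252
global (outside) 1 203.105.151.12
nat (inside) 1 10.10.20.152 255.255.255.248 0 0
"""

POSTED_SYSLOG = """\
Feb 10 14:53:22 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53
Feb 10 14:54:11 10.10.20.14 %PIX-3-305005: No translation group found for udp src inside:10.10.21.87/1686 dst outside:203.105.151.2/53
Feb 10 14:52:11 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/31 laddr 10.10.20.152/31
"""


def parse_nat(config: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """{interface: [local networks eligible for translation]} from nat statements."""
    nets: Dict[str, List[ipaddress.IPv4Network]] = {}
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            net = ipaddress.IPv4Network((m["net"], m["mask"]), strict=False)
            nets.setdefault(m["if"], []).append(net)
    return nets


def usable_pool(first: str, last: str, mask: str) -> List[str]:
    """Addresses the PIX will actually hand out from a ranged global statement.

    Any address in the range that is the network or broadcast address of the
    subnet implied by the netmask keyword is skipped, so a too-small mask
    silently shrinks the pool.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    usable: List[str] = []
    for n in range(lo, hi + 1):
        addr = ipaddress.IPv4Address(n)
        subnet = ipaddress.IPv4Network((n, mask), strict=False)
        if addr in (subnet.network_address, subnet.broadcast_address):
            continue
        usable.append(str(addr))
    return usable


def pool_report(config: str) -> List[Tuple[str, int]]:
    """(global statement, usable address count) for every ranged global with a netmask."""
    report: List[Tuple[str, int]] = []
    for line in config.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if m and m["last"] and m["mask"]:
            report.append((line.strip(), len(usable_pool(m["first"], m["last"], m["mask"]))))
    return report


def uncovered_sources(config: str, syslog: str) -> List[Tuple[str, str, str, int]]:
    """305005 sources that fall outside every nat statement on their interface."""
    nats = parse_nat(config)
    hits: List[Tuple[str, str, str, int]] = []
    for line in syslog.splitlines():
        m = MSG_305005_RE.search(line)
        if not m:
            continue
        src = ipaddress.IPv4Address(m["src"])
        if not any(src in net for net in nats.get(m["sif"], [])):
            hits.append((m["proto"], m["src"], m["dst"], int(m["dport"])))
    return hits


if __name__ == "__main__":
    for stmt, count in pool_report(POSTED_CONFIG):
        print(f"{count} usable address(es) in: {stmt}")
    for proto, src, dst, dport in uncovered_sources(POSTED_CONFIG, POSTED_SYSLOG):
        print(f"no nat statement covers {src} ({proto} to {dst}/{dport})")
```

Run against the posted config, the ranged global with netmask 255.255.255.252 yields two usable addresses (.9 and .10) instead of four, while 255.255.255.240 leaves all four usable. Both 305005 sources (10.10.21.87) fall outside nat (inside) 1 10.10.20.152 255.255.255.248; substituting the later nat (inside) 1 10.10.16.0 255.255.248.0 statement empties the list.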

New Member

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

Thanks gfullage, for your reply.

But for your information (I should have told you earlier), we have connected only 3 PCs on the inside for testing purposes. No other PCs in the LAN are connected to this PIX. With these 3 PCs, we encounter this problem. Everything is good, but sometimes some web sites cannot be resolved.

I will send you the info you want to check.

thanks

richard

Cisco Employee

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

OK, all the more reason to check that one of these isn't going haywire and using up 1000's of connections. You're definitely running out of available translations, so a "sho conn count" and a "sho xlate" will give you an idea of what's going on.

New Member

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

Hi,

These are the outputs.

Pix# sh conn count

3 in use, 21 most used

Pix# sh xlate

3 in use, 44 most used

Global 203.105.151.9 Local 10.10.20.153

Global 203.105.151.10 Local 10.10.20.152

Global 203.105.151.11 Local 10.10.21.87

Pix#

Is there any bug in PIX 6.1(4) regarding PAT?

Thanks

Richard

New Member

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

Hi,

This is my sh global and sh xlate output.

Pix# sh global

global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.240

global (outside) 1 203.105.151.12 netmask 255.255.255.240

global (outside) 1 203.105.151.13 netmask 255.255.255.240

Pix# sh xlate

12 in use, 44 most used

PAT Global 203.105.151.12(1657) Local 10.10.21.227(1104)

PAT Global 203.105.151.12(1656) Local 10.10.21.227(1103)

PAT Global 203.105.151.12(157) Local 10.10.21.227(1)

Global 203.105.151.8 Local 10.10.20.154

Global 203.105.151.9 Local 10.10.20.153

Global 203.105.151.10 Local 10.10.20.152

Global 203.105.151.11 Local 10.10.21.87

PAT Global 203.105.151.12(1653) Local 10.10.21.227(1100)

PAT Global 203.105.151.12(1652) Local 10.10.21.227(1099)

PAT Global 203.105.151.12(1655) Local 10.10.21.227(1102)

PAT Global 203.105.151.12(1127) Local 10.10.21.227(1035)

PAT Global 203.105.151.12(1654) Local 10.10.21.227(1101)

Now there are 4 PCs connected to the PIX. Still we are encountering the resolution problem.

Again sending you the syslog messages:

on interface outside

Feb 17 16:45:05 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12295 faddr 192.6.118.44/80 gaddr 203.105.151.11/2542 laddr 10.10.21.87/2542 duration 0:00:00 bytes 0 (TCP Reset-I)

Feb 17 16:45:05 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12293 faddr 192.6.118.44/80 gaddr 203.105.151.11/2539 laddr 10.10.21.87/2539 duration 0:00:04 bytes 6330 (TCP FINs)

Feb 17 16:45:06 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12296 for faddr 63.218.7.135/80 gaddr 203.105.151.11/2543 laddr 10.10.21.87/2543

Feb 17 16:45:06 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12297 for faddr 63.218.7.135/80 gaddr 203.105.151.11/2544 laddr 10.10.21.87/2544

Feb 17 16:45:07 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 63.218.7.135:/country/us/eng/img/top/hpweb_topnav_country.gif

Feb 17 16:45:07 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 63.218.7.135:/country/us/eng/img/top/hpc60_topnav_home.gif

Feb 17 16:45:08 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12298 for faddr 63.218.7.135/80 gaddr 203.105.151.11/2545 laddr 10.10.21.87/2545

Feb 17 16:45:08 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12296 faddr 63.218.7.135/80 gaddr 203.105.151.11/2543 laddr 10.10.21.87/2543 duration 0:00:02 bytes 991 (TCP Reset-I)

Feb 17 16:45:09 10.10.20.14 %PIX-6-106015: Deny TCP (no connection) from 63.218.7.135/80 to 203.105.151.11/2543 flags ACK on interface outside

Feb 17 16:45:09 10.10.20.14 %PIX-6-106015: Deny TCP (no connection) from 63.218.7.135/80 to 203.105.151.11/2543 flags FIN ACK on interface outside

Feb 17 16:45:09 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 63.218.7.135:/country/us/eng/img/top/hpc60_topnav_prodserv.gif

Feb 17 16:45:16 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12299 for faddr 65.54.195.190/80 gaddr 203.105.151.11/2546 laddr 10.10.21.87/2546

Feb 17 16:45:17 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 65.54.195.190:/3GRENUS/3_8100_11?id=categories/romance

Feb 17 16:45:19 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12299 faddr 65.54.195.190/80 gaddr 203.105.151.11/2546 laddr 10.10.21.87/2546 duration 0:00:03 bytes 1130 (TCP FINs)

Feb 17 16:45:23 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12300 for faddr 65.54.195.190/80 gaddr 203.105.151.11/2547 laddr 10.10.21.87/2547

Feb 17 16:45:24 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 65.54.195.190:/3GRENUS/3_8100_11?id=categories/romance

Feb 17 16:45:26 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12294 faddr 63.218.7.135/80 gaddr 203.105.151.11/2541 laddr 10.10.21.87/2541 duration 0:00:22 bytes 36734 (TCP Reset-I)

Feb 17 16:45:26 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12300 faddr 65.54.195.190/80 gaddr 203.105.151.11/2547 laddr 10.10.21.87/2547 duration 0:00:03 bytes 1130 (TCP FINs)

Feb 17 16:45:31 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12297 faddr 63.218.7.135/80 gaddr 203.105.151.11/2544 laddr 10.10.21.87/2544 duration 0:00:24 bytes 10455 (TCP Reset-I)

Feb 17 16:45:32 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12301 for faddr 65.54.195.190/80 gaddr 203.105.151.11/2548 laddr 10.10.21.87/2548

Feb 17 16:45:33 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 65.54.195.190:/3GRENUS/3_8100_11?id=categories/romance

Feb 17 16:45:36 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12301 faddr 65.54.195.190/80 gaddr 203.105.151.11/2548 laddr 10.10.21.87/2548 duration 0:00:03 bytes 1130 (TCP FINs)

Feb 17 16:45:36 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12298 faddr 63.218.7.135/80 gaddr 203.105.151.11/2545 laddr 10.10.21.87/2545 duration 0:00:27 bytes 13681 (TCP Reset-I)

Feb 17 16:46:04 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12302 for faddr 192.6.165.40/80 gaddr 203.105.151.11/2550 laddr 10.10.21.87/2550

Feb 17 16:46:04 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 192.6.165.40:/search/?ctry=us&lang=eng&qt=DLT+JukeBox&submit.x=7&submit.y=4

Feb 17 16:46:06 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12302 faddr 192.6.165.40/80 gaddr 203.105.151.11/2550 laddr 10.10.21.87/2550 duration 0:00:02 bytes 1005 (TCP FINs)

Feb 17 16:46:14 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12303 for faddr 204.69.199.39/80 gaddr 203.105.151.11/2552 laddr 10.10.21.87/2552

Feb 17 16:46:20 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12304 for faddr 204.69.199.39/80 gaddr 203.105.151.11/2553 laddr 10.10.21.87/2553

Feb 17 16:46:21 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 204.69.199.39:/css/npx_style.css

Feb 17 16:46:26 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12303 faddr 204.69.199.39/80 gaddr 203.105.151.11/2552 laddr 10.10.21.87/2552 duration 0:00:12 bytes 48729 (TCP FINs)

Feb 17 16:46:45 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12304 faddr 204.69.199.39/80 gaddr 203.105.151.11/2553 laddr 10.10.21.87/2553 duration 0:00:25 bytes 2284 (TCP Reset-I)

Feb 17 16:47:00 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12305 for faddr 192.6.165.40/80 gaddr 203.105.151.11/2554 laddr 10.10.21.87/2554

Feb 17 16:47:01 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 192.6.165.40:/search/?ctry=us&lang=eng&qt=DLT+JukeBox&submit.x=7&submit.y=8

Feb 17 16:47:03 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12305 faddr 192.6.165.40/80 gaddr 203.105.151.11/2554 laddr 10.10.21.87/2554 duration 0:00:02 bytes 1005 (TCP FINs)

Maybe you will find something. There are some deny messages, but I don't know why.

Should we enter each global address (4 IPs: 203.105.151.8-203.105.151.11) in the DNS server's pointer record file?

Thanks and regards

Richard

New Member

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

Hi,

I found this on Cisco's web site:

Poor or Intermittent FTP/HTTP Performance Through a PIX

--------------------------------------------------------------------------------

Introduction

When trying to download files with FTP or access external sites on the worldwide web from behind the PIX firewall, network users may experience poor or intermittent performance. This can occur because host IP addresses in the global pool (or internal host IP addresses, if you are using NAT 0) are not properly registered in the Domain Name System (DNS).

Symptoms

Some symptoms of poor performance include:

A user can connect to an FTP site, but cannot execute any commands (such as LS, PUT, or GET).

FTP performance is extremely slow.

File transfers being performed using FTP will reach only n%, at which point the transfer will halt without being completed.

A user may not be able to access certain web sites.

Note: These symptoms also may be caused by the IDENT protocol, which is explained in another technical tip.

Troubleshooting

Use nslookup to resolve a random number from your global pool. If you're using NAT 0, try to resolve your actual host IP addresses. If you get the resulting error message "No host/domain," that usually indicates a lack of reverse DNS entries. However, if you do successfully resolve to a name, please check the PIX Performance Issues Caused by IDENT Protocol (Port 113) technical tip for a possible solution to your problem.

In PIX Software versions earlier than 4.2.x, syslog at 20.7 may show "deny" messages, even though the hosts in question are not being blocked by access lists, authentication, license count, and so on. In PIX Software versions 4.2.x or later, the logging facility 20 and logging trap debugging commands may show similar "deny" messages.

Fixing the Problem

In the primary DNS for the domain, make sure there is a Pointer (PTR) record for each IP address, either those in a global pool or the ones that pass through via NAT 0. (These records are also known as in-addr.arpa entries.)

For More Information about DNS and IP Routing

For more information about how to set up and run a DNS on your network, see the following documents:

Understanding the Domain Name System

DNS Resource Records

IP Routing Technical Tips

Verify

Once PTR records have been entered, an nslookup run on an IP address should resolve to a name.

--------------------------------------------------------------------------------

Thanks

richard
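The tip quoted above fixes the problem with one PTR record per global-pool address and verifies it with nslookup. The following is an added Python example written for this thread (not Cisco's code and not posted by anyone in the discussion) that generates those records for the pool shown in the posted sh global output and checks that each PTR also resolves forward to the same address. The reverse zone follows from the pool addresses; the forward zone example.com and the nat-N hostname pattern are assumptions for illustration. The offline check uses a constructed answer table in place of DNS; system_resolver performs the same lookups live through the OS resolver, which is what nslookup would do.

```python
"""Generate and verify reverse-DNS (PTR) records for a PIX global pool.

Added example for this thread; not Cisco code. Pool addresses come from the
posted "sh global" output. The forward zone (example.com) and the nat-N
hostname pattern are assumptions for illustration only.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# global (outside) 1 203.105.151.8-203.105.151.11 plus PAT addresses .12 and .13
GLOBAL_RANGES: List[Tuple[str, str]] = [
    ("203.105.151.8", "203.105.151.11"),
    ("203.105.151.12", "203.105.151.12"),
    ("203.105.151.13", "203.105.151.13"),
]
FORWARD_ZONE = "example.com."  # assumption: the zone the PTR target names live in

Resolver = Callable[[str, str], Optional[str]]  # (qname, qtype) -> rdata or None


def expand(ranges: List[Tuple[str, str]]) -> List[ipaddress.IPv4Address]:
    """Every address in the pool, in order."""
    out: List[ipaddress.IPv4Address] = []
    for first, last in ranges:
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        out.extend(ipaddress.IPv4Address(n) for n in range(lo, hi + 1))
    return out


def reverse_name(addr: ipaddress.IPv4Address) -> str:
    """in-addr.arpa owner name, e.g. 8.151.105.203.in-addr.arpa."""
    return addr.reverse_pointer + "."


def hostname_for(addr: ipaddress.IPv4Address) -> str:
    """Assumed naming scheme: nat-<last octet>.<forward zone>."""
    return f"nat-{str(addr).rsplit('.', 1)[1]}.{FORWARD_ZONE}"


def ptr_records(ranges: List[Tuple[str, str]]) -> List[str]:
    """Zone-file lines for the reverse zone, one PTR per pool address."""
    return [f"{reverse_name(a)} IN PTR {hostname_for(a)}" for a in expand(ranges)]


def a_records(ranges: List[Tuple[str, str]]) -> List[str]:
    """Matching forward A records so each PTR name resolves back to the pool."""
    return [f"{hostname_for(a)} IN A {a}" for a in expand(ranges)]


def check_fcrdns(ranges: List[Tuple[str, str]], resolve: Resolver) -> Dict[str, str]:
    """Per address: 'ok', 'no PTR', or why the PTR fails the forward check."""
    results: Dict[str, str] = {}
    for a in expand(ranges):
        name = resolve(reverse_name(a), "PTR")
        if name is None:
            results[str(a)] = "no PTR"
            continue
        forward = resolve(name, "A")
        results[str(a)] = "ok" if forward == str(a) else f"PTR {name} does not resolve back to {a}"
    return results


def table_resolver(records: Dict[Tuple[str, str], str]) -> Resolver:
    """Offline resolver backed by a constructed {(qname, qtype): rdata} table."""
    return lambda qname, qtype: records.get((qname.lower(), qtype))


def system_resolver(qname: str, qtype: str) -> Optional[str]:
    """Live lookups through the OS resolver, i.e. what nslookup would do."""
    try:
        if qtype == "PTR":
            octets = qname.rstrip(".").split(".")[:4]
            return socket.gethostbyaddr(".".join(reversed(octets)))[0] + "."
        return socket.gethostbyname(qname.rstrip("."))
    except (socket.herror, socket.gaierror):
        return None


def demo_with_gap() -> Dict[str, str]:
    """Constructed DNS answers: every pool address has PTR and A, except .11 lacks its PTR."""
    records: Dict[Tuple[str, str], str] = {}
    for a in expand(GLOBAL_RANGES):
        if str(a) != "203.105.151.11":
            records[(reverse_name(a), "PTR")] = hostname_for(a)
        records[(hostname_for(a), "A")] = str(a)
    return check_fcrdns(GLOBAL_RANGES, table_resolver(records))


if __name__ == "__main__":
    print("\n".join(ptr_records(GLOBAL_RANGES) + a_records(GLOBAL_RANGES)))
    for addr, status in demo_with_gap().items():
        print(f"{addr}: {status}")
```

To check a live deployment, call check_fcrdns(GLOBAL_RANGES, system_resolver) from a host that can reach the ISP's resolver; any address reported as "no PTR" is one the tip says still needs its in-addr.arpa entry, and a "does not resolve back" result means the PTR exists but the forward name points elsewhere.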

New Member

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

Hi gfullage,

Did you find anything regarding this problem?

Thanks

Richard

New Member

Re: PIX 525 Ver 6.1(4) - Sometimes DNS query fails

Hi gfullage,

I need your help. Below are my syslog messages from when I tried to connect to zdnet.com from my PC. But it could not resolve the server.

Feb 19 14:14:32 10.10.20.14 %PIX-6-609001: Built local-host inside:10.10.21.87

Feb 19 14:14:32 10.10.20.14 %PIX-6-305001: Portmapped translation built for gaddr 203.105.151.12/1301 laddr 10.10.21.87/1366

Feb 19 14:14:32 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 28620 for faddr 207.68.185.58/80 gaddr 203.105.151.12/1301 laddr 10.10.21.87/1366

Feb 19 14:14:33 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 207.68.185.58:/response.asp?MT=www.zdnet.com&srch=3&prov=&utf8

Feb 19 14:14:36 10.10.20.14 %PIX-6-305001: Portmapped translation built for gaddr 203.105.151.12/1302 laddr 10.10.21.87/1367

Feb 19 14:14:36 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 28621 for faddr 207.68.185.58/80 gaddr 203.105.151.12/1302 laddr 10.10.21.87/1367

Feb 19 14:14:36 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 207.68.185.58:/main/css/en-us_main.css

Feb 19 14:16:23 10.10.20.14 %PIX-6-305004: Teardown portmap translation for global 203.105.151.12/1301 local 10.10.21.87/1366

Feb 19 14:16:23 10.10.20.14 %PIX-6-305004: Teardown portmap translation for global 203.105.151.12/1302 local 10.10.21.87/1367

Feb 19 14:16:23 10.10.20.14 %PIX-6-609002: Teardown local-host inside:10.10.21.87 duration 0:01:50

What is the problem here? I did not find anything on Cisco's web site. If you know anything, please let me know.

Thank you very much

richard
