My network is running behind a PIX. I am using a private range of IPs (192.168.100.x) which is distributed through a DHCP server (also the DNS server) behind the firewall. Every now and then two or three PCs (IPs) stop browsing (accessing the outside world). I have to reboot the PC so that it can work.
When I removed the PIX and became directly connected to the router, everything worked fine and this behavior didn't happen.
Any comment ...
Seems to be an ARP-cache related issue. Next time the problem occurs, check all the ARP caches and make sure they match across all the PCs and the PIX:
On a W2K pc: c:\>ipconfig /all (write down the ip and mac addresses)
On the PIX: pix#sho arp (compare the pc's ip and mac addresses)
On the DHCP server: compare the active leases with the above info.
Does this happen ONLY after a certain number of translations (sh xlate)? Check the license for the PIX. It should be unrestricted. Are these PCs able to get out after clearing the translations (clear xlate)?
What is the version on the PIX? Are you PATing or NATing? sh ver and wr t will help.
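The ARP comparison suggested above is tedious to do by hand across several PCs, so here is a small added helper (not part of the thread) that parses the three views named in the reply, W2K `ipconfig /all` output, PIX 6.x `show arp` output (which prints `interface ip mac` per line) and the DHCP server's active leases, normalises the MAC formats and reports every IP whose MAC differs between the host and what the PIX or DHCP server believes. All sample output below is constructed for the example; the lease format is a plain `ip mac` list, which is an assumption, so adapt `parse_leases` to whatever your DHCP server exports.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: what `ipconfig /all` prints on two W2K hosts.
IPCONFIG_SAMPLES = {
    "pc1": """
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
        Physical Address. . . . . . . . . : 00-50-56-C0-00-08
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.100.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.100.254
""",
    "pc2": """
Ethernet adapter Local Area Connection:
        Physical Address. . . . . . . . . : 00-50-56-C0-00-09
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.100.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.100.254
""",
}

# Constructed sample of `show arp` on the PIX: "ifname ip mac" per line.
# Note the stale entry for 192.168.100.6 (different MAC than the host reports).
PIX_SHOW_ARP = """
        outside 203.0.113.1 0003.e3c4.1234
        inside 192.168.100.1 0050.56c0.0001
        inside 192.168.100.5 0050.56c0.0008
        inside 192.168.100.6 0050.56c0.00aa
"""

# Constructed sample of the DHCP server's active leases (assumed "ip mac" layout).
DHCP_LEASES = """
192.168.100.5 00-50-56-C0-00-08
192.168.100.6 00-50-56-C0-00-09
"""

IP_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"


def norm_mac(mac: str) -> str:
    """Reduce 00-50-56-C0-00-08 / 0050.56c0.0008 / 00:50:56:c0:00:08 to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_ipconfig(text: str) -> Dict[str, str]:
    """Return {ip: mac} from one host's `ipconfig /all` output."""
    result, mac = {}, None
    for line in text.splitlines():
        m = re.search(r"Physical Address[ .]*: *([0-9A-Fa-f-]{17})", line)
        if m:
            mac = norm_mac(m.group(1))   # adapter MAC precedes its IP Address line
            continue
        m = re.search(r"IP Address[ .]*: *" + IP_RE, line)
        if m and mac:
            result[m.group(1)] = mac
    return result


def parse_pix_arp(text: str) -> Dict[str, str]:
    """Return {ip: mac} from PIX `show arp` output (any interface)."""
    result = {}
    pat = re.compile(r"^\s*\S+\s+" + IP_RE + r"\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            result[m.group(1)] = norm_mac(m.group(2))
    return result


def parse_leases(text: str) -> Dict[str, str]:
    """Return {ip: mac} from a plain 'ip mac' lease listing."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and re.fullmatch(IP_RE, parts[0]):
            result[parts[0]] = norm_mac(parts[1])
    return result


def check_consistency(host_view: Dict[str, str], pix_view: Dict[str, str],
                      lease_view: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Each finding is (ip, source, mac the source holds, mac the host really has)."""
    findings = []
    for ip, host_mac in sorted(host_view.items()):
        for source, view in (("pix", pix_view), ("dhcp", lease_view)):
            seen = view.get(ip)
            if seen is None:
                findings.append((ip, source, "missing", host_mac))
            elif seen != host_mac:
                findings.append((ip, source, seen, host_mac))
    return findings


def run_check() -> List[Tuple[str, str, str, str]]:
    hosts = {}
    for sample in IPCONFIG_SAMPLES.values():
        hosts.update(parse_ipconfig(sample))
    return check_consistency(hosts, parse_pix_arp(PIX_SHOW_ARP), parse_leases(DHCP_LEASES))


if __name__ == "__main__":
    for ip, source, seen, actual in run_check():
        print(f"{ip}: {source} holds {seen}, host reports {actual}")
```

A hit on the `pix` side for an IP that has just stopped browsing is the signature the reply is looking for: the PIX keeps answering to a MAC the host no longer uses until `arp timeout` (14400 seconds in the posted config) expires, which is why a reboot or a `clear arp` on the PIX makes the host work again.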
First thank you for offering help ...
Second, there is no problem with the license. Honestly, I didn't try to run this command (clear xlate) to know if it has an effect or not.
The version:
PIXFIREWALL# sh version
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)
Compiled on Fri 07-Jun-02 17:49 by morlee
PIXFIREWALL up 1 day 0 hours
Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1: ethernet1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Inside Hosts: Unlimited
IKE peers: Unlimited
I am running NATing.
PIXFIREWALL# sh run
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxx
passwd xxxxxxxxxxxxx encrypted
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list internal permit tcp any any eq www
access-list internal permit tcp any any eq https
access-list internal permit tcp any any eq pop3
access-list internal permit tcp any any eq smtp
access-list internal permit icmp any any
access-list internal permit udp any any eq domain
access-list internal permit tcp any any eq ftp
access-list internal permit tcp any any eq domain
access-list internal deny ip any any
access-list 101 permit ip 192.168.101.1 255.255.255.0 192.168.101.10 255.255.255.
access-list external permit icmp any any
pager lines 24
logging trap warnings
logging host inside 192.168.100.1
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.xx 255.255.255.224
ip address inside 192.168.100.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.101.1-192.168.101.10
pdm location 192.168.100.1 255.255.255.255 inside
pdm location 192.168.101.0 255.255.255.0 outside
pdm location 192.168.101.0 255.255.255.0 inside
pdm location xx.xx.xx.xx 255.255.255.224 outside
pdm location xx.xx.xx.xx 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.xx
nat (inside) 0 access-list 101
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
access-group external in interface outside
access-group internal in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.101.0 255.255.255.0 outside
http xx.xx.xx.xx 255.255.255.224 outside
http 192.168.100.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
sysopt connection permit-pptp
no sysopt route dnat
crypto map mymap 30 ipsec-isakmp
telnet xx.xx.xx.xx 255.255.255.0 outside
telnet 192.168.101.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.100.1
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username test password *********
vpdn enable outside
terminal width 80
no vpdn group 1 accept dialin pptp
no vpdn group 1 ppp authentication pap
no vpdn group 1 ppp authentication chap
no vpdn group 1 ppp authentication mschap
no vpdn group 1 ppp encryption mppe 40
no vpdn group 1 client configuration address local pptp-pool
no vpdn group 1 client configuration dns 192.168.100.1
no vpdn group 1 pptp echo 60
no vpdn group 1 client authentication local
no vpdn username test password *********
no vpdn username sboshra password *********
no vpdn username raya password *********
no vpdn enable outside
Is it possible that you are having a DNS issue? Can the PCs ping by IP address but not by name? If so, have a look at this bug and try creating a static for your DNS server:
With multiple recursive DNS servers on the inside that source DNS queries from a fixed port, such as 53, DNS queries can sporadically fail under a high query rate.
The workaround is to configure a static for the DNS server.
It's worth a shot.
We have had the same problem for a long time now so I would like to know if it worked or not.
If not, could it come from a bug of the firewall?
Thanks for any replies.
Honestly, I started the troubleshooting by removing all the access-lists on the firewall, and in a weird behaviour it seems that everything is fine ...
Sorry, no solution with a technical background ..
Try setting up a syslog server on your internal network and check if any errors appear in the logging.
To enable syslogging, enter these commands:
logging host ip_address_syslogserver
logging trap 7
Maybe level 7 (= debugging) shows too much info and slows down the pix. You can lower the logging level to 4 (=warning) to see dropped packets.
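Once the PIX is sending syslog to an inside host, the useful step is to filter the stream by severity and group what remains per inside host, so that the two or three PCs that stop browsing stand out. This added example (not from the thread) does that over a few constructed lines in the PIX `%PIX-severity-msgid:` format; the message ids 106023 (packet denied by an access-group) and 305006 (translation creation failed, the xlate condition raised earlier in the thread) are real PIX message ids, while the hosts, ports and the 203.0.113.x addresses are constructed. The severity threshold mirrors the `logging trap` level: 4 keeps warnings and above, 7 keeps everything.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of what a syslog server would receive from the PIX.
SAMPLE_SYSLOG = [
    'Jun 10 10:01:02 192.168.100.254 %PIX-6-302001: Built outbound TCP connection 12 '
    'for faddr 203.0.113.10/80 gaddr 203.0.113.2/1025 laddr 192.168.100.5/3420',
    'Jun 10 10:01:05 192.168.100.254 %PIX-4-106023: Deny tcp src inside:192.168.100.5/3421 '
    'dst outside:203.0.113.10/443 by access-group "internal"',
    'Jun 10 10:02:11 192.168.100.254 %PIX-3-305006: regular translation creation failed '
    'for tcp src inside:192.168.100.6/1100 dst outside:203.0.113.10/80',
    'Jun 10 10:02:12 192.168.100.254 %PIX-3-305006: regular translation creation failed '
    'for tcp src inside:192.168.100.6/1101 dst outside:203.0.113.10/80',
    'Jun 10 10:03:40 192.168.100.254 %PIX-4-106023: Deny udp src inside:192.168.100.7/1234 '
    'dst outside:203.0.113.53/53 by access-group "internal"',
    'Jun 10 10:03:41 192.168.100.254 not a pix message at all',
]

HEADER_RE = re.compile(r"%PIX-(\d)-(\d+):")
# Inside host: "inside:ip/port" in deny/xlate messages, "laddr ip/port" in connection messages.
HOST_RE = re.compile(r"(?:inside:|laddr )(\d{1,3}(?:\.\d{1,3}){3})")


def parse_pix_line(line: str) -> Tuple[int, str, str]:
    """Return (severity, message id, inside host) or raise ValueError for non-PIX lines."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("no %PIX header: " + line)
    severity, msg_id = int(m.group(1)), m.group(2)
    h = HOST_RE.search(line)
    host = h.group(1) if h else "unknown"
    return severity, msg_id, host


def summarize(lines: List[str], max_severity: int = 4) -> Dict[Tuple[str, str], int]:
    """Count (inside host, message id) pairs at or above the configured trap level.

    PIX severities run 0 (emergency) to 7 (debugging), so 'at or above' the
    trap level means severity <= max_severity, exactly as `logging trap N` filters.
    """
    counts: Counter = Counter()
    for line in lines:
        try:
            severity, msg_id, host = parse_pix_line(line)
        except ValueError:
            continue                      # skip lines that are not PIX messages
        if severity <= max_severity:
            counts[(host, msg_id)] += 1
    return dict(counts)


def hosts_with_failures(lines: List[str], max_severity: int = 4) -> List[str]:
    """Inside hosts that produced at least one message at the trap level, most noisy first."""
    per_host: Counter = Counter()
    for (host, _msg_id), n in summarize(lines, max_severity).items():
        per_host[host] += n
    return [host for host, _ in per_host.most_common()]


if __name__ == "__main__":
    for (host, msg_id), n in sorted(summarize(SAMPLE_SYSLOG).items()):
        print(f"{host} {msg_id} x{n}")
    print("suspect hosts:", hosts_with_failures(SAMPLE_SYSLOG))
```

At `logging trap 4` the connection-built message for 192.168.100.5 disappears and the two 305006 lines for 192.168.100.6 remain, which is the kind of evidence that separates a licence or xlate exhaustion problem from an access-list or ARP problem; at level 7 the same host list also carries every built and torn-down connection, which is the volume the reply warns about.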