No Internet Access Pix 506/501

Discussion in 'Cisco' started by Jack Lobo, Jan 4, 2004.

  1. Jack Lobo

    Hi all

    I am fairly new to cisco and seek your advice or opinions on the
    problem I'm having with the Pix firewall. First for a brief background
    of the problem.

    I had setup a Pix 506 to Checkpoint VPN for one of our remote offices
    in Seattle in June of 2003 with the following configuration shown
    below. It runs over a Qwest DSL line with an Actiontec 1520 modem with
    a Block of 5 usable public IP's. It worked fine up until December 22nd
    2003. They had Internet access and freely connected to the DC office
    through the VPN. On 12/22/03 they complained of no internet or
    extremely slow page loads while the VPN still worked fine. We have
    been through several reboots of the modems, fw, servers and everything
    else. Any help is appreciated.

    As of right now here are the symptoms

    No internet access
    The VPN connects if the DSL Modem and the FW are rebooted and then
    dies after a couple of hours.
    I reconfigured a spare pix 501 and sent it over there. After it was
    plugged in it worked fine for about 5 minutes. As we tested a few
    computers for Internet access it started very slow page loads and then
    failed again.

    Plugging a Laptop directly into the DSL modem works fine while the Pix
    is disconnected from the DSL modem. If the Pix is connected back the
    Internet access slows or stops.

    I did a sh xlate and found one computer creating several PAT
    connections. I unplugged it, rebooted the Modem and Fw, and Internet
    access worked fine for a couple of minutes and then died again.

    If I am missing any information please do not hesitate to ask.

    Here are some relevant details
    Internal LAN - 172.16.16.0 netmask 255.255.254.0
    Qwest assigned IP's 63.224.37.22 Gateway (DSL Modem) 63.224.37.222
    netmask 255.255.255.248

    LAN switch connects to PIX Inside and PIX outside connects to DSL
    modem.

    Thank you all very much in advance. Any input is appreciated.



    PixSeattle# wr t
    Building configuration...
    : Saved
    :
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password soGlSO/GXZyfn6aE encrypted
    passwd soGlSO/GXZyfn6aE encrypted
    hostname PixSeattle
    domain-name apcoworldwide.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list 115 permit ip 172.16.16.0 255.255.254.0 172.16.0.0 255.255.252.0
    access-list 115 deny ip 172.16.16.0 255.255.254.0 any
    pager lines 24
    interface ethernet0 10full
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside 63.224.37.221 255.255.255.248
    ip address inside 172.16.16.2 255.255.254.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 63.224.37.220
    nat (inside) 0 access-list 115
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 63.224.37.222 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 172.16.16.0 255.255.254.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set myset esp-des esp-sha-hmac
    crypto map rtpmap 10 ipsec-isakmp
    crypto map rtpmap 10 match address 115
    crypto map rtpmap 10 set peer 12.40.161.2
    crypto map rtpmap 10 set transform-set myset
    crypto map rtpmap interface outside
    isakmp enable outside
    isakmp key ******** address 12.40.161.2 netmask 255.255.255.248
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    telnet 172.16.16.0 255.255.254.0 inside
    telnet timeout 5
    ssh timeout 5
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:264e4d838ea7fe19045bdb80e9a98d12
    : end
    [OK]
    PixSeattle#
     
    Jack Lobo, Jan 4, 2004
    #1

  2. Hi,

    Please post a sho conn from the 506
    and remember that 501 have a user limit, which you might hit.
    So post a sho log as well, and enable logging 8)

    The line:
    access-list 115 deny ip 172.16.16.0 255.255.254.0 any
    doesn't make sense, so I recommend you delete that line.

    otherwise your cfg looks fine


    hth
    Martin Bilgrav


     
    Martin Bilgrav, Jan 4, 2004
    #2

  3. In article <>,
    Jack Lobo <> wrote:
    :I had setup a Pix 506 to Checkpoint VPN for one of our remote offices
    :in Seattle in June of 2003 with the following configuration shown
    :below. It runs over a Qwest DSL line with an Actiontec 1520 modem with
    :a Block of 5 usable public IP's. It worked fine up until December 22nd
    :2003. They had Internet access and freely connected to the DC office
    :throught the VPN. On 12/22/03 they complained of no intrnet or
    :extremely slow page loads while the VPN still worked fine.

    :As of right now here are the symptoms

    :No internet acces

    None at all? Not even poor access?

    :The VPN connects if the DSL Modem and the FW are rebooted and then
    :dies after a couple of hours.


    :plugging a Laptop directly into the DSL modem works fine while the Pix
    :is disconnected from the DSL modem. If the Pix is connected back the
    :Internet access slows or stops.

    I have three hypothesises (hypothesi ?):

    1) MTU problems. Your configuration does not permit any of the usual
    icmp packets back from the internet. PIX's Adaptive Security (ASA)
    is not the best for icmp -- most of the time it can't figure out
    that there is already a "connection" [especially since the icmp
    packet might come from a completely different location along
    the way.] PIX does better with tracking icmp as of 6.3(1), but
    you are running 6.2(2); even in 6.3 you need to specifically
    permit back some key icmp.

    2) DNS problems. If your DNS queries are not getting through, then
    the internet might seem unreachable; have you tested by IP address?

    3) You are running 6.2(2), which has been superseded by 6.2(3).
    6.2(3) has a number of bug fixes, including for a security problem.
    It could be that your PIX is getting bogged down by attacks.


    But the answer is probably something else completely.


    I notice that on your PIX, you have no logging turned on at all,
    not even to the in-memory buffers. You should turn on logging
    (via appropriate 'logging' commands) and look to see what is
    going on. Start with logging buffer debug as a configuration
    and 'show log' to see what gets put in there. You don't want
    to log to debug level in production, but you aren't in production
    until you get the device working again ;-)

    I also suggest that you configure the PIX to allow ssh
    control remotely, by using the 'ssh' command. First you will
    need to generate a key on it, using one of the 'ca gen' commands. Then
    make sure you -save- the key using 'ca save all' -- that's not
    done automatically! You only need to generate and save the key once.
    --
    Warhol's Law: every Usenet user is entitled to his or her very own
    fifteen minutes of flame -- The Squoire
     
    Walter Roberson, Jan 4, 2004
    #3
  4. Jack Lobo

    Problem solved. Thanks all for your input. It turned out that there
    were one or more "rogue" computers on the network that seemed to
    overload the Pix. Although I have not had a chance to identify the
    rogues I have removed all the non essential machines from the
    hub/switch and only allowed a few necessary users on the network along
    with the servers. This was done by the painstaking process of
    elimination. I'll post another follow up in a few days after I find
    out what the problem was. My suspicion is that the rogue machines were
    either virus infected or hacked.

    Walter
    In response to your suggestions I had the logging on the previous pix
    506 which I then replaced with the 501. I forgot to turn logging on
    the 501 but will do so for future use. I'll also try the ssh
    suggestions which I think are useful. I will be upgrading to 6.2.3
    within a couple of days.

    Martin
    In response to your suggestions I deleted the line
    access-list 115 deny ip 172.16.16.0 255.255.254.0 any
    which did not make any difference either way. I also tried this after
    I got the problem resolved and don't seem to find any difference.
    Maybe I'm not quite clear on what that line does. We only have 6
    people on our network so we would be fine in the 10 user limit.

    Once again I thank you all for your quick responses.



     
    Jack Lobo, Jan 5, 2004
    #4
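The "sh xlate" observation in the first post (one host holding many PAT entries) and the process of elimination in this last post can be done by parsing the firewall's own output. The Python below is added here, not from the thread or from Cisco, and runs over constructed PIX 6.x "show xlate" and "show conn" samples; it flags inside hosts that hold an unusual number of translations or fan half-open TCP connections out to several destinations on one port, the footprint a worm-infected or scanning host leaves. The thresholds and sample addresses are assumptions; the only PIX fact relied on is that a conn line's flags contain "U" once the TCP session is up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of PIX 6.x "show xlate" output (PAT entries), not from the thread.
SHOW_XLATE = """\
6 in use, 6 most used
PAT Global 63.224.37.220(1024) Local 172.16.16.45(3421)
PAT Global 63.224.37.220(1025) Local 172.16.16.45(3422)
PAT Global 63.224.37.220(1026) Local 172.16.16.45(3423)
PAT Global 63.224.37.220(1027) Local 172.16.16.45(3424)
PAT Global 63.224.37.220(1028) Local 172.16.16.12(1055)
PAT Global 63.224.37.220(1029) Local 172.16.16.2(1200)
"""

# Constructed sample of "show conn"; a TCP line whose flags lack 'U' (up) is still embryonic.
SHOW_CONN = """\
5 in use, 5 most used
TCP out 198.51.100.7:135 in 172.16.16.45:3421 idle 0:00:03 Bytes 0 flags saA
TCP out 198.51.100.8:135 in 172.16.16.45:3422 idle 0:00:02 Bytes 0 flags saA
TCP out 198.51.100.9:135 in 172.16.16.45:3423 idle 0:00:02 Bytes 0 flags saA
TCP out 203.0.113.20:80 in 172.16.16.12:1055 idle 0:00:10 Bytes 4120 flags UIO
UDP out 203.0.113.53:53 in 172.16.16.2:1200 idle 0:00:01 flags -
"""

XLATE_RE = re.compile(r"^(?:PAT )?Global \S+ Local (\d+(?:\.\d+){3})")
CONN_RE = re.compile(r"^(TCP|UDP) out (\S+):(\d+) in (\d+(?:\.\d+){3}):\d+ .*flags (\S+)$")

def xlates_per_host(text):
    """Translation slots each inside host holds, from 'show xlate' output."""
    counts = Counter()
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            counts[m.group(1)] += 1
    return counts

def embryonic_peers(text):
    """Per inside host, the (destination, port) pairs of TCP conns that never came up."""
    peers = defaultdict(set)
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m and m.group(1) == "TCP" and "U" not in m.group(5):
            peers[m.group(4)].add((m.group(2), int(m.group(3))))
    return peers

def suspect_hosts(xlate_text, conn_text, max_xlates=3, max_embryonic=3):
    """Inside hosts that hog PAT slots or fan half-open SYNs out to many peers on one port."""
    suspects = defaultdict(list)
    for host, n in xlates_per_host(xlate_text).items():
        if n > max_xlates:
            suspects[host].append("%d xlates" % n)
    for host, pairs in embryonic_peers(conn_text).items():
        port, n = Counter(p for _, p in pairs).most_common(1)[0]
        if n >= max_embryonic:
            suspects[host].append("%d half-open SYNs to tcp/%d" % (n, port))
    return dict(suspects)
```

On a real box, paste the output of "show xlate" and "show conn" in place of the samples and tune the thresholds to the site's normal per-host counts; the host it names is the one to pull off the switch first.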