Pix 515E --> After a few minutes inside hosts lose internet and dmz

Discussion in 'Cisco' started by ForumKid, Dec 3, 2008.

    Here is my issue. It's the strangest thing that I have been battling for 2 weeks now and I need some guidance because I'm just stuck against a wall.

    After a few minutes, maybe 10, maybe 5, all clients on the inside interface lose internet access and lose access to the dmz. Once it happens, it happens for all users on the inside interface at the same exact time.

    However, the dmz seems to never lose internet access. I think I'm missing or screwed something up with NAT/PAT, but I cannot be sure.

    I've tried two separate firewalls, one on version 6.2(3) and one on 8.0(2), and it's the same issue, so it's most likely a config issue. I've bypassed all switches, changed cables, etc., so it's directly related to the firewall.

    Also I know the static statements below are ridiculous, but I couldn't figure out how to give the entire inside interface access to the server on the dmz. That's a separate issue.

    I only have one server on the dmz and the ip address is 192.168.2.2 and the gateway is obviously 192.168.2.200.

    The only error I saw was an ARP collision on 192.168.1.200 which is the ip address of the inside interface, but when that popped up, users on the inside interface still had access to internet and dmz.

    PIX Version 8.0(2)
    !
    hostname pixfirewall
    enable password xxx encrypted
    names
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address xx.xx.45.82 255.255.255.248
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 192.168.1.200 255.255.255.0
    !
    interface Ethernet2
    nameif dmz
    security-level 10
    ip address 192.168.2.200 255.255.255.0
    !
    passwd xxx encrypted
    ftp mode passive
    access-list in_out extended permit ip any any
    access-list dmz_out extended permit ip any any
    access-list acl_out extended permit tcp any host xx.xx.45.83 eq 3389
    pager lines 24
    logging enable
    logging console warnings
    logging trap warnings
    logging host inside 192.168.1.2
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 192.168.2.0 255.255.255.0
    static (dmz,outside) xx.xx.45.83 192.168.2.2 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.24 192.168.1.24 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.14 192.168.1.14 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.3 192.168.1.3 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.4 192.168.1.4 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.6 192.168.1.6 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.7 192.168.1.7 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.8 192.168.1.8 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.9 192.168.1.9 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.11 192.168.1.11 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.12 192.168.1.12 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.13 192.168.1.13 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.15 192.168.1.15 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.16 192.168.1.16 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.17 192.168.1.17 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.18 192.168.1.18 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.19 192.168.1.19 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.20 192.168.1.20 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.23 192.168.1.23 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.25 192.168.1.25 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.26 192.168.1.26 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.27 192.168.1.27 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.28 192.168.1.28 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.29 192.168.1.29 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.30 192.168.1.30 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.31 192.168.1.31 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.32 192.168.1.32 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.33 192.168.1.33 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.34 192.168.1.34 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.35 192.168.1.35 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.36 192.168.1.36 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.37 192.168.1.37 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.38 192.168.1.38 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.39 192.168.1.39 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.40 192.168.1.40 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.41 192.168.1.41 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.42 192.168.1.42 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.43 192.168.1.43 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.44 192.168.1.44 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.45 192.168.1.45 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.46 192.168.1.46 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.47 192.168.1.47 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.48 192.168.1.48 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.49 192.168.1.49 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.50 192.168.1.50 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.51 192.168.1.51 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.52 192.168.1.52 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.53 192.168.1.53 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.54 192.168.1.54 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.55 192.168.1.55 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.56 192.168.1.56 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.57 192.168.1.57 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.58 192.168.1.58 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.59 192.168.1.59 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.60 192.168.1.60 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.61 192.168.1.61 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.62 192.168.1.62 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.63 192.168.1.63 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.64 192.168.1.64 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.65 192.168.1.65 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.66 192.168.1.66 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.67 192.168.1.67 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.68 192.168.1.68 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.69 192.168.1.69 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.70 192.168.1.70 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.22 192.168.1.22 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.21 192.168.1.21 netmask 255.255.255.255
    static (inside,dmz) 192.168.1.2 192.168.1.2 netmask 255.255.255.255
    access-group acl_out in interface outside
    access-group in_out in interface inside
    access-group dmz_out in interface dmz
    route outside 0.0.0.0 0.0.0.0 xx.xx.45.81 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns 167.206.112.138
    !
    dhcpd address 192.168.1.2-192.168.1.70 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    !
    prompt hostname context
    Cryptochecksum:482f6b69b4e0b353a5bb6924c2ad84c8
    : end
    [OK]
     
    ForumKid, Dec 3, 2008
    #1
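
An added example, not part of the original post: a small audit of a PIX-style config that counts per-host identity `static` entries per interface pair, collapses them into the fewest network-level `static` lines covering the same hosts, and flags when the mapped (lower-security) interface also has an inbound `permit ip any any` ACL, which lets that segment initiate to every host exposed by those statics. The config excerpt is constructed in the style of the one posted above, and the `audit` function is a hypothetical helper.

```python
import ipaddress
import re

# Constructed excerpt in the style of the posted config (not the full config).
SAMPLE_CONFIG = """\
access-list in_out extended permit ip any any
access-list dmz_out extended permit ip any any
access-list acl_out extended permit tcp any host xx.xx.45.83 eq 3389
static (dmz,outside) xx.xx.45.83 192.168.2.2 netmask 255.255.255.255
static (inside,dmz) 192.168.1.4 192.168.1.4 netmask 255.255.255.255
static (inside,dmz) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
static (inside,dmz) 192.168.1.6 192.168.1.6 netmask 255.255.255.255
static (inside,dmz) 192.168.1.7 192.168.1.7 netmask 255.255.255.255
access-group acl_out in interface outside
access-group in_out in interface inside
access-group dmz_out in interface dmz
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ANY_ANY_RE = re.compile(r"^access-list (\S+) extended permit ip any any$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def audit(config):
    """Summarise identity statics per (real_if, mapped_if) pair."""
    identity, open_acls, bound = {}, set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            if mapped == real:  # identity NAT: the host is translated to itself
                identity.setdefault((real_if, mapped_if), []).append(
                    ipaddress.ip_network(f"{real}/{mask}"))
        elif m := ANY_ANY_RE.match(line):
            open_acls.add(m.group(1))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> inbound ACL name
    findings = []
    for (real_if, mapped_if), nets in sorted(identity.items()):
        merged = ipaddress.collapse_addresses(nets)  # fewest covering prefixes
        findings.append({
            "pair": (real_if, mapped_if),
            "statics": len(nets),
            "collapsed": [f"static ({real_if},{mapped_if}) {n.network_address} "
                          f"{n.network_address} netmask {n.netmask}" for n in merged],
            # True when the mapped interface's inbound ACL permits all IP
            "mapped_if_permits_any": bound.get(mapped_if) in open_acls,
        })
    return findings
```
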