No Internet Access Pix 506/501

Hi all

I am fairly new to cisco and seek your advise or opinions on the
problem I'm having with the Pix firewall. First for a brief background
of the problem.

I had setup a Pix 506 to Checkpoint VPN for one of our remote offices
in Seattle in June of 2003 with the following configuration shown
below. It runs over a Qwest DSL line with an Actiontec 1520 modem with
a Block of 5 usable public IP's. It worked fine up until December 22nd
2003. They had Internet access and freely connected to the DC office
throught the VPN. On 12/22/03 they complained of no intrnet or
extremely slow page loads while the VPN still worked fine. We have
been through several reboots of the modems, fw, servers and everything
else. Any help is appreciated.

As of right now here are the symptoms

No internet acces
The VPN connects if the DSL Modem and the FW are rebooted and then
dies after a couple of hours.
I reconfigured a spare pix 501 and sent it over there. After it was
plugged in it worked fine for about 5 minutes. As we tested a few
computers for Internet access it started very slow page loads and then
failed again.

Plugging a Laptop directly into the DSL modem works fine while the Pix
is disconnected from the DSL modem. If the Pix is connected back the
Internet access slows or stops.

I did a sh Xlate and found one copmuter creating several PAT
connections. I unplugged it rebooted the Modem and Fw and Internet
access worked fine for a couple of minutes and then died again.

If I am missing any information please do not hesitate to ask.

Here are some relevent details
Internal LAN - 172.16.16.0 netmask 255.255.254.0
Qwest assigned IP's 63.224.37.22 Gateway (DSL Modem)63.224.37.222
netmask 255.255.255.248

LAN switch connects to PIX Inside and PIX ouside connects to DSL
modem.

Thank you all very much in advance. Any input is appreciated.



PixSeattle# wr t
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password soGlSO/GXZyfn6aE encrypted
passwd soGlSO/GXZyfn6aE encrypted
hostname PixSeattle
domain-name apcoworldwide.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 115 permit ip 172.16.16.0 255.255.254.0 172.16.0.0
255.255.252.0
access-list 115 deny ip 172.16.16.0 255.255.254.0 any
pager lines 24
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 63.224.37.221 255.255.255.248
ip address inside 172.16.16.2 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 63.224.37.220
nat (inside) 0 access-list 115
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 63.224.37.222 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.16.16.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map rtpmap 10 ipsec-isakmp
crypto map rtpmap 10 match address 115
crypto map rtpmap 10 set peer 12.40.161.2
crypto map rtpmap 10 set transform-set myset
crypto map rtpmap interface outside
isakmp enable outside
isakmp key ******** address 12.40.161.2 netmask 255.255.255.248
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 172.16.16.0 255.255.254.0 inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:264e4d838ea7fe19045bdb80e9a98d12
: end
[OK]
PixSeattle#

 

Hi,

Please post a sho conn from the 506
and remember that 501 have a userlimit, which you might hit.
So post a sho log aswell, and enable logging 8)

The line:
access-list 115 deny ip 172.16.16.0 255.255.254.0 any
doesnt make sende, so i recommend you delete that line.

otherwise your cfg looks fine


hth
Martin Bilgrav

 

:I had setup a Pix 506 to Checkpoint VPN for one of our remote offices
:in Seattle in June of 2003 with the following configuration shown
:below. It runs over a Qwest DSL line with an Actiontec 1520 modem with
:a Block of 5 usable public IP's. It worked fine up until December 22nd
:2003. They had Internet access and freely connected to the DC office
:throught the VPN. On 12/22/03 they complained of no intrnet or
:extremely slow page loads while the VPN still worked fine.

:As of right now here are the symptoms

:No internet acces

None at all? Not even poor access?

:The VPN connects if the DSL Modem and the FW are rebooted and then
:dies after a couple of hours.


lugging a Laptop directly into the DSL modem works fine while the Pix
:is disconnected from the DSL modem. If the Pix is connected back the
:Internet access slows or stops.

I have three hypothesises (hypothesi ?):

1) MTU problems. Your configuration does not permit any of the usual
icmp packets back from the internet. PIX's Adaptive Security (ASA)
is not the best for icmp -- most of the time it can't figure out
that there is already a "connection" [especially since the icmp
packet might come from a completely different location along
the way.] PIX does better with tracking icmp as of 6.3(1), but
you are running 6.2(2); even in 6.3 you need to specifically
permit back some key icmp.

2) DNS problems. If your DNS queries are not getting through, then
the internet might seem unreachable; have you tested by IP address?

3) You are running 6.2(2), which has been superceeded by 6.2(3).
6.2(3) has a number of bug fixes, including for a security problem.
It could be that your PIX is getting bogged down by attacks.


But the answer is probably something else completely.


I notice that on your PIX, you have no logging turned on at all,
not even to the in-memory buffers. You should turn on logging
(via appropriate 'logging' commands) and look to see what is
going on. Start with logging buffer debug as a configuration
and 'show log' to see what gets put in there. You don't want
to log to debug level in production, but you aren't in production
until you get the device working again ;-)

I also suggest that you configure the PIX to allow ssh
control remotely, by using the 'ssh' command. First you will
need to generate a key on it, using one of the 'ca gen' commands. Then
make sure you -save- the key using 'ca save all' -- that's not
done automatically! You only need to generate and save the key once.

 

Problem solved. Thanks all for your input. It turned out that there
were one or more "rogue" computers on the network that seemed to
overload the Pix. Although I have not had a chance to identify the
rogues I have removed all the non essential machines from the
hub/switch and only allowed a few necessary users on the network along
with the servers. This was done by the painstaking process of
elimination. I'll post another follow up in a few days after I find
out what the problem was. My suspecion is that the rogue machines were
either virus infected or hacked.

Walter
In response to your suggestions I had the logging on the previous pix
506 which I then replaced with the 501. I forgot to turn logging on
the 501 but will do so for future use. I'll also try the ssh
suggestions which I think are useful. I will be upgrading to 6.2.3
winthin a couple of days.

Martin
In response to your suggestions I deleted the line
access-list 115 deny ip 172.16.16.0 255.255.254.0 any
which did not make any difference either way. I also tried this after
I got the problem resolved and don't seem to find any difference.
Maybe I'm not quite clear on what that line does. We only have 6
people on our network so we would be fine in the 10 user limit.

Once again I thank you all for you quick responses.