Cisco PIX DNS not working.

RadxD461 (Level 1)

I am having an issue with a Cisco PIX firewall. Yes, I know I'm old school. Anyways, the workstations on the inside interface can reach the internet and do everything. However, they cannot ping Google's DNS servers (8.8.8.8, 8.8.4.4) or my default gateway (192.168.1.1). I have no idea what the issue is, as I never touched anything. The problem just started out of nowhere. Any advice would be much appreciated! Here is my running config:

PIX Version 7.2(2)
!
hostname RDXLFW01
domain-name radxd461labs.net
enable password w1We8ZR.yX6EPBDl encrypted
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.80 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd w1We8ZR.yX6EPBDl encrypted
banner motd Warning! This Firewall is property of RADX Labs! Any unauthorized access will be prosecuted to the full extent of the law! You have been warned.
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name radxd461labs.net
access-list acl_out extended permit icmp any any
access-list acl-out extended permit tcp any interface outside eq www
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 192.168.1.81-192.168.1.95 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 10.0.0.7 www netmask 255.255.255.255
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.2-10.0.0.254 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:04088dc0dc1c7fb77a1bd8fd52de512b
: end
RDXLFW01#

Accepted Solution

balaji.bandi (Hall of Fame)
"the workstations on the inside interface can reach the internet and do everything"

Based on the information: was the ping working before?

Since you have DNS configured as Google DNS, if that is working your ping should work too.

Is this ping not working only for the Google IP, or for any other IP?

What is the error you are getting when you ping from the PC and when you ping from the PIX?

access-list acl_out extended permit icmp any any

I do not see this ACL used anywhere, or am I missing something here? To be honest I forgot the command; try below:

access-group acl_out in interface inside

or

access-group acl_out in interface outside

 

BB

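An added config lint, not code from the thread, that applies the accepted answer's observation to the posted config: `acl_out` (the list holding the ICMP permit) is defined but never applied, while the outside interface binds `acl-out`; since `global_policy` has no `inspect icmp`, echo replies returning from outside are only admitted by an explicit permit in the inbound ACL on that interface. The excerpt below is constructed from the thread's config; the helper names are my own.

```python
import re

# Constructed excerpt of the PIX 7.2 running config posted in the thread:
# the ICMP permit lives in "acl_out" (underscore) but the interface applies "acl-out" (hyphen).
SAMPLE_CONFIG = """\
access-list acl_out extended permit icmp any any
access-list acl-out extended permit tcp any interface outside eq www
access-group acl-out in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended|standard)?\s*(permit|deny)\s+(\S+)")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")


def parse_config(text):
    """Return ({acl_name: [(action, protocol), ...]}, {acl_name: [(direction, iface), ...]})."""
    acls, applied = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = GROUP_RE.match(line)
        if m:
            applied.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return acls, applied


def lint_acls(text):
    """Flag ACLs that are defined but never bound with access-group, hinting at look-alike names."""
    acls, applied = parse_config(text)
    findings = []
    for name, entries in acls.items():
        if name in applied:
            continue
        # Treat '-' and '_' as equivalent to catch the acl_out / acl-out style of typo
        norm = name.replace("_", "-").lower()
        lookalikes = [a for a in applied if a.replace("_", "-").lower() == norm]
        protos = ", ".join(sorted({p for _, p in entries}))
        if lookalikes:
            findings.append(f"ACL {name} ({protos}) is never applied; did you mean {lookalikes[0]}?")
        else:
            findings.append(f"ACL {name} ({protos}) is defined but not applied to any interface")
    return findings


def inbound_icmp_allowed(text, iface="outside"):
    """True if some ACL applied inbound on iface carries a permit for icmp."""
    acls, applied = parse_config(text)
    for name, uses in applied.items():
        if ("in", iface) in uses and any(a == "permit" and p == "icmp" for a, p in acls.get(name, [])):
            return True
    return False
```

Run against the thread's config, `lint_acls` reports the unused `acl_out` with `acl-out` as the likely intended name, and `inbound_icmp_allowed` is False until the ICMP entry is moved into the list that is actually bound.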

9 Replies


Yes, everything was working perfectly fine before. I was able to ping Google and my default gateway with no issues, until yesterday when this problem happened.

It seems that I can ping any IP addresses on the inside interface of the firewall, but I cannot ping any outside IP addresses.

 

This is what happens whenever I ping from my PC:

Pinging google.com [142.250.114.101] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 142.250.114.101:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


And whenever I do the same thing from my PIX it gets through.

Clear conn
Clear xlate

This will solve the issue.

MHM

RDXLFW01# Clear conn
^
ERROR: % Invalid input detected at '^' marker.
RDXLFW01#
RDXLFW01# Clear xlate
RDXLFW01# conf t
RDXLFW01(config)# Clear conn
^
ERROR: % Invalid input detected at '^' marker.
RDXLFW01(config)#
RDXLFW01(config)# Clear xlate

 

There is no conn command.

RDXLFW01# clear ?

aaa Clear AAA run time data
aaa-server Clear aaa-server statistics
access-list Clear counters for a specific access policy
arp Clear ARP statistics
asp Clear the current contents of selected memory in the
Accelerated Security Path
blocks Clear system buffers statistics
capture Clear packets in a particular capture
console-output Clear messages stored in buffer
counters Clear protocol stack counters
cpu Clear CPU stats
crashinfo Crash information
crypto Clear crypto operational data
dhcpd Clear dhcpd binding | statistics
dhcprelay Clear DHCP Relay Agent statistics
dns-hosts Clear DNS hosts information
failover Clear failover statistics
fragment Clear the IP reassembly queue and statistics
gc Clear garbage collection process statistics
igmp Clear multicast membership related information
interface Clear interface statistics
ip Clear IP IDS statistics, etc
ipsec Clear IPsec operational data
ipv6 Clear IPv6 operational data
isakmp Clear ISAKMP operational data
local-host Clear local host network information
logging Clear internal or ASDM logging buffer
memory Clear memory tools information
mfib Clear IP multicast forwarding information base
nat Clear NAT policy counters
ospf Clear OSPF information
pc Clear information about Xlate, conn and local-host maintained
on PC
pclu Clear PC logical update statistics
pim Clear PIM information
priority-queue Clear the priority-queue statistics counters
resource Clear system resources and usage
route Clear routes learned through dynamic routing protocols
service-policy Clear MPF service policy statistics
shun Clear all shun filters
snmp-server Clear snmp-server statistics.
startup-config Clear startup configuration parsing errors
sunrpc-server Clear active SUNRPC services
terminal Turn off syslogging or pagination for this terminal
traffic Clear traffic statistics
uauth Clear uauth
url-block Clear url-block statistics
url-cache Clear URL cache statistics
url-server Clear URL filter server statistics
vpn-sessiondb Clear Session Database operational data
wccp Reset wccp information
xlate Clear current translation information

Clear local-host

It is the same as clear conn.

MHM

The command worked, but it didn't fix my problem. Any other ideas?

That clarifies that you have Internet access from the PIX firewall. I need to refresh my memory of those commands; it's been 20 years now.

10.0.0.1: so from the PC you are able to ping this IP, correct? What is the PC IP address?

Between the PIX and the PC, do you have any other device?

Can you post ipconfig /all from the PC?

Have you tried rebooting the PIX?

BB


I tried this again and it worked. Thanks!