01-26-2011 06:58 AM - edited 03-11-2019 12:40 PM
Hello,
Pix 6.3
All computers except 1 static IP computer on the inside LAN are able to access the Internet through the PIX. If I change the IP address of the static IP to one less (.40 to .39) or go to DHCP it can get online. I am able to ping the PIX from the computer (with the problem static IP) and able to route internally. I get stopped at the PIX when trying to access the Internet. This is just a recent issue; it was working for 5 years with this static IP address. I cleared ARP on the PIX and took out/put back in http enable and http [LAN address block] inside. I have also checked the config to make sure no new instances of that static IP have been added where they could cause issues or be blocked. It is like the PIX just decided on its own that this IP can no longer access the Internet. Getting to the point of thinking of resetting (rebooting) the PIX at night.
Does anyone have any other suggestions or run across this before? I would hate to reboot the PIX unless I had to.
Thank you,
01-26-2011 08:00 AM
Hi Jason,
There are a couple of things I would check before rebooting the PIX:
1. What are the subnet masks on both the affected PC and the PIX's LAN interface?
2. What does your NAT configuration look like?
3. Do you have an ACL applied on the LAN interface?
4. What syslogs are generated when you try to browse to the Internet from the affected PC?
-Mike
01-26-2011 09:42 AM
Hello Mike,
Thanks for replying,
1. What are the subnet masks on both the affected PC and the PIX's LAN interface?
Both the computer and PIX are on the same subnet 192.168.0.0/255.255.255.0. We use some routes and acl to allow additional subnets 192.168.10.x to connect with each other. The PC with the static can route to an ip on the 192.168.10.x subnet through the pix.
2. What does your NAT configuration look like?
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (co) 0 access-list 101
nat (co) 1 0.0.0.0 0.0.0.0 0 0
Static IP computer is on the nat(inside) group.
3. Do you have an ACL applied on the LAN interface?
multiple entries as below to allow access to multiple "mini" networks
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit icmp any 192.168.0.0 255.255.255.0 unreachable
access-list 100 permit icmp any 192.168.0.0 255.255.255.0 echo-reply
access-list 100 permit icmp any 192.168.0.0 255.255.255.0 time-exceeded
4. What syslogs are generated when you try to browse to the Internet from the affected PC?
Checking the computer's event viewer I see no errors for Internet Explorer. I can perform an nslookup, which gets a reply from the internal DNS server, but I am unable to traceroute or ping an outside IP address. If I change the static to another IP it will route outside.
I also checked the following: no unique ACL or instances in the PIX for that inside static IP address. I hope these were some of the answers you were looking for.
I also checked the PC in question for rootkits, proxies, and viruses/malware to rule out possible issues of re-routing.
Thanks again in advance for any ideas.
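To check which of the posted nat rules a flow from the affected host would land on, here is an added example (not from this thread or from Cisco) that parses the nat and access-list lines above and evaluates them the way the PIX does, nat 0 exemption first. The host and destination addresses, and the simplification that rules are tried in ascending nat-id order, are assumptions.

```python
import ipaddress

# Constructed from the nat / access-list lines posted above (PIX 6.3 syntax);
# only the inside-interface rules are reproduced.
PIX_CONFIG = """
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit icmp any 192.168.0.0 255.255.255.0 unreachable
access-list 100 permit icmp any 192.168.0.0 255.255.255.0 echo-reply
access-list 100 permit icmp any 192.168.0.0 255.255.255.0 time-exceeded
"""

def _net(tokens):
    """Consume one 'any' or 'ADDR MASK' operand; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Return ({acl_name: [(proto, src, dst, icmp_type)]}, [(iface, nat_id, acl, local_net)])."""
    acls, nats = {}, []
    for t in (line.split() for line in text.strip().splitlines()):
        if t[0] == "access-list" and t[2] == "permit":
            src, rest = _net(t[4:])
            dst, rest = _net(rest)
            acls.setdefault(t[1], []).append((t[3], src, dst, rest[0] if rest else None))
        elif t[0] == "nat":  # 'nat (iface) id access-list NAME' or 'nat (iface) id ADDR MASK ...'
            acl = t[4] if t[3] == "access-list" else None
            local = None if acl else ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            nats.append((t[1].strip("()"), int(t[2]), acl, local))
    return acls, nats

def acl_permits(acls, name, proto, src_ip, dst_ip, icmp_type=None):
    """First-match evaluation of the named ACL ('ip' entries match every protocol)."""
    for p, src, dst, itype in acls.get(name, []):
        if p in (proto, "ip") and itype in (None, icmp_type) and src_ip in src and dst_ip in dst:
            return True
    return False

def nat_rule_for(acls, nats, iface, proto, src_ip, dst_ip, icmp_type=None):
    """Return the nat id a flow would hit on 'iface' (None if no rule covers it).
    Assumption: nat 0 (exemption) is checked before the numbered rules, which the
    sorted() order below reproduces for the two-rule config in this thread."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for nat_iface, nat_id, acl, local in sorted(nats, key=lambda n: n[1]):
        if nat_iface != iface:
            continue
        if (acl and acl_permits(acls, acl, proto, src_ip, dst_ip, icmp_type)) or (not acl and src_ip in local):
            return nat_id
    return None
```

With the rules as posted, Internet-bound traffic from .40 falls through to nat 1 exactly as it does from .39, so the nat/ACL lines alone do not single out the host; that points the investigation at connection or xlate state and the syslog output Mike asked for.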
01-26-2011 09:58 AM
Hi Jason,
What 'access-group' commands are configured on the PIX?
What does the output of 'show route' show?
Also, please configure 'logging buffered 7' and 'logging enable' and then send some traffic from the affected PC. Once the traffic is sent, do a 'show log' so we can see if there are any syslog messages generated.
Finally, if this is a Windows PC, open a Command Prompt and do 'route print'. If it is a Linux PC, do a 'route' from the terminal. We want to make sure the default gateway is set for the PIX's inside interface.
-Mike
01-26-2011 02:23 PM
Hello Mike,
I ended up scheduling reboot. After reboot of pix the Computer with the Static IP was able to get outside again.
Thank you for attempting to help out with this issue.