PIX 501 NAT problem

pglevelle
Level 1

I have had a 501 firewall for the past couple of years at a client site. In recent months they have a growing problem of random users not being able to connect to the Internet. Typically 1-2 users are able to connect in the morning and then the next user is unable. No pattern of specific users on a small LAN of 4-6 users. Rebooting the 501 by power cycling cures the problem for several days until it happens again. They are now frustrated and want me to solve the issue. The IOS has never been updated.

Client has a single public IP address and I "assume" that somehow NAT is not functioning correctly... but not sure.

Any suggestions on how to start solving?

TIA, Phil

17 Replies

Patrick Iseli
Level 7

Could you post the NATing part of your config?

nat, globals, ip config and routes, ACLs if it has any.

thanks

Patrick

Patrick,

Here is the complete listing minus the security information. When I do a sh xlate the 501 says that 17 are in use. There are only 8 possible users on this SBS 2000 based domain. Are we exceeding a limit?

Phil

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
hostname pixfirewall
domain-name xxxxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host xxxxx eq www
access-list 100 permit tcp any host xxxxx eq smtp
access-list 100 permit tcp any host xxxxx eq ftp
access-list 100 permit tcp any host xxxxx eq 3389
access-list 100 permit tcp any host xxxxx eq pop3
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxxxx 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.9 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) tcp xxxxx smtp 10.0.0.9 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxxxx www 10.0.0.9 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xxxxx 3389 10.0.0.9 3389 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xxxxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.0.0.9 //xxxxx/c:/cisco_pix
no floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 10.0.0.12-10.0.0.41 inside
dhcpd dns 206.26.36.34 10.0.0.9
dhcpd wins 10.0.0.9
dhcpd lease 360000
dhcpd ping_timeout 750
dhcpd domain xxxxxx.com
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxx
pixfirewall# exit

jczepiga
Level 1

Is this a 10-user license 501? If so they may be going over the license limit. The PIX keeps track of that by the IP addresses that have gone through it. Rebooting the PIX clears the list. I ran into the same thing a few years ago. The "show local-host" command will show you how many IPs are in use. You can use the "clear local-host" command to clear out old ones. Newer software may solve the problem. Cisco's site states that these are concurrent users, but I know the older software kept the IPs longer.

How many users are at that site? Also are they on DHCP or do they have static IP's?

Yes, this is a 501 with a 10-user license. I did a sh xlate command before I performed the clear local-host and it said 17 users. After the clear was sent the total is now 7 users. Can we extend the license on the 501?

Phil

You can upgrade the license, but if there are fewer than 10 devices behind the PIX, you shouldn't have to do that. The software version I saw the problem in was 6.1(1). I have other customers on 10-user PIXes now that do not seem to be having problems. What version of the PIX software is on that PIX?

Forgot to say that we use the DHCP on the 501 for dynamic IP addresses for users. About 4 desktops are in the office all of the time, and the other 4 laptops are used in the field and are in the office on a random basis.

I also see that we can purchase a 50-user license for the 501 if this is the cause. I still don't understand why just 8 max users are bumping into this 10-user license issue.

Phil

If the DHCP server is giving them different IP addresses, then those new addresses will count towards the total number of IP's passing through the PIX. I'm not sure why the PIX does not time out those addresses in the older versions. If you type "show local-host" over the next few days, you should see what addresses are taking up those licenses. I would upgrade the PIX to the latest software and watch the local-host list. If the DHCP server is just handing out different IP addresses to those devices every time, you may want to increase the lease time.

Check the release notes of your FOS version; it might be a bug. I think that as the hosts are dynamic, the PIX keeps counting up more hosts over time.

Why do you not configure your DHCP for just 10 hosts? This may solve your issue!

For example: FOS 6.1.3 had

BugID CSCdw25026

License not released after 30 seconds in certain scenario.

The 501 license is based on "local-host" entries. You can issue a 'sh local-host' on the PIX to see the total number of licenses the PIX has counted.

What PIX OS version are you using ?

sincerely

Patrick
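The mechanism described in the replies above (the PIX counts distinct inside IP addresses in its local-host table against the 10-user license, so a 30-address DHCP pool lets a handful of roaming laptops burn through it on code that never releases an idle entry, and trimming the pool to 10 addresses caps the damage) can be modelled in a few lines. The Python below is an added example written for this page, not code from the thread or from Cisco. The 30-second idle release comes from the bug text quoted above; the round-robin DHCP assignment, the one-minute traffic burst per host and the office day are assumptions made for the model.

```python
"""Toy model of the PIX 501 10-user license versus a DHCP pool.

Added example, not from the original thread or from Cisco. Assumptions:
the DHCP server hands out the next unused address in rotation, desktops
keep their lease, laptops lose theirs when they leave for the day, and each
present host sends a packet every 10 s for one minute each morning.
"""

LICENSE_LIMIT = 10   # PIX 501 10-user license
IDLE_RELEASE = 30    # seconds; release time stated in the CSCdw25026 text


class LocalHostTable:
    """Distinct inside IPs that have sent traffic, checked against the license."""

    def __init__(self, limit=LICENSE_LIMIT, releases_idle=True):
        self.limit = limit
        self.releases_idle = releases_idle   # False models the 6.1(1) bug
        self.last_seen = {}                  # ip -> time of last packet
        self.denied = []                     # (time, ip) of refused new hosts

    def _expire(self, now):
        for ip, seen in list(self.last_seen.items()):
            if now - seen > IDLE_RELEASE:
                del self.last_seen[ip]

    def pass_traffic(self, ip, now):
        """True if the host may pass, False if it would exceed the license."""
        if self.releases_idle:
            self._expire(now)
        if ip in self.last_seen or len(self.last_seen) < self.limit:
            self.last_seen[ip] = now
            return True
        self.denied.append((now, ip))
        return False

    def clear_local_host(self):
        """Equivalent of 'clear local-host' (or a reboot)."""
        self.last_seen.clear()

    def count(self):
        return len(self.last_seen)


class RoundRobinDhcp:
    """DHCP pool that hands out the next unused address in rotation (assumed policy)."""

    def __init__(self, first, last, prefix="10.0.0."):
        self.addresses = [f"{prefix}{n}" for n in range(first, last + 1)]
        self.next_index = 0
        self.leases = {}   # client -> ip

    def lease(self, client):
        if client in self.leases:
            return self.leases[client]
        in_use = set(self.leases.values())
        for _ in range(len(self.addresses)):
            ip = self.addresses[self.next_index]
            self.next_index = (self.next_index + 1) % len(self.addresses)
            if ip not in in_use:
                self.leases[client] = ip
                return ip
        raise RuntimeError("DHCP pool exhausted")

    def release(self, client):
        self.leases.pop(client, None)


def simulate(pool_first, pool_last, releases_idle, days=5):
    """Run `days` office days with 4 desktops that keep their lease and
    4 laptops that leave each evening and get a fresh lease next morning.
    Returns the PIX local-host table after the last day."""
    pix = LocalHostTable(releases_idle=releases_idle)
    dhcp = RoundRobinDhcp(pool_first, pool_last)
    desktops = [f"desktop{i}" for i in range(4)]
    laptops = [f"laptop{i}" for i in range(4)]
    for day in range(days):
        base = day * 86400
        present = desktops + laptops
        ips = {c: dhcp.lease(c) for c in present}
        for k in range(6):                 # one packet every 10 s for a minute
            for c in present:
                pix.pass_traffic(ips[c], base + 10 * k)
        for c in laptops:                  # laptops go home, leases lapse
            dhcp.release(c)
    return pix


if __name__ == "__main__":
    for label, first, last, releases in [
        ("30-address pool, 6.1(1) behaviour", 12, 41, False),
        ("30-address pool, fixed behaviour", 12, 41, True),
        ("10-address pool, 6.1(1) behaviour", 12, 21, False),
    ]:
        pix = simulate(first, last, releases)
        print(f"{label}: local-host entries={pix.count()}, refused packets={len(pix.denied)}")
```

With the 30-address pool on the buggy behaviour, the table fills on the second morning and the third and fourth laptops are refused even though only eight machines exist; the same pool on code that releases idle entries never exceeds the eight hosts actually on the wire; and a pool of ten addresses can never produce more distinct addresses than the license allows, which is why shrinking the pool helps even before the software is upgraded.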

Patrick,

As shown in earlier posting to you, our 501 is running 6.1(1) FOS. I did a sh local-host after doing a clear local-host and got back 7 users.

Sounds like your suggestion is to limit the hosts to 10 instead of the range of 12-41 that is currently configured?

Thanks, Phil

Yes Phil, it would be a good thing to do this anyway. It just gives trouble to hand out more than 10 DHCP addresses with a 10-user license.

The problem is definitely a bug in the 6.1.1 code. I suggest you upgrade it to 6.3.4; this release also fixed a DoS problem in the TCP/IP code.

sincerely

Patrick

Patrick,

Well, I just made the DHCP change to restrict it to 10 IP address leases for 100 hours. I looked at the release notes on 6.1(1) and did not see anything specific to my issue. I did a "sh local-host" command and there are currently 8 users. Guess that everyone is in the office today.

I've never done an update to the FOS. How much effort is involved in doing this to a 501? I see the latest version is 6.3.4.

Phil

It's a fairly simple process. You will need a copy of the pix634.bin and PDM-302.bin (if you want to use the PIX Device Manager). Then you will need a TFTP server. From the console you will type "copy tftp://x.x.x.x/pix634.bin flash:" (where x.x.x.x is the IP address of the TFTP server). Once that is completed, you can copy the PDM with "copy tftp://x.x.x.x/pdm-302.bin flash:pdm". When both of these are completed, just type "reload".

Here are some details of this bug:

CSCdw25026 Bug Details

First Fixed-in Version: 6.1(4), 6.1(1.104)

First Found-in Version: 6.1(1)

Symptom: License or host object not released after 30 seconds idle.

Conditions: If a host retains the license longer than 30 seconds.

Workaround: Use clear local-host

See Bug Tool:http://www.cisco.com/kobayashi/support/tac/tools.shtml

The upgrade is not really complicated; you need a local TFTP server, or you can download it from a website. See: Upgrading Software for the Cisco Secure PIX Firewall and PIX Device Manager

http://www.cisco.com/warp/public/110/upgrade.shtml

sincerely

Patrick

Patrick,

Thanks to you for the clear description of the cause for the random problem accessing the Internet we see. I will update the FOS.

Phil
