PIX Internal LAN Issue

m.hossein
Level 1

Dear All,

It seems that I'll show up from time to time with a new problem in my PIX...

My PIX firewall is a 506E with IOS Version 6.3(3). It has been working for a year with no problem, but nowadays I have noticed a new problem happening for some IPs in the internal network protected by my PIX...

The problem is: when I assign an internal IP to an internal machine, it works for minutes and then stops working at all... when I change this IP and assign another IP to the same machine, it works fine, and so on....

This problem has started to increase dramatically and I do not know now how to solve it, as it's impossible to assign one of our technical engineers to follow up only on the IP problems caused by my PIX...

Please, if someone has faced such a problem and found out how to solve it... I'll be grateful for their help in resolving this problem...

Best regards,,

Magdy Hossein

MAS Technology

6 Replies

mlowery
Level 1

When you say "it works for minutes and stops working at all", does the machine still work on the local LAN at this time?

Does it only stop working when trying to go through the firewall?

What static, nat, and global statements are configured in the firewall?

Thanks,

Michael

Michael,

Yes, the machine is still working on the LAN at that time...

Yes, it only stops working when trying to go through the firewall...

Below is the part of our configuration you asked for:

----------------------------------------------------

ip address outside 217.52.62.194 255.255.255.192

ip address inside 192.168.1.250 255.255.255.0

global (outside) 1 217.52.62.195-217.52.62.214 netmask 255.255.255.192

global (outside) 1 217.52.62.215 netmask 255.255.255.192

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 217.52.62.193 1

------------------------------------------------

Hope this will help to resolve the problem....

Regards,,

Magdy Hossein

Could you show "sh ver" from your PIX?

Ok, all of that looks fine. Now I have several more questions...

Is the PIX ip 192.168.1.250 the default gateway of the machine?

Can the workstation ping 217.52.62.193 when this happens?

What shows up in your debugging syslog output when the workstation tries to connect to an outside IP?

Have you looked at the "show xlate" and "show conn" output? Do you see the workstation's IP in the output?

Thanks,

Michael

Hi Michael,

Below are the answers to your questions:

1- The output of the show ver command:

danabeach# show ver

Cisco PIX Firewall Version 6.3(3)

Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

danabeach up 22 hours 22 mins

Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz

Flash E28F640J3 @ 0x300, 8MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0011.208a.4ea6, irq 10

1: ethernet1: address is 0011.208a.4ea7, irq 11

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

Maximum Physical Interfaces: 2

Maximum Interfaces: 2

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

2- Is the PIX ip 192.168.1.250 the default gateway of the machine?

Yes.

3- Can the workstation ping 217.52.62.193 when this happens?

NO.

4- Have you looked at the "show xlate" and "show conn" output? Do you see the workstation's IP in the output?

Check the output of show xlate, then show conn:

danabeach# show xlate

4 in use, 4 most used

Global 217.52.62.195 Local 192.168.1.66

Global 217.52.62.197 Local 192.168.1.65

Global 217.52.62.198 Local 192.168.1.76

Global 217.52.32.196 Local 192.168.1.41

danabeach# show conn

1 in use, 10 most used

UDP out 62.140.73.1:53 in 192.168.1.76:1160 idle 0:01:00 flags -

The Local Machine's IP is: 192.168.1.76

Hope this helps..

Regards,,,

Magdy Hossein

What about the syslog? Does the PIX show any traffic being blocked to or from the 192.168.1.76 address?

If you do a "show arp", does the MAC address match the PC's MAC address?
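The checks Michael is walking through (is there an xlate for the host, is the global address one the PIX actually owns, are there live conns) can be done offline against pasted output. The following is an added example, not code from the thread or from Cisco: it parses the global/nat configuration and the "show xlate" / "show conn" output posted above (copied here as constructed sample input) and reports, per inside host, whether a translation exists, whether its global address falls inside the configured "global (outside) 1" pool or PAT address, and how many connections are live. It also flags any xlate whose global address is outside the pool, which is exactly what the fourth xlate line above (217.52.32.196) triggers. The output formats and field names are assumed from the thread's own paste, not from a specification.

```python
"""Offline sanity checks for PIX 6.x dynamic NAT state (added example)."""
import ipaddress
import re

# Configuration fragment as posted in the thread (constructed sample, copied from the page).
CONFIG = """\
global (outside) 1 217.52.62.195-217.52.62.214 netmask 255.255.255.192
global (outside) 1 217.52.62.215 netmask 255.255.255.192
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
"""

# "show xlate" and "show conn" output as posted in the thread (constructed sample).
XLATE = """\
4 in use, 4 most used
Global 217.52.62.195 Local 192.168.1.66
Global 217.52.62.197 Local 192.168.1.65
Global 217.52.62.198 Local 192.168.1.76
Global 217.52.32.196 Local 192.168.1.41
"""
CONN = """\
1 in use, 10 most used
UDP out 62.140.73.1:53 in 192.168.1.76:1160 idle 0:01:00 flags -
"""

# Line shapes assumed from the paste above.
GLOBAL_RE = re.compile(r"^global \(\w+\) (\d+) ([\d.]+)(?:-([\d.]+))? netmask")
NAT_RE = re.compile(r"^nat \(\w+\) (\d+) ([\d.]+) ([\d.]+)")
XLATE_RE = re.compile(r"^Global ([\d.]+) Local ([\d.]+)")
CONN_RE = re.compile(r"^(\w+) out ([\d.]+):(\d+) in ([\d.]+):(\d+) idle (\S+)")


def _empty():
    return {"pool": set(), "pat": set(), "inside": []}


def parse_nat_config(config):
    """Return {nat_id: {"pool": set, "pat": set, "inside": [networks]}}."""
    cfg = {}
    for line in config.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if m:
            entry = cfg.setdefault(int(m.group(1)), _empty())
            start = ipaddress.ip_address(m.group(2))
            if m.group(3):
                # A range is a dynamic NAT pool: one global address per inside host.
                end = ipaddress.ip_address(m.group(3))
                entry["pool"].update(ipaddress.ip_address(n) for n in range(int(start), int(end) + 1))
            else:
                # A single address is a PAT address, shared once the pool is exhausted.
                entry["pat"].add(start)
            continue
        m = NAT_RE.match(line.strip())
        if m:
            entry = cfg.setdefault(int(m.group(1)), _empty())
            entry["inside"].append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
    return cfg


def parse_xlate(text):
    """Map inside (Local) address -> outside (Global) address from 'show xlate'."""
    return {ipaddress.ip_address(m.group(2)): ipaddress.ip_address(m.group(1))
            for m in (XLATE_RE.match(l.strip()) for l in text.splitlines()) if m}


def parse_conn(text):
    """Live outbound connections from 'show conn' ('proto out X:p in Y:p idle T')."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append({"proto": m.group(1), "remote": ipaddress.ip_address(m.group(2)),
                          "local": ipaddress.ip_address(m.group(4)), "idle": m.group(6)})
    return conns


def check_host(local, cfg, xlates, conns, nat_id=1):
    """Answer the thread's questions for one inside host; findings are human-readable."""
    host = ipaddress.ip_address(local)
    entry = cfg.get(nat_id, _empty())
    result = {"local": str(host), "global": None, "in_pool": None, "conns": 0, "findings": []}
    if not any(host in net for net in entry["inside"]):
        result["findings"].append(f"{host} is not covered by any 'nat (inside) {nat_id}' statement")
    g = xlates.get(host)
    if g is None:
        result["findings"].append(f"no xlate for {host}: the PIX never built a translation")
    else:
        result["global"] = str(g)
        result["in_pool"] = g in entry["pool"] or g in entry["pat"]
        if not result["in_pool"]:
            result["findings"].append(f"xlate global {g} is not in any 'global (outside) {nat_id}' address")
    result["conns"] = sum(1 for c in conns if c["local"] == host)
    return result


def audit_xlates(cfg, xlates, nat_id=1):
    """Flag globals outside the configured pool/PAT and pool addresses used by two hosts."""
    entry = cfg.get(nat_id, _empty())
    findings, owners = [], {}
    for local, g in xlates.items():
        if g not in entry["pool"] and g not in entry["pat"]:
            findings.append(f"{local} -> {g}: global address outside the configured pool/PAT")
        elif g in entry["pool"] and g in owners:
            findings.append(f"{local} and {owners[g]} share pool address {g} (pool entries are 1:1)")
        owners.setdefault(g, local)
    return findings


if __name__ == "__main__":
    cfg = parse_nat_config(CONFIG)
    xl, cn = parse_xlate(XLATE), parse_conn(CONN)
    for host in ("192.168.1.76", "192.168.1.41", "192.168.1.100"):
        print(check_host(host, cfg, xl, cn))
    print(audit_xlates(cfg, xl))
```

Run it as-is to see the three cases: 192.168.1.76 has a pool translation and one live UDP/53 conn, 192.168.1.41 has a translation to an address the PIX does not own, and a host with no xlate line at all. "show arp" output is not on the page, so the MAC comparison Michael asks for is left to the reader; the same pattern (parse the paste, compare against what the PC reports) applies.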
