
PIX losing internet connectivity

chuston001 (Level 1)

We have a PIX 515E running 6.3(3).

The internet connection goes down about once every 24 hours. Reloading the PIX restores the connection every time. I've tried the following:

turning off fixup protocol dns

setting fixup protocol dns to 1024

entering no ip verify reverse-path outside

entering service resetinbound command

None have resolved the issue. Please help. Will post config or tech-support info if that would be helpful.

P.S. We get 10 - 15 "106001: Inbound TCP Connection Denied from xxx.xxx.xxx.xxx/80 to inside ip/port" messages. Would this have anything to do with it?


jackko (Level 7)

First we need to find out whether the issue is with the internet connection or just internet browsing.

A simple way to verify is to kick off a ping for 24 hours. If the ping result indicates the issue is with the internet connection, then it has nothing to do with the PIX DNS fixup; the issue may then be the internet connection keep-alive with the ISP. Some ISPs rely on the keep-alive to maintain the internet connection, such as ADSL.

Alternatively, if the ping result indicates the issue is with browsing only, then we can focus on DNS. Further, you may also verify the DNS issue at the time it happens. A simple way is to browse directly by IP. If that works, then it definitely is a DNS issue.

Thanks for your reply. I'll set up the ping test and try to narrow the problem down. I'll also try browsing by IP next time the internet appears down on our network.

My first thoughts were that the PIX was being overloaded somehow, therefore requiring a reload to clear something out & work again.

You may do "sh cpu u" when it happens again to verify the load. In fact, if you connect to the PIX via console/SSH you would feel it as well in case the firewall is overloaded.

In addition, you may do "sh conn c" to check how many existing connections there are. It is extremely useful to verify whether there is virus or hacking activity.

ciscokrishna (Level 1)

This might sound a bit weird, but I am giving you this because I got cleared from a similar problem. You might want to concentrate on the error log you are getting, "Inbound TCP Connection Denied from xxx.xxx.xxx.xxx/80 to inside ip/port". This clearly shows that someone is trying to access your internal network. Sometimes what happens is that if the PIX is overloaded with such attacks, it simply drops all the packets at the outside itself. This will result in a loss of connectivity. When you reload your PIX, its buffers are cleared and you will get back your connectivity. I am wondering if you have any servers which are hosted on the internet, or do you have any outside-to-inside NAT happening? These are the only two chances that someone will try to exploit your internal network. Is it possible for you to answer these questions? You can even enable syslogging to a syslog server. Monitor the activity and send across the logs. This will be useful in solving the problem.

Cheers..
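Once the 106001 messages are being sent to a syslog host, the first thing to do with them is count who is hitting what. The script below is an added example, not code from this thread or from Cisco: it parses the PIX 6.x 106001 message format, then separates entries whose source is a service port carrying ACK (a web server answering a client session the PIX no longer has a connection entry for, which is the shape of the messages quoted in the original post) from SYN-only entries where one source touches several inside ports (a probe worth a `shun`). The log lines are constructed for the example, and the source-port/flag heuristic and the `scan_threshold` of three ports are my assumptions, not anything the thread states.

```python
import re
from collections import Counter, defaultdict

# PIX 6.x syslog message 106001 has the form:
# %PIX-2-106001: Inbound TCP connection denied from <src>/<sport> to <dst>/<dport>
#                flags <tcp flags> on interface <name>
DENY_RE = re.compile(
    r"106001: Inbound TCP connection denied from "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
    r"(?: flags (?P<flags>.+?))?(?: on interface (?P<iface>\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample log (not from the poster's firewall). The first four lines look
# like late packets from web servers to inside clients after the PIX dropped the
# connection entry; the next three look like one host probing several inside ports;
# the last line is an unrelated message that the parser must ignore.
SAMPLE_LOG = """\
Jul 24 2005 03:12:01 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.20/80 to 192.168.1.50/3345 flags ACK on interface outside
Jul 24 2005 03:12:02 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.20/80 to 192.168.1.50/3346 flags FIN ACK on interface outside
Jul 24 2005 03:15:40 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.21/80 to 192.168.1.51/1120 flags ACK on interface outside
Jul 24 2005 03:16:03 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.21/443 to 192.168.1.51/1121 flags ACK on interface outside
Jul 24 2005 03:20:11 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.9/4242 to 192.168.1.10/135 flags SYN on interface outside
Jul 24 2005 03:20:11 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.9/4243 to 192.168.1.10/139 flags SYN on interface outside
Jul 24 2005 03:20:12 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.9/4244 to 192.168.1.10/445 flags SYN on interface outside
Jul 24 2005 03:21:00 pix %PIX-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:192.168.1.50/3350 (203.0.113.1/1025)
"""


def parse_denies(text):
    """Return one dict per 106001 message in `text`; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["src_port"] = int(ev["src_port"])
        ev["dst_port"] = int(ev["dst_port"])
        events.append(ev)
    return events


def classify(events, scan_threshold=3):
    """Split denied inbound connections into two buckets, keyed by source IP.

    'stale_return': source port below 1024 and flags include ACK but not SYN, i.e.
    a server replying to a client session the firewall no longer tracks. A handful
    of these per day is normal and not an attack.
    'scans': SYN-only packets from a source that hit at least `scan_threshold`
    distinct (inside host, port) pairs; these are the candidates for a shun.
    """
    stale = Counter()
    probe_targets = defaultdict(set)
    for ev in events:
        flags = set((ev["flags"] or "").upper().split())
        if "SYN" in flags and "ACK" not in flags:
            probe_targets[ev["src_ip"]].add((ev["dst_ip"], ev["dst_port"]))
        elif ev["src_port"] < 1024 and "ACK" in flags:
            stale[ev["src_ip"]] += 1
    scans = {ip: sorted(t) for ip, t in probe_targets.items() if len(t) >= scan_threshold}
    return {"stale_return": dict(stale), "scans": scans}


if __name__ == "__main__":
    report = classify(parse_denies(SAMPLE_LOG))
    for ip, n in report["stale_return"].items():
        print(f"{ip}: {n} late packet(s) from a service port, likely an expired conn entry")
    for ip, targets in report["scans"].items():
        print(f"{ip}: SYN to {len(targets)} inside host/port pairs, consider: shun {ip}")
```

Feed it the syslog file collected over a day (`classify(parse_denies(open(path).read()))`); if every entry lands in `stale_return`, the 106001 messages are noise rather than the cause of the outage, and the outage has to be chased elsewhere.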

just more info from another part of the forum:

Replied by: ehirsel - Jul 23, 2005, 6:25pm PST

Run the show version command on the pix, and look what type of license is in use.

Do you have the pix configured in a failover cluster?

You may have the unit using a key that is somehow seen as a failover license key with no corresponding pix that is running a restricted or unrestricted license key that is active. In addition the serial failover cable on the pix 506e in question may need to be connected to the pix.

The 24 hour period is normal for a pix with a failover lic that has no connection to a pix with another type of lic. Note that the serial cable not being installed can cause this issue as the secondary pix expects to be connected to the primary pix in a failover cluster.

Let me know what you find.

for full conversation:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Security&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd8d8b7

Thank you for the reply:

We do have an IIS server that is hosting our company website, and we also have outside-to-inside NAT. I had begun to wonder about external attacks, but wasn't sure how to handle a situation like that. Any ideas on taking measures to resolve the problem if in fact that's what it is? I'll set up syslogging to a syslog server, then monitor the activity to look for more info.

Hi,

As I have posted in my previous post, you can enable syslogging and send those logs to a syslog server to analyze the attacks. Coming to your server, if you are hosting a web site you can do a static NAT for that IP and allow only port http or https (as required). You can even do shunning on the PIX for any attacks. This should help you.

Please rate this post if the reply is satisfactory
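To make the suggestion above concrete, here is a PIX 6.3 configuration fragment added as an example; it is not from the thread or from the poster's configuration. The addresses are assumptions from the documentation ranges (203.0.113.10 as the public address of the IIS server, 192.168.1.10 as its inside address, 192.168.1.20 as the syslog host, 203.0.113.9 as a source the logs showed probing inside hosts), as is the access-list name `outside_in`.

```text
! Send messages (106001 is severity 2) to a syslog host on the inside interface
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.20

! Publish the IIS server on exactly one public address
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! Inbound from the Internet: only HTTP and HTTPS to that address.
! On PIX 6.x the ACL on the outside interface matches the global (translated)
! address; everything not permitted here is dropped by the implicit deny.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside

! Drop all packets from a source the logs show scanning inside hosts
shun 203.0.113.9
```

Return traffic for connections opened from the inside still passes because the PIX matches it against its connection table, not against `outside_in`. A `shun` entry is dynamic: `show shun` lists the active ones, `no shun 203.0.113.9` removes it, and it is not retained across a reload, so it is a stop-gap while the logs are reviewed, not a substitute for the access-list.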

You will always have some people port scanning from the internet. In fact, only 10-15 entries should not be a worry.

In addition, it's a bit hard to believe that a hacker actively tries to hack your system every 24 hours and brings down your internet at the same time.

You may use the commands "sh conn" and "sh conn c" to verify.

"sh conn c" shows the total number of existing connections, whereas "sh conn" shows the actual connections, including the source and destination IPs.

Hi,

I was searching for a solution for your problem and I found this link on the Cisco site.

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_security_notice09186a008024d9ca.html

This needs a CCO login ID (and I hope you have one). It says that the NATed IP pool gets exhausted and connectivity stops. You need to reboot the firewall for normal operation. This happens due to some ICMP packets (you can visit the site and get all the info). The site has a workaround also. I believe the error/info messages you are seeing are because of this. Hope this is helpful.

The solution sounds promising, and very similar to the situation we're having. Unfortunately, my Cisco login ID only has guest privileges. Is there a way to maybe download the document to PDF or some other format, then e-mail it to me? Any assistance would be greatly appreciated!!

chuston@village.rantoul.il.us
