
PIX Natting Problem

mrcomm2000
Level 1

Dear All

My network is running behind a PIX. I am using a private range of IPs (192.168.100.x) which is distributed through a DHCP server (also the DNS server) behind the firewall. Every now and then two or three PCs (IPs) stop browsing (accessing the outside world). I have to reboot the PC so that it can work.

When I removed the PIX and became directly connected to the router, everything worked fine and this behavior didn't happen.

Any comment ...

10 Replies

mhussein
Level 4

Seems to be an ARP-cache related issue. Next time the problem occurs, check all the ARP caches and make sure they match across all the PCs and the PIX:

On a W2K pc: c:\>ipconfig /all (write down the ip and mac addresses)

On the PIX: pix#sho arp (compare the pc's ip and mac addresses)

On the DHCP server: compare the active leases with the above info.

HTH,

Mustafa
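The three-way comparison Mustafa describes (PC, PIX, DHCP leases) is tedious by hand when several PCs are affected. The script below is an added example, not code from the thread: it normalizes the different MAC notations (Windows `00-50-56-C0-00-08`, Cisco `0050.56c0.0008`) and reports every IP where the PIX ARP entry or the DHCP lease disagrees with what the PC itself reports. All three captures are constructed sample output; the CSV lease format (ip,mac,hostname) is an assumption and should be adapted to whatever the DHCP server exports.

```python
"""Cross-check PC, PIX and DHCP views of IP-to-MAC mappings.

Added example for the ARP-cache check described above; not code from the
original thread. The captures are CONSTRUCTED sample output shaped like
Windows `ipconfig /all`, PIX 6.x `show arp` (interface, IP, dotted MAC) and
a DHCP lease export; the CSV lease format (ip,mac,hostname) is an assumption.
"""
import csv
import io
import re

# --- constructed sample captures -------------------------------------------
IPCONFIG_CAPTURES = [
    """Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
        Physical Address. . . . . . . . . : 00-50-56-C0-00-08
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.100.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
""",
    """Ethernet adapter Local Area Connection:
        Physical Address. . . . . . . . . : 00-50-56-C0-00-09
        IP Address. . . . . . . . . . . . : 192.168.100.6
""",
    """Ethernet adapter Local Area Connection:
        Physical Address. . . . . . . . . : 00-50-56-C0-00-0A
        IP Address. . . . . . . . . . . . : 192.168.100.7
""",
]

# `show arp` on the PIX: <interface> <ip> <mac>. The .5 entry is stale on purpose.
PIX_SHOW_ARP = """        outside 198.51.100.1 0003.e3a1.b2c3
        inside 192.168.100.5 0050.56c0.00ff
        inside 192.168.100.6 0050.56c0.0009
        inside 192.168.100.7 0050.56c0.000a
"""

# DHCP active leases; .7 is leased to a different MAC than the PC now using it.
DHCP_LEASES_CSV = """ip,mac,hostname
192.168.100.5,00-50-56-C0-00-08,pc1
192.168.100.6,00-50-56-C0-00-09,pc2
192.168.100.7,00-50-56-C0-00-0B,pc3-old
"""


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits regardless of separator style."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_ipconfig(text):
    """Map IP -> MAC from `ipconfig /all`; the adapter's Physical Address line
    precedes its IP Address line, so remember the last MAC seen."""
    result, mac = {}, None
    for line in text.splitlines():
        m = re.search(r"Physical Address[ .]*:\s*([0-9A-Fa-f-]{17})", line)
        if m:
            mac = normalize_mac(m.group(1))
            continue
        m = re.search(r"IP Address[ .]*:\s*(\d+\.\d+\.\d+\.\d+)", line)
        if m and mac:
            result[m.group(1)] = mac
    return result


def parse_pix_arp(text):
    """Map IP -> MAC from PIX `show arp` lines of the form '<if> <ip> <mac>'."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[1]):
            result[parts[1]] = normalize_mac(parts[2])
    return result


def parse_dhcp_leases(text):
    """Map IP -> MAC from the (assumed) ip,mac,hostname CSV lease export."""
    return {row["ip"]: normalize_mac(row["mac"])
            for row in csv.DictReader(io.StringIO(text))}


def find_inconsistencies(pcs, pix_arp, leases):
    """Return (ip, source, pc_mac, other_mac) for every disagreement with the
    PC's own view. A missing PIX entry is not reported: it simply means the
    PIX has not ARPed that host recently (entries age out after `arp timeout`)."""
    findings = []
    for ip, pc_mac in sorted(pcs.items()):
        pix_mac = pix_arp.get(ip)
        if pix_mac is not None and pix_mac != pc_mac:
            findings.append((ip, "pix", pc_mac, pix_mac))    # stale/conflicting ARP
        lease_mac = leases.get(ip)
        if lease_mac is not None and lease_mac != pc_mac:
            findings.append((ip, "dhcp", pc_mac, lease_mac)) # duplicate IP / static host
    return findings


def run_check():
    """Run the comparison over the constructed captures."""
    pcs = {}
    for capture in IPCONFIG_CAPTURES:
        pcs.update(parse_ipconfig(capture))
    return find_inconsistencies(pcs, parse_pix_arp(PIX_SHOW_ARP),
                                parse_dhcp_leases(DHCP_LEASES_CSV))


if __name__ == "__main__":
    for ip, source, pc_mac, other_mac in run_check():
        print(f"{ip}: PC reports {pc_mac}, {source} has {other_mac}")
```

A PIX entry that still points at an old MAC while the PC reports a new one is exactly the case a reboot "fixes" (the PC re-ARPs and the PIX refreshes its entry); a DHCP lease held by a different MAC than the PC using the address points at a duplicate IP or a statically configured host instead.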

ywadhavk
Cisco Employee

Does this happen ONLY after a certain number of translations (sh xlate)? Check the license for the PIX. It should be unrestricted. Are these PCs able to get out after clearing the translations (clear xlate)?

What is the version on the PIX? Are you PATing or NATing? sh ver and wr t will help.

thanks,

yatin

First thank you for offering help ...

Second, there is no problem with the license. Honestly, I didn't try to run this command (clear xlate) to know if it has an effect or not.

The version :

PIXFIREWALL# sh version
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)
Compiled on Fri 07-Jun-02 17:49 by morlee
PIXFIREWALL up 1 day 0 hours
Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1: ethernet1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Limited
IKE peers: Unlimited

I am running NATing.

Thanks

PIXFIREWALL# sh run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxx
passwd xxxxxxxxxxxxx encrypted
hostname PIXFIREWALL
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list internal permit tcp any any eq www
access-list internal permit tcp any any eq https
access-list internal permit tcp any any eq pop3
access-list internal permit tcp any any eq smtp
access-list internal permit icmp any any
access-list internal permit udp any any eq domain
access-list internal permit tcp any any eq ftp
access-list internal permit tcp any any eq domain
access-list internal deny ip any any
access-list 101 permit ip 192.168.101.1 255.255.255.0 192.168.101.10 255.255.255.0
access-list external permit icmp any any
pager lines 24
logging on
logging trap warnings
logging host inside 192.168.100.1
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.xx 255.255.255.224
ip address inside 192.168.100.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.101.1-192.168.101.10
pdm location 192.168.100.1 255.255.255.255 inside
pdm location 192.168.101.0 255.255.255.0 outside
pdm location 192.168.101.0 255.255.255.0 inside
pdm location xx.xx.xx.xx 255.255.255.224 outside
pdm location xx.xx.xx.xx 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.xx
nat (inside) 0 access-list 101
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
access-group external in interface outside
access-group internal in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.101.0 255.255.255.0 outside
http xx.xx.xx.xx 255.255.255.224 outside
http 192.168.100.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
crypto map mymap 30 ipsec-isakmp
telnet xx.xx.xx.xx 255.255.255.0 outside
telnet 192.168.101.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.100.1
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username test password *********
vpdn enable outside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

no vpdn group 1 accept dialin pptp
no vpdn group 1 ppp authentication pap
no vpdn group 1 ppp authentication chap
no vpdn group 1 ppp authentication mschap
no vpdn group 1 ppp encryption mppe 40
no vpdn group 1 client configuration address local pptp-pool
no vpdn group 1 client configuration dns 192.168.100.1
no vpdn group 1 pptp echo 60
no vpdn group 1 client authentication local
no vpdn username test password *********
no vpdn username sboshra password *********
no vpdn username raya password *********
no vpdn enable outside

Is it possible that you are having a DNS issue? Can the PCs ping by IP address but not by name? If so, have a look at this bug and try creating a static for your DNS server.

CSCdy52910

With multiple recursive DNS servers on the inside that source DNS queries from a fixed port, such as 53, DNS queries can sporadically fail under a high query rate.

The workaround is to configure a static for the DNS server.

It's worth a shot.

First Thanks for your help

Do you mean ...

static (inside,outside) 1.1.1.1 10.0.0.1 netmask 255.255.255.255

BR

Yes, but only if you feel it is a dns issue.

Can you ping by IP?

We have had the same problem for a long time now so I would like to know if it worked or not.

If not, could it come from a bug of the firewall?

Thanks for any replies.

Thomas

Honestly, I started the troubleshooting by removing all the access-lists on the firewall, and in a weird behaviour it seems that everything is fine ...

Sorry no solution with technical background ..

Farouk

Hi,

try setting up a syslog server on your internal network and check if any errors appear in the logging.

To enable syslogging, enter these commands:

logging host ip_address_syslogserver

logging trap 7

logging on

Maybe level 7 (= debugging) shows too much info and slows down the pix. You can lower the logging level to 4 (=warning) to see dropped packets.

Regards,

Tom
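Once the syslog server Tom suggests is collecting messages, the useful step is to correlate what the PIX dropped with the hosts that "stop browsing". The script below is an added example, not code from the thread: it parses the `%PIX-<severity>-<id>:` message format, keeps only what `logging trap 4` (warnings and more severe) would have sent, and counts denies and translation failures per inside source address. The log lines are constructed; the message ids 106023 (deny by access-group) and 305006 (translation creation failed) are real PIX ids, the timestamps and addresses are made up.

```python
"""Summarize PIX syslog at the warning level the reply above recommends.

Added example, not from the original thread: parses the %PIX-<sev>-<id>
message format and counts denies and translation failures per inside host.
The SAMPLE_LOG lines are CONSTRUCTED (documentation addresses, made-up
timestamps); the message ids 106023 and 305006 are real PIX ids.
"""
import re
from collections import Counter, defaultdict

# Constructed sample as a syslog server would store it, one message per line.
SAMPLE_LOG = """Jun 07 17:49:01 PIXFIREWALL %PIX-4-106023: Deny tcp src inside:192.168.100.5/1035 dst outside:203.0.113.10/80 by access-group "internal"
Jun 07 17:49:02 PIXFIREWALL %PIX-3-305006: regular translation creation failed for tcp src inside:192.168.100.5/1036 dst outside:203.0.113.10/80
Jun 07 17:49:03 PIXFIREWALL %PIX-6-302001: Built outbound TCP connection 1234 for faddr 203.0.113.10/80 gaddr 198.51.100.2/1040 laddr 192.168.100.6/1040
Jun 07 17:49:04 PIXFIREWALL %PIX-4-106023: Deny udp src inside:192.168.100.7/1050 dst outside:203.0.113.53/123 by access-group "internal"
Jun 07 17:49:05 PIXFIREWALL %PIX-7-710005: UDP request discarded from 192.168.100.9/137 to inside:192.168.100.254/137
""".splitlines()

# %PIX-<severity>-<six-digit message id>: <text>
PIX_MSG = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")
# "src <if>:<ip>/<port> dst <if>:<ip>/<port>" as used by deny and xlate messages
SRC_DST = re.compile(
    r"src (?P<sif>\w+):(?P<sip>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)")


def parse_line(line):
    """Return severity, id, text and (when present) src/dst interface, address
    and port fields as a dict, or None if the line is not a PIX message."""
    m = PIX_MSG.search(line)
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "id": m["id"], "text": m["text"]}
    f = SRC_DST.search(m["text"])
    if f:
        rec.update(f.groupdict())
    return rec


def summarize(lines, max_severity=4):
    """Count messages at or below max_severity by id and per inside source
    host. Severity 4 (warnings) matches `logging trap 4` / `logging trap warnings`;
    informational (6) and debugging (7) lines are skipped as the PIX would skip them."""
    by_id = Counter()
    by_inside_host = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["severity"] > max_severity:
            continue
        by_id[rec["id"]] += 1
        if rec.get("sif") == "inside":
            by_inside_host[rec["sip"]][rec["id"]] += 1
    return by_id, by_inside_host


def hosts_with_translation_failures(lines):
    """Inside hosts with 3050xx translation errors: the candidates for the
    'this PC cannot get out while its neighbours can' symptom in the thread."""
    _, by_host = summarize(lines)
    return sorted(ip for ip, ids in by_host.items()
                  if any(i.startswith("3050") for i in ids))


if __name__ == "__main__":
    by_id, by_host = summarize(SAMPLE_LOG)
    print("messages by id:", dict(by_id))
    for ip, ids in sorted(by_host.items()):
        print(f"{ip}: {dict(ids)}")
    print("translation failures:", hosts_with_translation_failures(SAMPLE_LOG))
```

Translation failures are logged at severity 3 (errors) and access-group denies at severity 4, so Tom's suggested `logging trap 4` captures both without the volume of level 7; the per-host breakdown separates a host blocked by the inside access-list (only 106023 entries) from one whose NAT translation is failing (3050xx entries), which is the distinction the thread has been circling.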
