03-26-2004 12:48 PM - edited 03-09-2019 06:53 AM
I have a PIX 520 (16 MB flash and 128 MB RAM). I have upgraded from 5.1(3) to 6.3(3). At first the configuration used conduit and outbound commands; later I changed it to access-lists.
The PIX has 4 interfaces: Outside, DMZ, SEGURA and INSIDE. I have one DNS server (172.17.1.7) in the DMZ segment and two internal DNS servers (172.25.0.176, 172.25.0.177).
PROBLEM: At first the configuration works very well; there is communication between the DNS servers. But later, without any apparent cause, the communication goes down and the DNS servers cannot communicate with each other.
WORKAROUND: I went back to the old configuration with conduit and outbound commands, and the problem was resolved.
Q:
What is happening?
What is the recommended IOS version for this type of PIX?
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security40
nameif ethernet3 segura security60
name 172.17.1.10 webserver
name 172.16.1.19 mdb9
name A.B.C.193 router
access-list outside_mem permit icmp any any
access-list outside_mem permit icmp any any echo-reply
access-list outside_mem permit tcp any host A.B.C.194 eq www
access-list outside_mem permit tcp any host A.B.C.197 eq www
access-list outside_mem permit tcp any host A.B.C.196 eq smtp
access-list outside_mem permit tcp any host A.B.C.199 eq domain
access-list outside_mem permit udp any host A.B.C.199 eq domain
access-list dmz_mem permit icmp any any
access-list dmz_mem permit icmp any any echo-reply
access-list dmz_mem permit tcp host webserver host mdb9
access-list dmz_mem permit tcp host 172.17.1.4 host 172.17.1.170 eq smtp
access-list inside_mem permit tcp any host mdb9
access-list inside_mem permit tcp any host webserver eq www
access-list inside_mem permit tcp host 172.25.0.176 any eq domain
access-list inside_mem permit udp host 172.25.0.176 any eq domain
access-list inside_mem permit tcp host 172.25.0.177 any eq domain
access-list inside_mem permit udp host 172.25.0.177 any eq domain
access-list inside_mem permit tcp host 172.25.0.170 host 172.17.1.4 eq smtp
access-list inside_mem permit tcp host 172.25.0.170 host A.B.C.21 eq smtp
access-list inside_mem permit tcp host 172.25.0.22 any
access-list inside_mem permit udp host 172.25.0.22 any
access-list inside_mem permit tcp host 161.132.169.201 any
access-list inside_mem permit tcp host 161.132.169.205 any
access-list inside_mem permit icmp any any
access-list inside_mem permit icmp any any echo-reply
access-list inside_mem permit tcp host 172.25.2.63 host webserver eq ftp
access-list inside_mem permit tcp host 172.25.1.75 host webserver eq ftp
access-list inside_mem permit tcp host 172.25.1.77 host webserver eq ftp
access-list inside_mem permit tcp any host 172.16.1.20
access-list inside_mem permit tcp 172.25.0.0 255.255.254.0 any eq www
access-list inside_mem permit tcp 172.25.0.0 255.255.254.0 any eq https
access-list segura_mem permit icmp any any
access-list segura_mem permit icmp any any echo-reply
...
global (outside) 1 A.B.C.208 netmask 255.255.255.224
global (dmz) 1 172.17.1.100 netmask 255.255.255.0
global (segura) 1 172.16.1.100 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
nat (segura) 0 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) A.B.C.199 172.17.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) A.B.C.194 webserver netmask 255.255.255.255 0 0
static (dmz,outside) A.B.C.196 172.17.1.4 netmask 255.255.255.255 0 0
static (inside,dmz) 172.17.1.170 172.25.0.170 netmask 255.255.255.255 0 0
static (inside,outside) 200.47.152.197 172.25.0.170 netmask 255.255.255.255 0 0
static (segura,dmz) mdb9 mdb9 netmask 255.255.255.255 0 0
static (inside,outside) A.B.C.213 172.25.1.75 netmask 255.255.255.255 0 0
access-group outside_mem in interface outside
access-group inside_mem in interface inside
access-group dmz_mem in interface dmz
access-group segura_mem in interface segura
route outside 0.0.0.0 0.0.0.0 router 1
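The poster asks whether the configuration is good. As an added example, not part of the thread and not a Cisco tool, here is a small Python reviewer for the PIX 6.x access-list syntax used in the post. It parses each ACE, resolves the posted `name` aliases the way the PIX does, and flags three things a firewall review would look at in these lines: any-to-any permits, TCP/UDP permits with no destination port, and ACEs that can never match because an earlier ACE in the same list already covers them (for example `permit icmp any any echo-reply` right after `permit icmp any any`). SAMPLE_CONFIG is a subset of the posted lines; the findings are observations on those lines only, not a statement about the poster's environment.

```python
"""Added example, not from the thread: a reviewer for PIX 6.x access-list lines.

Grammar handled (the forms used in the posted config):
  access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]
  SRC/DST := any | host ADDR | NET MASK
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# 'name' statements from the posted config; A.B.C.* is the poster's masked public range.
NAMES = {"webserver": "172.17.1.10", "mdb9": "172.16.1.19", "router": "A.B.C.193"}

# Subset of the access-list lines posted in the thread.
SAMPLE_CONFIG = """
access-list outside_mem permit icmp any any
access-list outside_mem permit icmp any any echo-reply
access-list outside_mem permit tcp any host A.B.C.199 eq domain
access-list dmz_mem permit tcp host webserver host mdb9
access-list inside_mem permit tcp host 172.25.0.176 any eq domain
access-list inside_mem permit tcp host 172.25.0.22 any
access-list inside_mem permit udp host 172.25.0.22 any
access-list inside_mem permit tcp 172.25.0.0 255.255.254.0 any eq www
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str                        # "any", "<ip>/32" for host, or "<net>/<mask>"
    dst: str
    port: Optional[str] = None      # operand of "eq", if present
    icmp_type: Optional[str] = None
    text: str = ""


def _addr(tokens, i):
    """Consume one address operand (any | host X | NET MASK) starting at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return "any", i + 1
    if t == "host":
        return NAMES.get(tokens[i + 1], tokens[i + 1]) + "/32", i + 2
    return f"{NAMES.get(t, t)}/{tokens[i + 1]}", i + 2


def parse_ace(line):
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, action, proto, rest = m.groups()
    tokens = rest.split()
    src, i = _addr(tokens, 0)
    dst, i = _addr(tokens, i)
    ace = Ace(acl, action, proto, src, dst, text=line.strip())
    if i < len(tokens):
        if tokens[i] == "eq" and i + 1 < len(tokens):
            ace.port = tokens[i + 1]
        elif proto == "icmp":
            ace.icmp_type = tokens[i]
    return ace


def covers(broad, narrow):
    """True if address spec `broad` includes every address in `narrow`."""
    if broad == "any" or broad == narrow:
        return True
    if narrow == "any":
        return False
    try:  # masked addresses such as A.B.C.199 do not parse; treat them as unrelated
        b = ipaddress.ip_network(broad, strict=False)
        n = ipaddress.ip_network(narrow, strict=False)
    except ValueError:
        return False
    return n.subnet_of(b)


def shadows(earlier, later):
    """Does `earlier` already match everything `later` would match?"""
    if earlier.acl != later.acl or earlier.action != later.action:
        return False
    if earlier.proto not in ("ip", later.proto):
        return False
    if not (covers(earlier.src, later.src) and covers(earlier.dst, later.dst)):
        return False
    if earlier.proto == "icmp":
        return earlier.icmp_type is None or earlier.icmp_type == later.icmp_type
    return earlier.port is None or earlier.port == later.port


def review(config_text):
    """Return (ace_text, finding) pairs for every ACE in the config, in order."""
    findings, seen = [], []
    for line in config_text.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        if ace.action == "permit":
            if ace.src == "any" and ace.dst == "any":
                findings.append((ace.text, "any-to-any permit"))
            if ace.proto in ("tcp", "udp") and ace.port is None:
                findings.append((ace.text, f"all {ace.proto} ports open from {ace.src} to {ace.dst}"))
        for prev in seen:
            if shadows(prev, ace):
                findings.append((ace.text, f"never matched: shadowed by '{prev.text}'"))
                break
        seen.append(ace)
    return findings


if __name__ == "__main__":
    for text, finding in review(SAMPLE_CONFIG):
        print(f"{finding:<70}  <-  {text}")
```

Run it against the full pasted config (replace SAMPLE_CONFIG with the real lines) to get the same checks over every ACL; the shadow check only compares against earlier lines in the same list, which is how the PIX evaluates an access-group.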
03-27-2004 07:38 PM
I'm not so sure this isn't a bug. I'm experiencing this on a 506 with the same version. Our clients query an internal caching-only server that resolves requests for them. It works fine for a few hours, then it won't pass any more queries; it doesn't even show anything in the log. A reload fixes it. I'm waiting on my maintenance agreement to renew to talk with TAC about this.
03-29-2004 05:43 AM
The symptoms you guys mention sound like a known issue, CSCec45748: new DNS conns reset the idle timer of previous DNS conns.
My suggestion would be to open a TAC case and request the latest 6.3(3) interim release to test with. This should have the fix to this problem. Good luck.
Scott
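Both posters describe the same symptom: DNS between servers works, then silently stops, with nothing in the log. As an added example, not from the thread and not a Cisco tool, here is a stdlib-only Python probe that sends the same query to each DNS server over UDP and over TCP and reports the result per server and per transport. Splitting the two transports matters for a conn-table problem like the one Scott names, since UDP and TCP DNS are tracked as different connections on the PIX; a probe that only uses the resolver library would just report "DNS is down". The server list is the three servers from the first post, the query name is a placeholder, and the reply bytes checked in the test are constructed by hand.

```python
"""Added example, not from the thread: a per-server, per-transport DNS probe.

Sends a hand-built A query (no third-party resolver library) over UDP and over
TCP to each server and reports whether a matching response came back.
"""
import random
import socket
import struct

# From the first post: DMZ DNS server and the two inside DNS servers.
SERVERS = ["172.17.1.7", "172.25.0.176", "172.25.0.177"]
PROBE_NAME = "example.com"          # placeholder query name, assumption


def build_query(qname, qtype=1, txid=None):
    """Build a standard recursive DNS query (A record by default) and return the wire bytes."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set; one question
    labels = qname.strip(".").split(".")
    qname_wire = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN


def parse_response(data, expected_txid):
    """Return (rcode, answer_count); raise ValueError if this is not a response to our query."""
    if len(data) < 12:
        raise ValueError("short reply")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F, an


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-message")
        buf += chunk
    return buf


def probe_udp(server, qname, timeout=2.0):
    q = build_query(qname)
    txid = struct.unpack("!H", q[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data, txid)


def probe_tcp(server, qname, timeout=2.0):
    q = build_query(qname)
    txid = struct.unpack("!H", q[:2])[0]
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)      # TCP DNS prefixes a 2-byte length
        length = struct.unpack("!H", _recv_exact(s, 2))[0]
        data = _recv_exact(s, length)
    return parse_response(data, txid)


def probe_all(servers, qname):
    """Map (server, transport) -> status string; failures are caught, not raised."""
    results = {}
    for server in servers:
        for transport, fn in (("udp", probe_udp), ("tcp", probe_tcp)):
            try:
                rcode, answers = fn(server, qname)
                results[(server, transport)] = f"ok rcode={rcode} answers={answers}"
            except (OSError, ValueError) as exc:
                results[(server, transport)] = f"FAIL {exc}"
    return results


if __name__ == "__main__":
    for (server, transport), status in probe_all(SERVERS, PROBE_NAME).items():
        print(f"{server:<14} {transport}  {status}")
```

Run it from a host on each segment on a schedule (cron every few minutes) and keep the output; when the symptom recurs, the timestamps show when the path stopped passing queries and whether UDP, TCP or both were affected, which is what TAC will ask for alongside the conn table.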
03-29-2004 07:46 AM
Thanks Scott;
1. How does the PIX configuration look to you? Is it good?
2. I have a PIX 520. What IOS version do you recommend?
3. If I decide to downgrade the version, where can I find the documentation?
Sergio
03-29-2004 12:13 PM
1. I just glanced at it quickly and it looks fine to me. But it is hard to say without knowing your environment first hand.
2. The latest 6.3(3) interim release if you want to run with the features in the 6.3 code. You will need to get this from the TAC (it is not on CCO).
3. http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.htm
Scott
03-29-2004 01:51 PM
Thanks Scott for your response.
Can I downgrade from 6.3(3) to 6.1(5)?
What is the procedure to downgrade?
Because 6.1(5) GD is the most stable, is that true?
Sergio
03-30-2004 08:46 AM
Yes, you can downgrade to 6.1(5) if you wish. There should be nothing special that needs to be done here. Just load the 6.1(5) binary file and reload the PIX. If you have some commands that are new to 6.2 or 6.3 code, they will obviously error out when the 6.1(5) code tries to read in the config, but this should not be too big of a deal. Just keep an eye on the console to have an idea of what is going on. And yes, 6.1(5) has reached General Deployment, which is a milestone signifying a certain level of stability.
Scott