08-05-2004 01:24 PM - edited 03-09-2019 08:19 AM
Hi all,
I have a PIX 515E-R with three interfaces: inside, outside and DMZ. I have 2 servers in the DMZ with private IP addresses, and I am doing NAT on the PIX to public IP addresses so that these servers are reachable from the internet.
The problem is that every 2 or 3 days, connectivity from the internet to these servers breaks, and it is necessary to reload the server to regain connectivity.
Does anybody know what the problem is?
Thanks
08-05-2004 05:02 PM
Hi,
No Idea what the problem is :(
You need to provide more information. e.g. the version, config, syslogs etc.
Thanks
Nadeem
08-06-2004 07:41 AM
Ok, Nadeem
sh ver:
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Fri 02-Jul-04 00:07 by morlee
PIX up 3 days 17 hours
Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 000e.d738.dd22, irq 10
1: ethernet1: address is 000e.d738.dd23, irq 11
2: ethernet2: address is 0002.b3ea.9dee, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces: 5
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number: 808010584 (0x30294358)
Running Activation Key: 0xeca6bf27 0x63d5789a 0x1627c6a2 0x9f3bf494
Configuration last modified by enable_15 at 14:18:11.118 UTC Thu Aug 5 2004
sh run:
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list smtp permit tcp any host 200.1.1.1 eq www
access-list acl_dmz permit tcp any host 192.168.0.79 eq www
access-list acl-inside permit icmp any any
access-list acl-inside permit tcp any any
access-list acl-inside permit udp any any
access-list 101 permit ip 192.168.0.0 255.255.255.0 200.1.1.4 255.255.255.248
access-list 101 permit ip 192.168.0.0 255.255.255.0 172.16.8.0 255.255.255.0
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 200.2.1.1 255.255.255.240
ip address inside 192.168.0.253 255.255.255.0
ip address dmz 172.16.8.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 200.3.1.1 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 200.2.1.2
nat (inside) 0 access-list 101
nat (inside) 1 192.168.0.202 255.255.255.255 0 0
static (inside,outside) 200.1.1.2 192.168.0.153 netmask 255.255.255.255 0 0
static (inside,outside) 200.1.1.5 192.168.0.151 netmask 255.255.255.255 0 0
static (dmz,outside) 200.1.1.1 172.16.8.100 netmask 255.255.255.255 0 0
static (dmz,outside) 200.1.1.2 172.16.8.101 netmask 255.255.255.255 0 0
static (dmz,outside) 200.1.1.3 172.16.8.102 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
access-group 100 in interface outside
access-group acl-inside in interface inside
route outside 0.0.0.0 0.0.0.0 200.2.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Thanks in advance
08-06-2004 09:50 AM
Hi,
See, these static statements are overlapping:
static (inside,outside) 200.1.1.2 192.168.0.153 netmask 255.255.255.255 0 0
static (dmz,outside) 200.1.1.2 172.16.8.101 netmask 255.255.255.255 0 0
What is the IP address of the server where you see the issue?
Change the above static statements and do a clear xlat (if possible).
You also have this ACL applied on the outside interface
access-group 100 in interface outsi
but the ACL does not exist.
Thanks
Nadeem
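The two problems pointed out in the reply above (two statics sharing one mapped address, and an access-group bound to an ACL that has no entries) can be checked for mechanically. This is an added example, not part of the original thread: the function names are hypothetical, the sample is a constructed subset of the posted "sh run" lines, and the parser assumes only the PIX 6.x `static`, `access-list` and `access-group` syntax shown on this page.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: a subset of the "sh run" lines posted in the thread above.
SAMPLE_CONFIG = """\
access-list smtp permit tcp any host 200.1.1.1 eq www
access-list acl_dmz permit tcp any host 192.168.0.79 eq www
access-list acl-inside permit icmp any any
access-list 101 permit ip 192.168.0.0 255.255.255.0 172.16.8.0 255.255.255.0
static (inside,outside) 200.1.1.2 192.168.0.153 netmask 255.255.255.255 0 0
static (inside,outside) 200.1.1.5 192.168.0.151 netmask 255.255.255.255 0 0
static (dmz,outside) 200.1.1.1 172.16.8.100 netmask 255.255.255.255 0 0
static (dmz,outside) 200.1.1.2 172.16.8.101 netmask 255.255.255.255 0 0
static (dmz,outside) 200.1.1.3 172.16.8.102 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
access-group 100 in interface outside
access-group acl-inside in interface inside
"""

STATIC_RE = re.compile(r"^static \(([^,\s]+),([^)\s]+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def overlapping_statics(config):
    """Pairs of statics whose mapped addresses overlap on the same interface."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_ifc, mapped_ifc, mapped_ip, real_ip, mask = m.groups()
            net = ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False)
            entries.append((mapped_ifc, net, f"{real_ifc}:{real_ip}"))
    return [(a[0], str(a[1]), a[2], b[2])
            for a, b in combinations(entries, 2)
            if a[0] == b[0] and a[1].overlaps(b[1])]

def undefined_access_groups(config):
    """access-group bindings that name an ACL with no access-list entries."""
    lines = [l.strip() for l in config.splitlines()]
    defined = {m.group(1) for m in map(ACL_RE.match, lines) if m}
    bound = [m.groups() for m in map(GROUP_RE.match, lines) if m]
    return [(acl, ifc) for acl, ifc in bound if acl not in defined]

if __name__ == "__main__":
    for ifc, net, first, second in overlapping_statics(SAMPLE_CONFIG):
        print(f"overlap on {ifc}: {net} mapped to both {first} and {second}")
    for acl, ifc in undefined_access_groups(SAMPLE_CONFIG):
        print(f"access-group on {ifc} references undefined ACL {acl!r}")
```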