Solved

I'm having a terrible time with my PIX 501.  It's locking up and I don't know why?

Posted on 2004-08-10
1,008 Views
Last Modified: 2011-10-03
When this was first happening I was running the 6.2(2) code.  I have since upgraded to 6.3(3) and I turned off icmp reply.  The PIX runs fine for about 10-20 minutes and then you are unable to get external.  You can ping the PIX but no addresses outside.  PDM will also not launch; I get "page can't be displayed".  I will reboot the PIX and the same process repeats.  This has been going on since I have gotten this darn PIX.  I'm just really frustrated with it.

Here is my config.

Rayspixfirewall# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password O56K8D.xqN/Hcd36 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Rayspixfirewall
domain-name raydoran.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
no fixup protocol ftp 21
fixup protocol ftp 2121
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.10 Server
name 192.168.1.2 raysathlon
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 3389
access-list outside_in permit tcp any any eq 2121
access-list outside_in permit tcp any any eq 4899
access-list outside_in permit tcp any any eq 1755
access-list outside_in permit tcp any any eq smtp
access-list outside_in permit tcp any any eq 554
access-list outside_in permit tcp any any eq 69
access-list outside_in permit tcp any any eq ftp
pager lines 24
logging on
logging timestamp
logging console errors
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2121 Server 2121 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4899 Server 4899 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1755 Server 1755 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 554 Server 554 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 69 Server 69 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Server ftp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
rip inside default version 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp enable outside
isakmp enable inside
isakmp keepalive 10 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup raysvpn dns-server Server
vpngroup raysvpn default-domain raydoran.com
vpngroup raysvpn idle-time 1800
vpngroup raysvpn password ********
telnet 0.0.0.0 255.255.255.255 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username raydoran password cUynQTe6ojEYJ1VX encrypted privilege 15
terminal width 100
Cryptochecksum:2a8bb50b7f55a75d9d3e50354cb617a4
: end
Rayspixfirewall#



Here is what is in the logs:


Rayspixfirewall# sh log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: level errors, 0 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 915 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
061 to outside:24.1.36.238/1053
710005: UDP request discarded from 63.210.198.169/15061 to outside:24.1.36.238/1053
710005: UDP request discarded from 63.210.198.169/15061 to outside:24.1.36.238/1053
710005: UDP request discarded from 63.210.198.169/15061 to outside:24.1.36.238/1053
710005: UDP request discarded from 63.210.198.169/15061 to outside:24.1.36.238/1053
305011: Built dynamic UDP translation from inside:192.168.1.10/7398 to outside:24.1.36.238/1125
302015: Built outbound UDP connection 217 for outside:63.240.76.198/53 (63.240.76.198/53) to inside:192.168.1.10/7398 (24.1.36.238/1125)
302016: Teardown UDP connection 217 for outside:63.240.76.198/53 to inside:192.168.1.10/7398 duration 0:00:01 bytes 553
305012: Teardown dynamic UDP translation from inside:192.168.1.10/7398 to outside:24.1.36.238/1125 duration 0:00:31
710005: UDP request discarded from 192.168.1.3/137 to inside:192.168.1.255/netbios-ns
710005: UDP request discarded from 192.168.1.3/137 to inside:192.168.1.255/netbios-ns
710005: UDP request discarded from 192.168.1.3/137 to inside:192.168.1.255/netbios-ns
305011: Built static TCP translation from inside:192.168.1.10/4899 to outside:24.1.36.238/4899
302013: Built inbound TCP connection 218 for outside:211.197.194.150/1116 (211.197.194.150/1116) to inside:192.168.1.10/4899 (24.1.36.238/4899)
302014: Teardown TCP connection 218 for outside:211.197.194.150/1116 to inside:192.168.1.10/4899 duration 0:02:01 bytes 0 SYN Timeout
305012: Teardown static TCP translation from inside:192.168.1.10/4899 to outside:24.1.36.238/4899 duration 0:02:06
305011: Built dynamic UDP translation from inside:192.168.1.4/1323 to outside:24.1.36.238/1126
302015: Built outbound UDP connection 219 for outside:204.152.184.72/123 (204.152.184.72/123) to inside:192.168.1.4/1323 (24.1.36.238/1126)
305011: Built dynamic UDP translation from inside:192.168.1.10/7398 to outside:24.1.36.238/1127
302015: Built outbound UDP connection 220 for outside:63.240.76.198/53 (63.240.76.198/53) to inside:192.168.1.10/7398 (24.1.36.238/1127)
302016: Teardown UDP connection 220 for outside:63.240.76.198/53 to inside:192.168.1.10/7398 duration 0:00:01 bytes 553
710005: UDP request discarded from 192.168.1.10/138 to inside:192.168.1.255/netbios-dgm
710005: UDP request discarded from 192.168.1.2/138 to inside:192.168.1.255/netbios-dgm
305012: Teardown dynamic UDP translation from inside:192.168.1.10/7398 to outside:24.1.36.238/1127 duration 0:00:31
302016: Teardown UDP connection 219 for outside:204.152.184.72/123 to inside:192.168.1.4/1323 duration 0:02:01 bytes 112
305012: Teardown dynamic UDP translation from inside:192.168.1.4/1323 to outside:24.1.36.238/1126 duration 0:02:06
111009: User 'enable_15' executed cmd: show logging
710005: UDP request discarded from 192.168.1.3/138 to inside:192.168.1.255/netbios-dgm
305011: Built dynamic UDP translation from inside:192.168.1.2/4176 to outside:24.1.36.238/1128
302015: Built outbound UDP connection 221 for outside:63.240.76.198/53 (63.240.76.198/53) to inside:192.168.1.2/4176 (24.1.36.238/1128)
302016: Teardown UDP connection 221 for outside:63.240.76.198/53 to inside:192.168.1.2/4176 duration 0:00:01 bytes 553
411002: Line protocol on Interface outside, changed state to down
604102: DHCP client interface outside:  address released
710005: UDP request discarded from 192.168.1.3/137 to inside:192.168.1.255/netbios-ns
710005: UDP request discarded from 192.168.1.3/137 to inside:192.168.1.255/netbios-ns
110001: No route to 63.210.198.169 from 24.1.36.238
710005: UDP request discarded from 192.168.1.3/137 to inside:192.168.1.255/netbios-ns
305012: Teardown dynamic UDP translation from inside:192.168.1.2/4176 to outside:24.1.36.238/1128 duration 0:00:31
302010: 1 in use, 12 most used
302016: Teardown UDP connection 0 for outside:63.210.198.169/15061 to inside:192.168.1.4/34400 duration 0:30:29 bytes 66861
305012: Teardown dynamic UDP translation from inside:192.168.1.4/34400 to outside:24.1.36.238/1024 duration 0:30:40
302010: 0 in use, 12 most used
111009: User 'enable_15' executed cmd: show running-config
Rayspixfirewall#


Rayspixfirewall# sh xlate
0 in use, 17 most used
Rayspixfirewall#


I need some help from an expert, because I'm definitely not a PIX expert.  Thanks to anyone that can help.

Question by: RayDoran

3 Comments

Expert Comment by: grblades (LVL 36)
I cannot see anything wrong with your configuration.
I suggest you check the speed/duplex settings on the interfaces. You have the outside interface set to auto which normally works fine.
You have the inside interface set to 100full which will only work if you have the device which it is connected to also set to 100full. It won't work correctly if one side is set to 100full and the other auto.

These lines indicate that there was a problem with the network interface. This happened while you were logged in. Did you do anything to cause this?
I would check and possibly replace the network cable on the outside interface in case it is faulty.
If that does not fix it then my guess would be a faulty PIX or the device it is connected to.

411002: Line protocol on Interface outside, changed state to down
604102: DHCP client interface outside:  address released

Author Comment by: RayDoran
After reading some more posts I came across one that said that I should enter in the following commands because of viruses:

access-list outbound deny icmp any any echo
access-list outbound permit ip any any
!
access-group outbound in interface inside

I made the changes on the PIX and I also turned off logging.  I have a question about logging.  If the logging buffer fills up will that cause the PIX to become unresponsive?  Because I have made the changes indicated above and it now seems to be working fine.

The only thing that is not working is ftp.  I use port 2121 for ftp and I get the login and password prompt and I enter in the information.  Then it goes out and does a list on the directory and just hangs.  I have tried with passive on and then tried it with passive off.

Accepted Solution by: grblades (LVL 36, earned 500 total points)
If adding the access list helps then you probably have some machines infected with viruses which are trying to connect to lots of internet machines and infect them. This is why the PIX was becoming unresponsive as it or your internet connection itself was overloaded.

With logging turned on the PIX stores the last X number of messages in the buffer. If the buffer becomes full the older messages are dropped.

You have only defined port 2121 for ftp so people should be able to connect to your ftp server using active mode. Passive mode should always work as long as the client is not behind a dumb firewall.
You have turned off fixup on the normal ftp port which may cause problems for your internal machines connecting to ftp servers on the internet.
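Added example, not part of this thread or of anything Cisco ships: a small Python triage script for the kind of `sh log` buffer output quoted in the question. It checks the two things the two answers above point at: outside-interface link events (message IDs 411002 and 604102, taken from the log in the question) that suggest a cable, duplex or hardware fault, and inside hosts that build outbound connections to an unusually large number of distinct outside endpoints, the worm pattern that the outbound access-list was added to suppress. The log lines it runs over are constructed for the example (the 198.51.100.0/24 destinations are documentation addresses); the message formats copy the 302013/302015/305011 lines in the question, and the threshold of 20 destinations is an assumed starting point, not a Cisco value.

```python
import re
from collections import Counter, defaultdict

# PIX 6.x buffer lines look like "NNNNNN: text"; header lines from "show
# logging" (e.g. "Syslog logging: enabled") do not and are skipped.
MSG_RE = re.compile(r"^(?P<id>\d{6}): (?P<text>.*)$")

# "Built outbound TCP/UDP connection N for outside:DST/PORT (..) to inside:SRC/PORT (..)"
OUTBOUND_RE = re.compile(
    r"Built outbound (?P<proto>TCP|UDP) connection \d+ for "
    r"outside:(?P<dst>[\d.]+)/(?P<dport>\S+) \([^)]*\) to "
    r"inside:(?P<src>[\d.]+)/\S+"
)

# IDs seen in the question's log: link down on outside, DHCP address released.
LINK_EVENT_IDS = {"411002", "604102"}
# 302013 (TCP) and 302015 (UDP) are used for both directions; the regex
# above keeps only the "outbound" ones.
OUTBOUND_IDS = {"302013", "302015"}

# Constructed sample buffer: a normal DNS lookup from the Server, one link
# flap on outside, and one inside host (192.168.1.4) opening TCP/135 to 50
# different outside addresses.
_BASE_LINES = [
    "Syslog logging: enabled",
    "    Buffer logging: level debugging, 915 messages logged",
    "305011: Built dynamic UDP translation from inside:192.168.1.10/7398 to outside:24.1.36.238/1125",
    "302015: Built outbound UDP connection 217 for outside:63.240.76.198/53 (63.240.76.198/53) to inside:192.168.1.10/7398 (24.1.36.238/1125)",
    "302016: Teardown UDP connection 217 for outside:63.240.76.198/53 to inside:192.168.1.10/7398 duration 0:00:01 bytes 553",
    "411002: Line protocol on Interface outside, changed state to down",
    "604102: DHCP client interface outside:  address released",
]
_SCAN_LINES = [
    f"302013: Built outbound TCP connection {300 + i} for outside:198.51.100.{i}/135 "
    f"(198.51.100.{i}/135) to inside:192.168.1.4/{1024 + i} (24.1.36.238/{1200 + i})"
    for i in range(1, 51)
]
SAMPLE_LOG = "\n".join(_BASE_LINES + _SCAN_LINES) + "\n"


def parse_records(text):
    """Return (message_id, text) for every syslog line; non-syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if m:
            records.append((m.group("id"), m.group("text")))
    return records


def link_events(records):
    """Outside-interface link/DHCP events, the lines grblades pointed at."""
    return [text for mid, text in records if mid in LINK_EVENT_IDS]


def outbound_summary(records):
    """Per inside host: outbound connection count and distinct (dst, port) pairs."""
    conns = Counter()
    dests = defaultdict(set)
    for mid, text in records:
        if mid not in OUTBOUND_IDS:
            continue
        m = OUTBOUND_RE.search(text)
        if not m:
            continue
        conns[m["src"]] += 1
        dests[m["src"]].add((m["dst"], m["dport"]))
    return {src: {"connections": conns[src], "destinations": len(dests[src])}
            for src in conns}


def noisy_hosts(records, min_destinations=20):
    """Inside hosts reaching at least min_destinations distinct outside endpoints,
    most destinations first. Threshold is an assumption for this example."""
    summary = outbound_summary(records)
    flagged = [(src, s["destinations"], s["connections"])
               for src, s in summary.items() if s["destinations"] >= min_destinations]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


def triage(text, min_destinations=20):
    """Run both checks over raw 'show logging' output."""
    records = parse_records(text)
    return {"link_events": link_events(records),
            "noisy_hosts": noisy_hosts(records, min_destinations)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ev in report["link_events"]:
        print("LINK :", ev)
    for src, ndst, nconn in report["noisy_hosts"]:
        print(f"NOISY: {src} reached {ndst} outside endpoints over {nconn} connections")
```

Paste real `sh log` output into `SAMPLE_LOG` (or read it from a file) and the script will list link events and the inside addresses worth looking at; a host that shows up with dozens of distinct destinations on one port is the one to pull off the wire and scan, and a link event that coincides with the outage supports the cable/duplex explanation rather than the infection one.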