Cisco PIX 501 - Unable to see sites behind PIX, Outside works great

Hello All;

  Within the last hour a problem has occurred on my network.
All sites, Mail, and well, basically everything that is behind the PIX has gone down.
We are running:
3 Web Servers
1 Mail Server
1 FTP Server

All these can be accessed from "Outside" the PIX.
But just now they are no longer accessible from "Inside" the PIX.

Everything has been running Flawlessly, For months, until now?

I am trying to Login to the Console using HyperTerminal.
But without success.
I have an old session that I created, and when I bring it up and it connects.
I can see the configuration from the last time,
But it is not allowing me to [login] [Enable].
I cannot type anything into the Console Editor?

I cannot remember how to create a new session to connect to the PIX.
I know how to set up a Connection, but not how to connect to the PIX.?

Any information is gratefully appreciated.
Carrzkiss
Wayne BarronAuthor, Web DeveloperAsked:

lrmooreCommented:
Suggest rebooting the PIX. The 501 may simply have run out of CPU power and is "CPU bound"
0
Wayne BarronAuthor, Web DeveloperAuthor Commented:
Have already done that 2 times.
But will try again.

Tried to no success.
Still only able to access outside of the network.
I can get to it via use of the In-House IP Address.
But not the Domain Name?
Like mentioned, this just started earlier today.

Carrzkiss
0
lrmooreCommented:
>I can get to it via use of the In-House IP Address.
>But not the Domain Name?
Does your DNS resolve to the Public IP address vs the in-house private IP address?
If yes, did this change recently?
If yes, do you have "alias" commands in your PIX?
I would focus my attention on the DNS issue at this point..
0
Wayne BarronAuthor, Web DeveloperAuthor Commented:
The DNS is setup to only Outside IP Address.
I do not have DNS Setup for In-House IP Address.

PIX is set up on NAT.

It is not a DNS Issue. There is something else that happened.
And nothing has been messed with, like mentioned.
It just happened out of the blue.
I was working on a web site, when it started.
I went to view the site, and it timed out on the Refresh.
And then E-mail popped up with an error.
BUT, I have the USB connected from the Modem to my main computer.
And E-mail works fine and web sites work fine, Only Outside the PIX.

Nothing looks like it has changed in the PIX.
DNS Has not changed, and it is Outside IP Address in the DNS. Not local.

Carrzkiss
0
lrmooreCommented:
>and it is Outside IP Address in the DNS
If this is true, then you must have "alias" entries in your PIX.
Can you post your PIX running config?
0
Wayne BarronAuthor, Web DeveloperAuthor Commented:
As posted in the main post here.
I cannot access it through [HyperTerminal]
For some strange reason, it is not letting me get in?
I can get into it through the [Device Manager] only
At this moment.

  I will try to bring it up again and see if it will let me
0
lrmooreCommented:
If you can get into it from the GUI, choose File | Show Running Config in new window

0
Wayne BarronAuthor, Web DeveloperAuthor Commented:
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service web tcp
  description web traffic
  port-object eq www
  port-object eq https
access-list outside_in permit tcp any host 68.119.178.76 object-group web
access-list outside_in permit tcp any host 68.119.178.77 object-group web
access-list outside_in permit tcp any host 68.119.178.78 object-group web
access-list outside_in permit tcp any host 68.119.178.79 object-group web
access-list outside_in permit tcp any host 68.119.178.80 object-group web
access-list outside_in permit udp any host 68.119.178.76 eq domain
access-list outside_in permit udp any host 68.119.178.77 eq domain
access-list outside_in permit tcp any host 68.119.178.76 eq ftp
access-list outside_in permit tcp any host 68.119.178.82 eq smtp
access-list outside_in permit tcp host 204.74.100.10 host 68.119.178.76 eq domain
access-list outside_in permit tcp host 204.74.97.97 host 68.119.178.76 eq domain
access-list outside_in permit tcp host 204.74.104.97 host 68.119.178.76 eq domain
access-list outside_in permit tcp any host 68.119.178.82 eq pop3
access-list outside_in permit tcp any host 68.119.178.82 eq 8181
access-list outside_in permit tcp any host 68.119.178.82 eq www
access-list outside_in permit tcp any host 68.119.178.82 eq 8384
access-list outside_in permit tcp any host 68.119.178.84 eq 1755
access-list outside_in permit tcp any host 68.119.178.83 object-group web
access-list outside_in remark File Program TCP Connection
access-list outside_in permit tcp any host 68.119.178.89 eq 4662
access-list outside_in remark File Program UDP
access-list outside_in permit udp any host 68.119.178.89 eq 4672
access-list outside_in permit tcp any host 68.119.178.84 eq 554
access-list outside_in permit udp any host 68.119.178.84 eq 1755
access-list outside_in permit udp any host 68.119.178.84 eq 5004
access-list outside_in permit tcp any host 68.119.178.81 eq 8181
access-list outside_in permit tcp any host 68.119.178.81 eq www
access-list outside_in permit tcp any host 68.119.178.81 eq 8384
access-list outside_in permit tcp any host 68.119.178.81 eq pop3
access-list outside_in permit tcp any host 68.119.178.81 eq smtp
access-list outside_in permit tcp host 204.74.100.10 host 68.119.178.77 eq domain
access-list outside_in permit tcp host 204.74.97.97 host 68.119.178.77 eq domain
access-list outside_in permit tcp host 204.74.104.97 host 68.119.178.77 eq domain
access-list outside_in permit tcp any host 68.119.178.76 eq domain
access-list outside_in permit tcp any host 68.119.178.77 eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 68.119.178.85 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.176 255.255.255.255 inside
pdm location 192.168.1.177 255.255.255.255 inside
pdm location 192.168.1.178 255.255.255.255 inside
pdm location 192.168.1.179 255.255.255.255 inside
pdm location 192.168.1.180 255.255.255.255 inside
pdm location 192.168.1.181 255.255.255.255 inside
pdm location 192.168.1.182 255.255.255.255 inside
pdm location 192.168.1.175 255.255.255.255 inside
pdm location 192.168.1.183 255.255.255.255 inside
pdm location 192.168.1.184 255.255.255.255 inside
pdm location 192.168.1.185 255.255.255.255 inside
pdm location 192.168.1.186 255.255.255.255 inside
pdm location 192.168.1.187 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 68.119.178.75 255.255.255.255 outside
pdm location 204.74.97.97 255.255.255.255 outside
pdm location 204.74.100.10 255.255.255.255 outside
pdm location 204.74.104.97 255.255.255.255 outside
pdm location 192.168.1.188 255.255.255.255 inside
pdm location 192.168.1.189 255.255.255.255 inside
pdm location 192.168.1.190 255.255.255.255 inside
pdm location 192.168.1.191 255.255.255.255 inside
pdm location 192.168.1.193 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 68.119.178.87
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 68.119.178.76 192.168.1.176 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.77 192.168.1.177 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.78 192.168.1.178 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.79 192.168.1.179 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.80 192.168.1.180 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.81 192.168.1.181 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.82 192.168.1.182 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.75 192.168.1.175 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.83 192.168.1.183 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.84 192.168.1.184 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.85 192.168.1.185 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.86 192.168.1.186 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.87 192.168.1.187 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.88 192.168.1.188 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.90 192.168.1.190 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.89 192.168.1.189 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.91 192.168.1.191 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.93 192.168.1.193 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 255.255.255.0 68.119.178.85 1
route outside 0.0.0.0 0.0.0.0 68.119.178.85 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd dns 68.119.178.83 192.168.1.178
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:aeddb50167e8c7043b71cace85411cca
: end
[OK]
0
lrmooreCommented:
If you don't want internal users to DNS resolve to the private IP's (the best way), then you need to add a set of "alias" commands for your public servers
  sysopt noproxyarp inside
  alias (inside) 192.168.1.176 68.119.178.76 255.255.255.255
  alias (inside) 192.168.1.177 68.119.178.77 255.255.255.255
  alias (inside) 192.168.1.178 68.119.178.78 255.255.255.255
<etc>

Reference:
http://www.cisco.com/warp/public/110/alias.html
0
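The alias suggestion above can be generated from the `static` lines rather than typed by hand. This is an added example, not code from the thread or from Cisco; the function names are hypothetical, the sample is a constructed excerpt of the posted config, and it assumes "public servers" means host statics whose public address is permitted in an access-list.

```python
import re

# Constructed excerpt of the running config posted above (plus one alias
# line, added here to show that existing entries are skipped).
SAMPLE_CONFIG = """\
access-list outside_in permit tcp any host 68.119.178.76 object-group web
access-list outside_in permit tcp host 204.74.100.10 host 68.119.178.77 eq domain
access-list outside_in remark File Program TCP Connection
static (inside,outside) 68.119.178.76 192.168.1.176 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.77 192.168.1.177 netmask 255.255.255.255 0 0
static (inside,outside) 68.119.178.88 192.168.1.188 netmask 255.255.255.255 0 0
alias (inside) 192.168.1.176 68.119.178.76 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ALIAS_RE = re.compile(r"^alias \((\w+)\) (\S+) (\S+) (\S+)")
HOST_MASK = "255.255.255.255"


def published_hosts(config):
    """Destination hosts named in access-list permit lines (last 'host X')."""
    hosts = set()
    for line in config.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[0] == "access-list" and parts[2] == "permit":
            found = re.findall(r"\bhost (\S+)", line)
            if found:
                hosts.add(found[-1])
    return hosts


def alias_commands(config, inside_if="inside"):
    """Alias lines, in the form used in the comment above, that are not yet present."""
    lines = [l.strip() for l in config.splitlines()]
    existing = {m.groups()[:3] for m in map(ALIAS_RE.match, lines) if m}
    published = published_hosts(config)
    out = []
    for m in filter(None, map(STATIC_RE.match, lines)):
        real_if, _mapped_if, public, private, mask = m.groups()
        # Only one-to-one host statics for servers reachable from outside.
        if real_if != inside_if or mask != HOST_MASK or public not in published:
            continue
        if (real_if, private, public) not in existing:
            out.append(f"alias ({real_if}) {private} {public} {mask}")
    return out


if __name__ == "__main__":
    print("\n".join(alias_commands(SAMPLE_CONFIG)))
```
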
Wayne BarronAuthor, Web DeveloperAuthor Commented:
Question?

   I have never had it in there before. I have been running the configuration posted since June, 2004
With no problems. This is something that just happened yesterday.
Any ideas why it just happened?

Before I add in anything else into the Config, I need to know "why" it happened?

Thank you
Carrzkiss
0
lrmooreCommented:
I have no answer as to why it was working before. It should not have ever been working while resolving DNS to the public IP addresses without the alias commands.
My best guess is that the DNS resolution changed from resolving to the private IP's to the Public IP's. That is the only thing I can think of that would cause it. If nothing changed on the PIX, then something else changed.

-dazed and confused...
<8-{

 
0
Wayne BarronAuthor, Web DeveloperAuthor Commented:
I will do some thorough checking and see what I come up with.
Will post back my findings.

If I cannot find anything, then I will try the commands that you supplied.
And see if that will resolve the issue.

This is very puzzling..

-dazed and confused.... That is right, same here {Led Zeppelin}

Take Care lrmoore

Carrzkiss
0
Wayne BarronAuthor, Web DeveloperAuthor Commented:
Have one question though?
You posted this:
If you don't want internal users to DNS resolve to the private IP's (the best way),

How is this done? Do you have a link that will explain this?

Thanks
Carrzkiss
0
lrmooreCommented:
Your local DNS server should resolve local hosts to the local private IP address always.
You should have a separate DNS server that serves up the public IPs to the general public, not to local users.
0

Wayne BarronAuthor, Web DeveloperAuthor Commented:
I forgot all about this question.
Time to clean house on it.
lrmoore, even though this did not resolve this issue, I believe that you are accurate on what you say.
So I will award you the points.

Thank you for your time.

Carrzkiss
0
Question has a verified solution.
