• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 521

With new PIX, some users cannot access Internet, but others can

I have a new PIX 515 that I thought was working fine.  I installed it yesterday with no problems.  I came in today, and some people do not have Internet access.  There are others who do have access.  Everybody had access yesterday afternoon when I switched over to the PIX, but this morning a few people could not browse the Internet, though internal access was OK on these PCs.  I could ping the Firewall and other devices just fine.

All the settings on the PCs look OK.  They are provided by the PIX which acts as a DHCP server.  IP Address, Subnet Mask, Gateway, DNS.  All look OK.  If I set to static, these PCs still cannot connect.  The only difference between yesterday and today is that the PIX acted as the DHCP server to these PCs this morning, whereas my other firewall was providing the DHCP leases yesterday.  Still, this should not matter.

It is not a "first come first serve"  issue either.  I came in late today and was the last to login.  By this time, two people informed me they did not have Internet access.  I turned on my PC and it worked fine, though I was the last to login.
Asked by Javier196
1 Solution
 
lrmooreCommented:
Did you set up a PAT Global address in addition to the NAT global pool?

Can you post your global (outside) configuration? You can mask your real public ip..
 
Javier196Author Commented:
Strange circumstance.  I had to reboot my DC, which provides DNS server for my internal network.  After the server came back up, I personally lost Internet Access.  I cannot hit Google or MSN, but I do receive email, and I know my pcAnywhere forwarding is working.  Funny thing though, I received an email from this website concerning your reply to my problem, and when I clicked on the link, I was able to open up this website, and reply back to you.  I cannot access any other site though.

Here is my config:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside xxx.xxx.20.98 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.20.97 1

no fixup protocol smtp 25

global (outside) 1 xxx.xxx.20.100-xxx.xxx.20.110
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0


static (inside,outside) xxx.xxx.20.98 192.168.0.12 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.20.101 192.168.0.120 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.20.102 192.168.0.121 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.20.103 192.168.0.10 netmask 255.255.255.255 0 0


access-list public_access_in permit tcp any host xxx.xxx.20.98 eq pop3
access-list public_access_in permit tcp any host xxx.xxx.20.98 eq www
access-list public_access_in permit tcp any host xxx.xxx.20.98 eq https
access-list public_access_in permit tcp any host xxx.xxx.20.98 eq smtp
access-list public_access_in permit tcp any host xxx.xxx.20.101 eq pcanywhere-data
access-list public_access_in permit udp any host xxx.xxx.20.101 eq pcanywhere-status
access-list public_access_in permit tcp any host xxx.xxx.20.102 eq 5633
access-list public_access_in permit udp any host xxx.xxx.20.102 eq 5634
access-list public_access_in permit udp any host xxx.xxx.20.103 eq tftp

access-group public_access_in in interface outside
 
Javier196Author Commented:
One of the people uses Internet radio via a program called Winamp.  She was able to connect.  I tried it, and I am also able to access Internet Radio, but I cannot browse any site but this one.  Strange that I can still hit this site.  I have clicked on all the links, no problem.  All other sites are not accessible.
 
lrmooreCommented:
Try this:
  no fixup protocol dns
 
tmehmetCommented:
very long shot......

Check license.

PIX had a habit in old days of remembering sessions; once the limit is reached it does not allow new sessions.  If people don't disconnect, eventually all sessions fill up and only existing ones work.

Quick test to eliminate this is to clear all sessions, e.g. bounce the box and see if all work again.
 
lrmooreCommented:
No intent to shoot down any suggestions, just FYI..
PIX 515 has no licensing limits. Only the little baby 501 has user limit.

Sounds like a DNS issue where the DNS server can't resolve correctly. Disabling the fixup dns might help...
 
Javier196Author Commented:
When I enter the "no fixup protocol dns", I get a "Bad Protocol DNS" back from the PIX.
 
lrmooreCommented:
PIX2(config)# no fixup protocol dns
PIX2(config)#

Works just fine on mine. What version OS you got?
 
Javier196Author Commented:
I have PIX Firewall Version  6.3(1)
 
lrmooreCommented:
Ahso... fixup dns was added in 6.3(3), I'm running 6.3(4)

D'OH - I missed this big one!
Looks like you have a static xlate using the same IP as your interface. Big, big, no no...

>ip address outside xxx.xxx.20.98 255.255.255.240
>static (inside,outside) xxx.xxx.20.98 192.168.0.12 netmask 255.255.255.255

no static (inside,outside) xxx.xxx.20.98 192.168.0.12 netmask 255.255.255.255
clear xlate

 
Javier196Author Commented:
I then have the problem of my POP3, my SMTP, and my Webmail not being routed to my Email Server at (xxx.xxx.20.98 to 192.168.0.10).

This was set up before I got here and was due to the limitation of the old Firewall.  The published MX record points to the external IP Address of the old firewall.

It is Friday, I could have the MX Record changed and have "mail.myco.com" point to xxx.xxx.20.104.  I would then add a static mapping for xxx.xxx.20.104 to xxx.xxx.0.12.

Is there another solution?
 
lrmooreCommented:
Another solution would be to simply change the outside IP to any other non-used IP address within the same subnet, like .105

 
Javier196Author Commented:
That was a great suggestion.  I changed my outside ip to xxx.xxx.20.109.  I then reset my global addresses to include xxx.xxx.20.98, and the range xxx.xxx.20.100-xxx.xxx.20.108.  I get Internet access now, and email flows out of the network, but no email flows in.  I added xxx.xxx.20.98 to the global address list, is there anything else I need to do?  I cannot hit my Webmail either which makes sense.
 
lrmooreCommented:
OK... some progress....

did you use pix#clear xlate

Using "show access-list" do you see any "hits" on
access-list public_access_in permit tcp any host xxx.xxx.20.98 eq smtp

Is your MX record pointing to x.x.20.98?
check your domain at http://www.dnsreport.com
 
Javier196Author Commented:
I know for a fact that my MX Record is at xxx.xxx.20.98.  Of that I am sure.  I checked also.

I do not get any hits when I do a "sho access-list".  I do get Internet Access from the inside, but I cannot send or receive mail.  I can hit my website at https://mail.myco.com, which is pointed to xxx.xxx.20.98 via MX, and I can also hit the site http://mail.myco.com, so http and https are working.  I just cannot send mail.  I know then that I am hitting the pointer from my MX Record, but for some reason, POP3 and SMTP are not working.  Can it be an Exchange Issue?

I put the old Firewall in and it works fine.  
 
lrmooreCommented:
So you can access the web server, just not pop3 or smtp...

So do you get any hits on any of these acls? If you get hits on www, but not smtp, this could point to an Exchange problem...

access-list public_access_in permit tcp any host xxx.xxx.20.98 eq pop3
access-list public_access_in permit tcp any host xxx.xxx.20.98 eq www
access-list public_access_in permit tcp any host xxx.xxx.20.98 eq https
access-list public_access_in permit tcp any host xxx.xxx.20.98 eq smtp

How about turning off fixup for DNS. It could just be a dns issue...
  no fixup protocol dns

 
Javier196Author Commented:
If you recall, I have PIX version 6.3(1) and I cannot perform the "no fixup protocol dns".

One interesting thing.  I rebooted the firewall, and at the end of the boot, it gave me a message:

.outside interface address added to PAT pool Global xxx.xxx.20.98 will be Port Address Translated.  I thought I changed the outside address to xxx.xxx.20.109.

Here is my config:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521

access-list public_access_in permit tcp any host 64.163.20.98 eq pop3
access-list public_access_in permit tcp any host 64.163.20.98 eq www
access-list public_access_in permit tcp any host 64.163.20.98 eq https
access-list public_access_in permit tcp any host 64.163.20.98 eq smtp
access-list public_access_in permit tcp any host 64.163.20.101 eq pcanywhere-data
access-list public_access_in permit udp any host 64.163.20.101 eq pcanywhere-status
access-list public_access_in permit tcp any host 64.163.20.102 eq 5633
access-list public_access_in permit udp any host 64.163.20.102 eq 5634
access-list public_access_in permit udp any host 64.163.20.103 eq tftp

ip address outside 64.163.20.109 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0

global (outside) 1 64.163.20.100-64.163.20.108
global (outside) 1 interface
global (outside) 1 64.163.20.98

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 64.163.20.98 192.168.0.12 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.101 192.168.0.120 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.102 192.168.0.121 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.103 192.168.0.10 netmask 255.255.255.255 0 0

access-group public_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 64.163.20.97 1
 
Javier196Author Commented:
Strange. I got a email message from Expert-Exchange about your post.  I cannot get any other mail though.
 
lrmooreCommented:
Get rid of this global:
 global (outside) 1 64.163.20.98

no global (outside) 1 64.163.20.98

Then
clear xlate
 
Javier196Author Commented:
I don't need it to perform a Static NAT?
 
Javier196Author Commented:
Now I get a .outside interface added to PAT pool.

Still no mail.  Darn....
 
lrmooreCommented:
>Now I get a .outside interface added to PAT pool.
Expected because you have this:  
   global (outside) 1 interface

>I don't need it to perform a Static NAT?
No, your static is this one only:
   static (inside,outside) 64.163.20.98 192.168.0.12 netmask 255.255.255.255

Do you just want to post your complete config so I can scrub through it?
I can edit out anything if you accidentally post something that you didn't want to...
 
Javier196Author Commented:
Here it is:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname EzionFW1
domain-name eleczion.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list public_access_in permit tcp any host 64.163.20.98 eq pop3
access-list public_access_in permit tcp any host 64.163.20.98 eq www
access-list public_access_in permit tcp any host 64.163.20.98 eq https
access-list public_access_in permit tcp any host 64.163.20.98 eq smtp
access-list public_access_in permit tcp any host 64.163.20.101 eq pcanywhere-data
access-list public_access_in permit udp any host 64.163.20.101 eq pcanywhere-status
access-list public_access_in permit tcp any host 64.163.20.102 eq 5633
access-list public_access_in permit udp any host 64.163.20.102 eq 5634
access-list public_access_in permit udp any host 64.163.20.103 eq tftp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.163.20.109 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 192.168.0.75 255.255.255.255 inside
pdm location 192.168.0.76 255.255.255.255 inside
pdm location 192.168.0.10 255.255.255.255 inside
pdm location 192.168.0.12 255.255.255.255 inside
pdm location 192.168.0.120 255.255.255.255 inside
pdm location 192.168.0.121 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 64.163.20.100-64.163.20.108
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.163.20.98 192.168.0.12 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.101 192.168.0.120 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.102 192.168.0.121 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.103 192.168.0.10 netmask 255.255.255.255 0 0
access-group public_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.163.20.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.10 \ezionfw1
floodguard enable
telnet 192.168.0.75 255.255.255.255 inside
telnet 192.168.0.76 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 10
dhcpd address 192.168.0.100-192.168.0.130 inside
dhcpd dns 192.168.0.10
dhcpd wins 192.168.0.10 192.168.0.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain hq.eleczion.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

 
Javier196Author Commented:
I took out the PW lines.  Weird part is I get mail from Experts Exchange and no other sites....Very Strange.
 
lrmooreCommented:
OK, let's take this out completely too. The nat pool overlaps with some of your statics...

>global (outside) 1 64.163.20.100-64.163.20.108
 
no global (outside) 1 64.163.20.100-64.163.20.108
clear xlate
exit
write mem

Reboot the PIX..

Any chance you can upgrade it to 6.3(4) ?
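A small lint for the two NAT collisions lrmoore spotted in this thread: a static whose mapped address is the outside interface's own address, and a global pool (or `global ... interface`) that overlaps the mapped addresses of statics. This is an added example written for this page, not code from the thread or from Cisco; it assumes only the PIX 6.x `ip address`, `global` and `static` syntax shown in the posted configs and parses nothing else.

```python
"""Check a PIX 6.x NAT block for address collisions between interface, global and static."""
import ipaddress
import re

# Constructed sample: the NAT-related lines from the first config posted in this
# thread, with the masked octets filled in as 64.163 the way the later posts show.
SAMPLE_CONFIG = """\
ip address outside 64.163.20.98 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 64.163.20.100-64.163.20.110
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.163.20.98 192.168.0.12 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.101 192.168.0.120 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.102 192.168.0.121 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.103 192.168.0.10 netmask 255.255.255.255 0 0
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")


def parse(config):
    """Return (interface addresses, global pools, statics) from a PIX config text."""
    ifaces, pools, statics = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        m = IP_RE.match(line)
        if m:
            ifaces[m.group(1)] = ipaddress.ip_address(m.group(2))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            ifname, pool_id, spec = m.groups()
            if spec == "interface":          # PAT on the interface address itself
                lo = hi = "interface"
            elif "-" in spec:                # a.b.c.d-a.b.c.e range
                lo, hi = (ipaddress.ip_address(a) for a in spec.split("-"))
            else:                            # single PAT address
                lo = hi = ipaddress.ip_address(spec)
            pools.append((ifname, int(pool_id), lo, hi))
            continue
        m = STATIC_RE.match(line)
        if m:
            # (mapped-side interface, mapped address, real address)
            statics.append((m.group(2), ipaddress.ip_address(m.group(3)), m.group(4)))
    return ifaces, pools, statics


def find_collisions(config):
    """Return a sorted list of (problem, mapped address) pairs, without duplicates."""
    ifaces, pools, statics = parse(config)
    problems = set()
    for mapped_if, mapped, _real in statics:
        # The catch in this thread: a static xlate on the interface's own address.
        if ifaces.get(mapped_if) == mapped:
            problems.add(("static-uses-interface-ip", str(mapped)))
        for ifname, _pool_id, lo, hi in pools:
            if ifname != mapped_if:
                continue
            if lo == "interface":            # resolve 'global ... interface' to its address
                lo = hi = ifaces.get(ifname)
            if lo is not None and lo <= mapped <= hi:
                problems.add(("static-inside-global-pool", str(mapped)))
    return sorted(problems)


if __name__ == "__main__":
    for problem, addr in find_collisions(SAMPLE_CONFIG):
        print(f"{problem}: {addr}")
```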
 
Javier196Author Commented:
Still no mail.  Internet is fine and I can access Webmail.  POP3 and SMTP still not sending.

What will 6.3(4) get me?  How much will it cost?

I bought this refurbished from a local Cisco rep.  Should I press for the upgrade?
 
Javier196Author Commented:
Should I set the MX Record to another address, xxx.xxx.20.105 for instance, and set my interface address back to xxx.xxx.20.98?  I could have it done today while it is still the weekend.

Somehow this is DNS or Exchange related I believe.  I will do some reading on Exchange.
 
lrmooreCommented:
Did you buy SmartNet? If yes, the upgrade is free.
6.3(4) fixes several bugs as well as security issues, and supports the new PDM 3.03 GUI..
http://www.cisco.com/en/US/products/products_security_advisory09186a00801e118a.shtml

Out of curiosity, what do you have outside the PIX? Router - T1?


 
Javier196Author Commented:
I don't believe I purchased SmartNet.  I got it with a one Year Warranty.  I will check on Monday though.

I have a full T1.
 
lrmooreCommented:
What does your mail server know itself as by DNS? 192.168.0.10, or xx.xx.20.98?

I think it definitely is a dns/Exchange related issue now that we have taken every possible variable out of the PIX.
Do you have your own DNS server, or do you point to your ISP's DNS?
What is the primary dns server entry for the Exchange server? Local or public?

 
lrmooreCommented:
One more thing to try on the PIX.. I don't know if it will work with 6.3(1), but I know it will for (4)
Just to verify one more time  - 192.168.0.12 = Exchange server?

no static (inside,outside) 64.163.20.98 192.168.0.12 netmask 255.255.255.255
static (inside,outside) 64.163.20.98 192.168.0.12 dns netmask 255.255.255.255
                                                                       ^^

Just another thought.. can you post result of C:\>route print  from the Exchange Server?
Do you have enable access to the router connecting to the T1 ? If yes, try a manual clear arp cache. If not, try rebooting it to force an arp cache refresh.


 
Javier196Author Commented:
GENIUS!!!!!

Rebooting the Router did it.  I should have thought of that.  I bet since we changed the IP Address of the Firewall, packets were getting dumped to .98, but the I/F was .109.  It was the router all along.  I am glad I got rid of those Global statements though.  I am sending and receiving mail.

Thank you for all the help.
 
lrmooreCommented:
Wooo hoooo!!! Miller time!!
 
lrmooreCommented:
Don't forget to come back and close out this question after you finish celebrating!

- Cheers!
 
Javier196Author Commented:
I have not forgotten.

I just want to come in on Monday and make sure all is well.  I expect it will be, but I want to make sure.

Thanks for all the help
 
Javier196Author Commented:
I have a problem with browsing the Internet again.  

I came in this morning and nobody had Internet access.  We had POP3 in, SMTP out, and even Internet Radio, but we do not get Browser access (Port 80).  I had to reconnect the old Firewall.  It worked on Saturday, but when I came in Monday, no Browser Access.  I don't understand what went wrong.  I rebooted the router and the PIX without help.

I don't understand it.

 
lrmooreCommented:
Do you mind posting your final config?
 
Javier196Author Commented:
Here it is:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname EzionFW1
domain-name eleczion.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list public_access_in permit tcp any host 64.163.20.98 eq pop3
access-list public_access_in permit tcp any host 64.163.20.98 eq www
access-list public_access_in permit tcp any host 64.163.20.98 eq https
access-list public_access_in permit tcp any host 64.163.20.98 eq smtp
access-list public_access_in permit tcp any host 64.163.20.101 eq pcanywhere-data
access-list public_access_in permit udp any host 64.163.20.101 eq pcanywhere-status
access-list public_access_in permit tcp any host 64.163.20.102 eq 5633
access-list public_access_in permit udp any host 64.163.20.102 eq 5634
access-list public_access_in permit udp any host 64.163.20.103 eq tftp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.163.20.109 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 192.168.0.xx 255.255.255.255 inside
pdm location 192.168.0.xx 255.255.255.255 inside
pdm location 192.168.0.xx 255.255.255.255 inside
pdm location 192.168.0.xx 255.255.255.255 inside
pdm location 192.168.0.xx 255.255.255.255 inside
pdm location 192.168.0.xx 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.163.20.98 192.168.0.12 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.101 192.168.0.120 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.102 192.168.0.121 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.103 192.168.0.10 netmask 255.255.255.255 0 0
access-group public_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.163.20.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.xx
floodguard enable
telnet 192.168.0.xx 255.255.255.255 inside
telnet 192.168.0.xx 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 10
dhcpd address 192.168.0.100-192.168.0.130 inside
dhcpd dns 192.168.0.10
dhcpd wins 192.168.0.10 192.168.0.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain hq.eleczion.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
 
lrmooreCommented:
>dhcpd dns 192.168.0.10
Is this correct for DNS server? Try reversing the order...

dhcpd wins 192.168.0.12 192.168.0.10

Remove this also, since your outside interface is not using DHCP to get its address info
>dhcpd auto_config outside


 
Javier196Author Commented:
I am on the PIX right now.  I can access some sites like www.espn.com, www.foxnews, www.experts-exchange.com, but I cannot access www.google.com.  I can play Internet Radio but I cannot send or receive email.  This is maddening.  This morning, I could send and receive email, but I could not access internet at all.  I was just downloading Symantec update for my laptop, and it downloaded one, then timed out on the other.   My laptop can also access all sites but Google.

If you recall, I could send or received email, and access the Internet, after I rebooted my router.  Of course, if I reconnect my old firewall, all works A-OK.
 
lrmooreCommented:
That has to be a dns issue. There is no other explanation.
The only effect that the PIX can have on DNS is the max packet length fixup not available on your version pix, and/or the dns information given out by dhcp server. That is why I suggested the changes to the dhcpd config.
 
Javier196Author Commented:
It was a DNS Issue.  I did a few things last night.  I erased the config on the 515 and brought the PIX back to factory defaults.  I then reloaded it from scratch.  Not too hard actually.  I then installed a backup DNS server which I had been meaning to do.  I then scrubbed my DNS servers and made sure all the settings were correct.  I did find a few kinks here and there.  After all of this, everything worked fine last night.  I then came in this morning, a little nervous I will admit, and all was fine.  I think I actually had a DNS issue all along, but my old firewall was more forgiving than the PIX.

In any case, all is well.  Now to set up some site to site VPNs.

Thank you all for the help.