Win2k3 - Cisco PIX Issue? - Some Laptop users periodically unable to connect to internet but able to connect to local network

We have a strange issue here.  Some of our laptop users periodically run into problems where they are able to connect to the intranet; however they are unable to connect to the Internet.  We have about 15 Computers connected to our network, 6 Desktops and 9 Laptops (IBM T43's) all running XP Pro SP2.  Our DNS/DHCP/Active Directory/Fileserver is running Windows 2003 SP1.  We have a Cisco PIX 515E (version 6.3.5) appliance that acts as our Firewall/VPN and connects to our DSL line.

It seems like the Laptop users that have problems are not always the same, however the problem is always the same in that they are not able to connect to servers outside our local network.  When I do an ipconfig the configuration looks correct (see example)

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.com
        IP Address. . . . . . . . . . . . : 192.168.1.44
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

The laptops typically have both Ethernet and Wireless connections enabled and appear to both have correct settings in the ipconfig

Another interesting condition is that if I disconnect the wired connection and connect to an outside wireless network the laptop users are able to connect to the internet.  

I’ve looked at the configuration settings on the laptops (all use DHCP) and they are all the same and appear correct.  Any suggestions on checking the Windows Server / Cisco PIX / Network would be appreciated!

Asked: cja777

MarkDozier Commented:
run ipconfig /all
This may give you some more data.
Is the default gateway the inside interface of the PIX?

lrmoore Commented:
>The laptops typically have both Ethernet and Wireless connections enabled
>if I disconnect the wired connection and connect to an outside wireless network the laptop users are able to connect to the internet.  

If you disconnect the wireless connection, can the laptop then get both the Intranet and Internet?

This should be a hint... don't run both the wireless and the wired at the same time..
If you must, then check both the NIC settings, TCP/IP properties, Advanced, IP Settings - make sure "Automatic metric" is checked.

cja777 Author Commented:
Thanks for the quick responses!!  

>run ipconfig /all
>This may give you some more data.
>Is the default gateway the inside interface of the PIX?
Yes, the default gateway is the inside interface of the PIX.  Running ipconfig /all didn't show anything unexpected, but I am still investigating.  

>If you disconnect the wireless connection, can the laptop then get both the Intranet and Internet?
No, if we disconnect the wireless connection we can only get to the Intranet.

>This should be a hint... don't run both the wireless and the wired at the same time..
>If you must, then check both the NIC settings, TCP/IP properties, Advanced, IP Settings - make sure "Automatic metric" is checked.

Yes, the Automatic metric is checked for all network interfaces

Still trying to figure out if it could be a PIX or DNS issue...

lrmoore Commented:
Are these laptops the only systems on the inside LAN that can't get out through the wired net/PIX?

With both interfaces active, your DNS entries may be hosed.
Try adding a manual DNS entry on the wired interface.

cja777 Author Commented:
Hi lrmoore,

I turned off wireless access on all of our Laptops and gave our users fixed IP Addresses and still had the same problem, however it is now only happening on 1 laptop at a time and not on 3 - 4 laptops.  After further investigation it seems like the affected users (the ones unable to connect to the internet) were the last ones to log on and connect to our network.  Could there be a setting in the PIX that is only letting say the first 15 users connect to the internet?  We have 25 IP addresses from our Internet provider.  Does anyone have any suggestions on what types of checks I can look into on our PIX or our WIN2K3 server to figure this out?

lrmoore Commented:
It could be something in your PIX, but I'd have to see the whole config to check.

cja777 Author Commented:
Looks like the PIX configuration is limiting the number of outbound internet connections from computers and is assigning them to a block of IP Addresses and when the limit of addresses is reached it prohibits other users from connecting to the internet.  Does anyone know off the top of their heads if there is a way around this?  I am thinking that I will need to set up a proxy server for our internet usage.

lrmoore Commented:
Depends on how you have the NAT / global set up.

Can you post the parts of your config that match these:
 global (outside) x
 nat (inside) x

cja777 Author Commented:
Hi lrmoore,

Thank you very much for your help!  It is much appreciated!!  
Here is the configuration from our PIX you requested

global (outside) 10 69.181.24.131-69.181.24.149 netmask 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

Thanks again!

lrmoore Commented:
AHA! Here's the important part:


global (outside) 10 69.181.24.131-69.181.24.149 netmask 255.255.255.224
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

The first global pool only has 18 IP addresses. System #19 is out of luck and will not get a global address. Yes, I know you only have 15 systems, but with laptops connecting and disconnecting, the xlates don't always timeout quick enough..

How to fix it? Pretty simple. Add a single PAT "overload" entry that will handle #19 and any/all subsequent users:

global (outside) 10 interface  <== yes, use the word "interface" just as shown

Now you'll be good to go and you can handle up to 65,000 individual systems instead of just 18.
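
The pool exhaustion described in this answer, modelled as an added Python example (not part of the original thread and not PIX code). The pool range is the one from the posted `global` line; the inside addresses, the 60-second spacing, the idle timeouts and the PAT address 203.0.113.1 are constructed placeholders.

```python
import ipaddress

def pool_from_range(first, last):
    """Expand an inclusive 'global' range into its individual addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]

# Range taken from the posted "global (outside) 10" line (inclusive).
POOL = pool_from_range("69.181.24.131", "69.181.24.149")
PAT_PLACEHOLDER = "203.0.113.1"  # placeholder: the outside interface IP is not on the page

class XlateTable:
    # Toy model: one global address per inside host until its xlate idles out.
    def __init__(self, pool, idle_timeout, pat_address=None):
        self.free = list(pool)
        self.idle_timeout = idle_timeout    # seconds
        self.pat_address = pat_address      # models "global (outside) 10 interface"
        self.xlates = {}                    # inside IP -> (global IP, last use)

    def _expire(self, now):
        for inside, (glob, last) in list(self.xlates.items()):
            if now - last >= self.idle_timeout:
                del self.xlates[inside]
                if glob != self.pat_address:
                    self.free.append(glob)  # pool address becomes reusable

    def outbound(self, inside, now):
        """Return the global address for this connection, or None if none is left."""
        self._expire(now)
        if inside in self.xlates:
            glob = self.xlates[inside][0]
        elif self.free:
            glob = self.free.pop(0)
        elif self.pat_address:
            glob = self.pat_address         # shared address; port mapping not modelled
        else:
            return None                     # pool exhausted, no overload entry
        self.xlates[inside] = (glob, now)
        return glob

def blocked_hosts(n_inside, idle_timeout, pat_address=None):
    """Constructed workload: n_inside addresses each open one connection, 60 s apart."""
    table = XlateTable(POOL, idle_timeout, pat_address)
    inside = [f"192.168.1.{10 + i}" for i in range(n_inside)]
    return [ip for i, ip in enumerate(inside) if table.outbound(ip, i * 60) is None]

if __name__ == "__main__":
    print("3 h timeout, no PAT:   ", blocked_hosts(24, 3 * 3600))
    print("10 min timeout, no PAT:", blocked_hosts(24, 600))
    print("3 h timeout, with PAT: ", blocked_hosts(24, 3 * 3600, PAT_PLACEHOLDER))
```

On the PIX itself, `show xlate` lists the translations currently held, which is the table this model imitates.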

cja777 Author Commented:
Perfect works like a charm.  Thanks!!