Solved

Win2k3 - Cisco PIX Issue? - Some Laptop users periodically unable to connect to internet but able to connect to local network

Posted on 2006-04-06
11
Medium Priority
255 Views
Last Modified: 2010-03-19
We have a strange issue here.  Some of our laptop users periodically run into problems where they are able to connect to the intranet; however they are unable to connect to the Internet.  We have about 15 Computers connected to our network, 6 Desktops and 9 Laptops (IBM T43's) all running XP Pro SP2.  Our DNS/DHCP/Active Directory/Fileserver is running Windows 2003 SP1.  We have a Cisco PIX 515E (version 6.3.5) appliance that acts as our Firewall/VPN and connects to our DSL line.

It seems like the Laptop users that have problems are not always the same, however the problem is always the same in that they are not able to connect to servers outside our local network.  When I do an ipconfig the configuration looks correct (see example)

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.com
        IP Address. . . . . . . . . . . . : 192.168.1.44
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

The laptops typically have both Ethernet and Wireless connections enabled and appear to both have correct settings in the ipconfig

Another interesting condition is that if I disconnect the wired connection and connect to an outside wireless network the laptop users are able to connect to the internet.  

I’ve looked at the configuration settings on the laptops (all use DHCP) and they are all the same and appear correct.  Any suggestions on checking the Windows Server / Cisco PIX / Network would be appreciated!
Question by:cja777
11 Comments
 
LVL 8

Expert Comment

by:MarkDozier
ID: 16394741
run ipconfig /all
This may give you some more data.
Is the default gateway the inside interface of the PIX?
 
LVL 79

Expert Comment

by:lrmoore
ID: 16395192
>The laptops typically have both Ethernet and Wireless connections enabled
>if I disconnect the wired connection and connect to an outside wireless network the laptop users are able to connect to the internet.  

If you disconnect the wireless connection, can the laptop then get both the Intranet and Internet?

This should be a hint... don't run both the wireless and the wired at the same time..
If you must, then check both the NIC settings, TCP/IP properties, Advanced, IP Settings - make sure "Automatic metric" is checked.
 

Author Comment

by:cja777
ID: 16395604
Thanks for the quick responses!!  

>run ipconfig /all
>This may give you some more data.
>Is the default gateway the inside interface of the PIX?
Yes the default gateway is the inside interface of the PIX.  running ipconfig /all didn't show anything unexpected, but I am still investigating.  

>If you disconnect the wireless connection, can the laptop then get both the Intranet and Internet?
No if we disconnect the wireless connection we can only get to the Intranet

>This should be a hint... don't run both the wireless and the wired at the same time..
>If you must, then check both the NIC settings, TCP/IP properties, Advanced, IP Settings - make sure "Automatic metric" is checked.

Yes, the Automatic metric is checked for all network interfaces

Still trying to figure out if it could be a PIX or DNS issue...

 
LVL 79

Expert Comment

by:lrmoore
ID: 16395778
Are these laptops the only systems on the inside LAN that can't get out through the wired net/PIX?

with both interfaces active, your DNS entries may be hosed.
Try adding a manual DNS entry on the wired interface.
 

Author Comment

by:cja777
ID: 16405227
Hi lrmoore,

I turned off wireless access on all of our Laptops and gave our users fixed IP Addresses and still had the same problem, however it is now only happening on 1 laptop at a time and not on 3 - 4 laptops.  After further investigation it seems like the affected users (the ones unable to connect to the internet) were the last ones to log on and connect to our network.  Could there be a setting in the PIX that is only letting say the first 15 users connect to the internet?  We have 25 IP addresses from our Internet provider.  Does anyone have any suggestions on what types of checks I can look into on our PIX or our WIN2K3 server to figure this out?
 
LVL 79

Expert Comment

by:lrmoore
ID: 16406764
It could be something in your PIX, but I'd have to see the whole config to check.
 

Author Comment

by:cja777
ID: 16431071
Looks like the PIX configuration is limiting the number of outbound internet connections from computers and is assigning them to a block of IP Addresses and when the limit of addresses is reached it prohibits other users from connecting to the internet.  Does anyone know off the top of their heads if there is a way around this?  I am thinking that I will need to set up a proxy server for our internet usage.
 
LVL 79

Expert Comment

by:lrmoore
ID: 16431723
Depends on how you have the NAT / global set up.

Can you post the parts of your config that match these:
 global (outside) x
 nat (inside) x
 

Author Comment

by:cja777
ID: 16438926
Hi Lrmore

Thank you very much for your help!  It is much appreciated!!  
Here is the configuration from our PIX you requested

global (outside) 10 69.181.24.131-69.181.24.149 netmask 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

Thanks again!
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 16440201
AHA! Here's the important part:


global (outside) 10 69.181.24.131-69.181.24.149 netmask 255.255.255.224
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

The first global pool only has 18 IP addresses. System #19 is out of luck and will not get a global address. Yes, I know you only have 15 systems, but with laptops connecting and disconnecting, the xlates don't always timeout quick enough..

How to fix it? Pretty simple. Add a single PAT "overload" entry that will handle #19 and any/all subsequent users:

global (outside) 10 interface  <== yes, use the word "interface" just as shown

now you'll be good to go and you can handle up to 65,000 individual systems instead of just 18

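The accepted answer comes down to pool arithmetic: a dynamic NAT `global` pool hands out one outside address per inside host, and once the pool is empty the next host gets no xlate and simply cannot reach the Internet, while stale xlates from laptops that came and went keep addresses tied up. The Python below is an added illustration written for this page, not code from the thread or from Cisco: it is a deliberately simplified model of PIX 6.x xlate allocation (pool addresses first, then the PAT entry for the same NAT id, address returned to the pool on timeout), fed with the two `global` lines quoted above and a constructed set of 25 inside hosts. The pool size is computed from the range endpoints in the config line rather than taken from the text.

```python
"""Toy model of PIX 6.x dynamic NAT / PAT allocation.

Constructed example for the thread above; it is NOT a PIX emulator.
Modelled behaviour: a 'global' range is a pool of one-to-one dynamic NAT
addresses consumed in order; a 'global ... interface' (or single address)
entry is PAT that absorbs every host once the pool is empty; an xlate
timeout returns a pool address for reuse.
"""
import ipaddress
import re

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")


def parse_global(line):
    """Return (nat_id, outside_addresses, is_pat) for one 'global' line."""
    m = GLOBAL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a global statement: {line!r}")
    nat_id, spec = int(m.group(2)), m.group(3)
    if spec == "interface":
        return nat_id, [], True                       # PAT on the outside interface IP
    if "-" in spec:                                   # a-b range: dynamic NAT pool
        lo, hi = (int(ipaddress.IPv4Address(x)) for x in spec.split("-"))
        return nat_id, [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)], False
    return nat_id, [spec], True                       # single address: PAT on that IP


class XlateTable:
    """Hands out translations for one NAT id, pool first, then PAT."""

    def __init__(self, global_lines, nat_id=10):
        self.pool = []                 # free dynamic-NAT addresses, config order
        self.pat = []                  # PAT addresses; "interface" = outside IP itself
        for line in global_lines:
            gid, addrs, is_pat = parse_global(line)
            if gid != nat_id:
                continue
            if is_pat:
                self.pat.append(addrs[0] if addrs else "interface")
            else:
                self.pool.extend(addrs)
        self.xlates = {}               # inside ip -> (outside ip, port or None)
        self.next_port = 1024          # constructed starting port for PAT

    def translate(self, inside_ip):
        """Return the host's xlate, or None when nothing is left to give it."""
        if inside_ip in self.xlates:
            return self.xlates[inside_ip]
        if self.pool:
            xlate = (self.pool.pop(0), None)          # one-to-one dynamic NAT
        elif self.pat:
            xlate = (self.pat[0], self.next_port)     # many-to-one PAT
            self.next_port += 1
        else:
            return None                               # "system #19 is out of luck"
        self.xlates[inside_ip] = xlate
        return xlate

    def timeout(self, inside_ip):
        """Expire an xlate; a pool address becomes reusable again."""
        outside, port = self.xlates.pop(inside_ip)
        if port is None:
            self.pool.append(outside)


# Config lines quoted in the thread, and the one-line fix from the answer.
THREAD_GLOBAL = "global (outside) 10 69.181.24.131-69.181.24.149 netmask 255.255.255.224"
PAT_FIX = "global (outside) 10 interface"

# Constructed inside hosts: 25, more than the pool can hold.
HOSTS = [f"192.168.1.{i}" for i in range(20, 45)]


def demo(global_lines, hosts=HOSTS):
    """Translate every host once; None marks a host that cannot get out."""
    table = XlateTable(global_lines)
    return {h: table.translate(h) for h in hosts}


if __name__ == "__main__":
    print("pool size:", len(parse_global(THREAD_GLOBAL)[1]))
    before = demo([THREAD_GLOBAL])
    print("hosts without xlate (pool only):", [h for h, x in before.items() if x is None])
    after = demo([THREAD_GLOBAL, PAT_FIX])
    print("hosts without xlate (pool + PAT):", [h for h, x in after.items() if x is None])
```

Running it shows the exact symptom from the thread: with the pool alone, the last hosts to arrive get no translation, and the only way to free an address is for an earlier xlate to time out; with the `interface` PAT entry added, every host past the pool is translated to the outside interface address with a distinct source port.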
 

Author Comment

by:cja777
ID: 16441185
Perfect works like a charm.  Thanks!!