Cisco PIX 501 configuration

Posted on 2006-07-24
Last Modified: 2008-01-09
We have a Cisco PIX 501 in our office that has started giving us problems with connectivity to the Internet. We've had it since May 2003, but this problem has developed over the last 6 months or so. If we repower the PIX, all works normally for a while. But we're having to do this as often as every day sometimes. Could someone review our configuration and advise if there are any noticeable problems?

zenpix01(config)# show tech
 
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
 
Compiled on Fri 07-Jun-02 17:49 by morlee
 
zenpix01 up 7 days 1 hour
 
Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
 
0: ethernet0: address is 000c.ce32.d60a, irq 9
1: ethernet1: address is 000c.ce32.d60b, irq 10
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES:           Enabled
Maximum Interfaces: 2
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       50
Throughput:         Limited
IKE peers:          5
 
Serial Number: 807160744 (0x301c4ba8)
Running Activation Key: 0xe925a867 0x4ca38eb8 0xd3b58dfe 0xb44c7461
Configuration last modified by enable_15 at 14:54:13.344 UTC Mon Jul 24 2006
 
------------------ show config (run time) ------------------
 
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password HaWKfORzruzMjZCl encrypted
passwd J3NcngX6AMobzzCw encrypted
hostname zenpix01
domain-name zencos.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 10.0.0.1 zenpix01
name 10.0.0.5 zenux01
name 10.0.0.19 zenhp4550dn
name 10.0.0.21 zenmail01
name 10.0.0.31 zensrv01
name 10.0.0.32 zensrv02
name 10.0.0.34 zensrv04
name 10.0.0.61 zensql01
name 10.0.0.62 zenkmsrv01
name 10.0.0.81 zenwkst01
name 10.0.0.82 zenwkst02
name 10.0.0.83 zenwkst03
name 12.38.10.211 wwwzencoscom
name 12.38.10.213 patzencoscom
name 12.38.10.212 demozencoscom
name 12.38.10.214 webmailzencoscom
name 12.38.10.221 kmzencosnet
name 12.38.10.222 gatezencoscom
name 12.38.10.181 expensezencoscom
name 10.0.0.2 zenap01
name 10.0.0.18 zenprnsrv01
name 10.0.0.33 zensrv03
name 10.0.0.35 zensrv05
name 10.0.0.84 zenwkst04
name 10.0.0.63 zendev01
name 10.0.0.41 zenstor01
name 10.0.0.38 salesops
name 10.0.0.37 zensrv07
name 12.38.10.40 sourcezencoscom
name 10.0.0.36 sourcesrv
name 172.29.0.0 SBC_SalesOpsSrv
name 10.0.0.27 zenmail
name 12.38.10.45 hcsbizencoscom
name 10.0.0.161 zenitsrv01
name 10.0.0.162 zenitsrv02
name 10.0.0.163 zenitsrv03
name 10.0.0.184 zenitsrv04
access-list 101 permit tcp any host wwwzencoscom eq www
access-list 101 permit icmp any host wwwzencoscom
access-list 101 permit tcp any host webmailzencoscom eq www
access-list 101 permit tcp any host webmailzencoscom eq smtp
access-list 101 permit tcp any host webmailzencoscom eq pop3
access-list 101 permit tcp any host webmailzencoscom eq imap4
access-list 101 permit icmp any host patzencoscom
access-list 101 permit udp any host wwwzencoscom eq domain
access-list 101 permit tcp any host kmzencosnet eq www
access-list 101 permit tcp any host wwwzencoscom eq smtp
access-list 101 permit udp any host kmzencosnet eq domain
access-list 101 permit tcp any host wwwzencoscom eq 1723
access-list 101 permit gre any host wwwzencoscom
access-list 101 permit tcp any host demozencoscom eq www
access-list 101 permit icmp any host demozencoscom
access-list 101 permit tcp any host kmzencosnet eq smtp
access-list 101 permit tcp any host expensezencoscom eq www
access-list 101 permit tcp any host expensezencoscom eq 20001
access-list 101 permit icmp any host expensezencoscom
access-list 101 permit tcp any host kmzencosnet eq ftp
access-list 101 permit tcp any host sourcezencoscom eq www
access-list 101 permit icmp any host sourcezencoscom
access-list 101 permit tcp any host hcsbizencoscom eq www
access-list 101 permit tcp any host expensezencoscom eq 3101
access-list 101 permit tcp any host webmailzencoscom eq https
access-list 101 permit tcp any host expensezencoscom eq 1723
access-list 101 permit gre any host expensezencoscom
access-list 101 permit tcp any host wwwzencoscom eq 1888
access-list 101 permit tcp any host sourcezencoscom eq 9080
access-list 101 permit tcp any host sourcezencoscom eq 9443
access-list 101 permit tcp any host hcsbizencoscom eq 8098
access-list 101 permit tcp any host hcsbizencoscom eq 3389
access-list 101 permit tcp any host demozencoscom eq https
access-list 101 permit tcp any host sourcezencoscom eq ftp
access-list 101 permit tcp any host sourcezencoscom eq ftp-data
access-list 101 permit tcp any host demozencoscom eq ftp
access-list 101 permit tcp any host demozencoscom eq ftp-data
access-list 101 permit tcp any host demozencoscom eq 8080
access-list inside_outbound_nat0_acl permit ip any 10.0.0.128 255.255.255.128
access-list 102 permit ip 10.0.0.0 255.255.255.0 172.16.172.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.128 255.255.255.128
access-list outside_cryptomap_dyn_40 permit ip any 10.0.0.128 255.255.255.128
access-list outside_cryptomap_dyn_60 permit ip any 10.0.0.128 255.255.255.128
access-list 103 permit ip 10.0.0.0 255.255.255.0 172.16.172.0 255.255.255.0
no pager
logging console debugging
logging buffered informational
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside gatezencoscom 255.255.255.0
ip address inside zenpix01 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location zenmail01 255.255.255.255 inside
pdm location zensrv02 255.255.255.255 inside
pdm location zensrv04 255.255.255.255 inside
pdm location sourcesrv 255.255.255.255 inside
pdm location salesops 255.255.255.255 inside
pdm location zensql01 255.255.255.255 inside
pdm location zenkmsrv01 255.255.255.255 inside
pdm location XXXXXXXX 255.255.255.255 outside
pdm location XXXXXXXX 255.255.255.255 outside
pdm location XXXXXXXX  255.255.255.0 outside
pdm location XXXXXXXX 255.255.255.0 outside
pdm location zensrv07 255.255.255.255 inside
pdm location zenmail 255.255.255.255 inside
pdm location 10.0.0.56 255.255.255.255 inside
pdm location XXXXXXXX 255.255.255.128 outside
pdm location zensrv05 255.255.255.255 inside
pdm location zenitsrv03 255.255.255.255 inside
pdm location XXXXXXXX  255.255.255.0 outside
pdm location zenitsrv04 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 12.38.10.182-12.38.10.185 netmask 255.255.255.0
global (outside) 1 patzencoscom
global (outside) 2 wwwzencoscom
nat (inside) 0 access-list 102
nat (inside) 2 zensrv02 255.255.255.255 0 0
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) kmzencosnet zenkmsrv01 netmask 255.255.255.255 0 0
static (inside,outside) expensezencoscom zensql01 netmask 255.255.255.255 0 0
static (inside,outside) sourcezencoscom zensrv07 netmask 255.255.255.255 0 0
static (inside,outside) webmailzencoscom zenmail netmask 255.255.255.255 0 0
static (inside,outside) hcsbizencoscom zenitsrv03 netmask 255.255.255.255 0 0
static (inside,outside) demozencoscom salesops netmask 255.255.255.255 0 0
static (inside,outside) wwwzencoscom zenitsrv04 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 12.38.10.2 1
route outside 12.38.10.2 255.255.255.255 gatezencoscom 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 129.6.15.28 source outside
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set rackset esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map rackmap 9 ipsec-isakmp
crypto map rackmap 9 match address 103
crypto map rackmap 9 set peer XXXXXXXX
crypto map rackmap 9 set transform-set rackset
crypto map rackmap interface outside
isakmp enable outside
isakmp key ******** address XXXXXXXX netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 900
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
ca identity zenitsrv01 10.0.0.161:/cgi-bin
ca configure zenitsrv01 ra 1 0
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 25
ssh XXXXXXXX 255.255.255.255 outside
ssh XXXXXXXX.0 255.255.255.0 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
username XXXXXXXX password XXXXXXXX encrypted privilege 15
username XXXXXXXX password XXXXXXXX encrypted privilege 15
terminal width 80
Cryptochecksum:75bcd9dfc9e92c68e6a105022a1a06d2
 
------------------ show blocks ------------------
 
  SIZE    MAX    LOW    CNT
     4    600    561    600
    80    400    399    400
   256    100     96    100
  1550    932    489    676
  2560    200    196    199
 
------------------ show interface ------------------
 
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000c.ce32.d60a
  IP address 12.38.10.222, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        8095932 packets input, 3212547550 bytes, 0 no buffer
        Received 326305 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        8345526 packets output, 2492215366 bytes, 0 underruns
        0 output errors, 105699 collisions, 0 interface resets
        0 babbles, 0 late collisions, 220612 deferred
        1 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/124)
        output queue (curr/max blocks): hardware (0/100) software (0/44)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000c.ce32.d60b
  IP address 10.0.0.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit full duplex
        8729734 packets input, 2443319448 bytes, 0 no buffer
        Received 251325 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        7739150 packets output, 3073229084 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/94)
        output queue (curr/max blocks): hardware (0/105) software (0/93)
 
------------------ show process ------------------
 

    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 800b0e09 80759798 8052ddd8         20 80758810 3688/4096 arp_timer
Lsi 800b5271 8077c880 8052ddd8        210 8077b908 3800/4096 FragDBGC
Lwe 8000f9fe 808b6cc0 80531508          0 808b5e48 3704/4096 dbgtrace
Lwe 8020685d 808b8e20 80507300          0 808b6ed8 8008/8192 Logger
Hwe 8020a550 808bbee8 805075b0          0 808b9f70 8008/8192 tcp_fast
Hwe 8020a4c9 808bdf78 805075b0          0 808bc000 8008/8192 tcp_slow
Lsi 80137edd 809400f0 8052ddd8         10 8093f168 3796/4096 xlate clean
Lsi 80137deb 80941170 8052ddd8         20 809401f8 3784/4096 uxlate clean
Mwe 8012f423 8095dc88 8052ddd8        660 8095bcf0 7748/8192 tcp_intercept_timer_process
Lsi 80256f4d 8096c430 8052ddd8         30 8096b4a8 3784/4096 route_process
Hsi 8011bd84 8096d4a0 8052ddd8        540 8096c538 2648/4096 Hosts conn cleaner
Hwe 800da249 80999b10 8052ddd8        130 80995ba8 15072/16384 isakmp_time_keeper
Lsi 801217ac 809a7b40 8052ddd8         10 809a6bb8 3768/4096 perfmon
Hwe 800d6f61 809af920 804eda20    3723850 809ae9d8 3024/4096 IPsec response handler
Mwe 800d2671 809b19e0 8052ddd8       1490 809afa68 5424/8192 IPsec timer handler
 
Hwe 801c089b 809c3d58 8053d5f8       1730 809c1e00 6932/8192 qos_metric_daemon
Lwe 8012ff5a 809daac8 80539908          0 809d9c50 3704/4096 pix/trace
Lwe 8013016a 809dbb58 80539fd0          0 809dace0 3704/4096 pix/tconsole
Hwe 800b2dd0 809ddbe8 80753b9c   19086810 809dbd70 5428/8192 pix/intf1
Hwe 800b2dd0 809dfca8 80753b58    1352550 809dde00 5052/8192 pix/intf0
H*  80014f5a 7ffffe2c 8052ddc0        410 809e1ea0 13384/16384 ci/console
Csi 801299b3 809e6e88 8052ddd8       2200 809e5f30 3376/4096 update_cpu_usage
Hwe 8011a791 80a09640 804ef288          0 80a077b8 7676/8192 uauth0
Hwe 8011a791 80a0b6e0 804ef298          0 80a09858 7676/8192 uauth1
Hwe 802090d1 80a0d7c0 80793e1c          0 80a0b8e8 7896/8192 uauth
Hwe 8021b280 80a0e8f0 805077c8          0 80a0d978 3960/4096 udp_timer
Hsi 800aa0d2 80a10250 8052ddd8         70 80a0f2d8 3752/4096 557mcfix
Crd 800aa087 80a11300 8052e240  257529740 80a10368 3656/4096 557poll
Lsi 800aa139 80a12370 8052ddd8         60 80a113f8 3688/4096 557timer
Cwe 800b2e00 80a233f8 8077ecf8          0 80a224b0 3912/4096 fover_ip1
Cwe 800abb55 80a24448 808420b4     327630 80a23540 3556/4096 ip/1:1
Hwe 800b2e00 80a25518 8077ecd0       4510 80a245d0 3368/4096 icmp1
Mwe 8021aff6 80a26598 807cd974          0 80a25660 3896/4096 riprx/1
Msi 801c8831 80a27668 8052ddd8         10 80a266f0 3888/4096 riptx/1
Hwe 800b2e00 80a286d0 8077eca8       2220 80a27798 3732/4096 udp_thread/1
Hwe 800b2e00 80a29748 8077ec80          0 80a28840 3848/4096 tcp_thread/1
Cwe 800b2e00 80a2a828 8077ec58          0 80a298e0 3912/4096 fover_ip0
Cwe 800abb55 80a2b878 807cec04     331920 80a2a970 3400/4096 ip/0:0
Hwe 800b2e00 80a2c948 8077ec30          0 80a2ba00 3532/4096 icmp0
Mwe 8021aff6 80a2d9d8 807cd934          0 80a2caa0 3896/4096 riprx/0
Msi 801c8831 80a2eab8 8052ddd8         10 80a2db40 3752/4096 riptx/0
Hwe 800b2e00 80a2fb20 8077ec08        290 80a2ebe8 3732/4096 udp_thread/0
Hwe 800b2e00 80a30b98 8077ebe0         30 80a2fc90 3612/4096 tcp_thread/0
Mwe 8010cefd 80a64798 8052ddd8       1440 80a63820 3200/4096 ntp
Hwe 802092e5 80a64b78 80780144          0 80a648d0  300/1024 listen/http1
Hwe 800b2e00 80a67fb0 8077ebb8          0 80a66088 7976/8192 ahd
Hwe 800b2e00 80a6a040 8077eb90     111910 80a68118 7460/8192 espd
Hwe 8021aff6 80a6c0c0 807cd8f4     761390 80a6a1a8 6332/8192 isakmp_receiver
Hwe 802092e5 80a6c590 80780230          0 80a6c348  188/1024 listen/pfm
Hwe 802092e5 80a6ca38 8078031c          0 80a6c7f0  188/1024 listen/telnet_1
Hwe 802092e5 80a6cf00 80780408          0 80a6ccb8  188/1024 listen/ssh_0
Hwe 802092e5 80a6d3e8 807804f4          0 80a6d1a0  188/1024 listen/ssh_1
Mwe 801992c2 80a6fc20 8052ddd8       5780 80a6dca8 5476/8192 Crypto CA
Mwe 8021aff6 80b0abf8 807cd8b4        100 80b09cd0 3160/4096 ntp0
 
------------------ show failover ------------------
 
No license for Failover
zenpix01(config)#
Question by:dcostanzo
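The question asks for a configuration review, so here is the check a reviewer would run over the dump rather than reading it by eye. This is an added example, not code from the thread or from Cisco: CONFIG is an excerpt copied from the show config above (redactions kept as on the page), and the rule set, its wording and the list of ports treated as risky are the example's own assumptions, a starting point for a review rather than a verdict on this office.

```python
"""Mechanical review of the posted PIX 6.2 configuration.

Added example for this thread, not code from the original post or from
Cisco. CONFIG is an excerpt copied from the `show config` above; the rules,
their wording and the choice of risky ports are the example's own.
"""
import re

CONFIG = """\
fixup protocol http 80
no fixup protocol smtp 25
access-list 101 permit tcp any host webmailzencoscom eq pop3
access-list 101 permit tcp any host webmailzencoscom eq imap4
access-list 101 permit tcp any host kmzencosnet eq ftp
access-list 101 permit tcp any host hcsbizencoscom eq 3389
access-list 101 permit tcp any host webmailzencoscom eq https
logging console debugging
logging buffered informational
crypto ipsec transform-set rackset esp-3des esp-md5-hmac
isakmp policy 9 hash md5
isakmp policy 9 lifetime 900
isakmp policy 20 hash sha
snmp-server community public
telnet 10.0.0.0 255.255.255.0 inside
ssh XXXXXXXX 255.255.255.255 outside
ssh 10.0.0.0 255.255.255.0 inside
"""

# Services worth a second look when permitted from "any" on the outside ACL:
# cleartext credentials, or remote administration that belongs behind the VPN.
# This list is the reviewer's assumption, not something the PIX defines.
RISKY_PORTS = {
    "ftp": "cleartext FTP login",
    "telnet": "cleartext telnet",
    "pop3": "cleartext POP3 login",
    "imap4": "cleartext IMAP login",
    "3389": "RDP reachable from the Internet",
}

ACL_RE = re.compile(r"access-list (\S+) permit tcp any host (\S+) eq (\S+)$")
SSH_OUTSIDE_RE = re.compile(r"ssh (\S+) (\S+) outside$")


def review(config: str) -> list[str]:
    """Return one finding string per questionable line, in config order."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    for line in lines:
        m = ACL_RE.match(line)
        if m and m.group(3) in RISKY_PORTS:
            acl, host, port = m.groups()
            findings.append(f"acl {acl}: {RISKY_PORTS[port]} on {host} ({port})")
        if line == "snmp-server community public":
            findings.append("snmp: well-known community string 'public'")
        if line.startswith("telnet ") and line.endswith(" inside"):
            findings.append("mgmt: telnet (cleartext) allowed inside; ssh is already permitted there")
        m = SSH_OUTSIDE_RE.match(line)
        if m:
            findings.append(f"mgmt: ssh reachable from outside ({m.group(1)} {m.group(2)}); confirm it is needed")
        if line == "logging console debugging":
            findings.append("logging: console at debugging level costs CPU on a PIX; keep console at a low level")
        if re.search(r"\bmd5\b", line):
            findings.append(f"crypto: MD5 hashing in use: '{line}'")
    # Buffered logs vanish at every repower, which is exactly when they are
    # needed here; a syslog host keeps them.
    if not any(l.startswith("logging host ") for l in lines):
        findings.append("logging: no 'logging host' configured; buffered log is lost on repower")
    return findings


if __name__ == "__main__":
    for finding in review(CONFIG):
        print(finding)
```

Run as-is it prints eleven findings for the excerpt: the cleartext and remote-admin services opened to any on access-list 101, the default SNMP community, telnet management, SSH from the outside, MD5 in the IKE and IPsec proposals, console logging at debugging level, and the absence of a syslog host. That last one is the one that bears directly on the thread: the buffered log is the only record of what the PIX was doing when it stalled, and it is wiped by the daily repower, so pointing logging host at an inside machine before the next failure is cheap and useful whatever the eventual cause turns out to be.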
 
Accepted Solution by nodisco (LVL 19), earned 500 total points:
hi there

The first thing I would do with this PIX is upgrade its OS. 6.2(2) is very old and there have been many updates and bug fixes since that release. If you have a Cisco CCO ID or SmartNet contract you can download the 6.3(5) OS from http://www.cisco.com/cgi-bin/tablebuild.pl/pix

I would do this first as it may fix the problem, but until you have upgraded, any other tests you do to fix your issue may not give you accurate results. I would also check the duplex settings on the next device outside - be it an outside switch, cable modem, ISP router etc. Often a duplex mismatch will cause intermittent issues. At present it is being picked up as half duplex.

hth
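nodisco's duplex point is the kind of thing the counters the asker already pasted can confirm or rule out. The following is an added example, not code from the thread or from Cisco. It parses the show interface text from the post (SHOW_INTERFACE below is that text, trimmed to the lines used) together with the two interface ethernetN lines from the config, and applies a reviewer's rule of thumb that is the example's own: late collisions, CRC errors or runts on a half-duplex port point to a mismatch; plain collisions and deferrals are ordinary shared-medium behaviour on a half-duplex link, but still mean the peer's setting has to be checked. The mapping of the PIX 6.x interface keywords (10baset is 10 Mb/s half duplex, 10full is 10 Mb/s full duplex) follows the PIX command syntax.

```python
"""Reading PIX `show interface` counters for a duplex/speed problem.

Added example for this thread, not code from the post or from Cisco.
Parses the pasted `show interface` text plus the `interface ethernetN`
config lines and applies a reviewer's rule of thumb (the example's own).
"""
import re

# The two hardware lines from the posted config.
CONFIG_LINES = """\
interface ethernet0 10baset
interface ethernet1 10full
"""

# The posted `show interface` output, trimmed to the lines used below.
SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  MTU 1500 bytes, BW 10000 Kbit half duplex
        8095932 packets input, 3212547550 bytes, 0 no buffer
        Received 326305 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        8345526 packets output, 2492215366 bytes, 0 underruns
        0 output errors, 105699 collisions, 0 interface resets
        0 babbles, 0 late collisions, 220612 deferred
interface ethernet1 "inside" is up, line protocol is up
  MTU 1500 bytes, BW 10000 Kbit full duplex
        8729734 packets input, 2443319448 bytes, 0 no buffer
        Received 251325 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        7739150 packets output, 3073229084 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
"""

# PIX 6.x `interface` keywords: what they force on the NIC (kbit, duplex).
INTERFACE_KEYWORDS = {
    "10baset": (10000, "half"), "10full": (10000, "full"),
    "100basetx": (100000, "half"), "100full": (100000, "full"),
    "auto": (None, "auto"),
}

COUNTERS = ["packets input", "runts", "CRC", "input errors",
            "packets output", "collisions", "late collisions", "deferred"]


def parse_show_interface(text):
    """Map interface name -> {'hw', 'duplex', 'bw_kbit', <counter>: int}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r'interface (\S+) "(\w+)"', line)
        if m:
            cur = ifaces.setdefault(m.group(2), {"hw": m.group(1)})
            continue
        if cur is None:
            continue
        m = re.search(r"BW (\d+) Kbit (half|full) duplex", line)
        if m:
            cur["bw_kbit"], cur["duplex"] = int(m.group(1)), m.group(2)
        for name in COUNTERS:
            # "(\d+) collisions" does not match "0 late collisions", so the
            # two collision counters stay separate.
            m = re.search(r"(\d+) " + re.escape(name) + r"\b", line)
            if m:
                cur[name] = int(m.group(1))
    return ifaces


def parse_config(text):
    """Map hardware name (ethernet0) -> configured (bw_kbit, duplex)."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"interface (\S+) (\S+)$", line.strip())
        if m and m.group(2) in INTERFACE_KEYWORDS:
            cfg[m.group(1)] = INTERFACE_KEYWORDS[m.group(2)]
    return cfg


def assess(iface, configured=None):
    """Return (verdict, collision_pct) for one parsed interface."""
    out = iface.get("packets output", 0)
    coll_pct = 100.0 * iface.get("collisions", 0) / out if out else 0.0
    # Symptoms that distinguish a mismatch from a busy half-duplex segment.
    errors = (iface.get("late collisions", 0) + iface.get("CRC", 0)
              + iface.get("runts", 0))
    duplex = iface.get("duplex")
    if duplex == "half" and errors:
        verdict = "likely duplex mismatch: half duplex with late collisions/CRC/runts"
    elif duplex == "full" and errors:
        verdict = "possible mismatch: full duplex but seeing CRC/runts, peer may be half"
    elif duplex == "half" and iface.get("collisions", 0):
        verdict = "half duplex with ordinary collisions; confirm the peer uses the same setting"
    else:
        verdict = "clean"
    if configured and configured[1] != "auto":
        verdict += f" [config forces {configured[0] // 1000} Mb/s {configured[1]}]"
    return verdict, coll_pct


if __name__ == "__main__":
    cfg = parse_config(CONFIG_LINES)
    for name, iface in parse_show_interface(SHOW_INTERFACE).items():
        verdict, pct = assess(iface, cfg.get(iface["hw"]))
        print(f"{name}: {iface['duplex']} duplex, {pct:.2f}% collisions -> {verdict}")
```

On the pasted numbers the outside port is forced to 10 Mb/s half duplex, shows about 1.27% collisions and 220612 deferrals, and has zero late collisions, CRC errors or runts, which is what a working half-duplex link looks like rather than a mismatch; the inside port is clean at full duplex. So the counters do not blame duplex on their own. The useful next step is to confirm that the device on the far side of ethernet0 is set to 10/half (or move both ends to a fixed full-duplex setting) and then watch whether the collision and deferred counters keep climbing between failures.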
 

Author Comment by dcostanzo:
Thank you.  We will do the upgrade and advise.
 
Expert Comment by NYtechGuy (LVL 9):

I would also suggest an upgrade to the newest - I believe you can only go up to 6.3(5) with a PIX 501.

However, one test you can try - when you realize that no one can get to the internet:

clear xlate

Type that into the command line, when logged in and after doing ENABLE to get to priv mode.

Thanks,

Justin
 
Expert Comment by rsivanandan (LVL 32):
Agree with nodisco, first upgrade the version to 6.3(5). Also, since your access-list 101 has many lines, the PIX will have to do more processing on the traffic as well, so I would suggest you make it a TurboACL. It is nothing but making the access-list processing faster than the traditional processing. It keeps the map in memory and does a good job.

To turn on TurboACL:

access-list 101 compiled

above is the command.

Cheers,
Rajesh
Expert Comment by NYtechGuy (LVL 9):
Rajesh -

Does the PIX 501 support TurboACL? I always thought it was not supported/licensed for use on the 501.

Thanks!

Justin
 
Expert Comment by rsivanandan (LVL 32):
I believe it does.

Cheers,
Rajesh
 
Expert Comment by nodisco (LVL 19):
FYI
Turbo ACLs are not supported on the 501.

 

Author Comment by dcostanzo:
Thank you all for this information. We are going to schedule the upgrade in a few weeks. We're a small company and our IT person is doing billable work on a client site right now. Once we can free him up, we'll proceed. More later...