

Pix 501 - static (inside,outside) statements shut down all internet access

Posted on 2006-11-12
Medium Priority
Last Modified: 2013-11-16
I have a feeling I'm just missing something really simple here, but this problem has been driving me crazy!

Here's the situation:

We had a Pix 506E which failed a couple days ago because of a bad power connector.  I installed a brand new Pix 501 and cut/pasted the config from the 506.  Everything seemed to work the same, except that the 501 was a 10-user model, so we were banging up against that limit immediately.  

We acquired an unlimited license 501, and I again cut/pasted the exact same config - but when I connected it this time no one was able to pass traffic out through the Pix.  Every host could ping the Pix, but not any public address outside the network.  After many frustrating hours I discovered that if I removed the static (inside,outside) statements mapping our public addresses to our two onsite servers, everything would work fine!  Putting those static statements back in would immediately hose internet access again.

What's weird is that the 10-user Pix 501 has those static statements and there's no problem!  

Also, we just fixed the original 506 (just had to open it up and reseat the power connector) and connected it back to the network - same problem as the unlimited license 501.  The config on this unit wasn't changed!  This is leading me to believe I'm just overlooking something really obvious and simple.

Below is the config we're using.  I'm assigning 500 points because this is keeping multiple users from doing their work effectively. Thanks in advance for any help!


PX1# sh ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

PX1 up 1 min 19 secs

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0016.c7f9.b681, irq 9
1: ethernet1: address is 0016.c7f9.b682, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.

Configuration has not been modified since last system restart.

PX1# sh ru
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password FDIh4f5k47X7yofT encrypted
passwd FDIh4f5k47X7yofT encrypted
hostname PX1
domain-name local.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 100 permit ip
access-list 100 permit ip
access-list 110 permit ip
pager lines 24
logging facility 16
logging host inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.33.162
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnip
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0 0
static (inside,outside) xxx.xxx.33.164 netmask 0 0
static (inside,outside) xxx.xxx.33.165 netmask 0 0
static (inside,outside) xxx.xxx.33.167 netmask 0 0
static (inside,outside) xxx.xxx.33.170 netmask 0 0
conduit permit icmp any any
conduit permit tcp host xxx.xxx.33.164 eq www any
conduit permit tcp host xxx.xxx.33.165 eq www any
conduit permit tcp host xxx.xxx.33.165 eq smtp any
conduit permit tcp host xxx.xxx.33.165 eq ftp any
conduit permit tcp host xxx.xxx.33.165 eq 5500 any
conduit permit tcp host xxx.xxx.33.167 eq 5500 any
conduit permit tcp host xxx.xxx.33.170 eq lpd any
conduit permit udp host xxx.xxx.33.170 eq 515 any
route outside xxx.xxx.33.161 1
timeout xlate 0:05:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpntrans esp-des esp-md5-hmac
crypto dynamic-map vpndyn 30 set transform-set vpntrans
crypto map b2pvpn 10 ipsec-isakmp
crypto map b2pvpn 10 match address 110
crypto map b2pvpn 10 set peer xxx.xxx.31.194
crypto map b2pvpn 10 set transform-set vpntrans
crypto map b2pvpn 20 ipsec-isakmp dynamic vpndyn
crypto map b2pvpn interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.31.194 netmask no-xauth no-c
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup local-vpn address-pool vpnip
vpngroup local-vpn dns-server
vpngroup local-vpn wins-server
vpngroup local-vpn default-domain local.local
vpngroup local-vpn split-tunnel 100
vpngroup local-vpn idle-time 18000
vpngroup local-vpn password ********
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd wins
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
Question by: smocohiba
LVL 28

Accepted Solution

batry_boy earned 2000 total points
ID: 17925896
The first thing I would check is the ARP cache on your next hop gateway listed in your PIX config as xxx.xxx.33.161.  When you change out hardware you run into the problem of the next hop gateway (or any other device on the outside network segment) caching your MAC address in its ARP table, which can cause connectivity problems until it is refreshed.

Therefore, clear the ARP cache on the next hop router by either:

1) Manually issuing the command to do it for that particular device (don't know how to tell you to do this since I don't know what kind of router/device it is)
2) Cycle the power to it

Try this first and let me know if the problem is still there.
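The stale-ARP failure mode described in this answer, as an added example that is not part of the original thread and not the PIX's or the ISP's code. The PIX answers ARP (proxy ARP) for every static-mapped public address as well as its own outside address, so the upstream gateway caches the old box's MAC for all of them; a replacement box therefore needs to announce each of those addresses with a gratuitous ARP, not just the interface address. The block below builds and decodes those frames and runs them through a toy model of the gateway's neighbour table. The MACs (other than ethernet0 from the `sh ver` output), the 203.0.113.x public addresses standing in for the redacted xxx.xxx.33.x block, and the `ArpCache` model are all constructed for the example.

```python
"""Gratuitous ARP announcements to refresh a next-hop gateway after a firewall swap.

Added example for the thread above; not code from the page. All addresses except
the ethernet0 MAC are constructed (203.0.113.0/24 is TEST-NET-3, not a real prefix).
"""
import struct

ETH_P_ARP = 0x0806
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def gratuitous_arp(mac, ip, opcode=ARP_REPLY):
    """Ethernet + ARP frame with sender IP == target IP (an ARP announcement)."""
    eth = BROADCAST + mac_bytes(mac) + struct.pack("!H", ETH_P_ARP)
    target_hw = ZERO_MAC if opcode == ARP_REQUEST else mac_bytes(mac)
    arp = struct.pack("!HHBBH", HW_ETHERNET, PROTO_IPV4, 6, 4, opcode)
    arp += mac_bytes(mac) + ip_bytes(ip) + target_hw + ip_bytes(ip)
    return eth + arp


def parse_arp(frame):
    """Decode an IPv4-over-Ethernet ARP frame; reject anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {
        "opcode": op,
        "sender_mac": mac_str(sha),
        "sender_ip": ip_str(spa),
        "target_ip": ip_str(tpa),
        "gratuitous": spa == tpa,
    }


class ArpCache:
    """Toy model of the neighbour table on the ISP gateway (.161 in the thread)."""

    def __init__(self):
        self.table = {}

    def learn(self, frame):
        """Overwrite the sender's entry, as a cache does on any ARP it sees.
        Returns True when the stored MAC actually changed."""
        info = parse_arp(frame)
        old = self.table.get(info["sender_ip"])
        self.table[info["sender_ip"]] = info["sender_mac"]
        return old != info["sender_mac"]


def refresh_frames(new_mac, outside_ip, static_ips):
    """One announcement for the outside interface and one per static-mapped
    public address: the PIX proxy-ARPs for every static, so the gateway holds
    the old firewall's MAC for all of them, not only for the interface IP."""
    return [gratuitous_arp(new_mac, ip) for ip in [outside_ip, *static_ips]]


# Constructed scenario (hypothetical addresses, see lead-in).
OLD_PIX_MAC = "00:0b:46:aa:bb:01"      # made-up MAC of the failed 506E
NEW_PIX_MAC = "00:16:c7:f9:b6:81"      # ethernet0 from the 'sh ver' output above
OUTSIDE_IP = "203.0.113.162"           # stands in for xxx.xxx.33.162
STATIC_IPS = ["203.0.113.164", "203.0.113.165", "203.0.113.167", "203.0.113.170"]


def demo():
    gateway = ArpCache()
    for ip in [OUTSIDE_IP, *STATIC_IPS]:
        gateway.table[ip] = OLD_PIX_MAC   # stale entries left by the old hardware
    updated = sum(gateway.learn(f) for f in refresh_frames(NEW_PIX_MAC, OUTSIDE_IP, STATIC_IPS))
    return {"updated": updated, "cache": dict(gateway.table)}


if __name__ == "__main__":
    for ip, mac in demo()["cache"].items():
        print(ip, mac)
```

On a real network you would put these frames on the wire with a raw socket (root required) or, more simply, from a Linux host plugged into the outside segment with iputils `arping -U -I <iface> -s <ip> <ip>` once per public address, and confirm on the PIX with `show arp` that the gateway's own entry is fresh. Whether the upstream device honours unsolicited ARP at all depends on its vendor; many ignore it, which is why the thread's fix ended up being a flush on the ISP side.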

Author Comment

ID: 17925990
Thanks for your suggestion - the .161 gateway is an onsite endpoint from our wireless ISP, basically nothing more than a small box with one enet port and a power connector.  I've power cycled this along with our other equipment without success.  

I also contacted our ISP and they assured me there's no other equipment along our circuit that would be caching MAC addresses.

Thanks again and please keep the suggestions coming!

LVL 28

Expert Comment

ID: 17927308
Is one of the inside servers referenced in your static translation statements your DNS server for your inside network hosts?  Also, when you try to ping an outside host from an inside host have you tried pinging by IP address or pinging by hostname?

Author Comment

ID: 17927576
Yes, the .165 outside address is static mapped to the .11 internal DNS/mail server.  All pings outside are by IP.

LVL 28

Expert Comment

ID: 17928020
Can you post the 10 user PIX 501 config and either the 506 or the unrestricted 501 configs as they exist right now?

Author Comment

ID: 17948533
It actually did end up being the MAC cache on the ISP gateway!  I had them flush it and everything works fine.  Thanks for your help!
