Pix 501 - static (inside,outside) statements shut down all internet access

I have a feeling I'm just missing something really simple here, but this problem has been driving me crazy!

Here's the situation:

We had a Pix 506E which failed a couple days ago because of a bad power connector.  I installed a brand new Pix 501 and cut/pasted the config from the 506.  Everything seemed to work the same, except that the 501 was a 10 user model, so we were banging up against that limit immediately.  

We acquired an unlimited license 501, and I again cut/pasted the exact same config - but when I connected it this time no one was able to pass traffic out through the Pix.  Every host could ping the Pix, but not any public address outside the network.  After many frustrating hours I discovered that if I removed the static (inside,outside) statements mapping our public addresses to our two onsite servers, everything would work fine!  Putting those static statements back in would immediately hose internet access again.

What's weird is that the 10-user Pix 501 has those static statements and there's no problem!  

Also, we just fixed the original 506 (just had to open it up and reseat the power connector) and connected it back to the network - same problem as the unlimited license 501.  The config on this unit wasn't changed!  This is leading me to believe I'm just overlooking something really obvious and simple.

Below is the config we're using.  I'm assigning 500 points because this is keeping multiple users from doing their work effectively. Thanks in advance for any help!


PX1# sh ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

PX1 up 1 min 19 secs

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0016.c7f9.b681, irq 9
1: ethernet1: address is 0016.c7f9.b682, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.

Configuration has not been modified since last system restart.

PX1# sh ru
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password FDIh4f5k47X7yofT encrypted
passwd FDIh4f5k47X7yofT encrypted
hostname PX1
domain-name local.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 100 permit ip
access-list 100 permit ip
access-list 110 permit ip
pager lines 24
logging facility 16
logging host inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.33.162
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnip
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0 0
static (inside,outside) xxx.xxx.33.164 netmask 0 0
static (inside,outside) xxx.xxx.33.165 netmask 0 0
static (inside,outside) xxx.xxx.33.167 netmask 0 0

static (inside,outside) xxx.xxx.33.170 netmask 0 0

conduit permit icmp any any
conduit permit tcp host xxx.xxx.33.164 eq www any
conduit permit tcp host xxx.xxx.33.165 eq www any
conduit permit tcp host xxx.xxx.33.165 eq smtp any
conduit permit tcp host xxx.xxx.33.165 eq ftp any
conduit permit tcp host xxx.xxx.33.165 eq 5500 any
conduit permit tcp host xxx.xxx.33.167 eq 5500 any
conduit permit tcp host xxx.xxx.33.170 eq lpd any
conduit permit udp host xxx.xxx.33.170 eq 515 any
route outside xxx.xxx.33.161 1
timeout xlate 0:05:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpntrans esp-des esp-md5-hmac
crypto dynamic-map vpndyn 30 set transform-set vpntrans
crypto map b2pvpn 10 ipsec-isakmp
crypto map b2pvpn 10 match address 110
crypto map b2pvpn 10 set peer xxx.xxx.31.194
crypto map b2pvpn 10 set transform-set vpntrans
crypto map b2pvpn 20 ipsec-isakmp dynamic vpndyn
crypto map b2pvpn interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.31.194 netmask no-xauth no-c
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup local-vpn address-pool vpnip
vpngroup local-vpn dns-server
vpngroup local-vpn wins-server
vpngroup local-vpn default-domain local.local
vpngroup local-vpn split-tunnel 100
vpngroup local-vpn idle-time 18000
vpngroup local-vpn password ********
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd wins
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end

The first thing I would check is the ARP cache on your next hop gateway listed in your PIX config as xxx.xxx.33.161.  When you change out hardware you run into the problem of the next hop gateway (or any other device on the outside network segment) caching your MAC address in its ARP table, which can cause connectivity problems until it is refreshed.

Therefore, clear the ARP cache on the next hop router by either:

1) Manually issuing the command to do it for that particular device (don't know how to tell you to do this since I don't know what kind of router/device it is)
2) Cycle the power to it

Try this first and let me know if the problem is still there.
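To make the failure mode in this answer concrete, here is a small simulation added as an illustration; it is not code from the thread or from Cisco. It models the upstream gateway's ARP table across a firewall hardware swap: the PIX answers ARP on the outside for its own interface address and, through proxy ARP, for every address in a static (inside,outside) translation, so after the swap all of those entries point at a MAC that is no longer on the wire, and power-cycling the PIX does nothing to the gateway's cache. The addresses (203.0.113.x standing in for the redacted xxx.xxx.33.x), the old MAC, and the gateway's 14400 s ARP timeout are all constructed assumptions; the new MAC is the ethernet0 address from the `sh ver` output above.

```python
"""Simulation (added example, not from the thread) of a next-hop gateway's ARP
cache when a firewall is replaced by new hardware with the same configuration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed: the gateway ages ARP entries with the same 14400 s default that the
# PIX config shows ('arp timeout 14400'). The real ISP box may differ.
ARP_TIMEOUT = 14400

# Constructed addresses: the redacted xxx.xxx.33.x octets are replaced with the
# 203.0.113.0/24 documentation range.
PIX_OUTSIDE = "203.0.113.162"
STATIC_PUBLIC = ["203.0.113.164", "203.0.113.165", "203.0.113.167", "203.0.113.170"]
OLD_PIX_MAC = "0011.2233.4455"   # constructed: MAC of the failed PIX 506E
NEW_PIX_MAC = "0016.c7f9.b681"   # ethernet0 MAC from the replacement 501's 'sh ver'


def pix_answers_arp(ip: str, pix_mac: str) -> Optional[str]:
    """A PIX answers ARP on the outside for its own interface address and, via
    proxy ARP, for every address in a static (inside,outside) translation."""
    if ip == PIX_OUTSIDE or ip in STATIC_PUBLIC:
        return pix_mac
    return None


@dataclass
class ArpCache:
    """ARP table of the upstream gateway: ip -> (mac, time_learned)."""
    entries: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def lookup(self, ip: str, now: int) -> Optional[str]:
        hit = self.entries.get(ip)
        if hit is None:
            return None
        mac, learned = hit
        if now - learned >= ARP_TIMEOUT:      # entry aged out
            del self.entries[ip]
            return None
        return mac

    def learn(self, ip: str, mac: str, now: int) -> None:
        self.entries[ip] = (mac, now)

    def flush(self) -> None:
        """What the ISP did in the end: clear the table by hand."""
        self.entries.clear()


def forward(cache: ArpCache, ip: str, live_pix_mac: str, now: int) -> str:
    """Deliver one frame from the gateway toward `ip`.

    Returns 'ok' if the frame reaches the PIX that is actually on the wire,
    'blackhole' if the cache still points at a MAC that no longer exists, and
    'unreachable' if nobody answers ARP for the address. On a cache miss the
    gateway ARPs, learns the live PIX's MAC and delivers.
    """
    mac = cache.lookup(ip, now)
    if mac is None:
        mac = pix_answers_arp(ip, live_pix_mac)
        if mac is None:
            return "unreachable"
        cache.learn(ip, mac, now)
    return "ok" if mac == live_pix_mac else "blackhole"


def simulate_swap() -> Dict[str, Dict[str, str]]:
    """Walk the thread's timeline and report delivery per public address."""
    targets = [PIX_OUTSIDE] + STATIC_PUBLIC
    cache = ArpCache()
    t = 0
    before = {ip: forward(cache, ip, OLD_PIX_MAC, t) for ip in targets}

    # Hardware swap: same config, same IPs, different MAC. Power-cycling the
    # PIX does nothing to the gateway's cache, so every entry is now stale.
    t += 600
    stale = {ip: forward(cache, ip, NEW_PIX_MAC, t) for ip in targets}

    # Fix 1: the ISP flushes the gateway's ARP table; the next frame re-ARPs.
    cache.flush()
    after_flush = {ip: forward(cache, ip, NEW_PIX_MAC, t) for ip in targets}

    # Fix 2 (no intervention): wait for the stale entries to age out instead.
    cache2 = ArpCache()
    for ip in targets:
        forward(cache2, ip, OLD_PIX_MAC, 0)
    aged_out = {ip: forward(cache2, ip, NEW_PIX_MAC, ARP_TIMEOUT) for ip in targets}

    return {"before": before, "stale": stale,
            "after_flush": after_flush, "aged_out": aged_out}


if __name__ == "__main__":
    for phase, result in simulate_swap().items():
        print(phase, result)
```

The point the simulation makes is that the cache lives on the device one hop upstream, so the only things that clear it are a flush on that device or the expiry of its own timer; with a four-hour timeout, "try again later" can mean a long wait.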

smocohibaAuthor Commented:
Thanks for your suggestion - the .161 gateway is an onsite endpoint from our wireless ISP, basically nothing more than a small box with one enet port and a power connector.  I've power cycled this along with our other equipment without success.  

I also contacted our ISP and they assured me there's no other equipment along our circuit that would be caching MAC addresses.

Thanks again and please keep the suggestions coming!

Is one of the inside servers referenced in your static translation statements your DNS server for your inside network hosts?  Also, when you try to ping an outside host from an inside host have you tried pinging by IP address or pinging by hostname?

smocohibaAuthor Commented:
Yes, the .165 outside address is static mapped to the .11 internal DNS/mail server.  All pings outside are by IP.

Can you post the 10 user PIX 501 config and either the 506 or the unrestricted 501 configs as they exist right now?
smocohibaAuthor Commented:
It actually did end up being the MAC cache on the ISP gateway!  I had them flush it and everything works fine.  Thanks for your help!