Pix 501 - static (inside,outside) statements shut down all internet access

Posted on 2006-11-12
Medium Priority
Last Modified: 2013-11-16
I have a feeling I'm just missing something really simple here, but this problem has been driving me crazy!

Here's the situation:

We had a Pix 506E which failed a couple days ago because of a bad power connector.  I installed a brand new Pix 501 and cut/pasted the config from the 506.  Everything seemed to work the same, except that the 501 was a 10 user model, so we were banging up against that limit immediately.  

We acquired an unlimited license 501, and I again cut/pasted the exact same config - but when I connected it this time no one was able to pass traffic out through the Pix.  Every host could ping the Pix, but not any public address outside the network.  After many frustrating hours I discovered that if I removed the static (inside,outside) statements mapping our public addresses to our two onsite servers, everything would work fine!  Putting those static statements back in would immediately hose internet access again.

What's weird is that the 10-user Pix 501 has those static statements and there's no problem!  

Also, we just fixed the original 506 (just had to open it up and reseat the power connector) and connected it back to the network - same problem as the unlimited license 501.  The config on this unit wasn't changed!  This is leading me to believe I'm just overlooking something really obvious and simple.

Below is the config we're using.  I'm assigning 500 points because this is keeping multiple users from doing their work effectively. Thanks in advance for any help!


PX1# sh ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

PX1 up 1 min 19 secs

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0016.c7f9.b681, irq 9
1: ethernet1: address is 0016.c7f9.b682, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.

Configuration has not been modified since last system restart.

PX1# sh ru
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password FDIh4f5k47X7yofT encrypted
passwd FDIh4f5k47X7yofT encrypted
hostname PX1
domain-name local.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 100 permit ip
access-list 100 permit ip
access-list 110 permit ip
pager lines 24
logging facility 16
logging host inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.33.162
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnip
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0 0
static (inside,outside) xxx.xxx.33.164 netmask 0 0
static (inside,outside) xxx.xxx.33.165 netmask 0 0
static (inside,outside) xxx.xxx.33.167 netmask 0 0
static (inside,outside) xxx.xxx.33.170 netmask 0 0
conduit permit icmp any any
conduit permit tcp host xxx.xxx.33.164 eq www any
conduit permit tcp host xxx.xxx.33.165 eq www any
conduit permit tcp host xxx.xxx.33.165 eq smtp any
conduit permit tcp host xxx.xxx.33.165 eq ftp any
conduit permit tcp host xxx.xxx.33.165 eq 5500 any
conduit permit tcp host xxx.xxx.33.167 eq 5500 any
conduit permit tcp host xxx.xxx.33.170 eq lpd any
conduit permit udp host xxx.xxx.33.170 eq 515 any
route outside xxx.xxx.33.161 1
timeout xlate 0:05:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpntrans esp-des esp-md5-hmac
crypto dynamic-map vpndyn 30 set transform-set vpntrans
crypto map b2pvpn 10 ipsec-isakmp
crypto map b2pvpn 10 match address 110
crypto map b2pvpn 10 set peer xxx.xxx.31.194
crypto map b2pvpn 10 set transform-set vpntrans
crypto map b2pvpn 20 ipsec-isakmp dynamic vpndyn
crypto map b2pvpn interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.31.194 netmask no-xauth no-c
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup local-vpn address-pool vpnip
vpngroup local-vpn dns-server
vpngroup local-vpn wins-server
vpngroup local-vpn default-domain local.local
vpngroup local-vpn split-tunnel 100
vpngroup local-vpn idle-time 18000
vpngroup local-vpn password ********
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd wins
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
Question by: smocohiba
LVL 28

Accepted Solution

batry_boy earned 2000 total points
ID: 17925896
The first thing I would check is the ARP cache on your next hop gateway listed in your PIX config as xxx.xxx.33.161.  When you change out hardware you run into the problem of the next hop gateway (or any other device on the outside network segment) caching your MAC address in its ARP table, which can cause connectivity problems until it is refreshed.

Therefore, clear the ARP cache on the next hop router by either:

1) Manually issuing the command to do it for that particular device (don't know how to tell you to do this since I don't know what kind of router/device it is)
2) Cycle the power to it

Try this first and let me know if the problem is still there.
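Added example, not part of batry_boy's answer or the poster's config: a small check for the stale-ARP condition described above. A PIX 6.3 answers ARP on the outside segment not only for its own interface address but also (proxy ARP, on by default) for every global address in a static (inside,outside) mapping, so after a hardware swap the upstream gateway can hold the old unit's MAC for all of those addresses until the entries age out or are flushed. The script derives the set of addresses the PIX owns from the config, compares them with an ARP dump from the gateway, and lists entries that still point elsewhere; it also builds the gratuitous ARP frame a host emits to refresh neighbours' caches. The PIX MAC is the ethernet0 address from the posted `sh ver`; the config stand-in, inside addresses, old-firewall MAC (0011.2233.4455) and the gateway ARP dump are constructed, with the page's xxx.xxx.33.x written as 192.0.2.x.

```python
"""Stale-ARP check after a firewall hardware swap (added example, not from the page)."""
import re
import socket
import struct

PIX_OUTSIDE_MAC = "0016.c7f9.b681"   # ethernet0 from the posted 'sh ver' output

# Constructed stand-in for the posted config (addresses are documentation space,
# inside addresses are assumed; the page only shows that .165 maps to an inside .11 host).
PIX_CONFIG = """\
ip address outside 192.0.2.162 255.255.255.224
global (outside) 1 interface
static (inside,outside) 192.0.2.164 10.0.0.14 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.165 10.0.0.11 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.167 10.0.0.17 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.170 10.0.0.20 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.0.2.161 1
"""

# Constructed ARP dump from the upstream gateway: the old firewall's MAC (assumed
# 00:11:22:33:44:55) is still cached for the interface address and three of the
# static-mapped addresses; .170 has already aged out and been relearned from the new PIX.
GATEWAY_ARP = """\
Address          HWaddress           Interface
192.0.2.162      00:11:22:33:44:55   eth0
192.0.2.164      00:11:22:33:44:55   eth0
192.0.2.165      00:11:22:33:44:55   eth0
192.0.2.167      00:11:22:33:44:55   eth0
192.0.2.170      00:16:c7:f9:b6:81   eth0
192.0.2.190      00:aa:bb:cc:dd:ee   eth0
"""


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted (0016.c7f9.b681), colon or dash forms; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def pix_owned_addresses(config: str) -> set[str]:
    """Outside-segment IPs the PIX answers ARP for: its interface address plus the
    global address of every static (inside,outside) translation (proxy ARP)."""
    owned = set()
    for line in config.splitlines():
        m = re.match(r"ip address outside (\S+)", line)
        if m:
            owned.add(m.group(1))
        m = re.match(r"static \(inside,outside\) (\S+) (\S+)", line)
        if m:
            owned.add(m.group(1))   # group(2) is the inside address; not ARP-visible outside
    return owned


def parse_arp_table(dump: str) -> dict[str, str]:
    """Map IP -> normalized MAC from a gateway ARP dump; header/non-MAC lines are skipped."""
    table = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            table[parts[0]] = normalize_mac(parts[1])
        except ValueError:
            continue
    return table


def stale_entries(config: str, arp_dump: str, pix_mac: str) -> dict[str, str]:
    """Return {ip: cached_mac} for PIX-owned addresses the gateway still maps to a different MAC."""
    want = normalize_mac(pix_mac)
    table = parse_arp_table(arp_dump)
    return {ip: table[ip] for ip in sorted(pix_owned_addresses(config))
            if ip in table and table[ip] != want}


def gratuitous_arp_frame(ip: str, mac: str) -> bytes:
    """Build the broadcast Ethernet/ARP reply (sender == target) a host sends after an
    address or MAC change so that neighbours overwrite their cached entry."""
    hw = bytes.fromhex(normalize_mac(mac))
    addr = socket.inet_aton(ip)
    ether = b"\xff" * 6 + hw + b"\x08\x06"                       # dst broadcast, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)              # Ethernet, IPv4, hlen, plen, op=reply
    arp += hw + addr + hw + addr                                 # sender and target are both us
    return ether + arp


if __name__ == "__main__":
    for ip, mac in stale_entries(PIX_CONFIG, GATEWAY_ARP, PIX_OUTSIDE_MAC).items():
        print(f"{ip}: gateway still has {mac}, expected {normalize_mac(PIX_OUTSIDE_MAC)}")
```

Run with the firewall's `show version` MAC and whatever ARP listing the gateway can produce; every address it reports needs a flush on that device (or a wait for its ARP timeout), not just the interface address. The frame builder is there to show what a refresh looks like on the wire; sending it requires a raw socket and is only useful from a host on the same outside segment.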

Author Comment

ID: 17925990
Thanks for your suggestion - the .161 gateway is an onsite endpoint from our wireless ISP, basically nothing more than a small box with one enet port and a power connector.  I've power cycled this along with our other equipment without success.  

I also contacted our ISP and they assured me there's no other equipment along our circuit that would be caching MAC addresses.

Thanks again and please keep the suggestions coming!

LVL 28

Expert Comment

ID: 17927308
Is one of the inside servers referenced in your static translation statements your DNS server for your inside network hosts?  Also, when you try to ping an outside host from an inside host have you tried pinging by IP address or pinging by hostname?

Author Comment

ID: 17927576
Yes, the .165 outside address is static mapped to the .11 internal DNS/mail server.  All pings outside are by IP.

LVL 28

Expert Comment

ID: 17928020
Can you post the 10 user PIX 501 config and either the 506 or the unrestricted 501 configs as they exist right now?

Author Comment

ID: 17948533
It actually did end up being the MAC cache on the ISP gateway!  I had them flush it and everything works fine.  Thanks for your help!

Question has a verified solution.