Desperate PIX help: it's 1 am here and I'm still at work. When I cold start the PIX I can use the remote network's resources; after that I can't at all.

Posted on 2007-08-03
Last Modified: 2010-04-09
Hello again (it's 1 am here, I'm going crazy at work).
This PIX is killing me.
The topology in the network is like this:

internet - linux router/gateway (doing NAT) - switch - local area connection
I have the PIX in the local area connection, but with a public IP that I routed in the Linux machine.
The outside of the PIX has a public IP.
The inside is in the same network as the other computers from the local area network.
I want to be able to ping the other LAN connected to the Linux router.
The working config is this:

: Saved
: Written by enable_15 at 12:18:24.929 UTC Fri Aug 3 2007
PIX Version 7.1(2)
hostname pix
domain-name ...
enable password ... encrypted
interface Ethernet0
 nameif outside
 security-level 0
 ip address ...
interface Ethernet1
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 no nameif
 no security-level
 no ip address
passwd ... encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ...
access-list inside_nat0_outbound extended permit ip interface inside
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list vpn3000_splitTunnelAcl standard permit
access-list vpn3000_splitTunnelAcl standard permit
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool ippool mask
asdm image flash:/asdm-512.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10
route inside 1
route outside ... 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
 wins-server value
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn3000_splitTunnelAcl
 default-domain value ...
username ... password ... encrypted privilege 0
username ... attributes
 vpn-group-policy vpn3000
username ... password ... encrypted privilege 0
username ...attributes
 vpn-group-policy vpn3000
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool ippool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key ...
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
: end

On the Linux router I have this:
route add -net gw

Everything is fine until now.
When I cold start the PIX and my laptop I can connect and do my job.
If I disconnect and try to connect again, I can connect but can't access the remote network at all.
In the stats on the Cisco VPN client I have no received packets.
This happens if I do a reload on the PIX, or add some security stuff and do a wr mem.
I wonder what is wrong, I mean IT WORKS the first time perfectly.
Is something left in the Linux router?
Is the PIX bad? This is the third image version I have installed on it and the same thing happens.

Also, if I set up telnet I can't use it at all, neither SSH. With telnet I can connect but nothing appears.

Please help, I'm desperate, it's 1 am here, I've been at work since 8 am yesterday.

thank you
Question by: lyncks
    LVL 22

    Expert Comment

    by:Luciano Patrão

    I think that PIX is not so good. Either a power issue, or firmware.

    Does the PIX have a warranty? And do you (or your company) have any support from Cisco? If so, I will say that you need to contact them to check that PIX.

    If not... not so many things I can do about it.

    Try to back up all the data, reset the PIX to default, disconnect it from power for about 5 minutes, connect it and restore your data.

    If that is OK, test again.

    Try to check if any new firmware is available.

    Hope this can help.

    LVL 79

    Accepted Solution

    Sorry to hear that, lyncks.
    Is the outside interface on the same IP subnet as the Linux box outside, or on a totally different internet link?

    >access-list inside_nat0_outbound extended permit ip interface inside
    Remove that...
     no access-list inside_nat0_outbound extended permit ip interface inside

    Add these commands:
     management-access inside
     isakmp identity address
     isakmp nat-traversal 20
     sysopt noproxyarp inside

    LVL 1

    Author Comment

    BestWay: I already did that a few times, tried with different versions of firmware and the same stuff happens.
    lrmoore: now it works. I did wr erase, then reconfigured everything with the exact config I posted earlier, and it works. If I do a reload or wr mem it doesn't work anymore. For now I just left it like that because my boss really needs it to work this weekend.
    I'll try to explain the setup in detail.
    On the Linux router:
    eth0: main public IP from a different subnet. That is the main internet connection.
    eth1: IP from another public class which acts as the gateway for all the other computers which have a public IP, including the PIX.
    eth2: private IP from the LAN of our office (
    eth3: private IP from the LAN for the other offices in the building (
    eth1 is NOT on the same subnet as the outside on the Linux router, but it uses the same internet connection.

    The PIX has on the outside interface an IP from the same subnet as eth1 on the Linux router.
    On the inside it has an IP from the same subnet as eth2 (

    I'm sorry for all the trouble with this; I never used a PIX before. I did this several times with Cisco routers with VPN modules and it worked just fine. Now with this PIX nothing seems to want to work.
    I will add what you said on Monday morning and see what happens. Maybe with the details I just told you, you can find some flaw in this configuration.

    Thank you guys, thanks a lot.
    LVL 79

    Expert Comment

    OK, add this too:
      sysopt noproxyarp outside
    LVL 1

    Author Comment

    It works now.
    Thanks a million.
    Can you tell me what was wrong?
    Thank you.
    LVL 79

    Expert Comment

    Proxy arp does strange things when you have competing gateways on a LAN.
    Glad you are working!
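As an added example (not part of the thread, and not a Cisco tool), the following Python check reads a PIX config text and reports whether the accepted solution has been applied: the nat-exemption ACL entry keyed on the inside interface must be gone, and the five commands lrmoore listed (including the later sysopt noproxyarp outside) must be present. The config excerpts are constructed from the lines on this page; the elided addresses are omitted, and the function name audit_pix_config is an assumption of this example.

```python
import re

# Constructed excerpt of the config posted in the question, before the fix.
# Only lines relevant to the check are included; addresses are elided as on the page.
BEFORE_FIX = """\
access-list inside_nat0_outbound extended permit ip interface inside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10
global (outside) 10 interface
isakmp enable outside
crypto map outside_map interface outside
"""

# Constructed excerpt after applying the accepted solution's changes.
AFTER_FIX = """\
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10
global (outside) 10 interface
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
management-access inside
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto map outside_map interface outside
"""

# Commands the accepted solution (and the follow-up comment) said to add.
REQUIRED = [
    "management-access inside",
    "isakmp identity address",
    "isakmp nat-traversal 20",
    "sysopt noproxyarp inside",
    "sysopt noproxyarp outside",
]

# Matches the nat0 ACL entry the accepted solution said to remove: a nat-exemption
# permit keyed on the inside interface itself rather than on a source network.
NAT0_INTERFACE_ENTRY = re.compile(r"^access-list \S+ extended permit ip interface inside\b")


def audit_pix_config(config: str) -> list[str]:
    """Return findings for a PIX config: entries to remove, then commands still missing.
    An empty list means the config already reflects the thread's fix."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = [f"remove: {ln}" for ln in lines if NAT0_INTERFACE_ENTRY.match(ln)]
    findings += [f"missing: {cmd}" for cmd in REQUIRED if cmd not in lines]
    return findings
```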
