kwmcnutt asked:
PIX 501 blocking outbound traffic

Every once in a while, our 501 will block all outbound traffic.  Inbound traffic doesn't seem to be affected (emails still come in fine).

I'm able to fix the problem by doing a simple "reload" command, but I'd like to know what's happening so I can prevent this from happening.

The one thing I notice when the "reload" finishes is that it shows a message that may be helpful:

"Outside interface added to PAT pool"

It has shown up every time I've done this.


config:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname CPFW
domain-name csplp.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq pptp
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq 3101
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq ssh
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq domain
access-list acl_out permit gre any host xxx.xxx.xxx.xxx
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list in2out permit tcp host 192.168.50.8 any eq smtp
access-list in2out deny tcp any any eq smtp
access-list in2out deny ip any any
access-list in2out permit tcp host 192.168.50.150 any eq smtp
access-list in2out permit tcp host 192.168.50.121 any eq smtp
access-list in2out permit tcp host 192.168.50.128 any eq smtp
pager lines 24
logging on
logging timestamp
logging trap notifications
logging device-id string ITPPIX
logging host inside 192.168.50.8
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.252
ip address inside 192.168.50.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.50.0 255.255.255.0 inside
pdm location 192.168.50.8 255.255.255.255 inside
pdm location 192.168.50.50 255.255.255.255 inside
pdm location 192.168.50.150 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx www 192.168.50.8 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx pptp 192.168.50.8 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 192.168.50.8 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx 3101 192.168.50.8 3101 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx smtp 192.168.50.150 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx https 192.168.50.150 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx ssh 192.168.50.150 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx domain 192.168.50.150 domain netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 55.555.55.55 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Thanks for any help!!!

Kevin
batry_boy:

"Outside interface added to PAT pool"

That message is normal and doesn't indicate an issue.

If you issue the command "show version", what is the number of "Inside hosts" listed as?  If it says "10" or "50", you may be bumping up against a license limitation that is on your PIX.  The next time you have the problem, issue the command "show xlate" and see how many translations are currently in the translation table.  If that number exceeds the number of "Inside hosts", this could be your issue.
kwmcnutt (ASKER):

I thought the licenses only get used up by ip addresses, not connections.  Am I wrong?  I'm only currently using 8 of 50 licenses.  And we have less than 20 devices total.
>>I thought the licenses only get used up by ip addresses, not connections.

Yes and no.  The way the PIX polices the license count is by looking at its translation table.  In your case, the PIX will continue to pass traffic for the first 50 unique inside IP addresses by creating translations in the translation table.  As soon as the 51st inside IP address tries to send traffic through the PIX, it will not allow a translation to be created and the traffic will not pass.  The translation timeout value will ultimately get rid of translations after a period of 3 hours by default (this can be dropped down lower with the "timeout xlate" command), but while the translation table has 50 unique inside IP addresses in there, it will not allow more translations to be created.

You say you are currently using 8 of 50.  Are you currently experiencing the problem?  You need to look at the number while you are experiencing the issue to really tell if this is what could be happening.  It sounds like it is not an issue since you say you have less than 20 devices total.

When the outage occurs, is it all traffic or just specific types of traffic?  What types of test traffic are you sending during the outage to determine if it's every protocol or just some protocols?
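The check batry_boy describes (compare the unique inside addresses in "show xlate" against the "Inside hosts" figure from "show version") as an added Python example; this is not code from the thread or from Cisco. The sample "show xlate" and "show version" text below is constructed, and the line shapes ("PAT Global a.b.c.d(port) Local w.x.y.z(port)", "Global ... Local ...", "Inside Hosts: N") are assumptions about PIX 6.x output, not copied from the page.

```python
import re
from collections import Counter

# Constructed sample output; the line formats are assumed, not taken from the thread.
SAMPLE_SHOW_XLATE = """\
5 in use, 7 most used
PAT Global 203.0.113.2(1024) Local 192.168.50.10(1036)
PAT Global 203.0.113.2(1025) Local 192.168.50.10(1040)
PAT Global 203.0.113.2(1026) Local 192.168.50.21(3201)
Global 203.0.113.2 Local 192.168.50.8
Global 203.0.113.2 Local 192.168.50.150
"""

# Constructed fragment of "show version"; "Inside Hosts:" label is an assumption.
SAMPLE_SHOW_VERSION = """\
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
Inside Hosts:       50
"""

# Matches both the PAT form (with ports in parentheses) and the plain Global/Local form.
XLATE_RE = re.compile(
    r"^(?:PAT\s+)?Global\s+(?P<gaddr>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?\s+"
    r"Local\s+(?P<laddr>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?\s*$"
)
INSIDE_HOSTS_RE = re.compile(r"Inside Hosts:\s*(\d+|Unlimited)", re.IGNORECASE)


def parse_xlate(text):
    """Return a Counter of active translations keyed by inside (Local) address."""
    counts = Counter()
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            counts[m.group("laddr")] += 1
    return counts


def licensed_inside_hosts(show_version_text):
    """Pull the licensed inside-host count; None means unlimited or not found."""
    m = INSIDE_HOSTS_RE.search(show_version_text)
    if not m or m.group(1).lower() == "unlimited":
        return None
    return int(m.group(1))


def license_headroom(xlate_text, licensed_hosts):
    """Compare unique inside hosts holding translations with the license limit.

    The unit that matters is unique inside addresses, not the raw number of
    xlate entries: one host with many PAT translations still consumes one slot.
    """
    counts = parse_xlate(xlate_text)
    unique = len(counts)
    return {
        "unique_inside_hosts": unique,
        "total_translations": sum(counts.values()),
        "licensed_hosts": licensed_hosts,
        "remaining": None if licensed_hosts is None else licensed_hosts - unique,
        "exhausted": licensed_hosts is not None and unique >= licensed_hosts,
        "busiest": counts.most_common(3),
    }


if __name__ == "__main__":
    limit = licensed_inside_hosts(SAMPLE_SHOW_VERSION)
    report = license_headroom(SAMPLE_SHOW_XLATE, limit)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Capture the two command outputs while the outage is in progress (before the reload clears the table), feed them to the script, and look at "exhausted" and "busiest": a host holding far more translations than its peers is also worth a look, since the thread's eventual root cause was a server with two NICs behaving unexpectedly behind the PIX.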
I'm not currently having the problem, but I'm not sure how we could reach 50 unique ip addresses.

When the problem happens, I'm tipped off by blackberries not receiving email.  Can't connect via VPN.  Users can't access the internet.  Basically, it seems like all traffic from inside to outside.  Outside traffic coming in doesn't seem to be affected, as emails continue to come in just fine.  I'm not really doing any specific testing since it has to get back up quickly, with users on the road and working remotely.

The way I've been fixing it is by doing the "reload" command.  Works immediately after, but sure would like to fix the issue.

Thanks for your help!
ASKER CERTIFIED SOLUTION
batry_boy

I've opened a case with Cisco and will post back with any news.

One problem may be that the PIX I bought has version 6.3(5) on it!  
Still waiting for another occurrence, so that I can send logs to Cisco.  Haven't had the problem since I opened a case.
Cisco was no help at all, but I seem to have fixed the problem as I haven't had an occurrence since the end of May.  

Turns out the PIX was getting confused with my two NICs on the server.  I ended up dedicating one to a virtual server, which I thought I had already done.  Oh well, like usual, it boils down to improper configuration.

thanks for everyone's input
I awarded you the points since you were the only one that chimed in.  Thanks!