ataripirate asked:
network/downloading issues

Recently, nothing has changed on our network (we have a PIX 515e firewall), but our AVG will not update, I am not able to download a lot of updates from certain sites, and some internet items won't load.

I will try to add more once I get to work; I couldn't even see the submit button to ask a question.

Hopefully, I will be able to edit this.

We are using Server 2003, and the workstations are XP with Internet Explorer and Firefox.

thanks
ASKER CERTIFIED SOLUTION
Jan Bacher
ASKER (ataripirate):
Yes, I have rebooted the PIX; the problem still exists.  If I can provide any other information, please ask.

thanks
I would look for errors on both the public and private ethernet interfaces on the PIX.  If there are any, replace the appropriate cable.  If the former is not a problem and the latter does not correct the problem, I'd look at the upstream routing device and/or circuit for problems.
OK, it has been a long time since I worked with routers/firewalls.  I have been with the company for 3 months, and I had no info passed on from the previous guy.  Would you be able to tell me where/how to check for errors?  Or do I need to contact Cisco?

thanks
Also, when I try to go to the firewall via a browser, I get a certificate error.


thanks
Can you not http (not https) to the PIX?  I always use CLI, so my help in the GUI realm will not be as proficient.

On the pix, use the "show" command to show the interfaces.  It's been awhile since I've had to do hands-on and not just configuration support, the command may be "show interface ethernet0" for the inside and "show interface ethernet1" for the outside.

What device is in front of the firewall and what type of connection (T1, cable, DSL) do you have for your upstream?
I will go try the commands.  I am using the command console via HyperTerminal.

No errors, underruns, or lost anything on either of them.

T1

thanks

bobby
Yes, both interfaces should be relatively clean (especially after just rebooting).

What type of router does the T1 hang off?  Can you look at the T1 interface for errors?
OK, I just talked to a friend and we went through it.  I traced everything out.  The T1 comes in on fiber, converts to cable, goes to the PIX and then to the web server.  Then ISA is running.

This kind of changes things.  I am going to reboot the server in the morning.

Also GFI WEB MON is running
OK, rebooted, nothing helped.  I do not know much about ISA.  Not sure about the GFI WEB MON, can't even find the executable for this.  I never knew all this was even running on this server.  I assumed it was all handled via the physical firewall, which appears to be functioning as just the router.

thanks

Bobby
If this affects the server and all workstations, even randomly, and there have been no configuration additions/changes to the network, then the only other common denominator is a switch behind the firewall connected to the machines.
Even the servers have the problem.  I need to check the server with the direct connection to the physical PIX.
The PIX (I believe) is 10M, half duplex.  Perhaps the capacity of the unit is insufficient?  How much data are you pushing through the ethernet interfaces?
We have our website and any users going out.  Traffic has not changed.

Not sure where to check how much data I am pushing.

thanks
Could you give me a more descriptive explanation of this (specifically the hardware involved):

"the t1 comes in fiber, converts to cable goes to the PIX"
Our T1 comes in and gets converted from fiber to twisted pair.  From the converter it goes to the PIX firewall, which appears to just be acting as the router, but I'm not positive on this.  Then the PIX goes to the web server.  It is running IIS and ISA.  The web server then goes to the patch panel.

Is that what you needed?

thanks

What I find confusing is the term "T1".  This can either mean "equivalent to a T1 in bandwidth" or "a T1 circuit terminating to a serial interface on a layer 3 device".

The default route on the PIX points to your ISP's IP address?
I guess I am referring to our internet service connection coming into the building as the T1; I was told that, and that is why I have been referring to it that way.

If there is a T1 built out, then there needs to be a device terminating that connection.  Can you physically trace where the T1 comes into the building and what hardware it terminates to?
It comes into a circuit ID box, then the fiber goes to a converter box.

thanks
If there is a smartjack with a circuit ID and it is physically provisioned as a T1, the output of a standard T1 smartjack is copper to a CSU (either external or built into a router).

But what you're saying is that there is a circuit ID box with fiber coming out of it ??
Yes, it is locked.  I don't even know if I have access to the inside, or if that is taken care of by our provider.


thanks
Your problem really sounds like an MTU issue (and has from the start).

Ask your provider:

1) Do we have a T1 circuit?
2) To what equipment does it terminate?
3) Can I have access to that equipment?
     Yes -> check the serial interface for errors
                 see if there is an MTU issue
     No  -> tell your provider to diagnose and fix the problem
I called the line provider; they tell me all is fine on their end.
Unless the telco came on site and performed a test with a hard loop to the inside port of your smartjack, they aren't done.

Do you have access to the piece of equipment to which the T1 terminates?  Or is this [router] managed by your provider?  Ask them to look at MTU issues if the circuit is clean and the hardware is fine.
They called it a Metro Ethernet fiber?  I may have a different company that handles this end of the loop; they didn't seem to know much about it.  Going to try and get my direct rep on the service and see what he tells me.  I called tech support for the company, which is nowhere near here.

Not sure where it terminates.  Inside the circuit ID box?

thanks

Bobby
Ethernet handoff is technically not a T1 (although your provider may be provisioning 1.544M in the ethernet configuration).

Has someone put a scope on the fiber?
Nobody has been here to do anything.  I called it a T1 because that is what I saw it called in notes that were left by the previous guy.


thanks
What if I stopped the ISA?  Would this open up everything if the PIX is doing nothing but being a firewall?

thanks
Unless your bandwidth on the ethernet interfaces of the PIX is very busy, I don't see that this will help.

Ask your provider if the connection upstream of the PIX has been modified and that it appears that there is an issue with MTU (maximum transmission unit) or MSS (maximum segment size).
Issues with the MTU and MSS can cause scripts not to run and downloads not to finish or even start.

Maybe I am missing a link in our system outside of my hardware and software?

I would typically make MTU and/or MSS adjustments on the router.

If that is not an option, from one of the machines where you are having a problem, adjust your MTU to 576 to see if there is a dramatic improvement.  If so, keep upping the MTU until you find the MTU that still gives you good speed without compromising the receipt of the data.
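The MTU probing described above, as an added worked example that is not from the thread: it finds the largest MTU a path carries with the Don't-Fragment bit set (the step-up method suggested above, generalized to a binary search between 576 and 1500) and derives the matching TCP MSS clamp (MTU minus 40 bytes of IPv4 and TCP headers). `ping_df_probe` is my helper and assumes the Linux iputils `ping -M do` syntax; `simulated_path` is a constructed stand-in for a path with a PMTUD black hole so the search can be exercised offline.

```python
import subprocess
import sys
from typing import Callable, Optional

IP_TCP_HEADERS = 40  # IPv4 header (20) + TCP header (20); MSS = MTU - 40


def ping_df_probe(host: str, mtu: int) -> bool:
    """Send one ICMP echo sized to fill `mtu` bytes with Don't-Fragment set.

    Assumes the Linux iputils ping syntax (-M do sets DF, -s is the payload
    size).  Payload = MTU - 20 (IPv4) - 8 (ICMP).  A silent failure at a given
    size is the PMTUD black hole that stalls downloads mid-transfer.
    """
    payload = mtu - 28
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host]
    try:
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=5).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> Optional[int]:
    """Largest MTU in [lo, hi] that `probe` accepts, found by binary search.

    576 is the minimum every IPv4 host must accept, 1500 is standard Ethernet.
    Returns None when even `lo` fails: then the problem is not MTU-related.
    """
    if not probe(lo):
        return None
    if probe(hi):
        return hi
    # Invariant: probe(lo) succeeds, probe(hi) fails; close the gap to 1 byte.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def suggested_mss(mtu: int) -> int:
    """TCP MSS clamp that keeps full segments inside the discovered MTU."""
    return mtu - IP_TCP_HEADERS


def simulated_path(black_hole_above: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path (offline demonstration only):
    probes larger than `black_hole_above` vanish without an ICMP
    'fragmentation needed' reply, exactly like a broken PMTUD path."""
    return lambda mtu: mtu <= black_hole_above


if __name__ == "__main__":
    # With a host argument, probe the real path; without one, run the simulation.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    probe = (lambda m: ping_df_probe(target, m)) if target else simulated_path(1400)
    mtu = find_path_mtu(probe)
    if mtu is None:
        print("Even MTU 576 fails: the problem is not MTU-related")
    else:
        print(f"Largest working MTU: {mtu}; clamp TCP MSS to {suggested_mss(mtu)}")
```

Run it with a host argument against a reachable address upstream of the firewall; a result below 1500 on a plain Ethernet handoff is the signature of a path that drops large frames without sending the ICMP message PMTUD depends on, which is exactly the "downloads start but never finish" symptom.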
When I go to download things, for example, I went to download Java.  I get a DOS window that pops up and then goes away, and the download/install never works.

It happens with most things I need to download too.


If you could try what I suggested and let me know what you experience, at least we have something to go on.
I tried it on the PC and nothing changed.  I haven't changed anything on the PIX.

Still the same thing.  I am not sure if I have a separate company between me and the line provider.  If I do a trace route, will it tell me if I have another piece to my mess?

thanks

Bobby
If you have the option, terminate a PC where the public interface of the PIX would be.

Put the IP address/gateway/netmask of the PIX on your PC and test the circuit without the firewall.   If this works, continue.  If not, the problem is upstream and you need to force the issue with your provider.

Next test:  put the PIX back in-line.  Get a cross-connect cable and connect the PC to the private interface of the PIX.  Put a private IP/netmask/gateway on the PC.  If this works, the circuit and PIX are good and the most likely culprit is a switch behind the firewall.  If not, the PIX is the problem.

Let me know what you find.
thanks, I should have thought of that.  I will have to wait until after hours to do it.

Is there a way to tell if the PIX is being used as my firewall or just as a router?  Someone thought that by the way it was set up it was doing nothing more than acting as a router.

thanks

Bobby
The PIX is a firewall by design.  If you want to, post the config.  Put XX in the first two octets of the public IP, delete any lines containing a password or key and especially sanitize the crypto (isakmp, ipsec) sections if they're present.
I did a "sh config"; is this what you need to see?

thanks

Bobby
Yes, please but remove passwords and keywords and any other sanitizing information except for the public IP -- only X out the first two octets.
PIX Version 6.1(4)
nameif ethernet0
nameif ethernet1
enable

hostname
domain-name
fixup protocol ftp xx
fixup protocol http xx
fixup protocol hxxx xxxx
fixup protocol rsh xxx
fixup protocol rtsp xxx
fixup protocol sqlnet xxxx
fixup protocol sip xxxx
fixup protocol skinny xxxx
no fixup protocol smtp xx
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host xxx.xxx.151.10 eq www
access-list 100 permit tcp any host xxx.xxx.151.5 eq smtp
access-list 100 permit tcp any host xxx.xxx.151.5 eq www
access-list 100 permit tcp any any eq xxxx
access-list 100 permit tcp any any eq xx
access-list 100 permit tcp any any eq xx
access-list 100 permit tcp any any eq xxx
access-list 100 permit gre any host xxx.xxx.151.10
access-list 100 permit tcp any host xxx.xxx.151.10 eq ftp
access-list 100 permit tcp any host xxx.xxx.151.10 eq 9999
access-list 100 permit tcp any host xxx.xxx.151.10 eq 85
access-list 100 permit tcp any host xxx.xxx.151.10 eq 389
access-list 100 permit tcp any host xxx.xxx.151.10 eq h323
access-list 100 permit tcp any host xxx.xxx.151.5 eq pop3
access-list 100 permit tcp any any eq xxxx
access-list 100 permit tcp any host xxx.xxx.151.10 eq 8100
access-list 100 permit tcp any host xxx.xxx.151.10 eq 8101
access-list 100 permit tcp any any eq 5100
access-list 100 permit tcp any any eq 5101
access-list 100 permit tcp any host xxx.xxx.151.10 eq ftp-data
access-list 100 permit tcp any host xxx.xxx.151.5 eq 143
access-list 100 permit udp any any eq xxxxxx
access-list 100 permit udp any any eq 1701
access-list 100 permit tcp any host xxx.xxx.151.5 eq 691
access-list 100 permit tcp any host xxx.xxx.151.5 eq 389
access-list 100 permit udp any host xxx.xxx.151.5 eq 389
access-list 100 permit tcp any host xxx.xxx.151.5 eq 3268
access-list 100 permit tcp any host xxx.xxx.151.5 eq 88
access-list 100 permit udp any host xxx.xxx.151.5 eq 88
access-list 100 permit tcp any any eq 1225
access-list 100 permit tcp any any eq 1226
access-list 100 permit tcp any any eq 1227
access-list 100 permit tcp any any eq 1228
access-list 100 permit tcp any host xxx.xxx.151.4 eq 3389
access-list 100 permit tcp any any eq 15000
access-list 100 permit tcp any host xxx.xxx.151.4 eq www
access-list 100 permit tcp any host xxx.xxx.151.10 eq smtp
pager lines 24
interface ethernet0 10full
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.151.2 255.255.255.240
ip address inside xxx.xxx.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.151.11
global (outside) 1 xxx.xxx.151.12
Is the outside address the one I need to use on the PC to connect directly to the line?

thanks

Bobby
Yes, to start with.
Didn't have a lot of time this morning.  I didn't get all of the necessary items in the IP address, I guess; it wouldn't connect.  I wasn't sure of the gateway and the DNS.
If you're removing the firewall and connecting the PC direct, use the firewall's public IP and netmask.  The gateway is the IP used in the default route.  You will manually need to add a DNS server.  If your DNS is internal, then use your provider's DNS servers.
Were you able to tell anything from the config file?
thanks
With regard to the ethernet interfaces, if you specify auto at one end, the other end also needs to be auto (and vice versa with 10/full).

Can you look at your switch to determine whether the internal interface speed and duplex match and is set to auto?

I don't see where access-list 100 is applied (may be a result of too much sanitizing).

All of the nat configuration and timeouts are missing (but if you use default timeouts that's not a problem).


I didn't think I deleted anything, but I might have.  What would it say?  (Where access-list 100 is applied.)

And the NAT config, should it have shown up too?



thanks
The switches appear to be set on auto; I didn't see a duplex setting anywhere.

I would have expected something like:

access-group 101 in interface outside
and
nat (inside) 1 PRIVATE_SUBNET PRIVATE_NETMASK
and
timeout xlate 4:00:00
timeout conn 1:00:00 half-closed 0:05:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

Have any configuration changes been made to the firewall within the time period that the problem started?

I'm interested in how the circuit works without the firewall.
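Added example (my code, not from the thread or from Cisco): a small checker for a pasted PIX 6.x `show config` that encodes what is being looked for above, that every access-list is bound with an access-group, that a global pool has a matching nat statement, and that a hard-coded interface speed/duplex is flagged so it can be compared with the switch port. It also flags two management settings that appear in the full config posted later in this thread (SSH permitted from any outside address and an SNMP community of `public`). `SAMPLE_CONFIG` is a constructed stand-in using documentation addresses, not the asker's configuration.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the first sanitized paste in the thread: an
# access-list with no access-group, a global pool with no nat statement, a
# hard-coded interface speed/duplex, and two management settings worth a look.
SAMPLE_CONFIG = """\
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit tcp any host 203.0.113.10 eq www
access-list 100 permit udp any eq 53 any
interface ethernet0 10full
interface ethernet1 auto
ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
global (outside) 1 203.0.113.11
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
<--- More --->
Cryptochecksum:
"""


def parse_pix_config(text: str) -> Dict[str, List[str]]:
    """Group statements by their leading keyword (PIX 6.x is one statement per
    line).  Pager prompts and the checksum trailer from a pasted 'show config'
    are dropped."""
    sections: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("<---", "Cryptochecksum")):
            continue
        sections.setdefault(line.split()[0], []).append(line)
    return sections


def check_pix_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    cfg = parse_pix_config(text)
    findings: List[str] = []

    # 1. Every access-list must be bound to an interface with access-group,
    #    and every access-group must name an access-list that exists.
    defined = {l.split()[1] for l in cfg.get("access-list", [])}
    applied = {l.split()[1] for l in cfg.get("access-group", [])}
    for acl in sorted(defined - applied):
        findings.append(f"access-list {acl} is defined but never applied with access-group")
    for acl in sorted(applied - defined):
        findings.append(f"access-group references undefined access-list {acl}")

    # 2. A global (outside) pool does nothing unless a nat statement selects
    #    which inside hosts translate through it.
    if cfg.get("global") and not cfg.get("nat"):
        findings.append("global (outside) pool exists but no nat statement selects inside hosts")

    # 3. Hard-coded speed/duplex must be mirrored on the attached switch port;
    #    'auto' on one side only gives a duplex mismatch (errors, slow transfers).
    for line in cfg.get("interface", []):
        parts = line.split()
        if len(parts) >= 3 and parts[2] != "auto":
            findings.append(f"{parts[1]} is hard-coded to {parts[2]}; the attached "
                            f"switch port must be set identically, not auto")

    # 4. Management exposure: SSH from anywhere on the outside interface and
    #    a default SNMP community string.
    for line in cfg.get("ssh", []):
        if re.match(r"ssh 0\.0\.0\.0 0\.0\.0\.0 outside$", line):
            findings.append("ssh management is allowed from any address on the outside interface")
    for line in cfg.get("snmp-server", []):
        if re.match(r"snmp-server community (public|private)$", line):
            findings.append("snmp-server uses a default community string")
    return findings


if __name__ == "__main__":
    for finding in check_pix_config(SAMPLE_CONFIG):
        print("-", finding)
```

Paste the sanitized config in place of `SAMPLE_CONFIG` to run it against a real box; masking the public octets with `xxx` as done in this thread does not affect any of the checks.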
Nothing has changed.  I am the only one with access and I have not done a thing to anything on the network.  We installed Backup Exec, not on the web server though.
Hopefully I got anything important hidden:
PIX Version 6.1(4)
nameif ethernet0 outside security
nameif ethernet1 inside security
enable password  encrypted
passwd  encrypted
hostname vh-pix
domain-name victorianheart.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host xxx.xxx.151.10 eq www
access-list 100 permit tcp any host xxx.xxx.151.5 eq smtp
<--- More --->

access-list 100 permit tcp any host xxx.xxx.151.5 eq www
access-list 100 permit tcp any any eq 1723
access-list 100 permit tcp any any eq 47
access-list 100 permit tcp any any eq 50
access-list 100 permit tcp any any eq 443
access-list 100 permit gre any host xxx.xxx.151.10
access-list 100 permit tcp any host xxx.xxx.151.10 eq ftp
access-list 100 permit tcp any host xxx.xxx.151.10 eq 9999
access-list 100 permit tcp any host xxx.xxx.151.10 eq 85
access-list 100 permit tcp any host xxx.xxx.151.10 eq 389
access-list 100 permit tcp any host xxx.xxx.151.10 eq h323
access-list 100 permit tcp any host xxx.xxx.151.5 eq pop3
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp any host xxx.xxx.151.10 eq 8100
access-list 100 permit tcp any host xxx.xxx.151.10 eq 8101
access-list 100 permit tcp any any eq 5100
access-list 100 permit tcp any any eq 5101
access-list 100 permit tcp any host xxx.xxx.151.10 eq ftp-data
access-list 100 permit tcp any host xxx.xxx.151.5 eq 143
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq 1701
access-list 100 permit tcp any host xxx.xxx.151.5 eq 691
access-list 100 permit tcp any host xxx.xxx.151.5 eq 389
access-list 100 permit udp any host xxx.xxx.151.5 eq 389


access-list 100 permit tcp any host xxx.xxx.151.5 eq 3268
access-list 100 permit tcp any host xxx.xxx.151.5 eq 88
access-list 100 permit udp any host xxx.xxx.151.5 eq 88
access-list 100 permit tcp any any eq 1225
access-list 100 permit tcp any any eq 1226
access-list 100 permit tcp any any eq 1227
access-list 100 permit tcp any any eq 1228
access-list 100 permit tcp any host xxx.xxx.151.4 eq 3389
access-list 100 permit tcp any any eq 15000
access-list 100 permit tcp any host xxx.xxx.151.4 eq www
access-list 100 permit tcp any host xxx.xxx.151.10 eq smtp
pager lines 24
interface ethernet0 10full
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.151.2 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.151.11
global (outside) 1 xxx.xxx.151.12


nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.151.10 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.151.5 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.151.4 192.168.1.4 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.151.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
terminal width 80
Cryptochecksum:

thanks
I don't see any problem with the configuration of the PIX.  Let's move forward and test one segment at a time.

1) PC connected directly to circuit
     IP               xxx.xxx.151.2
     Mask        255.255.255.240
    Gateway   xxx.xxx.151.1
    DNS          ***

2) PIX connected to circuit, PC connected via crossover cable to inside PIX ethernet
     IP             192.168.1.253
     Mask       255.255.255.0
     Gateway 192.168.1.254
     DNS         ?

***If you don't have an external DNS server to use for the first test, use 208.67.222.222.  You can also use it for the second test, as well.
I will have to test it in the morning before anyone gets here.

I really appreciate all the help you are giving me


thanks

Bobby
We are in the same time zone -- what time is the test?
sometime between 7:00 and 8:00

thanks
I'll try to be around during that time.
OK, hooked right up to the laptop and it worked great.

Took the cable from the server and hooked it to the laptop with DHCP and got limited connectivity; maybe the server cable is not crossover?  I don't have one here.

now I know that it is the server/software or the PIX

thanks
One more test with the network in normal configuration.  Configure a PC with a private static IP that is not in use, gateway, netmask and the DNS IP above (no dhcp) and test.  
Had to use the default gateway the DHCP usually assigns.  I did notice that the AVG virus software did go farther before timing out, but still no go.  Nothing would download and the PDFs still won't open.


Should the cable that goes to the server be a crossover cable?

I can put one together to try that.

thanks
Cables are straight through when connected via a switch.
    Firewall -> switch -> PCs, servers, etc

When two end devices are connected directly to each other, a cross-over cable is needed.
   Firewall --xover-> server gateway -> switch -> PCs, etc

I am unclear as to whether the firewall was involved with this test and I'm not sure how you got an IP via DHCP if the server was taken out of the loop -- can you clarify?:
      "took the cable from the server and hooked it to the laptop
       with dhcp and got limited connectivity, maybe the server"
Hard-coded a PC in my office on the network, tried using your DNS address, and got nothing.  I hard-coded in the internal DNS, 192.168.0.1, and I got a connection but no new results.  Should the DNS you gave me have worked with this?  I was hooked up just as I would normally be, but the IP and all was hard-coded.
thanks
Unless OpenDNS has withdrawn public use of its servers, then yes, it should have worked.

I suspect your access-list.  You can always add this to test and reapply the access-group statement:

access-list 100 permit udp any eq 53 any
access-list 100 permit tcp any eq 53 any

This will allow DNS responses to come back through the firewall.
It worked this morning when I bypassed the PIX

OK, I tried it again and it did work, but still the same result.


I have a cross over cable made, I will try it in the morning

thanks
Tried it again, meaning:

PIX -> switch -> PC with recommended DNS server of 208.67.222.222

and your access-list updated and reapplied?

I am presuming that there is a switch behind the PIX and in front of all of the PCs and servers.  No?
Yes, it did the same thing; that is what I tried.

thanks
Do a "show log" and see if the PIX is denying DNS answers.  
Did a show log and it brings up a small list and says they are disabled.
Can you post the log entries?
vh-pix# show log
Syslog logging: disabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
vh-pix#
config t
logging on
logging buffered informational
logging trap debugging
end

try it again and let's see if there is log data.
I tried the crossover cable from the laptop to the PIX, no DHCP, so I hard-coded the following:

192.168.0.97
255.255.255.0
xxx.xxx.151.1
dns - 208.67.222.222

I connected to the PIX, but couldn't get out.  Not sure if that had to do with my settings?

thanks

vh-pix# config t
vh-pix(config)# logging on
vh-pix(config)# logging buffered informational
vh-pix(config)# logging trap
Type help or '?' for a list of available commands.
vh-pix(config)# debugging
Type help or '?' for a list of available commands.
vh-pix(config)# end
Type help or '?' for a list of available commands.
vh-pix(config)# show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level informational, 1 messages logged
    Trap logging: disabled
    History logging: disabled
302002: Teardown TCP connection 122130 faddr xx.xxx.18.77/1944 gaddr xxx.xxx.151
.10/25 laddr 192.168.1.1/25 duration 0:02:28 bytes 0 (SYN Timeout)
vh-pix(config)# show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level informational, 5005 messages logged
    Trap logging: level debugging, 13 messages logged
    History logging: disabled
o connection) from xxx.xxx.240.223/80 to xxx.xxx.151.5/2816 flags SYN ACK  on in
terface outside
302002: Teardown TCP connection 124051 faddr xxx.xxx.123.124/80 gaddrxxx.xxx.151
.10/32207 laddr 192.168.1.1/32207 duration 0:00:11 bytes 491 (TCP Reset-I)
302001: Built outbound TCP connection 124054 for faddr xxx.xxx.123.120/80 gaddr xxx.xxx.151.10/32210
laddr 192.168.1.1/32210
302002: Teardown TCP connection 123801 faddr xxx.xxx.136.31/4415 gaddr xxx.xxx.15
1.10/443 laddr 192.168.1.1/443 duration 0:01:32 bytes 401013 (TCP Reset-O)
302002: Teardown TCP connection 122964 faddr xxx.xxx.153.251/80 gaddr xxx.xxx.151
.10/31036 laddr 192.168.1.1/31036 duration 0:05:13 bytes 2072 (TCP Reset-O)
106015: Deny TCP (no connection) from xxx.xxx.153.251/80 to xxx.xxx.151.10/31036
flags FIN ACK  on interface outside
302001: Built inbound TCP connection 124055 for faddr xxx.xxx.109.36/62530 gaddr
xxx.xxx.151.5/25 laddr 192.168.1.5/25
106015: Deny TCP (no connection) from xxx.xxx.153.251/80 to xxx.xxx.151.10/31036
flags FIN ACK  on interface outside
302002: Teardown TCP connection 124055 faddr xxx.xxx.109.36/62530 gaddr xxx.xxx.1
51.5/25 laddr 192.168.1.5/25 duration 0:00:02 bytes 2921 (TCP FINs)
106015: Deny TCP (no connection) from xxx.xxx.153.251/80 to xxx.xxx.151.10/31036
flags FIN ACK  on interface outside
302001: Built outbound TCP connection 124056 for faddr xxx.xxx.161.238/80 gaddr xxx.xxx.151.10/32213
laddr 192.168.1.1/32213
111007: Begin configuration: console reading from terminal
302002: Teardown TCP connection 124053 faddr xxx.xxx.47.189/80 gaddr xxx.xxx.151.
10/32209 laddr 192.168.1.1/32209 duration 0:00:25 bytes 2144 (TCP Reset-I)
302002: Teardown TCP connection 123944 faddr xxx.xxx.175.71/80 gaddr xxx.xxx.151.1
0/32101 laddr 192.168.1.1/32101 duration 0:01:07 bytes 36221 (TCP Reset-O)
302001: Built outbound TCP connection 124057 for faddr xxx.xxx.47.189/80 gaddr xxx.xxx.151.10/32214
 laddr 192.168.1.1/32214
<--- More --->
333
302006: Teardown UDP connection for faddr xxx.xxx.70.2/53 gaddr xxx.xxx.151.10/803
3 laddr 192.168.1.1/30341
302001: Built outbound TCP connection 124083 for faddr xxx.xxx.15.37/119 gaddr xxx
.xxx.151.10/32242 laddr 192.168.1.1/32242
302001: Built outbound TCP connection 124084 for faddr xxx.xxx.47.17/80 gaddr xxx
.xxx.151.10/32243 laddr 192.168.1.1/32243
304001: 192.168.1.1 Accessed URL xxx.xxx.47.17:/mail/?ui=1&ik=85bdd53f85&view=tl&
search=spam&start=0&tlt=11c329d19b1&fp=10fbe8fc3149158c&auto=1&vv=4&rq=xm&at=xn3
j301rxyhmwgnoqjlr8e8617xfhz&zx=eq0m0zskt1ok
302002: Teardown TCP connection 124084 faddrxxx.xxx.47.17/80 gaddr xxx.xxx.151.1
0/32243 laddr 192.168.1.1/32243 duration 0:00:01 bytes 1774 (TCP Reset-I)
302001: Built outbound TCP connection 124085 for faddr xxx.xxx.112.160/443 gaddr
xxx.xxx.151.10/32244 laddr 192.168.1.1/32244
302002: Teardown TCP connection 124085 faddr xxx.xxx.112.160/443 gaddr xxx.xxx.15
1.10/32244 laddr 192.168.1.1/32244 duration 0:00:01 bytes 2956 (TCP Reset-I)
302002: Teardown TCP connection 123936 faddr xxx.xxx.151.10/139 gaddr xxx.xxx.15
1.10/32094 laddr 192.168.1.1/32094 duration 0:02:05 bytes 0 (SYN Timeout)
302002: Teardown TCP connection 123939 faddr 69.30.213.171/42489 gaddr xxx.xxx.1
51.10/25 laddr 192.168.1.1/25 duration 0:02:01 bytes 0 (SYN Timeout)
302002: Teardown TCP connection 124052 faddr 65.55.184.157/443 gaddr xxx.xxx.151
.10/32208 laddr 192.168.1.1/32208 duration 0:01:18 bytes 85280 (TCP Reset-O)
302001: Built outbound TCP connection 124086 for faddr xxx.xxx.219.51/80 gaddr xx
x.xxx.151.10/32245 laddr 192.168.1.1/32245
304001: 192.168.1.1 Accessed URL xxx.xxx.219.51:/client_ad.php?p=409640
302002: Teardown TCP connection 124086 faddr xxx.xxx.219.51/80 gaddr xxx.xxx.151.
10/32245 laddr 192.168.1.1/32245 duration 0:00:01 bytes 5988 (TCP Reset-I)
302002: Teardown TCP connection 124068 faddr xxx.xxx.47.189/80 gaddr xxx.xxx.151.
10/32228 laddr 192.168.1.1/32228 duration 0:00:27 bytes 2144 (TCP Reset-I)
302001: Built outbound TCP connection 124087 for faddr xxx.xxx.47.189/80 gaddr xx
x.xxx.151.10/32246 laddr 192.168.1.1/32246
304001: 192.168.1.1 Accessed URL xxx.xxx.47.189:/mail/channel/bind?at=xn3j301rxyh
vh-pix(config)# fhz

Fixed the trap one and got this.  I hope I filtered out all of the IPs.

thanks
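Added example (not from the thread): a parser for the wrapped `show log` output above that re-joins messages split at the terminal's 80-column boundary, then answers the two questions being worked through here: is the PIX denying DNS answers (a 106015 deny from source port 53 on the outside interface), and which inside host is tearing down connections, and why. `SAMPLE_LOG` is constructed in the same 302002/106015 format with documentation addresses instead of the asker's masked ones; the meaning of Reset-I versus Reset-O in the comments is from Cisco's documentation of message 302002.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the PIX 6.x 'show log' format seen in the thread, with
# the 80-column terminal wraps preserved (addresses are documentation ranges).
SAMPLE_LOG = """\
302002: Teardown TCP connection 124051 faddr 198.51.100.124/80 gaddr 203.0.113.1
0/32207 laddr 192.168.1.1/32207 duration 0:00:11 bytes 491 (TCP Reset-I)
302001: Built outbound TCP connection 124054 for faddr 198.51.100.120/80 gaddr 203.0.113.10/32210
 laddr 192.168.1.1/32210
302002: Teardown TCP connection 122964 faddr 198.51.100.251/80 gaddr 203.0.113.10
/31036 laddr 192.168.1.1/31036 duration 0:05:13 bytes 2072 (TCP Reset-O)
106015: Deny TCP (no connection) from 198.51.100.251/80 to 203.0.113.10/31036
flags FIN ACK  on interface outside
302002: Teardown TCP connection 124053 faddr 198.51.100.189/80 gaddr 203.0.113.
10/32209 laddr 192.168.1.1/32209 duration 0:00:25 bytes 2144 (TCP Reset-I)
302002: Teardown TCP connection 124055 faddr 198.51.100.36/62530 gaddr 203.0.113.
5/25 laddr 192.168.1.5/25 duration 0:00:02 bytes 2921 (TCP FINs)
302006: Teardown UDP connection for faddr 198.51.100.2/53 gaddr 203.0.113.10/803
3 laddr 192.168.1.1/30341
"""

MSG_START = re.compile(r"^\d{6}: ")
FIELD_KEYWORDS = re.compile(r"(?<=\S)(faddr|gaddr|laddr|duration|bytes|flags|on interface)\b")
TEARDOWN = re.compile(
    r"^302002: Teardown TCP connection \d+ faddr\s*(\S+)/(\d+) gaddr\s*(\S+)/(\d+) "
    r"laddr (\S+)/(\d+) duration (\S+) bytes (\d+) \((.+)\)$")
DENY = re.compile(
    r"^106015: Deny TCP \(no connection\) from (\S+)/(\d+) to (\S+)/(\d+) "
    r"flags (.+?)\s+on interface (\S+)$")


def join_wrapped(raw_lines: List[str]) -> List[str]:
    """Re-join syslog messages the terminal wrapped at 80 columns.

    A wrap can land mid-token ('203.0.113.1' + '0/32207'), so continuation
    lines are concatenated without a separator, then the space a wrap may have
    swallowed in front of a field keyword is restored.
    """
    messages: List[str] = []
    for line in raw_lines:
        if MSG_START.match(line) or not messages:
            messages.append(line.rstrip())
        else:
            messages[-1] += line.strip()
    return [FIELD_KEYWORDS.sub(r" \1", m) for m in messages]


def parse_log(text: str) -> List[Dict[str, object]]:
    """Extract teardown (302002) and deny (106015) records; other IDs are skipped."""
    records: List[Dict[str, object]] = []
    for msg in join_wrapped(text.splitlines()):
        m = TEARDOWN.match(msg)
        if m:
            records.append({"type": "teardown", "faddr": m[1], "fport": int(m[2]),
                            "gaddr": m[3], "gport": int(m[4]), "laddr": m[5],
                            "lport": int(m[6]), "bytes": int(m[8]), "reason": m[9]})
            continue
        m = DENY.match(msg)
        if m:
            records.append({"type": "deny", "src": m[1], "sport": int(m[2]),
                            "dst": m[3], "dport": int(m[4]), "flags": m[5],
                            "iface": m[6]})
    return records


def teardown_reasons(records) -> Counter:
    """Count teardown reasons per inside host.  In Cisco's 302002 message,
    'TCP Reset-I' means the inside host sent the RST and 'TCP Reset-O' means
    the outside peer did, so a pile of Reset-I on one laddr points at that
    host (here the ISA/web server), not at the circuit."""
    return Counter((r["laddr"], r["reason"]) for r in records if r["type"] == "teardown")


def dns_replies_denied(records) -> bool:
    """True if the PIX dropped packets sourced from port 53 on the outside
    interface, i.e. DNS answers are not getting back through the firewall."""
    return any(r["type"] == "deny" and r["sport"] == 53 and r["iface"] == "outside"
               for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (host, reason), n in sorted(teardown_reasons(recs).items()):
        print(f"{host:15} {reason:14} {n}")
    print("DNS replies denied on outside:", dns_replies_denied(recs))
```

Feed it the buffer from `show log` after `logging buffered informational` is on; the 106015 "no connection" denies for FIN/ACK packets arriving after a teardown are normal stateful-firewall behaviour and are not what blocks downloads, whereas a deny from source port 53 would be.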
Your gateway should be the private interface IP and your IP should be on the same subnet as the gateway.  *If* the private IP on the PIX is 192.168.1.254, then on your laptop:

192.168.1.253 - IP
255.255.255.0 - netmask
192.168.1.254 - gateway
dns - 208.67.222.222
OK, I may try it over lunch.  I will tell everyone it will be down while they are at lunch.

thanks

I used those settings and got a connection, but it would not let me access the internet at all.



thanks
circuit -> pix -> pc

where pix -> pc is a crossover cable
where 192.168.1.254 is the IP of the inside interface
where 192.168.1.253 is an IP that was not in use (show arp)
yes circuit=>pix=>PC with crossover cable

IP 192.168.1.253
sub 255.255.255.0
gateway  192.168.1.254
DNS 208.67.222.222

I had a connection, just no access to the internet.  I was in a hurry; maybe it didn't have time to connect properly?

thanks
No internet access or no DNS?

If you can ping outside of your network, you have access.  If you can't pull up www.google.com, then you don't have DNS.

If you don't have DNS, it could be because the responses are not getting back through the firewall.  Do you still have those two ACL entries allowing any eq 53 any on your outside interface?
I couldn't pull up any web site (MSN or Google).  I really need to try over the weekend when I have more time to make sure it had time to connect.  I only had a few minutes at lunch.


thanks
Did you have internet access even though DNS was not functional?  Could you ping 64.233.167.99?
OK, I hooked the laptop up with a crossover cable to the PIX.  Set the settings to match those of the server, except for the gateway and DNS.  It worked.  Everything that was not working was working.  So I guess that rules out the PIX?  Then while I was here, I hooked the laptop up as it is normally.  I stopped the ISA service.  I then had no internet access at all.  I rebooted the server and let everything go back to the way it was.

thanks
I'd say look directly at the ISA server.  You may have had no Internet service after stopping the ISA server because, 1) you were still set to proxy web pages through the ISA server which was down or 2) a configuration within your internal network forwards port 80 through the ISA server.
The server was up and running, just the ISA service was stopped.  I do not have a proxy script running.

How would I know if I am being forwarded through the ISA?



thanks
Check your web browser to see if you are using a proxy server.

Another option, bring everything up and running.  With your laptop on the network, define  your IP, netmask, gateway and DNS server.  Make sure that your browser is not using a proxy server.  Test it.  This way the entire network is live and you are bypassing the ISA server.

We've already taken the circuit and the PIX out of the picture.  Now, we want to look at the internal network starting with the switch and ISA server.
No proxy server or scripts, automatic detection.

Manually set the IP address?


thanks

Yes, set IP, mask, gateway and DNS server.
OK, I hard-coded the IP 192.168.0.200, mask 255.255.255.0, gw 192.168.0.3, DNS 208.67.222.222.

Got connected to the net, but it didn't fix the problem.  Did I need to use a different gateway?

thanks
From your config:

ip address inside xxx.xxx.1.254 255.255.255.0

Your gateway is xxx.xxx.1.254  (it may be 192.168.1.254?).  Your IP address has to be 192.168.1.<something>.  That 'something' needs to be an IP address not in use.

What is the 192.168.0.0 network?

My settings by DHCP on my laptop:

IP: 192.168.0.79
mask 255.255.255.0
gateway 192.168.0.3
dns: 192.168.0.1
         192.168.0.2

thanks
Can you further define the network behind the PIX?  If the PIX sits on xxx.xxx.1.254 and your IP is 192.168.0.79, what is 192.168.0.3?  

Is your network VLANed?  Or are you routing through a proxy server?
The PIX goes right into the web server.

Main: IP 192.168.0.2, mask 255.255.255.0, gateway 192.168.0.3, DNS 192.168.0.1
SQL: IP 192.168.0.4, mask 255.255.255.0, gateway 192.168.0.3, DNS 192.168.0.1
Web server (outside): IP 192.168.1.4, mask 255.255.255.0, gateway 192.168.1.254, DNS 192.168.1.1
Web server (inside): IP 192.168.0.3, mask 255.255.255.0, no gateway, DNS 192.168.0.1
Apps: IP 192.168.0.19, mask 255.255.255.0, gateway 192.168.0.3, DNS 192.168.0.1
Mail (PDC): IP 192.168.0.1, mask 255.255.255.0, gateway 192.168.0.3, DNS 192.168.0.1
Check the NICs on the ISA server.  Check to see if any recent updates to the ISA server broke something.

Fix the ISA server. :)
ISA is running on the web server.  Check the Nics there?

thanks
If your data is routing through 192.168.0.3, then that is the device that I would check first.
The NIC that is connected to the PIX via crossover has a very busy activity light, but no link light?

What is the best way to test the NIC?

thanks
I couldn't find the DTM software.  I ran some other NIC tests and it seems to be working OK.
Windows is a bit out of my league.  I would try microsoft.com download section.
I ran the diagnostics I had on the NIC and it seems to be OK.

thanks
Since traffic that routes through the ISA server doesn't load pages and traffic that bypasses the ISA server does load pages, I would recommend going back through the ISA configuration and verify the information.  Check memory and disk space utilization on that machine.
We are using 50 GB out of 75 GB as far as disk space goes.

I am going to have to get some documentation on the ISA server 2000 so I can find out what everything is doing.

What I would like to do is to stop the ISA Server altogether temporarily, get the new version and start from scratch.

thanks
I shut the ISA server down, turned off all associated services.  I was able to get to the internet via that machine.  Everything worked.  I went to my laptop and it would not connect to anything.  I am going to try and find out what I need to do to uninstall ISA server safely and that the other machines can get to the internet without it.  Then get the new version and install it.

any input is appreciated

thanks
If you use the ISA server as a DHCP server, then your client machines will expect to be able to find a server that will hand out an IP, gateway and netmask.

It would help to know the physical (pix to switch to ... ) and logical (vlans ?) connections to better advise you as to what network you need to be in and how to get the machines an IP address.
My DHCP is on the PDC, which is not the same machine the ISA server is running on.


What can I tell you about the PIX and hardware?

thanks
If I understood the configuration, the client machines sat behind the ISA server (and on a different subnet than the private IP of the PIX).

If this is correct and the ISA machine is no longer between the client machines and the PIX, then the DHCP server needs to hand out 192.168.1.x addresses instead of 192.168.0.x.
PIX is 192.168.1.4

Main: IP 192.168.0.2, mask 255.255.255.0, gateway 192.168.0.3, DNS 192.168.0.1

SQL: IP 192.168.0.4, mask 255.255.255.0, gateway 192.168.0.3, DNS 192.168.0.1

Web server, outside NIC: IP 192.168.1.4, mask 255.255.255.0, gateway 192.168.1.254, DNS 192.168.1.1

Web server, inside NIC: IP 192.168.0.3, mask 255.255.255.0, no gateway, DNS 192.168.0.1

Apps: IP 192.168.0.19, mask 255.255.255.0, gateway 192.168.0.3, DNS 192.168.0.1

Mail (PDC, DHCP): IP 192.168.0.1, mask 255.255.255.0, gateway 192.168.0.3, DNS 192.168.0.1


Nothing has changed, why would this have?

thanks
According to the config above:

ip address inside 192.168.1.254 255.255.255.0

This is the "inside" of your network.  That doesn't preclude another network sitting behind this one, i.e.:

pix (192.168.1) -> outside internal (192.168.1) <-> inside internal (192.168.0) -> inside internal machines (192.168.0)

It appears that the machine with the web server is the interface between the outside internal and inside internal network.

So, if this web server is still functional and the DHCP server is handing out IP addresses in the 192.168.0 range with a gateway of 192.168.0.3 and a netmask of 255.255.255.0, you need to see what IP the DHCP server is handing out for the DNS server.

If the ISA machine *was* your DNS server, then you'll need to use your provider's DNS servers in the interim.
The DHCP is sending out 192.168.0.1  and 192.168.0.2


The "outside" NIC is set up like this in detail:
(IP)192.168.1.4
(MASK)255.255.255.0
(IP) 192.168.1.5
(MASK)255.255.255.0
(IP) 192.168.1.1
(MASK) 255.255.255.0
(GATE) 192.168.1.254
(DNS) 192.168.1.1
(WINS) --------------



thanks

Okay.  Is the layout of the network above correct?

What I'm trying to determine is: if the DHCP server is handing out 192.168.0.x IP addresses with a gateway that consists of a 192.168.0.x address, is this gateway machine reachable and does it have an outside IP address in the 192.168.1.x network?
The DHCP hands out IPs 192.168.0.x, gateway 192.168.0.3, DNS 192.168.0.1 and 192.168.0.2.

From my laptop 192.168.0.97 I can ping 192.168.0.3(webserver-ISA Server)  I can also ping 192.168.1.254 (PIX)

thanks
Does the ISA/Web server NAT the 192.168.0.x IP addresses or are those addresses left as is when going on to the PIX?

I don't see the NAT statements in the PIX config above that indicates what netblocks can NAT out.
I am not sure where to check that in the ISA; I have looked and I don't see anything on NAT.  I have the 0.x IP range in the LAT.

thanks
Please post the line(s) in the PIX that start with:

nat (inside)

And, is the ISA server still turned down?
Clip of the config that contains the NAT (changed only the 209.xxx.xxx.x IPs):

interface ethernet0 10full
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 209.xxx.xxx.x 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 209.xxx.xxx.xx
global (outside) 1 209.xxx.xxx.xx
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.xxx.xxx.xx 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 209.xxx.xxx.x 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 209.xxx.xxx.x 192.168.1.4 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
terminal width 80
Cryptochecksum:cabfad02d6a43e5b6ce67943cfcf0015
On the PIX:

sh xlate

Do you see any translations for 192.168.0.0/24?
vh-pix(config)# sh xlate
3 in use, 86 most used
Global 209.xxx.xxx.10 Local 192.168.1.1 static
Global 209.xxx.xxx.5 Local 192.168.1.5 static
Global 209.xxx.xxx.4 Local 192.168.1.4 static
Try to go somewhere with a 192.168.0 machine and then do a "sh xlate".

It doesn't make sense that you can hit 192.168.1.254 but are not NATing out the public interface.

If there are no translations that include 192.168.0, then explicitly add this to your PIX config:

nat (inside) 1 192.168.0.0 255.255.255.0
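As an added example (mine, not code from the thread, from Cisco, or from the poster): a small Python checker that answers the two questions in this reply from text you paste in, namely whether a `nat (inside)` statement actually covers 192.168.0.0/24 and whether `sh xlate` shows any translation for that subnet.  The 203.0.113.x addresses stand in for the masked 209.xxx.xxx.x public addresses, the `sh xlate` lines are constructed from the shapes posted above plus one assumed PAT entry, and all function names are my own.

```python
import ipaddress
import re

# Constructed sample input, not the real config from the thread: the NAT-related
# lines of the posted PIX config, with the masked 209.xxx.xxx.x public addresses
# replaced by documentation addresses from 203.0.113.0/24.
PIX_CONFIG = """\
ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
global (outside) 1 203.0.113.3
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.10 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.5 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.4 192.168.1.4 netmask 255.255.255.255 0 0
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
"""

# Constructed "sh xlate" output in the shape posted in the thread: only the
# three statics, nothing for any 192.168.0.x host.
XLATE_THREAD = """\
3 in use, 86 most used
Global 203.0.113.10 Local 192.168.1.1 static
Global 203.0.113.5 Local 192.168.1.5 static
Global 203.0.113.4 Local 192.168.1.4 static
"""

# Constructed output showing what a working dynamic PAT entry for a 192.168.0.x
# host would look like (assumed PIX 6.x "PAT Global a.b.c.d(port) Local ..." form).
XLATE_WORKING = """\
4 in use, 86 most used
PAT Global 203.0.113.3(1025) Local 192.168.0.97(1042)
Global 203.0.113.10 Local 192.168.1.1 static
Global 203.0.113.5 Local 192.168.1.5 static
Global 203.0.113.4 Local 192.168.1.4 static
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
XLATE_RE = re.compile(
    r"^(PAT )?Global (\S+?)(?:\(\d+\))? Local (\S+?)(?:\(\d+\))?(?: (\w+))?\s*$"
)


def parse_nat_rules(config):
    """Return [(interface, nat_id, network)] for every 'nat (<if>) <id> <net> <mask>' line."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            iface, nat_id, net, mask = m.groups()
            # ipaddress accepts a dotted mask; "0.0.0.0 0.0.0.0" becomes 0.0.0.0/0.
            rules.append((iface, int(nat_id), ipaddress.ip_network(f"{net}/{mask}", strict=False)))
    return rules


def nat_covers(rules, subnet, iface="inside"):
    """True if some nat rule on `iface` contains the whole subnet (0.0.0.0 0.0.0.0 covers everything)."""
    net = ipaddress.ip_network(subnet)
    return any(r_if == iface and net.subnet_of(r_net) for r_if, _, r_net in rules)


def parse_xlate(output):
    """Parse 'sh xlate' lines; the '<n> in use, <m> most used' header is skipped."""
    entries = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            pat, glob, local, kind = m.groups()
            entries.append({
                "global": ipaddress.ip_address(glob),
                "local": ipaddress.ip_address(local),
                "kind": kind or ("pat" if pat else "dynamic"),
            })
    return entries


def xlates_in(entries, subnet):
    """Sorted local addresses from the subnet that currently have a translation."""
    net = ipaddress.ip_network(subnet)
    return sorted({str(e["local"]) for e in entries if e["local"] in net})


def suggested_nat_line(subnet, iface="inside", nat_id=1):
    """The explicit nat statement to add when coverage is missing."""
    net = ipaddress.ip_network(subnet)
    return f"nat ({iface}) {nat_id} {net.network_address} {net.netmask}"


def diagnose(config, xlate_output, subnet="192.168.0.0/24", iface="inside"):
    """Combine both checks: can the subnet NAT at all, and is it actually translating?"""
    if not nat_covers(parse_nat_rules(config), subnet, iface):
        return "no-nat-rule"
    if not xlates_in(parse_xlate(xlate_output), subnet):
        # The PIX never saw a packet with that source: it is being dropped or
        # translated to another address before it reaches the inside interface.
        return "covered-but-no-translations"
    return "translating"


def weak_management_settings(config):
    """Flag a default SNMP community and SSH management open to the whole outside."""
    findings = []
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("snmp-server community") and s.split()[-1] in ("public", "private"):
            findings.append(s)
        if re.match(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 outside$", s):
            findings.append(s)
    return findings


if __name__ == "__main__":
    print("thread:", diagnose(PIX_CONFIG, XLATE_THREAD))
    print("working:", diagnose(PIX_CONFIG, XLATE_WORKING))
    print("missing rule ->", suggested_nat_line("192.168.0.0/24"))
    print("management:", weak_management_settings(PIX_CONFIG))
```

Two caveats before trusting the result.  First, the posted `nat (inside) 1 0.0.0.0 0.0.0.0 0 0` already covers every inside source, so `covered-but-no-translations` is the expected answer for the thread's output, and adding a 192.168.0.0/24 line cannot change it; the packets are either not leaving the 192.168.0.x side or are being translated by the web server/ISA box to its own 192.168.1.4 address, in which case the PIX only ever sees 192.168.1.4 and the activity to look at is `sh conn` for that static rather than an xlate for 192.168.0.x.  Second, the posted config also carries `snmp-server community public` and `ssh 0.0.0.0 0.0.0.0 outside`, which the last function flags; both are unrelated to the outage but worth tightening once the network is back.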
I added that to the config

Nothing changed when I went to a web site on a .0.x machine; same.

thanks
OK, well, after trying some things, I found that the WEBMON software is not working.  I disabled it and things started to work.

After all that, it was a bad software plug-in.

thanks for all your help, I have learned a lot about my network in the process.