Losing Internet Access

I am at one of my remote offices and they have a problem with losing Internet access for most of the staff.  

When the office opens up, the first people to connect to the Internet have access all day, the rest do not gain access.  I have yet to determine the exact number of lucky users, but it may only be 10 or so of the 80 users.  These 10 users have email, messenger, etc.  Some of the staff are granted access to MS Messenger, but most of the users have no access at all.

Details concerning the site are as follows.  There are two E1's (Mexico) coming into a Cisco 1700 router.  The 1700 then connects to a Cisco PIX 501.  We have a HP Proliant DL380 server running Win 2K3.  It has 4 CPUs and 2 Gigs of ram right now.  The server is a file server, provides DNS and Wins, and also DHCP.  There is about 70 users at any given time, all running Win XP Pro.  Utilization is low on the server and it is only using about 400 Megs of memory.  If I reboot the firewall, those running messenger normally get the connection since Messenger will keep trying to connect if the Internet goes down.

There are a few more details that I have observed:

The whole site has complete access to the local network.  No local access is lost.  The whole site can still access the file server and the network printers, so I dont think it is a switch issue.  I can go to any machine and ping the firewall, the file server etc.  Basic TCP/IP connectivity is still there.

This site connects to another site via a VPN.  The other side has a PIX 515E and the VPN link does not go down.  Here is the weird part.  If I have Internet access, I also have full access to the resources at the other side of the VPN.  I can access terminal services to any servers, and my own personal PC via Remote Desktop.  If I dont have access, I can still ping devices on the other side of the VPN, but I cannot access the servers via Terminal Services or my PC via remote desktop.  I also cannot connect to the Exchange Server  Funny thing is that I can access to a PC via pcAnywhere on the other side.

We have a MFP printer here (HP 4345) that has the ability to send email via an SMTP server at the other side of a VPN link.  If you come in first thing in the morning, you can send email out on the printer.  Once people start logging in, the printer loses connection to the SMTP server, and will not connect for the rest of the day.  We have another MFP printer local to the SMTP server and it works fine and never has a problem.   No matter how I try, I cannot get this printer to connect.  So after 6, when the office has cleared out, the printer will then have access again and is able to send email no problem.

Is this a DNS issue or a network traffic issue, I am not sure.  If I do not have Internet access, I also cannot perform a Nslookup.  It says Cant find server name for the address Non-existent domain.  Machines with Internet access run Nslookup just fine.  I have tried to change to a DNS server at the other side, and even public DNS servers.  Still no help.  I cannot access the Internet.  

I can use some direction.  This office has grown from about 30 people to 80 over the past two years.  I was going to replace the PIX 501 with a 515E, but the Firewall failed, and I am awaiting a replacement.  In the meantime, any ideas.  By the way, it is quite now and I have full run of the network.  No access problems at all.

Thank You.

This office has a VPN link to my HQ office, and the VPN stays live.  These affected users still have
Who is Participating?
PugglewuggleConnect With a Mentor Commented:
I need the config of the PIXes (both please). Also, please post the sh ver output for both devices.
What it sounds like to me is that you have NAT configured on the ASA or PIX connecting to the internet instead of PAT. NAT will only allow a certain number of connections to the internet based on how many IP addresses there are. PAT will allow a virtually unlimited number on one IP address.
Another thing could be that you have exceeded the licensed limit of inside users on the PIX 501 (usually 10). If there are more than 10 computers/devices this is probably what's going on.
Here is a link to the Cisco article about how this works:
Cheers! Let me know!
?I donde estan en Mexico?
hi give this command on pix

clear xlate

and after giving this command if internet starts , it may be licence issue in pix 501 or may be natting issue
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

'tis what I said. Thanks for the echo! :D lol!
Javier196Author Commented:
Here is the PIX Config

I am not at the office right now, I can send the sh ver later if you like.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password sO6bZHUWnsTA3HWu encrypted
passwd QH14vCtkJCLV82hU encrypted
hostname Exxxxx3
domain-name xxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name xxxxxxx
name xxxxxxx
name xxxxxxx
name Exxxxx2
access-list sitetosite_seg permit ip
access-list nat_avoid permit ip
access-list public_access_in permit tcp any host 201.xxx.xxx.147 eq xxx
access-list public_access_in permit tcp any host 201.xxx.xxx.150 eq xxx
pager lines 20
mtu outside 1500
mtu inside 1500
ip address outside 201.xxx.xxx.146
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool Vpn_IpPool
pdm location inside
pdm location inside
pdm location outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat_avoid
nat (inside) 1 0 0
static (inside,outside) 201.xxx.xxx.147 Exxxxx2 netmask 0 0
static (inside,outside) 201.xxx.xxx.148 netmask 0 0
static (inside,outside) 201.xxx.xxx.149 netmask 0 0
static (inside,outside) 201.xxx.xxx.150 Exxxxx2 netmask 0 0
access-group public_access_in in interface outside
route outside 201.xxx.xxx.145 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dynmap 20 set transform-set ESP-DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address sitetosite_seg
crypto map outside_map 10 set peer 64xxx.xxx.109
crypto map outside_map 10 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dynmap
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 64.xxx.xxx.109 netmask
isakmp key ******** address 200.xxx.xxx.0 netmask
isakmp key ******** address 201.xxx.xxx.0 netmask
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Rem0te address-pool Vpn_IpPool
vpngroup Rem0te dns-server Exxxxx2
vpngroup Rem0te wins-server Exxxxx2
vpngroup Rem0te default-domain exxxxx
vpngroup Rem0te idle-time 3600
vpngroup Rem0te password ********
vpngroup Remo0te idle-time 1800
telnet inside
telnet inside
telnet inside
telnet Exxxxx2 inside
telnet timeout 5
ssh 67.xxx.xxx.64 outside
ssh 64.xxx.xxx.96 outside
ssh timeout 30
management-access inside
console timeout 5
terminal width 80
Javier196Author Commented:
By the way, I can understand if this is a license issue, but the printer losing access to the POP3 server baffles me.  Also, why would this affect the Nslookup on the local LAN.  An why would I be able to pcAnywhere but not Remote Desktop on the VPN.

Just thinking out loud.
Javier196Author Commented:
Here is the sh ver of the PIX

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Fri 02-Jul-04 00:07 by morlee

EzionFW03 up 19 hours 10 mins

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0012.d988.0f31, irq 9
1: ethernet1: address is 0012.d988.0f32, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                50
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.

So, I guess this is a license issue.  I completely overlooked the license at this site.  This site is rather large and users are spread amonst three offices.  I guess it is possible that 50 people are gaining access, but since most are just using messenger, only those that try to access web pages complain about not gaining access.

This location has grown by about 20 people over the last 3 months, so it would make sense that this firewall was fine for the last 3 years, but until recently had probems.  

I have a few observations to verify.
This limit would not only block Internet access, but also access over the VPN, right.  
I suppose since the printer is being bumped by actual PCs, so that would explain why it would drop its access to the Exchange server.

One last question, I am going to implement a Web Blocking program to limit Intenet access for most of the staff.  If web is blocked with a proxy of some sort, will this fix my problem.
Javier196Author Commented:
Sometimes, it is good to leave a problem and come back to it later.  When the Internet was not working, I attibuted many problems to it, and one's mind can swirl with random ideas..  

Now that I knew it was a licensing issue, I attacked the nslookup problem.  The server was just installed and I thought all was configured fine.  By checking for the Nslookup problem, I found that my reverse lookup zone did not have a PTR record for this server that is also the DNS server.  Once I created a PTR record in the reverse lookup zone, my nslookup problem went away.

So, all I need to know is if the Web Blocking program will allow my designated users access, without interference from those who are blocked.  I think is should.  Your thoughts.

By the way, this firewall was going to be replaced with a PIX 515E with unlimited licenses.  Unfortunately, that firewall died after a day.  A replacement will be here Tuesday, so the problem will be moot, but it is nice to know the full solution to a problem.
The thing with the license is not the number of people on the network (or connecting) at any given point in time - it is the number of devices (MAC addresses) that the PIX sees - if at any point it sees more than 50 (from any source other than the outside interface) it will cause problems. Connections to devices will be spontaneous and erratic - it has no real way of picking the ones that don't work - some will work sometimes and not other times. Again, this affects ALL devices and is random.
As far as your blocking program, it depends on if it uses NAT or not. If not, then no, it won't solve your problem.
The best solution is to just buy a license upgrade for the PIX - it's cheap and you won't have the restriction any more - and there's no blocking program to setup/maintain.
Here's a link to the correct license upgrade you need - it's very affordable at only about $200 USD - part number is PIX501SW50UL:
Javier196Author Commented:
The license issue will not be a problem after Tuesday.  I wll be replacing this 501 with a PIX 515E with unlimited connections, so this problem will go away.
Cool! Good luck!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.