Very odd that we're unable to get to Internet from PIX 506E

Hi, folks, I hope you could kindly take some time to look at our PIX problem. We have a PIX 506E (ver 6.3(1)) working for VPN and for the Internet connection. It has been working very well for a long time. Yesterday, in order to test our new fiber connection to the ISP, I changed two lines on the PIX: the IP address of the external interface and the route outside. When the testing completed, I changed these lines back to the previous settings. The PIX worked. Unfortunately, the PIX suddenly malfunctioned this morning and couldn't connect to the Internet. I'm sure that its external IP and gateway assigned by the ISP are both working. I've tried out my ideas to diagnose where the problem is. Hopefully you could offer me some hints. I'd like to copy the PIX's configuration as follows:

pix# sh conf
: Saved
: Written by enable_15 at 12:23:13.395 UTC Mon Apr 9 2007
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******* encrypted
hostname pix
domain-name xxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inbound permit tcp any host 206.124.x.x eq www
access-list inbound permit tcp any host 206.124.x.x eq 5900
access-list inbound permit tcp any host 206.124.x.x eq 5900
access-list inbound permit tcp any host 206.124.x.x eq www
access-list inbound permit tcp any host 206.124.x.x eq smtp
access-list inbound permit tcp any host 206.124.x.x eq pop3
access-list inbound permit icmp any any
access-list inbound permit tcp any host 206.124.x.x eq smtp
access-list inbound permit tcp any host 206.124.x.x eq ssh
access-list inbound permit udp any host 206.124.x.x eq ntp
access-list 101 permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list 101 permit ip 192.168.0.0 255.255.0.0 172.168.60.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.0.0 172.168.61.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.0.0 172.168.62.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.0.0 172.168.63.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.0.0 172.168.65.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.0.0 172.168.64.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.0.0 172.168.66.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.0.0 172.168.67.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.0.0 172.168.60.0 255.255.255.0
access-list 103 permit ip 192.168.0.0 255.255.0.0 172.168.61.0 255.255.255.0
access-list 104 permit ip 192.168.0.0 255.255.0.0 172.168.66.0 255.255.255.0
access-list 105 permit ip 192.168.0.0 255.255.0.0 172.168.63.0 255.255.255.0
access-list 107 permit ip 192.168.0.0 255.255.0.0 172.168.64.0 255.255.255.0
access-list 106 permit ip 192.168.0.0 255.255.0.0 172.168.65.0 255.255.255.0
access-list outbound deny udp any any eq tftp
access-list outbound deny tcp any any eq 135
access-list outbound deny udp any any eq 135
access-list outbound deny tcp any any eq 137
access-list outbound deny udp any any eq netbios-ns
access-list outbound deny tcp any any eq 138
access-list outbound deny udp any any eq netbios-dgm
access-list outbound deny tcp any any eq netbios-ssn
access-list outbound deny udp any any eq 139
access-list outbound deny tcp any any eq 445
access-list outbound deny tcp any any eq 593
access-list outbound deny tcp any any eq 4444
access-list outbound permit ip any any
access-list 108 permit ip 192.168.0.0 255.255.0.0 172.168.67.0 255.255.255.0
pager lines 24
logging console debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x x.x.x.x
ip address inside 192.168.2.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.16.1.100-172.16.1.200
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x 192.168.2.29 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.2.3 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.2.35 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.2.34 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.1.0 255.255.255.0 192.168.2.1 1
route inside 192.168.3.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set peer 206.124.196.106
crypto map mymap 20 set transform-set myset
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address 103
crypto map mymap 30 set peer 64.237.79.142
crypto map mymap 30 set transform-set myset
crypto map mymap 40 ipsec-isakmp
crypto map mymap 40 match address 106
crypto map mymap 40 set peer 72.151.6.4
crypto map mymap 40 set transform-set myset
crypto map mymap 50 ipsec-isakmp
crypto map mymap 50 match address 107
crypto map mymap 50 set peer 209.124.252.94
crypto map mymap 60 ipsec-isakmp
crypto map mymap 60 match address 104
crypto map mymap 60 set peer 216.115.142.2
crypto map mymap 60 set transform-set myset
crypto map mymap 70 ipsec-isakmp
crypto map mymap 70 match address 105
crypto map mymap 70 set peer 66.186.243.22
crypto map mymap 70 set transform-set myset
crypto map mymap 80 ipsec-isakmp
crypto map mymap 80 match address 108
crypto map mymap 80 set peer 209.124.253.22
crypto map mymap 80 set transform-set myset
crypto map mymap 90 ipsec-isakmp
isakmp enable outside
isakmp key ******** address 206.124.196.106 netmask 255.255.255.255
isakmp key ******** address 64.237.79.142 netmask 255.255.255.255
isakmp key ******** address 66.186.243.22 netmask 255.255.255.255
isakmp key ******** address 209.124.252.94 netmask 255.255.255.252
isakmp key ******** address 72.151.6.4 netmask 255.255.255.255
isakmp key ******** address 216.115.142.2 netmask 255.255.255.252
isakmp key ******** address 209.124.253.22 netmask 255.255.255.252
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup apg address-pool ippool
vpngroup apg dns-server 192.168.1.25
vpngroup apg wins-server 192.168.1.25
vpngroup apg split-tunnel 101
vpngroup apg idle-time 1800
vpngroup apg password ********
vpngroup vendor address-pool ippool
vpngroup vendor dns-server 192.168.1.25
vpngroup vendor split-tunnel 101
vpngroup vendor idle-time 1800
vpngroup vendor password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:830ac66bccf0632512daeb9d53271b09

Please let me know if you find any error in my configuration. Thank you very much for your help.

szhang3

Just a guess,

Since you NAT using the outside interface IP address, I strongly suggest that you do a clear xlate after changing your outside IP address.

What may be happening here is that some inside device creates a translation using the old outside IP. But even if you change the IP, the translation remains, so your device tries to reach the Internet using the old outside IP, which can't reach the new default gateway. So by deleting your translation you may resolve your problem.

You can do a show xlate to see if you still have old entries.

mcaissie
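A check for the stale translations this reply describes, added here as an example and not something from the thread: it parses constructed PIX 6.3 show xlate lines, flags PAT entries still bound to an outside address other than the current interface IP (static entries are expected to carry other public addresses and are ignored), and emits a per-host clear xlate local command. The addresses are assumed sample values, not the poster's.

```python
import re
from ipaddress import ip_address

# Constructed sample of PIX 6.3 "show xlate" output (not from the original post).
# The outside interface was moved from 203.0.113.10 to 203.0.113.20, but two
# PAT entries built before the change still carry the old global address.
SAMPLE_SHOW_XLATE = """\
4 in use, 7 most used
PAT Global 203.0.113.10(1024) Local 192.168.2.10(3345)
PAT Global 203.0.113.10(1025) Local 192.168.1.17(1190)
PAT Global 203.0.113.20(1026) Local 192.168.2.11(4410)
Global 203.0.113.3 Local 192.168.2.29
"""

# "PAT Global a.b.c.d(gport) Local w.x.y.z(lport)" or "Global a.b.c.d Local w.x.y.z"
XLATE_RE = re.compile(
    r"^(?P<kind>PAT )?Global (?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))?"
    r" Local (?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?$"
)


def parse_xlate(text):
    """Return one dict per translation line; counters and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pat"] = bool(d.pop("kind"))  # PAT row vs. one-to-one static row
            entries.append(d)
    return entries


def stale_pat_entries(entries, outside_ip):
    """PAT translations whose global address is not the current outside interface IP.
    With 'global (outside) 1 interface' every PAT xlate must use the interface
    address; anything else is a leftover from before the address change and sends
    traffic with a source the new gateway cannot return to, until it is cleared."""
    cur = ip_address(outside_ip)
    return [e for e in entries if e["pat"] and ip_address(e["gip"]) != cur]


def clear_commands(stale):
    """One 'clear xlate local <ip>' per affected inside host (deduplicated, sorted)."""
    return [f"clear xlate local {ip}" for ip in sorted({e["lip"] for e in stale})]


if __name__ == "__main__":
    stale = stale_pat_entries(parse_xlate(SAMPLE_SHOW_XLATE), "203.0.113.20")
    print("\n".join(clear_commands(stale)))
```

A plain clear xlate, as the reply suggests, drops every entry at once; the targeted form only disturbs the hosts that still hold the old address.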
