pix 515e problem

We have a small company network, about 50 computers. Two weeks ago we changed firewall on Pix 515E. Everything was working fine until yesterday. It's a simple configuration: connecting users to the Internet. I didn't change anything after the first configuration. Now users are disconnected after about 10 minutes of using the Internet. They can use the local network, but not the Internet. When I refresh the IP address (ipconfig /release, ipconfig /renew) on a client workstation, it can use the Internet again for a few minutes. After a firewall restart they can use the Internet for a few minutes too. Has anybody had a problem like this? Thank you for help.

Reply to
Kevin

Multiple DHCP servers with overlapping ranges perhaps? Duplicated IP addresses will cause that symptom.

Reply to
MyndPhlyp

If you have to do a release and renew I would look at your DHCP servers. What are your DHCP lease times set at? Do you have multiple? What are they, ISC or Windows? What do your firewall logs say?

Michael

Reply to
Michael Pelletier

I have the following configuration on the PIX firewall:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.100.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.100.11-192.168.100.50 netmask 255.255.255.0
global (outside) 1 192.168.100.10 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:23e4127087b3567a28687f69b416f468

I have one DHCP server, which is Windows 2003 Server DHCP, and the following configuration:

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : xxx.local
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MTW Network Connection
   Physical Address. . . . . . . . . : 00-0B-DB-3E-3E-B4
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.35
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.8
   DNS Servers . . . . . . . . . . . : 192.168.1.5
                                       192.168.1.8
                                       192.168.1.2
   Primary WINS Server . . . . . . . : 192.168.1.5
   Secondary WINS Server . . . . . . : 192.168.1.8
   Lease Obtained. . . . . . . . . . : Friday, April 22, 2005 9:35:00 AM
   Lease Expires . . . . . . . . . . : Friday, April 22, 2005 1:35:00 PM

When I use ipconfig /release and ipconfig /renew, I have the same configuration, but a fresh lease.

When I was connected to the firewall via telnet, the last information was:

pixfirewall(config)# show conn
16 in use, 35 most used
TCP out 212.77.100.101:80 in 192.168.1.37:1310 idle 0:00:35 Bytes 0 flags A
TCP out 193.17.41.53:443 in 192.168.1.49:3134 idle 0:00:04 Bytes 1590 flags UIO
TCP out 63.214.53.8:80 in 192.168.1.40:1690 idle 0:06:18 Bytes 521 flags UIO
TCP out 207.46.107.127:1863 in 192.168.1.40:1681 idle 0:00:04 Bytes 3712 flags UIO
TCP out 217.17.41.83:443 in 192.168.1.40:1704 idle 0:00:17 Bytes 1829 flags UIO
TCP out 63.214.53.31:80 in 192.168.1.40:1688 idle 0:06:18 Bytes 4320 flags UIO
TCP out 63.214.53.31:80 in 192.168.1.40:1686 idle 0:06:18 Bytes 4752 flags UIO
TCP out 207.46.107.6:1863 in 192.168.1.49:3139 idle 0:00:04 Bytes 4586 flags UIO
TCP out 207.68.178.16:80 in 192.168.1.40:1687 idle 0:01:36 Bytes 2339 flags UFRIO
TCP out 207.68.178.16:80 in 192.168.1.40:1689 idle 0:01:36 Bytes 2325 flags UFRIO
TCP out 66.45.113.36:443 in 192.168.1.39:2300 idle 0:01:19 Bytes 0 flags A
TCP out 64.233.167.104:80 in 192.168.1.35:1602 idle 0:00:19 Bytes 37209 flags UIO
TCP out 64.233.167.104:80 in 192.168.1.35:1603 idle 0:00:19 Bytes 18970 flags UIO
TCP out 64.236.40.143:80 in 192.168.1.40:1692 idle 0:06:15 Bytes 504 flags UIO
TCP out 64.233.161.99:80 in 192.168.1.48:2966 idle 0:00:52 Bytes 0 flags A
TCP out 64.12.145.152:80 in 192.168.1.40:1693 idle 0:06:15 Bytes 628 flags UIO
pixfirewall(config)# show conn
11 in use, 35 most used
TCP out 212.77.100.101:80 in 192.168.1.37:1310 idle 0:01:49 Bytes 0 flags A
TCP out 193.17.41.53:443 in 192.168.1.49:3134 idle 0:00:03 Bytes 1595 flags UIO
TCP out 63.214.53.8:80 in 192.168.1.40:1690 idle 0:07:31 Bytes 521 flags UIO
TCP out 207.46.107.127:1863 in 192.168.1.40:1681 idle 0:00:27 Bytes 3725 flags UIO
TCP out 217.17.41.83:443 in 192.168.1.40:1704 idle 0:01:30 Bytes 1829 flags UIO
TCP out 63.214.53.31:80 in 192.168.1.40:1688 idle 0:07:31 Bytes 4320 flags UIO
TCP out 63.214.53.31:80 in 192.168.1.40:1686 idle 0:07:31 Bytes 4752 flags UIO
TCP out 207.46.107.6:1863 in 192.168.1.49:3139 idle 0:00:36 Bytes 4599 flags UIO
TCP out 64.236.40.143:80 in 192.168.1.40:1692 idle 0:07:29 Bytes 504 flags UIO
TCP out 64.233.161.107:80 in 192.168.1.40:1712 idle 0:00:29 Bytes 686 flags UIO
TCP out 64.12.145.152:80 in 192.168.1.40:1693 idle 0:07:28 Bytes 628 flags UIO
pixfirewall(config)# show conn
11 in use, 35 most used
TCP out 193.17.41.53:443 in 192.168.1.49:3134 idle 0:00:10 Bytes 1693 flags UIO
TCP out 63.214.53.8:80 in 192.168.1.40:1690 idle 0:08:08 Bytes 521 flags UIO
TCP out 66.45.113.36:443 in 192.168.1.44:2092 idle 0:00:28 Bytes 0 flags A
TCP out 207.46.107.127:1863 in 192.168.1.40:1681 idle 0:00:20 Bytes 3738 flags UIO
TCP out 217.17.41.83:443 in 192.168.1.40:1704 idle 0:00:14 Bytes 1851 flags UIO
TCP out 63.214.53.31:80 in 192.168.1.40:1688 idle 0:08:08 Bytes 4320 flags UIO
TCP out 63.214.53.31:80 in 192.168.1.40:1686 idle 0:08:08 Bytes 4752 flags UIO
TCP out 207.46.107.6:1863 in 192.168.1.49:3139 idle 0:00:29 Bytes 4612 flags UIO
TCP out 67.19.81.94:110 in 192.168.1.45:1752 idle 0:00:21 Bytes 0 flags A
TCP out 64.236.40.143:80 in 192.168.1.40:1692 idle 0:08:05 Bytes 504 flags UIO
TCP out 64.12.145.152:80 in 192.168.1.40:1693 idle 0:08:05 Bytes 628 flags UIO
pixfirewall(config)# s

Connection to host lost.

C:\Documents and Settings\administrator>telnet 192.168.1.1
Connecting To 192.168.1.1...Could not open connection to the host, on port 23: Connect failed

And some users cannot connect to the Internet until I refresh the IP address. Some of them can still use the Internet for a few minutes; after that they have the same problem.

Thank you for help.

Kevin.

Reply to
Kevin

I solved the problem: it was a network device with the same address as the firewall. Thank you.

Reply to
Kevin
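
The cause found at the end of this thread, a second device using the firewall's inside address 192.168.1.1, can be confirmed from a client by comparing `arp -a` captures taken while the Internet works and after it stops: the gateway IP maps to more than one MAC address. The script below is an added example, not something posted in the thread; the two captures and their MAC addresses are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches one entry line of Windows `arp -a` output: IP, MAC, type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)\s*$"
)

def parse_arp_a(text):
    """Return {ip: mac} for the entries in one `arp -a` capture."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_conflicts(snapshots):
    """snapshots: list of (label, arp_text). Return {ip: [(label, mac), ...]}
    for every IP seen with more than one MAC across the captures."""
    seen = defaultdict(list)
    for label, text in snapshots:
        for ip, mac in parse_arp_a(text).items():
            seen[ip].append((label, mac))
    return {ip: obs for ip, obs in seen.items()
            if len({mac for _, mac in obs}) > 1}

# Constructed captures (MACs from the documentation range 00-00-5E-00-53-xx).
WORKING = """
Interface: 192.168.1.35 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-5e-00-53-01     dynamic
  192.168.1.8           00-00-5e-00-53-08     dynamic
"""
BROKEN = """
Interface: 192.168.1.35 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-5E-00-53-7f     dynamic
  192.168.1.8           00-00-5e-00-53-08     dynamic
"""
SNAPSHOTS = [("internet working", WORKING), ("internet lost", BROKEN)]

if __name__ == "__main__":
    for ip, obs in find_conflicts(SNAPSHOTS).items():
        print(f"{ip} answered from more than one MAC:")
        for label, mac in obs:
            print(f"  {label}: {mac}")
```

Comparing the flagged MAC with the firewall's own inside interface address shows which of the two belongs to the other device.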
