Interesting problem with pix 515 UR



Just an interesting problem with a PIX 515E-UR:

running 6.3(5)

This PIX has only 2 Ethernet interfaces; I have connected ethernet0 (outside) via a crossover cable
to the 1760 installed by my connectivity provider; this has public IP addresses. To compensate for
the lack of other Ethernet interfaces, I have configured ethernet1 to do 802.1Q encapsulation and
connected it to GE0/2 of a Catalyst 2950.

All the servers are directly connected to the Catalyst 2950 and I see the error counters on the
physical interfaces involved all at 0; all are at the correct speed/duplex setting as reported at both ends.

My problem is related to basic connectivity. What I see is that connectivity is present both
from the PIX itself (I can ping destinations from it) and through the PIX (I can use the connections),
but every now and then I cannot reach destinations *through* the PIX and I *cannot ping the
destinations from the PIX* itself.

A simple "clear arp" solves the problem for another quantum of time, which gets longer the smaller
the "arp timeout" programmed in the PIX is; with the default (14400 secs) I can see the problem in 10 minutes
or so, with a much smaller value (150 seconds) I see the problem only when there is no traffic for a time
(typically at night).

I have checked the ARP cache and the mac-address-table on the switch and I can positively conclude that
the addresses are correct and in the correct VLAN.

Because I can always connect to the PIX externally even during the problem, I sent the PIX log to a server
and noted simply that there aren't abnormal messages. I see the connections built and, some time later, the
SYN timeout, because evidently the PIX cannot send the traffic to the destination.

Any ideas? I'm frankly running out of ideas
(and quite tempted to leave this *as is* and go to the beach for some days... :)

Following, I am sending the PIX config and the relevant part of the 2950 config
(with any sensitive information purged).

*PLEASE DO NOT TELL ME TO REVISE THE SECURITY POLICY* I know that; this is a fresh install and
I want to have stable connectivity before hardening IP security and opening the IPsec VPNs I
need to. In fact, I have noticed this problem without access-lists or security at all, directly
from the PIX console while installing the device.

bye
Andrea


-------------
Catalyst 2950 vlan config
Switch#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
2    server                           active    Fa0/21, Fa0/22, Fa0/23, Fa0/24
3    external                         active
4    extra                            active
999  NativeForTrunks                  active

Switch#sh run
Building configuration...

Current configuration : 2034 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
logging buffered 32768 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXX
!
username root privilege 15 password 0 XXXXXXXXXXX
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
[..]
!
interface FastEthernet0/21
description server webvecchio
switchport access vlan 2
load-interval 30
spanning-tree portfast
!
interface FastEthernet0/22
description server readytec
switchport access vlan 2
load-interval 30
spanning-tree portfast
!
interface FastEthernet0/23
description www server
switchport access vlan 2
load-interval 30
spanning-tree portfast
!
interface FastEthernet0/24
description Mail Server
switchport access vlan 2
load-interval 30
spanning-tree portfast
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
description Link to firewall PIX515 mode .1Q eth1
switchport trunk native vlan 999
switchport mode trunk
load-interval 30
duplex full
speed 100
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan2
ip address 10.10.10.2 255.255.255.0
no ip route-cache
!
ip default-gateway 10.10.10.1
no ip http server
!
logging trap debugging
logging facility local3
logging source-interface Vlan2
logging 10.10.10.60
!
[..]
!
end

-------------------------
Pix config:

pix# sh ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: ethernet0: address is 0017.9514.6751, irq 10
1: ethernet1: address is 0017.9514.6752, irq 11
This PIX has an Unrestricted (UR) license.

pix# sh run
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan1 physical
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security90
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname pix
domain-name XXXXXXX.it
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.60 mail
name 10.10.10.50 www
name 10.10.10.70 www-vecchio
name X.Y.Z.0 my-net
name X.X.X.40 public-net
name 10.10.10.80 rtec
name 10.10.10.2 switch1
name 192.168.3.0 Vpn
name 10.10.10.0 dmz-net
name 192.168.1.0 inside-net
name X.X.X.41 fastweb-gw
object-group service public-services tcp
description public services
port-object eq www
port-object eq smtp
port-object eq 90
port-object eq pop3
port-object eq imap4
object-group service my-access-tcp tcp
description Service access TCP Protocol
port-object eq 24
port-object eq telnet
port-object eq 81
port-object eq 3389
access-list outside_access_in permit tcp any interface outside object-group public-services
access-list outside_access_in permit tcp my-net 255.255.255.128 interface outside object-group my-access-tcp
access-list outside_access_in permit icmp any any
access-list outside_access_in permit ip Vpn 255.255.255.0 dmz-net 255.255.255.0
access-list inside_outbound_nat0_acl remark local traffic
access-list inside_outbound_nat0_acl permit ip inside-net 255.255.255.0 dmz-net 255.255.255.0
access-list dmz_outbound_nat0_acl permit ip dmz-net 255.255.255.0 Vpn 255.255.255.0
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
logging trap debugging
logging facility 21
logging device-id string fw
logging host dmz mail
logging host outside X.Y.Z.66
icmp permit any outside
icmp permit any inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.42 255.255.255.252
ip address inside 192.168.1.10 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpdn_pool 192.168.3.1-192.168.3.250
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location mail 255.255.255.255 dmz
pdm location www 255.255.255.255 dmz
pdm location www-vecchio 255.255.255.255 dmz
pdm location my-net 255.255.255.128 outside
pdm location rtec 255.255.255.255 dmz
pdm location switch1 255.255.255.255 dmz
pdm location Vpn 255.255.255.0 outside
pdm location dmz-net 255.255.255.0 dmz
pdm location inside-net 255.255.255.0 inside
pdm location fastweb-gw 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 150
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 inside-net 255.255.255.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 1 dmz-net 255.255.255.0 0 0
static (dmz,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface www www-vecchio www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 24 mail ssh netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 90 mail www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface pop3 mail pop3 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface imap4 mail imap4 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3389 www-vecchio 3389 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface telnet switch1 telnet netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 fastweb-gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 84.16.227.160 source outside
ntp server 194.100.206.70 source outside
ntp server 83.245.15.97 source outside
ntp server 85.214.43.186 source outside
ntp server 80.74.144.230 source outside
ntp server 192.36.143.150 source outside
ntp server 195.228.155.101 source outside
ntp server 80.203.145.142 source outside
http server enable
http my-net 255.255.255.128 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside-net 255.255.255.0 inside
telnet mail 255.255.255.255 dmz
telnet timeout 5
ssh my-net 255.255.255.128 outside
ssh timeout 60
console timeout 0
vpdn group pptp_vpn accept dialin pptp
vpdn group pptp_vpn ppp authentication chap
vpdn group pptp_vpn ppp authentication mschap
vpdn group pptp_vpn ppp encryption mppe 40 required
vpdn group pptp_vpn client configuration address local vpdn_pool
vpdn group pptp_vpn pptp echo 300
vpdn group pptp_vpn client authentication local
vpdn username XXXXXXXX password *********
vpdn enable outside
dhcpd address 192.168.1.200-192.168.1.254 inside
dhcpd dns mail
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain XXXXXXXX.it
dhcpd auto_config outside
dhcpd enable inside
username root password XXXXXXXXXXXXXX encrypted privilege 15
terminal width 80
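The post pairs a PIX 6.3 802.1Q subinterface setup with a Catalyst trunk, and the two sides have to agree on which VLAN is untagged. The following script is an added example, not code from the original post or from Cisco: it parses the relevant lines of the two configs above (copied into constructed string literals, trimmed to what matters) and reports whether each VLAN the PIX expects on ethernet1 is the VLAN the switch actually delivers on GigabitEthernet0/2. It assumes the PIX 6.3 semantics that the subinterface declared `vlanN physical` receives the trunk's untagged frames (so it must equal the switch's `switchport trunk native vlan`), and that each `vlanN logical` must be carried tagged and have member ports on the switch. The function and variable names are the example's own.

```python
"""Cross-check the 802.1Q trunk between a PIX 6.3 and a Catalyst switch.

Added example, not part of the original post. Assumption: on PIX 6.3 the
subinterface declared `vlanN physical` carries the untagged frames, so it
must match the trunk's native VLAN on the switch; each `vlanN logical`
must be tagged on the trunk and exist on the switch with member ports.
"""
import re

# Constructed input: the relevant lines of the Catalyst 2950 running-config
# from the post (access ports in VLAN 2 and the trunk to the PIX).
SWITCH_CONFIG = """\
interface FastEthernet0/21
 description server webvecchio
 switchport access vlan 2
interface FastEthernet0/24
 description Mail Server
 switchport access vlan 2
interface GigabitEthernet0/2
 description Link to firewall PIX515 mode .1Q eth1
 switchport trunk native vlan 999
 switchport mode trunk
interface Vlan2
 ip address 10.10.10.2 255.255.255.0
"""

# Constructed input: the relevant lines of the PIX 6.3(5) running-config.
PIX_CONFIG = """\
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan1 physical
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security90
"""


def parse_switch(text):
    """Return (trunks, access): trunk port -> native VLAN id, and
    VLAN id -> list of access ports that are members of that VLAN."""
    trunks, access = {}, {}
    port, native, is_trunk = None, 1, False   # IOS default native VLAN is 1
    for line in text.splitlines() + ["interface END"]:   # sentinel flushes last port
        m = re.match(r"interface (\S+)", line)
        if m:
            if port and is_trunk:
                trunks[port] = native
            port, native, is_trunk = m.group(1), 1, False
            continue
        m = re.match(r"\s*switchport trunk native vlan (\d+)", line)
        if m:
            native = int(m.group(1))
        elif re.match(r"\s*switchport mode trunk", line):
            is_trunk = True
        else:
            m = re.match(r"\s*switchport access vlan (\d+)", line)
            if m:
                access.setdefault(int(m.group(1)), []).append(port)
    return trunks, access


def parse_pix(text):
    """Return ({physical_if: {"untagged": vlan_id, "tagged": [vlan_ids]}},
    {interface_or_vlan: nameif})."""
    ifaces, names = {}, {}
    for line in text.splitlines():
        m = re.match(r"interface (ethernet\d+) vlan(\d+) (physical|logical)", line)
        if m:
            entry = ifaces.setdefault(m.group(1), {"untagged": None, "tagged": []})
            if m.group(3) == "physical":
                entry["untagged"] = int(m.group(2))
            else:
                entry["tagged"].append(int(m.group(2)))
            continue
        m = re.match(r"nameif (\S+) (\S+) security\d+", line)
        if m:
            names[m.group(1)] = m.group(2)
    return ifaces, names


def check_trunk(pix_if, trunk_port, switch_text=SWITCH_CONFIG, pix_text=PIX_CONFIG):
    """Return a list of (severity, message) findings for one PIX port that is
    cabled to one switch trunk port. Severity is "ok", "warn" or "error"."""
    trunks, access = parse_switch(switch_text)
    ifaces, names = parse_pix(pix_text)
    if trunk_port not in trunks:
        return [("error", f"{trunk_port} is not configured as a trunk")]
    entry = ifaces.get(pix_if)
    if entry is None:
        return [("error", f"{pix_if} has no 802.1Q configuration on the PIX")]
    native, findings = trunks[trunk_port], []
    untagged = entry["untagged"]
    if untagged is not None:
        name = names.get(pix_if, pix_if)
        if untagged != native:
            findings.append(("warn", f"{pix_if} ({name}) treats untagged frames as vlan{untagged}, "
                                     f"but {trunk_port} sends untagged frames for native VLAN {native}"))
        else:
            findings.append(("ok", f"{pix_if} ({name}) native VLAN {native} matches"))
    for vid in entry["tagged"]:
        name = names.get(f"vlan{vid}", f"vlan{vid}")
        if vid == native:
            findings.append(("error", f"vlan{vid} ({name}) is tagged on the PIX but native on {trunk_port}"))
        elif vid not in access:
            findings.append(("warn", f"vlan{vid} ({name}) has no access ports on the switch"))
        else:
            findings.append(("ok", f"vlan{vid} ({name}) tagged on both sides, members {access[vid]}"))
    return findings


if __name__ == "__main__":
    for sev, msg in check_trunk("ethernet1", "GigabitEthernet0/2"):
        print(f"[{sev}] {msg}")
```

Run as-is against the excerpts from the post, it reports that vlan2 (dmz) is tagged consistently on both sides with Fa0/21 and Fa0/24 as members, and warns that ethernet1 (inside) treats untagged frames as VLAN 1 while GigabitEthernet0/2 has native VLAN 999, which has no member ports on the switch. That mismatch concerns the inside network only and is independent of the dmz ARP symptom the post describes, but it is the kind of trunk disagreement worth ruling out before chasing ARP timers.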
