Here is my issue. It's the strangest thing that I have been battling for 2 weeks now and I need some guidance because I'm just stuck against a wall.
After a few minutes, maybe 10, maybe 5, all clients on the inside interface lose internet access and lose access to the dmz. Once it happens, it happens for all users on the inside interface at the same exact time.
However, the dmz seems to never lose internet access. I think I'm missing or screwed something up with NAT/PAT, but I cannot be sure.
I've tried two separate firewalls, one on version 6.2(3) and one on 8.0(2), and it's the same issue, so it's most likely a config issue. I've bypassed all switches, changed cables, etc., so it's directly related to the firewall.
Also I know the static statements below are ridiculous, but I couldn't figure out how to give the entire inside interface access to the server on the dmz. That's a separate issue.
I only have one server on the dmz and the IP address is 192.168.2.2 and the gateway is obviously 192.168.2.200.
The only error I saw was an ARP collision on 192.168.1.200, which is the IP address of the inside interface, but when that popped up, users on the inside interface still had access to internet and dmz.
PIX Version 8.0(2)
!
hostname pixfirewall
enable password xxx encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address xx.xx.45.82 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.200 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 10
ip address 192.168.2.200 255.255.255.0
!
passwd xxx encrypted
ftp mode passive
access-list in_out extended permit ip any any
access-list dmz_out extended permit ip any any
access-list acl_out extended permit tcp any host xx.xx.45.83 eq 3389
pager lines 24
logging enable
logging console warnings
logging trap warnings
logging host inside 192.168.1.2
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.2.0 255.255.255.0
static (dmz,outside) xx.xx.45.83 192.168.2.2 netmask 255.255.255.255
static (inside,dmz) 192.168.1.24 192.168.1.24 netmask 255.255.255.255
static (inside,dmz) 192.168.1.14 192.168.1.14 netmask 255.255.255.255
static (inside,dmz) 192.168.1.3 192.168.1.3 netmask 255.255.255.255
static (inside,dmz) 192.168.1.4 192.168.1.4 netmask 255.255.255.255
static (inside,dmz) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
static (inside,dmz) 192.168.1.6 192.168.1.6 netmask 255.255.255.255
static (inside,dmz) 192.168.1.7 192.168.1.7 netmask 255.255.255.255
static (inside,dmz) 192.168.1.8 192.168.1.8 netmask 255.255.255.255
static (inside,dmz) 192.168.1.9 192.168.1.9 netmask 255.255.255.255
static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
static (inside,dmz) 192.168.1.11 192.168.1.11 netmask 255.255.255.255
static (inside,dmz) 192.168.1.12 192.168.1.12 netmask 255.255.255.255
static (inside,dmz) 192.168.1.13 192.168.1.13 netmask 255.255.255.255
static (inside,dmz) 192.168.1.15 192.168.1.15 netmask 255.255.255.255
static (inside,dmz) 192.168.1.16 192.168.1.16 netmask 255.255.255.255
static (inside,dmz) 192.168.1.17 192.168.1.17 netmask 255.255.255.255
static (inside,dmz) 192.168.1.18 192.168.1.18 netmask 255.255.255.255
static (inside,dmz) 192.168.1.19 192.168.1.19 netmask 255.255.255.255
static (inside,dmz) 192.168.1.20 192.168.1.20 netmask 255.255.255.255
static (inside,dmz) 192.168.1.23 192.168.1.23 netmask 255.255.255.255
static (inside,dmz) 192.168.1.25 192.168.1.25 netmask 255.255.255.255
static (inside,dmz) 192.168.1.26 192.168.1.26 netmask 255.255.255.255
static (inside,dmz) 192.168.1.27 192.168.1.27 netmask 255.255.255.255
static (inside,dmz) 192.168.1.28 192.168.1.28 netmask 255.255.255.255
static (inside,dmz) 192.168.1.29 192.168.1.29 netmask 255.255.255.255
static (inside,dmz) 192.168.1.30 192.168.1.30 netmask 255.255.255.255
static (inside,dmz) 192.168.1.31 192.168.1.31 netmask 255.255.255.255
static (inside,dmz) 192.168.1.32 192.168.1.32 netmask 255.255.255.255
static (inside,dmz) 192.168.1.33 192.168.1.33 netmask 255.255.255.255
static (inside,dmz) 192.168.1.34 192.168.1.34 netmask 255.255.255.255
static (inside,dmz) 192.168.1.35 192.168.1.35 netmask 255.255.255.255
static (inside,dmz) 192.168.1.36 192.168.1.36 netmask 255.255.255.255
static (inside,dmz) 192.168.1.37 192.168.1.37 netmask 255.255.255.255
static (inside,dmz) 192.168.1.38 192.168.1.38 netmask 255.255.255.255
static (inside,dmz) 192.168.1.39 192.168.1.39 netmask 255.255.255.255
static (inside,dmz) 192.168.1.40 192.168.1.40 netmask 255.255.255.255
static (inside,dmz) 192.168.1.41 192.168.1.41 netmask 255.255.255.255
static (inside,dmz) 192.168.1.42 192.168.1.42 netmask 255.255.255.255
static (inside,dmz) 192.168.1.43 192.168.1.43 netmask 255.255.255.255
static (inside,dmz) 192.168.1.44 192.168.1.44 netmask 255.255.255.255
static (inside,dmz) 192.168.1.45 192.168.1.45 netmask 255.255.255.255
static (inside,dmz) 192.168.1.46 192.168.1.46 netmask 255.255.255.255
static (inside,dmz) 192.168.1.47 192.168.1.47 netmask 255.255.255.255
static (inside,dmz) 192.168.1.48 192.168.1.48 netmask 255.255.255.255
static (inside,dmz) 192.168.1.49 192.168.1.49 netmask 255.255.255.255
static (inside,dmz) 192.168.1.50 192.168.1.50 netmask 255.255.255.255
static (inside,dmz) 192.168.1.51 192.168.1.51 netmask 255.255.255.255
static (inside,dmz) 192.168.1.52 192.168.1.52 netmask 255.255.255.255
static (inside,dmz) 192.168.1.53 192.168.1.53 netmask 255.255.255.255
static (inside,dmz) 192.168.1.54 192.168.1.54 netmask 255.255.255.255
static (inside,dmz) 192.168.1.55 192.168.1.55 netmask 255.255.255.255
static (inside,dmz) 192.168.1.56 192.168.1.56 netmask 255.255.255.255
static (inside,dmz) 192.168.1.57 192.168.1.57 netmask 255.255.255.255
static (inside,dmz) 192.168.1.58 192.168.1.58 netmask 255.255.255.255
static (inside,dmz) 192.168.1.59 192.168.1.59 netmask 255.255.255.255
static (inside,dmz) 192.168.1.60 192.168.1.60 netmask 255.255.255.255
static (inside,dmz) 192.168.1.61 192.168.1.61 netmask 255.255.255.255
static (inside,dmz) 192.168.1.62 192.168.1.62 netmask 255.255.255.255
static (inside,dmz) 192.168.1.63 192.168.1.63 netmask 255.255.255.255
static (inside,dmz) 192.168.1.64 192.168.1.64 netmask 255.255.255.255
static (inside,dmz) 192.168.1.65 192.168.1.65 netmask 255.255.255.255
static (inside,dmz) 192.168.1.66 192.168.1.66 netmask 255.255.255.255
static (inside,dmz) 192.168.1.67 192.168.1.67 netmask 255.255.255.255
static (inside,dmz) 192.168.1.68 192.168.1.68 netmask 255.255.255.255
static (inside,dmz) 192.168.1.69 192.168.1.69 netmask 255.255.255.255
static (inside,dmz) 192.168.1.70 192.168.1.70 netmask 255.255.255.255
static (inside,dmz) 192.168.1.22 192.168.1.22 netmask 255.255.255.255
static (inside,dmz) 192.168.1.21 192.168.1.21 netmask 255.255.255.255
static (inside,dmz) 192.168.1.2 192.168.1.2 netmask 255.255.255.255
access-group acl_out in interface outside
access-group in_out in interface inside
access-group dmz_out in interface dmz
route outside 0.0.0.0 0.0.0.0 xx.xx.45.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 167.206.112.138
!
dhcpd address 192.168.1.2-192.168.1.70 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
prompt hostname context
Cryptochecksum:482f6b69b4e0b353a5bb6924c2ad84c8
: end
[OK]
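As an added example (not part of the original post and not anything the poster ran), here is a small Python audit script for the kind of PIX 7.x/8.x config shown above. It parses `static`, `access-list` and `dhcpd address` lines, reports whether a long run of per-host identity statics between two interfaces can be replaced by a single network-wide identity static (the standard PIX form for giving a whole subnet access across a NAT boundary, which is what the poster says they could not work out), lists DHCP pool addresses that have no identity static toward the dmz, and flags any access-list that is `permit ip any any`. That last check matters for a defender: with `dmz_out` permitting everything and every inside host carrying a static toward the dmz, the lower-security dmz server can initiate connections to every inside host, so a compromised dmz host has a direct path inward. The embedded config is a constructed excerpt: it keeps the poster's private addressing but only four of the per-host statics (so the gap check has something to find), and uses the documentation address 203.0.113.83 as a placeholder for the masked public IP.

```python
"""Audit a PIX/ASA 7.x-8.x style config excerpt for NAT and ACL issues.

Added example, not the poster's own tooling. The excerpt below is
constructed: same layout as the posted config, only four per-host
statics kept, and 203.0.113.83 stands in for the masked public address.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
access-list in_out extended permit ip any any
access-list dmz_out extended permit ip any any
access-list acl_out extended permit tcp any host 203.0.113.83 eq 3389
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.2.0 255.255.255.0
static (dmz,outside) 203.0.113.83 192.168.2.2 netmask 255.255.255.255
static (inside,dmz) 192.168.1.2 192.168.1.2 netmask 255.255.255.255
static (inside,dmz) 192.168.1.3 192.168.1.3 netmask 255.255.255.255
static (inside,dmz) 192.168.1.4 192.168.1.4 netmask 255.255.255.255
static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
access-group acl_out in interface outside
access-group in_out in interface inside
access-group dmz_out in interface dmz
dhcpd address 192.168.1.2-192.168.1.10 inside
"""

# PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
DHCP_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\w+)")


def parse_config(text):
    """Collect statics, ACL entries (keyed by name) and DHCP pools."""
    cfg = {"statics": [], "acls": {}, "dhcp": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, real, mask = m.groups()
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if,
                                   "mapped": mapped, "real": real, "mask": mask})
            continue
        if line.startswith("access-list "):
            parts = line.split()          # name, then the ACE tokens
            cfg["acls"].setdefault(parts[1], []).append(parts[2:])
            continue
        m = DHCP_RE.match(line)
        if m:
            lo, hi, ifname = m.groups()
            cfg["dhcp"][ifname] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    return cfg


def identity_statics(cfg, real_if, mapped_if):
    """Per-host identity statics (mapped == real, /32) for one interface pair."""
    return [ipaddress.ip_address(s["real"]) for s in cfg["statics"]
            if s["real_if"] == real_if and s["mapped_if"] == mapped_if
            and s["real"] == s["mapped"] and s["mask"] == "255.255.255.255"]


def collapse_suggestion(cfg, real_if, mapped_if, prefix_len=24):
    """If every per-host identity static sits inside one prefix, return the
    single network identity static that replaces them all; else None."""
    hosts = identity_statics(cfg, real_if, mapped_if)
    if not hosts:
        return None
    net = ipaddress.ip_network(f"{hosts[0]}/{prefix_len}", strict=False)
    if not all(h in net for h in hosts):
        return None
    return (f"static ({real_if},{mapped_if}) {net.network_address} "
            f"{net.network_address} netmask {net.netmask}")


def dhcp_hosts_without_static(cfg, real_if="inside", mapped_if="dmz"):
    """DHCP pool addresses on real_if with no identity static toward mapped_if."""
    lo, hi = cfg["dhcp"][real_if]
    covered = set(identity_statics(cfg, real_if, mapped_if))
    return [str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)
            if ipaddress.ip_address(n) not in covered]


def permit_ip_any_any_acls(cfg):
    """Names of ACLs containing an unrestricted 'permit ip any any' entry."""
    return sorted(name for name, entries in cfg["acls"].items()
                  if any(len(e) >= 5 and e[:5] == ["extended", "permit", "ip", "any", "any"]
                         for e in entries))


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("collapse to:", collapse_suggestion(cfg, "inside", "dmz"))
    print("pool hosts lacking a dmz static:", dhcp_hosts_without_static(cfg))
    print("fully open ACLs:", permit_ip_any_any_acls(cfg))
```

Run it against a full `show running-config` dump instead of the embedded excerpt by reading the file into `parse_config`. On the posted config the collapse check yields `static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0`, and the open-ACL check reports both `in_out` and `dmz_out`; restricting `dmz_out` to the specific replies and services the dmz server needs is the usual fix for the inward path it currently opens.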