Pix 515E --> After a few minutes inside hosts lose internet and dmz

[ForumKid1]

Here is my issue. It's the strangest thing that i have been battling for 2 weeks now and I need some guidance because Im just stuck against a wall.

After a few minutes, maybe 10, maybe 5, all clients on the inside interface lose internet access and lose access to the dmz. Once it happens, it happens for all users on the inside interface at the same exact time.

However, the dmz seems to never lose internet access. I think I'm missing or screwed something up with NAT/PAT, but I cannot be sure.

I've tried two separate firewalls. One on version 6.2(3) and 8.0(2) and it's the same issue, so it's most likely a config issue. I've bypassed all switches, changed cables, etc, so it's directly related to the firewall.

Also I know the static statements below are ridiculous, but I couldnt figure out how to give the entire inside interface access to the server on the dmz. Thats a separate issue.

I only have one server on the dmz and the ip address is 192.168.2.2 and the gateway is obviously 192.168.2.200.

The only error I saw was an ARP collision on 192.168.1.200 which is the ip address of the inside interface, but when that popped up, users on the inside interface still had access to internet and dmz.

PIX Version 8.0(2)
!
hostname pixfirewall
enable password xxx encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address xx.xx.45.82 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.200 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 10
ip address 192.168.2.200 255.255.255.0
!
passwd xxx encrypted
ftp mode passive
access-list in_out extended permit ip any any
access-list dmz_out extended permit ip any any
access-list acl_out extended permit tcp any host xx.xx.45.83 eq 3389
pager lines 24
logging enable
logging console warnings
logging trap warnings
logging host inside 192.168.1.2
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.2.0 255.255.255.0
static (dmz,outside) xx.xx.45.83 192.168.2.2 netmask 255.255.255.255
static (inside,dmz) 192.168.1.24 192.168.1.24 netmask 255.255.255.255
static (inside,dmz) 192.168.1.14 192.168.1.14 netmask 255.255.255.255
static (inside,dmz) 192.168.1.3 192.168.1.3 netmask 255.255.255.255
static (inside,dmz) 192.168.1.4 192.168.1.4 netmask 255.255.255.255
static (inside,dmz) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
static (inside,dmz) 192.168.1.6 192.168.1.6 netmask 255.255.255.255
static (inside,dmz) 192.168.1.7 192.168.1.7 netmask 255.255.255.255
static (inside,dmz) 192.168.1.8 192.168.1.8 netmask 255.255.255.255
static (inside,dmz) 192.168.1.9 192.168.1.9 netmask 255.255.255.255
static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
static (inside,dmz) 192.168.1.11 192.168.1.11 netmask 255.255.255.255
static (inside,dmz) 192.168.1.12 192.168.1.12 netmask 255.255.255.255
static (inside,dmz) 192.168.1.13 192.168.1.13 netmask 255.255.255.255
static (inside,dmz) 192.168.1.15 192.168.1.15 netmask 255.255.255.255
static (inside,dmz) 192.168.1.16 192.168.1.16 netmask 255.255.255.255
static (inside,dmz) 192.168.1.17 192.168.1.17 netmask 255.255.255.255
static (inside,dmz) 192.168.1.18 192.168.1.18 netmask 255.255.255.255
static (inside,dmz) 192.168.1.19 192.168.1.19 netmask 255.255.255.255
static (inside,dmz) 192.168.1.20 192.168.1.20 netmask 255.255.255.255
static (inside,dmz) 192.168.1.23 192.168.1.23 netmask 255.255.255.255
static (inside,dmz) 192.168.1.25 192.168.1.25 netmask 255.255.255.255
static (inside,dmz) 192.168.1.26 192.168.1.26 netmask 255.255.255.255
static (inside,dmz) 192.168.1.27 192.168.1.27 netmask 255.255.255.255
static (inside,dmz) 192.168.1.28 192.168.1.28 netmask 255.255.255.255
static (inside,dmz) 192.168.1.29 192.168.1.29 netmask 255.255.255.255
static (inside,dmz) 192.168.1.30 192.168.1.30 netmask 255.255.255.255
static (inside,dmz) 192.168.1.31 192.168.1.31 netmask 255.255.255.255
static (inside,dmz) 192.168.1.32 192.168.1.32 netmask 255.255.255.255
static (inside,dmz) 192.168.1.33 192.168.1.33 netmask 255.255.255.255
static (inside,dmz) 192.168.1.34 192.168.1.34 netmask 255.255.255.255
static (inside,dmz) 192.168.1.35 192.168.1.35 netmask 255.255.255.255
static (inside,dmz) 192.168.1.36 192.168.1.36 netmask 255.255.255.255
static (inside,dmz) 192.168.1.37 192.168.1.37 netmask 255.255.255.255
static (inside,dmz) 192.168.1.38 192.168.1.38 netmask 255.255.255.255
static (inside,dmz) 192.168.1.39 192.168.1.39 netmask 255.255.255.255
static (inside,dmz) 192.168.1.40 192.168.1.40 netmask 255.255.255.255
static (inside,dmz) 192.168.1.41 192.168.1.41 netmask 255.255.255.255
static (inside,dmz) 192.168.1.42 192.168.1.42 netmask 255.255.255.255
static (inside,dmz) 192.168.1.43 192.168.1.43 netmask 255.255.255.255
static (inside,dmz) 192.168.1.44 192.168.1.44 netmask 255.255.255.255
static (inside,dmz) 192.168.1.45 192.168.1.45 netmask 255.255.255.255
static (inside,dmz) 192.168.1.46 192.168.1.46 netmask 255.255.255.255
static (inside,dmz) 192.168.1.47 192.168.1.47 netmask 255.255.255.255
static (inside,dmz) 192.168.1.48 192.168.1.48 netmask 255.255.255.255
static (inside,dmz) 192.168.1.49 192.168.1.49 netmask 255.255.255.255
static (inside,dmz) 192.168.1.50 192.168.1.50 netmask 255.255.255.255
static (inside,dmz) 192.168.1.51 192.168.1.51 netmask 255.255.255.255
static (inside,dmz) 192.168.1.52 192.168.1.52 netmask 255.255.255.255
static (inside,dmz) 192.168.1.53 192.168.1.53 netmask 255.255.255.255
static (inside,dmz) 192.168.1.54 192.168.1.54 netmask 255.255.255.255
static (inside,dmz) 192.168.1.55 192.168.1.55 netmask 255.255.255.255
static (inside,dmz) 192.168.1.56 192.168.1.56 netmask 255.255.255.255
static (inside,dmz) 192.168.1.57 192.168.1.57 netmask 255.255.255.255
static (inside,dmz) 192.168.1.58 192.168.1.58 netmask 255.255.255.255
static (inside,dmz) 192.168.1.59 192.168.1.59 netmask 255.255.255.255
static (inside,dmz) 192.168.1.60 192.168.1.60 netmask 255.255.255.255
static (inside,dmz) 192.168.1.61 192.168.1.61 netmask 255.255.255.255
static (inside,dmz) 192.168.1.62 192.168.1.62 netmask 255.255.255.255
static (inside,dmz) 192.168.1.63 192.168.1.63 netmask 255.255.255.255
static (inside,dmz) 192.168.1.64 192.168.1.64 netmask 255.255.255.255
static (inside,dmz) 192.168.1.65 192.168.1.65 netmask 255.255.255.255
static (inside,dmz) 192.168.1.66 192.168.1.66 netmask 255.255.255.255
static (inside,dmz) 192.168.1.67 192.168.1.67 netmask 255.255.255.255
static (inside,dmz) 192.168.1.68 192.168.1.68 netmask 255.255.255.255
static (inside,dmz) 192.168.1.69 192.168.1.69 netmask 255.255.255.255
static (inside,dmz) 192.168.1.70 192.168.1.70 netmask 255.255.255.255
static (inside,dmz) 192.168.1.22 192.168.1.22 netmask 255.255.255.255
static (inside,dmz) 192.168.1.21 192.168.1.21 netmask 255.255.255.255
static (inside,dmz) 192.168.1.2 192.168.1.2 netmask 255.255.255.255
access-group acl_out in interface outside
access-group in_out in interface inside
access-group dmz_out in interface dmz
route outside 0.0.0.0 0.0.0.0 xx.xx.45.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 167.206.112.138
!
dhcpd address 192.168.1.2-192.168.1.70 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
prompt hostname context
Cryptochecksum:482f6b69b4e0b353a5bb6924c2ad84c8
: end
[OK]

 

[kmills]

Kid,
I use the ASDM so am not real good with the posted config. However, I see that you are logging. Is it possible your log files are filling up, and stopping your firewall. Somewhere there is a setting to tell the firewall to continue running, even if it can't keep all the log files.
-- Just a thought.

Kmills

 

[Supergrrover]

Set the level for you syslog to debug and find out when it boks. Check to see what's there and post it.

Once your done, turn logging back to warnings of you might have serious resource issues.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Bassig]

I`m not very good with the config files either, but I have a similar problem.

I have various public IPs which im using to PAT my internal hosts, when I put to many hosts through one IP address they loose connection after 5 to 10 minutes.
So what I do is balance the amount of hosts that use every public IP address.

I'm not expert but i assume the problem is caused by the amount of connections that the hosts are making to the outside and are consuming all the ports available to PAT.

Hope this helps.

BASSIG

 

[ForumKid1]

I have solved the issue. The issue was that there was a network printer on the inside interface with the same exact ip address of the inside interface of the pix. Hence that was the reason for the arp collision on 192.168.1.200. I have changed the network printer ip to something else and for the last few days everything is rocking and rolling.

So I guess the translation in the pix was getting screwed up and trying to send inside interface traffic to the printer, thus killing internet and dmz.

Hope that helps!