Jump to content



Photo

Cisco Pix 501 / DNS - DNS resolution stops working over time


  • Please log in to reply
5 replies to this topic

#1 andrew22

andrew22

    Neowinian

  • Joined: 14-July 01

Posted 25 March 2013 - 00:21

Hello,

It's been quite some time since I was on this forum (Hello Neobound from the old ibelite!) I am currently experiencing a very strange problem for one of my clients and can't seem to figure out why this is happening.


The client has a Cisco Pix 501 with the configuration listed below. It connects to the public internet via a cable modem and acts as a DCHP server for the local LAN.

When it first turns on, all computers obtain the correct IP settings and can access the internet. Within 10-15 minutes, computers begin to loose access to the Internet. What’s strange is that each computer that lost Internet access can ping the remote address but cannot perform an nslookup. (it shows as Server UnKnown)

The DNS server is 167.206.254.2 which is the external dns server provided by my ISP. I can ping this address but the local computer is unable to use it for domain to ip resolution.

The network used to have an existing Windows Small Business Server that was a DNS and WINS Server. I ran dcpromo to remove the role of the server and uninstalled dns via add/remove components.

Can someone please help me determine why the computers over time loose the ability to resolve domain names and therefore loose internet access? Can there be some bad DNS entries created? Is there anything I can run on the local computers to further troubleshoot dns errors? Is it possible that the existing Windows SBS server is still running DNS and therefore causing conficts in some way?

One thing to note is that when I reset the Pix 501, everything begins to work again but only for a short time until one by one each computer can no longer resolve domain names. Also, I noticed that once someone connects via VPN and disconnects, one of the local computers looses the ability to resolve DNS.

Cisco Pix Config
-----------------------------------------------------------
PIX# show config
: Saved
: Written by enable_15 at 08:55:56.390 UTC Fri Mar 15 2013
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password chiuzjKkSD33lwEw encrypted
passwd chiuzjKkSD33lwEw encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list VPNGROUP_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.128
access-list outside_cryptomap_dyn_30 permit ip any 192.168.3.0 255.255.255.128
access-list ping_acl permit icmp any any
pager lines 24
logging timestamp
logging monitor debugging
logging buffered debugging
logging history debugging
logging queue 0
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.3.2-192.168.3.100 mask 255.255.255.0
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm logging informational 512
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
access-group ping_acl in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ACS protocol tacacs+
aaa-server ACS max-failed-attempts 3
aaa-server ACS deadtime 10
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto dynamic-map VPNMAP 30 match address outside_cryptomap_dyn_30
crypto dynamic-map VPNMAP 30 set transform-set ESP-3DES-MD5
crypto map MYMAP 10 ipsec-isakmp dynamic VPNMAP
crypto map MYMAP client authentication LOCAL
crypto map MYMAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup VPNGRP idle-time 1800
vpngroup VPNGROUP address-pool VPN
vpngroup VPNGROUP dns-server 167.206.254.2
vpngroup VPNGROUP wins-server 192.168.2.50
vpngroup VPNGROUP default-domain advancedarthritiscarecenter.local
vpngroup VPNGROUP split-tunnel VPNGROUP_splitTunnelAcl
vpngroup VPNGROUP idle-time 1800
vpngroup VPNGROUP password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd dns 167.206.254.2 167.206.254.2
dhcpd lease 7200
dhcpd ping_timeout 750
dhcpd enable inside
username admin password pO9NW1GJpm4IIIFK encrypted privilege 15
username andrew password A340D92MQ0zV0hGs encrypted privilege 15
terminal width 80
Cryptochecksum:aacfb7d8ae07a6075baf8656a724fbec


#2 +giantsnyy

giantsnyy

    Neowinian

  • Joined: 21-January 02

Posted 25 March 2013 - 00:56

...


"dhcpd dns 167.206.254.2 167.206.254.2"

Why do you have the entry twice?

Type in

"no dhcpd dns"

Then, add it back without the duplicate entry. I know it's not a big deal to have it is Primary and Secondary, but I'm just curious. If you need a secondary, add 4.2.2.2. Might be causing a conflict using the same address twice.

#3 OP andrew22

andrew22

    Neowinian

  • Joined: 14-July 01

Posted 25 March 2013 - 03:50

hmm maybe, someone on a cisco forum just told me it could be due to a 10 concurrent license restriction on pix 501. Did you ever hear of this?

"The Cisco PIX 501 10-user license supports up to 10 concurrent source IP addresses from your internal network to traverse through the Cisco PIX 501"

#4 trek

trek

    Neowinian Senior

  • Joined: 11-August 02
  • Location: Vancouver, Canada

Posted 25 March 2013 - 03:57

do a sho ver and see what your pix is licensed for

#5 OP andrew22

andrew22

    Neowinian

  • Joined: 14-July 01

Posted 25 March 2013 - 11:05

Thanks, I'll give that a shot!

#6 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 27 March 2013 - 20:22

so I can not do queries to that dns server, which is common to not allow non isp users use their dns.

I show .1 .2 and .3 as dns servers via PTR query

;; ANSWER SECTION:
3.254.206.167.in-addr.arpa. 21344 IN PTR vdns3.srv.hcvlny.cv.net.

.3 answers pings but .1 and .2 do not - you could try doing dns to .1 and .3 see if any of those answer.

You could also as mentioned just use something more reliable than many isp dns - like the mentioned 4.2.2.2 which is level3 public dns

;; ANSWER SECTION:
2.2.2.4.in-addr.arpa. 7174 IN PTR b.resolvers.Level3.net.

Or you could use googledns 8.8.8.8 8.8.4.4 I do believe or opendns, etc. See any of those work when your having issues using the others. Have your clients just change their nslookup to the other server vs the nslookup server command

budman@ubuntu:~$ nslookup
> server 4.2.2.2
Default server: 4.2.2.2
Address: 4.2.2.2#53
> www.google.com
Server: 4.2.2.2
Address: 4.2.2.2#53

Non-authoritative answer:
Name: www.google.com
Address: 173.194.64.99
Name: www.google.com
Address: 173.194.64.147
Name: www.google.com

as to your license question - how many IP would be accessing the internet from the inside? If your close to over 10 then sure that could cause problems