andrew22 Posted March 25, 2013

Hello, It's been quite some time since I was on this forum (Hello Neobound from the old ibelite!) I am currently experiencing a very strange problem for one of my clients and can't seem to figure out why this is happening. The client has a Cisco Pix 501 with the configuration listed below. It connects to the public internet via a cable modem and acts as a DHCP server for the local LAN. When it first turns on, all computers obtain the correct IP settings and can access the internet. Within 10-15 minutes, computers begin to lose access to the Internet. What's strange is that each computer that lost Internet access can ping the remote address but cannot perform an nslookup (it shows as Server UnKnown). The DNS server is 167.206.254.2, which is the external DNS server provided by my ISP. I can ping this address but the local computer is unable to use it for domain to IP resolution. The network used to have an existing Windows Small Business Server that was a DNS and WINS Server. I ran dcpromo to remove the role of the server and uninstalled DNS via add/remove components. Can someone please help me determine why the computers over time lose the ability to resolve domain names and therefore lose internet access? Can there be some bad DNS entries created? Is there anything I can run on the local computers to further troubleshoot DNS errors? Is it possible that the existing Windows SBS server is still running DNS and therefore causing conflicts in some way? One thing to note is that when I reset the Pix 501, everything begins to work again but only for a short time until one by one each computer can no longer resolve domain names. Also, I noticed that once someone connects via VPN and disconnects, one of the local computers loses the ability to resolve DNS.
Cisco Pix Config
-----------------------------------------------------------
PIX# show config
: Saved
: Written by enable_15 at 08:55:56.390 UTC Fri Mar 15 2013
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password chiuzjKkSD33lwEw encrypted
passwd chiuzjKkSD33lwEw encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list VPNGROUP_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.128
access-list outside_cryptomap_dyn_30 permit ip any 192.168.3.0 255.255.255.128
access-list ping_acl permit icmp any any
pager lines 24
logging timestamp
logging monitor debugging
logging buffered debugging
logging history debugging
logging queue 0
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.3.2-192.168.3.100 mask 255.255.255.0
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm logging informational 512
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
access-group ping_acl in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ACS protocol tacacs+
aaa-server ACS max-failed-attempts 3
aaa-server ACS deadtime 10
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto dynamic-map VPNMAP 30 match address outside_cryptomap_dyn_30
crypto dynamic-map VPNMAP 30 set transform-set ESP-3DES-MD5
crypto map MYMAP 10 ipsec-isakmp dynamic VPNMAP
crypto map MYMAP client authentication LOCAL
crypto map MYMAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup VPNGRP idle-time 1800
vpngroup VPNGROUP address-pool VPN
vpngroup VPNGROUP dns-server 167.206.254.2
vpngroup VPNGROUP wins-server 192.168.2.50
vpngroup VPNGROUP default-domain advancedarthritiscarecenter.local
vpngroup VPNGROUP split-tunnel VPNGROUP_splitTunnelAcl
vpngroup VPNGROUP idle-time 1800
vpngroup VPNGROUP password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd dns 167.206.254.2 167.206.254.2
dhcpd lease 7200
dhcpd ping_timeout 750
dhcpd enable inside
username admin password pO9NW1GJpm4IIIFK encrypted privilege 15
username andrew password A340D92MQ0zV0hGs encrypted privilege 15
terminal width 80
Cryptochecksum:aacfb7d8ae07a6075baf8656a724fbec
giantsnyy Posted March 25, 2013

... "dhcpd dns 167.206.254.2 167.206.254.2" Why do you have the entry twice? Type in "no dhcpd dns" Then, add it back without the duplicate entry. I know it's not a big deal to have it as Primary and Secondary, but I'm just curious. If you need a secondary, add 4.2.2.2. Might be causing a conflict using the same address twice.
andrew22 (Author) Posted March 25, 2013

Hmm, maybe. Someone on a Cisco forum just told me it could be due to a 10 concurrent user license restriction on the Pix 501. Did you ever hear of this? "The Cisco PIX 501 10-user license supports up to 10 concurrent source IP addresses from your internal network to traverse through the Cisco PIX 501"
trek Posted March 25, 2013

Do a "sho ver" and see what your Pix is licensed for.
andrew22 (Author) Posted March 25, 2013

Thanks, I'll give that a shot!
BudMan (MVC) Posted March 27, 2013

So I cannot do queries to that DNS server, which is common: many ISPs do not allow non-ISP users to use their DNS. I show .1, .2 and .3 as DNS servers via PTR query:

;; ANSWER SECTION:
3.254.206.167.in-addr.arpa. 21344 IN PTR vdns3.srv.hcvlny.cv.net.

.3 answers pings but .1 and .2 do not. You could try doing DNS to .1 and .3 and see if any of those answer. You could also, as mentioned, just use something more reliable than many ISP DNS servers, like the mentioned 4.2.2.2, which is Level3 public DNS:

;; ANSWER SECTION:
2.2.2.4.in-addr.arpa. 7174 IN PTR b.resolvers.Level3.net.

Or you could use Google DNS, 8.8.8.8 and 8.8.4.4 I do believe, or OpenDNS, etc. See if any of those work when you're having issues using the others. Have your clients just change their nslookup to the other server via the nslookup "server" command:

budman@ubuntu:~$ nslookup
> server 4.2.2.2
Default server: 4.2.2.2
Address: 4.2.2.2#53
> www.google.com
Server: 4.2.2.2
Address: 4.2.2.2#53

Non-authoritative answer:
Name: www.google.com
Address: 173.194.64.99
Name: www.google.com
Address: 173.194.64.147
Name: www.google.com

As to your license question: how many IPs would be accessing the internet from the inside? If you're close to or over 10 then sure, that could cause problems.
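The check BudMan does interactively with nslookup, written up as an added example (not code from the thread or from any of its posters): a small Python DNS client that sends the same A and PTR queries from a script, so a client PC can test every candidate resolver in one run and report which ones actually answer on port 53 rather than merely answering ping, which is the gap the original post describes. It assumes the resolver addresses mentioned in the thread (167.206.254.1/.2/.3, 4.2.2.2, 8.8.8.8, 8.8.4.4) and a sample response constructed here to mirror the PTR answer for 4.2.2.2 that BudMan pasted; live queries need network access. The parser also rejects an answer whose transaction id does not match the query, a basic sanity check a resolver test should include.

```python
import random
import socket
import struct

# Added example, not from the thread. Resolver addresses come from the thread;
# SAMPLE_PTR_RESPONSE below is constructed to model the PTR answer BudMan pasted.
ISP_RESOLVERS = ["167.206.254.1", "167.206.254.2", "167.206.254.3"]
PUBLIC_RESOLVERS = ["4.2.2.2", "8.8.8.8", "8.8.4.4"]

QTYPE_A, QTYPE_CNAME, QTYPE_PTR = 1, 5, 12


def encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ptr_name(ip):
    """Reverse-lookup name for an IPv4 address: 4.2.2.2 -> 2.2.2.4.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def build_query(name, qtype=QTYPE_A, txid=None):
    """Build a standard recursive query; returns (packet, transaction id)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1), txid


def read_name(msg, off):
    """Decode the name at `off`, following compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, target
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg, expected_txid):
    """Return (rcode, [(name, type, ttl, value), ...]) from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: stale or forged answer")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == QTYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype in (QTYPE_CNAME, QTYPE_PTR):
            value, _ = read_name(msg, off)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
        off += rdlen
    return rcode, answers


def query(server, name, qtype=QTYPE_A, timeout=2.0):
    """Send one UDP query to `server`; returns (rcode, answers) or None on timeout."""
    pkt, txid = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def check_resolvers(servers, name="www.google.com"):
    """Map each resolver to 'timeout', 'rcode N', or its list of A records."""
    report = {}
    for srv in servers:
        result = query(srv, name)
        if result is None:
            report[srv] = "timeout"  # pingable but not serving DNS looks like this
        elif result[0] != 0:
            report[srv] = "rcode %d" % result[0]
        else:
            report[srv] = [v for _, t, _, v in result[1] if t == QTYPE_A]
    return report


# Constructed sample: BudMan's PTR answer for 4.2.2.2 as a wire-format message.
_PTR_RDATA = encode_name("b.resolvers.Level3.net")
SAMPLE_PTR_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # response, RD+RA, NOERROR
    + encode_name(ptr_name("4.2.2.2")) + struct.pack("!HH", QTYPE_PTR, 1)
    + b"\xc0\x0c"  # answer name: pointer back to the question name at offset 12
    + struct.pack("!HHIH", QTYPE_PTR, 1, 7174, len(_PTR_RDATA)) + _PTR_RDATA
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_PTR_RESPONSE, 0x1234))
    print(check_resolvers(ISP_RESOLVERS + PUBLIC_RESOLVERS))  # needs network access
```

Run it on one of the affected PCs while the problem is happening: a resolver that shows "timeout" while still answering ping is exactly the state the first post describes, and comparing the ISP entries against the public ones in the same run separates a dead resolver from a firewall or license problem on the Pix.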