Cisco Pix 501 / DNS - DNS resolution stops working over time



Hello,

It's been quite some time since I was on this forum (Hello Neobound from the old ibelite!) I am currently experiencing a very strange problem for one of my clients and can't seem to figure out why this is happening.

The client has a Cisco Pix 501 with the configuration listed below. It connects to the public internet via a cable modem and acts as a DHCP server for the local LAN.

When it first turns on, all computers obtain the correct IP settings and can access the internet. Within 10-15 minutes, computers begin to lose access to the Internet. What's strange is that each computer that lost Internet access can ping the remote address but cannot perform an nslookup (it shows as Server UnKnown).

The DNS server is 167.206.254.2 which is the external dns server provided by my ISP. I can ping this address but the local computer is unable to use it for domain to ip resolution.

The network used to have an existing Windows Small Business Server that was a DNS and WINS Server. I ran dcpromo to remove the role of the server and uninstalled dns via add/remove components.

Can someone please help me determine why the computers over time lose the ability to resolve domain names and therefore lose internet access? Can there be some bad DNS entries created? Is there anything I can run on the local computers to further troubleshoot DNS errors? Is it possible that the existing Windows SBS server is still running DNS and therefore causing conflicts in some way?

One thing to note is that when I reset the Pix 501, everything begins to work again but only for a short time until one by one each computer can no longer resolve domain names. Also, I noticed that once someone connects via VPN and disconnects, one of the local computers loses the ability to resolve DNS.

Cisco Pix Config

-----------------------------------------------------------

PIX# show config
: Saved
: Written by enable_15 at 08:55:56.390 UTC Fri Mar 15 2013
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password chiuzjKkSD33lwEw encrypted
passwd chiuzjKkSD33lwEw encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list VPNGROUP_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.128
access-list outside_cryptomap_dyn_30 permit ip any 192.168.3.0 255.255.255.128
access-list ping_acl permit icmp any any
pager lines 24
logging timestamp
logging monitor debugging
logging buffered debugging
logging history debugging
logging queue 0
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.3.2-192.168.3.100 mask 255.255.255.0
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm logging informational 512
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
access-group ping_acl in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ACS protocol tacacs+
aaa-server ACS max-failed-attempts 3
aaa-server ACS deadtime 10
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto dynamic-map VPNMAP 30 match address outside_cryptomap_dyn_30
crypto dynamic-map VPNMAP 30 set transform-set ESP-3DES-MD5
crypto map MYMAP 10 ipsec-isakmp dynamic VPNMAP
crypto map MYMAP client authentication LOCAL
crypto map MYMAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup VPNGRP idle-time 1800
vpngroup VPNGROUP address-pool VPN
vpngroup VPNGROUP dns-server 167.206.254.2
vpngroup VPNGROUP wins-server 192.168.2.50
vpngroup VPNGROUP default-domain advancedarthritiscarecenter.local
vpngroup VPNGROUP split-tunnel VPNGROUP_splitTunnelAcl
vpngroup VPNGROUP idle-time 1800
vpngroup VPNGROUP password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd dns 167.206.254.2 167.206.254.2
dhcpd lease 7200
dhcpd ping_timeout 750
dhcpd enable inside
username admin password pO9NW1GJpm4IIIFK encrypted privilege 15
username andrew password A340D92MQ0zV0hGs encrypted privilege 15
terminal width 80
Cryptochecksum:aacfb7d8ae07a6075baf8656a724fbec


...

"dhcpd dns 167.206.254.2 167.206.254.2"

Why do you have the entry twice?

Type in

"no dhcpd dns"

Then, add it back without the duplicate entry. I know it's not a big deal to have it as Primary and Secondary, but I'm just curious. If you need a secondary, add 4.2.2.2. Might be causing a conflict using the same address twice.


Hmm, maybe. Someone on a Cisco forum just told me it could be due to a 10 concurrent license restriction on the PIX 501. Did you ever hear of this?

"The Cisco PIX 501 10-user license supports up to 10 concurrent source IP addresses from your internal network to traverse through the Cisco PIX 501"


So I cannot do queries to that DNS server, which is common; ISPs often don't allow non-ISP users to use their DNS.

I show .1 .2 and .3 as DNS servers via PTR query

;; ANSWER SECTION:
3.254.206.167.in-addr.arpa. 21344 IN PTR vdns3.srv.hcvlny.cv.net.

.3 answers pings but .1 and .2 do not - you could try doing DNS to .1 and .3 and see if any of those answer.

You could also, as mentioned, just use something more reliable than many ISP DNS servers - like the mentioned 4.2.2.2, which is Level3 public DNS

;; ANSWER SECTION:
2.2.2.4.in-addr.arpa. 7174 IN PTR b.resolvers.Level3.net.

Or you could use Google DNS 8.8.8.8 8.8.4.4 I do believe, or OpenDNS, etc. See if any of those work when you're having issues using the others. Have your clients just change their nslookup to the other server via the nslookup server command

budman@ubuntu:~$ nslookup
> server 4.2.2.2
Default server: 4.2.2.2
Address: 4.2.2.2#53
> www.google.com
Server: 4.2.2.2
Address: 4.2.2.2#53

Non-authoritative answer:
Name: www.google.com
Address: 173.194.64.99
Name: www.google.com
Address: 173.194.64.147
Name: www.google.com

As to your license question - how many IPs would be accessing the internet from the inside? If you're close to or over 10 then sure, that could cause problems.
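The troubleshooting step budman describes (point a client's lookup at a different resolver and see which ones answer) can be scripted so each affected PC runs the same check against the ISP resolver, Level3 and Google in one go. The script below is an added example written for this thread, not budman's code or anything from Cisco; it builds a raw DNS A query over UDP/53 exactly the way nslookup does and parses the reply, so it works without any third-party module. The three resolver addresses are the ones mentioned above; the live lookup assumes UDP/53 is reachable from the client, and `build_sample_response` is a constructed reply used only for offline testing, not output captured from a real server.

```python
"""Minimal DNS A-record lookup against a chosen resolver (stdlib only)."""
import random
import socket
import struct


def build_query(name, txid=None):
    """Build a standard recursive A query for `name`, as nslookup would send it."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # flags 0x0100 = standard query with recursion desired; one question
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return txid, header + question


def _read_name(data, offset):
    """Decode a domain name that may use RFC 1035 compression pointers.
    Returns (name, offset_after_name_in_the_current_record)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data, expected_txid):
    """Return (rcode, [IPv4 strings from A records]); reject a reply whose
    transaction id does not match the query (stale or spoofed answer)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F  # 0 = NOERROR, 3 = NXDOMAIN, 5 = REFUSED ...
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return rcode, addrs


def resolve(name, server, timeout=3.0):
    """Send one query straight to `server`; None means it never answered."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def compare_resolvers(name, servers):
    """Same lookup against every resolver; maps server -> (rcode, addrs) or None."""
    return {server: resolve(name, server) for server in servers}


def build_sample_response(txid, name, addrs, rcode=0):
    """Constructed reply for offline testing (not a capture): echoes the question
    and answers with one A record per address via a pointer to the qname."""
    _, query = build_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + socket.inet_aton(a) for a in addrs)
    return header + query[12:] + answers


if __name__ == "__main__":
    # Resolvers named in the thread: the ISP's, Level3's and Google's.
    results = compare_resolvers("www.google.com",
                                ["167.206.254.2", "4.2.2.2", "8.8.8.8"])
    for server, result in results.items():
        print(server, "->", "no answer" if result is None else result)
```

Run it on a PC while the problem is happening: a resolver that returns addresses is fine, one that returns rcode 5 (REFUSED) is declining to serve this source, and one with "no answer" is unreachable or being dropped, which is the case the 10-user limit or a PIX state problem would produce. A transaction-id mismatch is rejected rather than trusted, the same check a real stub resolver applies.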
