Cisco Pix 501 / DNS - DNS resolution stops working over time

andrew22    0


It's been quite some time since I was on this forum (Hello Neobound from the old ibelite!) I am currently experiencing a very strange problem for one of my clients and can't seem to figure out why this is happening.

The client has a Cisco Pix 501 with the configuration listed below. It connects to the public internet via a cable modem and acts as a DHCP server for the local LAN.

When it first turns on, all computers obtain the correct IP settings and can access the internet. Within 10-15 minutes, computers begin to lose access to the Internet. What's strange is that each computer that lost Internet access can ping the remote address but cannot perform an nslookup (it shows as Server UnKnown).

The DNS server is which is the external dns server provided by my ISP. I can ping this address but the local computer is unable to use it for domain to ip resolution.

The network used to have an existing Windows Small Business Server that was a DNS and WINS Server. I ran dcpromo to remove the role of the server and uninstalled dns via add/remove components.

Can someone please help me determine why the computers over time lose the ability to resolve domain names and therefore lose internet access? Can there be some bad DNS entries created? Is there anything I can run on the local computers to further troubleshoot DNS errors? Is it possible that the existing Windows SBS server is still running DNS and therefore causing conflicts in some way?

One thing to note is that when I reset the Pix 501, everything begins to work again but only for a short time until one by one each computer can no longer resolve domain names. Also, I noticed that once someone connects via VPN and disconnects, one of the local computers loses the ability to resolve DNS.

Cisco Pix Config


PIX# show config
: Saved
: Written by enable_15 at 08:55:56.390 UTC Fri Mar 15 2013
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password chiuzjKkSD33lwEw encrypted
passwd chiuzjKkSD33lwEw encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list VPNGROUP_splitTunnelAcl permit ip any
access-list inside_outbound_nat0_acl permit ip
access-list outside_cryptomap_dyn_30 permit ip any
access-list ping_acl permit icmp any any
pager lines 24
logging timestamp
logging monitor debugging
logging buffered debugging
logging history debugging
logging queue 0
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN mask
pdm location inside
pdm location inside
pdm logging informational 512
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
access-group ping_acl in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ACS protocol tacacs+
aaa-server ACS max-failed-attempts 3
aaa-server ACS deadtime 10
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto dynamic-map VPNMAP 30 match address outside_cryptomap_dyn_30
crypto dynamic-map VPNMAP 30 set transform-set ESP-3DES-MD5
crypto map MYMAP 10 ipsec-isakmp dynamic VPNMAP
crypto map MYMAP client authentication LOCAL
crypto map MYMAP interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup VPNGRP idle-time 1800
vpngroup VPNGROUP address-pool VPN
vpngroup VPNGROUP dns-server
vpngroup VPNGROUP wins-server
vpngroup VPNGROUP default-domain advancedarthritiscarecenter.local
vpngroup VPNGROUP split-tunnel VPNGROUP_splitTunnelAcl
vpngroup VPNGROUP idle-time 1800
vpngroup VPNGROUP password ********
telnet inside
telnet inside
telnet timeout 30
ssh inside
ssh inside
ssh timeout 60
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 7200
dhcpd ping_timeout 750
dhcpd enable inside
username admin password pO9NW1GJpm4IIIFK encrypted privilege 15
username andrew password A340D92MQ0zV0hGs encrypted privilege 15
terminal width 80

giantsnyy    57


"dhcpd dns"

Why do you have the entry twice?

Type in

"no dhcpd dns"

Then, add it back without the duplicate entry. I know it's not a big deal to have it as Primary and Secondary, but I'm just curious. If you need a secondary, add Might be causing a conflict using the same address twice.

andrew22    0

Hmm, maybe. Someone on a Cisco forum just told me it could be due to a 10 concurrent license restriction on the Pix 501. Did you ever hear of this?

"The Cisco PIX 501 10-user license supports up to 10 concurrent source IP addresses from your internal network to traverse through the Cisco PIX 501"

trek    181

do a sho ver and see what your pix is licensed for

andrew22    0

Thanks, I'll give that a shot!

+BudMan    2,921

So I can not do queries to that dns server, which is common: many ISPs do not allow non-ISP users to use their dns.

I show .1 .2 and .3 as dns servers via PTR query


.3 answers pings but .1 and .2 do not - you could try doing dns to .1 and .3 see if any of those answer.

You could also as mentioned just use something more reliable than many isp dns - like the mentioned which is level3 public dns


Or you could use googledns I do believe, or opendns, etc. See if any of those work when you're having issues using the others. Have your clients just change their nslookup to the other server via the nslookup server command:

budman@ubuntu:~$ nslookup
> server
Default server:

Non-authoritative answer:

As to your license question - how many IPs would be accessing the internet from the inside? If you're close to or over 10 then sure, that could cause problems.
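The test BudMan describes (pointing nslookup at a different server to see which resolvers actually answer) can be scripted so it bypasses the client's configured resolver entirely. This is an added example, not code from the thread: it builds a raw DNS A query with only the standard library, sends it straight to the server on UDP/53, and reports the RCODE, so a resolver that pings but never answers shows up as TIMEOUT and one that rejects outside users shows up as REFUSED. The sample reply bytes and the 192.0.2.1 address are constructed for the offline demonstration.

```python
import socket
import struct
# Constructed sample reply (not captured from the thread): txid 0x1234, flags
# 0x8180 (NOERROR), one question, one A record: www.example.com -> 192.0.2.1.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01")
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query with the recursion-desired flag set."""
    labels = [s.encode() for s in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lb)]) + lb for lb in labels) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"

def _skip_name(msg, off):
    # Advance past a label sequence or a 2-byte compression pointer.
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_answers(msg, txid):
    """Return (rcode name, list of A-record addresses) from a raw reply."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")  # not a reply to our query
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), addrs

def probe(server, name="www.example.com", timeout=2.0, txid=0x1234):
    """Query server:53 directly; pings-but-no-DNS comes back as TIMEOUT."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT", []
    return parse_answers(data, txid)
```

Run probe() against the ISP resolver and a public resolver from an affected workstation while the fault is present; a TIMEOUT from the former and NOERROR from the latter confirms the resolver, not the client's network path, is the problem.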
