- Problem with wireless connection
- Posted by dilan.weerasinghe@gmail.com on September 4th, 2006
Hello
I was hoping someone could help me here.
My home lab is set up as this;
Speedtouch 536 ADSL router - Cisco PIX 506 Firewall - Linksys WAP 54G -
Laptop
The router just handles connection to the ISP. The PIX is responsible
for NAT'ing and DHCP. The inside interface of the PIX is connected to
the ethernet port of the Linksys by RJ-45.
I'm using a pre-shared key to be able to authenticate the laptop to the
Linksys WAP.
However, I'm having some connectivity problems. Every 10 mins or so, I
will lose connection to the internet. I can still ping the firewall's
internal address but cannot telnet into it or connect to it via HTTPS.
Disabling and re-enabling the Wireless connection on my laptop seems to
fix it until about 10 mins later when exactly the same thing happens.
When this problem occurs, I have directly connected my laptop to the
PIX's inside interface and it works perfectly, so the problem does not
seem to be with the PIX alone.
Additionally, removing the PIX from the network and having the router
handle NAT and DHCP results in no problems either. So, it's not
completely the Linksys's fault either.
So, somehow there is a problem between the Linksys and the PIX
firewall.
Does anyone have any ideas?
Thanks in advance.
- Posted by why? on September 4th, 2006
On 4 Sep 2006 04:22:24 -0700, dilan.weerasinghe@gmail.com wrote:
<lots of extra blank lines removed. easier to read>
PIX - sh ver?
A few quick checks, PIX connections and DHCP info.
PIX console cable, allows access via dumb terminal. Look at
sh xlate
sh con details
The 2 of those show connections through the PIX IP address / ports, so
if you do an ipconfig/renew then you will see the connections to the
router open, and will close as per the timeouts.
For example do an nslookup and see if it's going to the right places.
sh ip address outside dhcp
This should show the PIX picking up the correct lease from the router.
sh ip address inside dhcp server
This shows the PIX picking up ISP settings for DNS
sh ip address
Show IP for inside and outside.
Make the PIX a static address in the router range.
That's only the lease of the laptop.
The output of ipconfig/all is? It also looks okay? After the problem
it's?
Ah ok, was going to suggest adding a PC wired to the PIX. If you do this
anyway it will give you telnet access.
If the PIX is removed then there is no problem, so none of the other kit
is an issue at all :-)
- Posted by dilan.weerasinghe@gmail.com on September 5th, 2006
why? wrote:
Thanks for picking this up.
I've updated the network somewhat since the original question. It's now
Speedtouch ADSL router - Cisco PIX - Cisco 2924 switch - Linksys WAP
To clarify, the PIX handles DHCP and NAT.
There are two VLANs set up...one on 192.168.10.0 and one on
192.168.2.0 both /24. The PIX outside interface is x.x.x.193, it has
two logical inside interfaces 192.168.10.1 and 192.168.2.1 (VLANs 1
and 2 respectively).
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Fri 02-Jul-04 00:07 by morlee
pixfirewall up 3 hours 32 mins
Hardware: PIX-506, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 8MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0007.50b2.8e30, irq 11
1: ethernet1: address is 0007.50b2.8e31, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Limited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number: <snip>
Running Activation Key: <snip>
Configuration has not been modified since last system restart.
sh xlate was carried out when two machines were connected - one via wire
(192.168.2.5) and one by wireless (192.168.10.6).
PAT Global x.x.x.193(2305) Local 192.168.2.5(1377)
PAT Global x.x.x.193(2309) Local 192.168.2.5(1381)
PAT Global x.x.x.193(2316) Local 192.168.2.5(1388)
PAT Global x.x.x.193(2317) Local 192.168.10.6(1838)
PAT Global x.x.x.193(1215) Local 192.168.10.6(1025
This command doesn't work, the PIX response is 'ambiguous command'?
The PIX has a static address configured for both the inside and outside
interface already, so there would be no output when running these
commands.
Before the problem occurs, the output of ipconfig/all is
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200
Connection
Physical Address. . . . . . . . . : 00-12-F0-6D-1C-DD
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.10.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
DHCP Server . . . . . . . . . . . : 192.168.10.1
DNS Servers . . . . . . . . . . . : 212.23.3.100
Lease Obtained. . . . . . . . . . : 05 September 2006 21:50:40
Lease Expires . . . . . . . . . . : 05 September 2006 22:50:40
The problem hasn't occurred since, so there is no IP config all I can do
to follow up, but can you see anything strange at all anywhere?
Thanks.
- Posted by why? on September 6th, 2006
On 5 Sep 2006 14:32:22 -0700, dilan.weerasinghe@gmail.com wrote:
sh conn detail
2 typos :-)
<big snip>
Me
- Posted by why? on September 6th, 2006
On 5 Sep 2006 14:32:22 -0700, dilan.weerasinghe@gmail.com wrote:
Fine, usually do that.
I only got my hands on my first 506E a few days ago and haven't got the
config setup for logical interfaces. Not something I am going to do
today <grin>, it's still in the box and at work. The 501 here doesn't do
logical interfaces :-(
You may prefer to hop on over to
comp.dcom.sys.cisco
<snip>
1 of the commands would, as an example
outside dhcp, inside static via config using
ip address outside dhcp setroute
ip address inside 192.168.99.1 255.255.255.0
pixfirewall#
pixfirewall# sh ip address
System IP Addresses:
ip address outside 192.168.0.11 255.255.255.0
ip address inside 192.168.99.1 255.255.255.0
Current IP Addresses:
ip address outside 192.168.0.11 255.255.255.0
ip address inside 192.168.99.1 255.255.255.0
pixfirewall#
See if the PIX (considering asking you to post output of sh run) is
rejecting anything when the lease expires, get some logging turned on.
pixfirewall# conf t
pixfirewall(config)# logging on
pixfirewall(config)# logging timestamp
pixfirewall(config)# logging buffered 7
as required
pixfirewall(config)# sh log
or
pixfirewall# sh log
On my laptop ipconfig/release
604104: DHCP daemon interface inside: address released
0100.b0d0.8946.82 (192.168.99.2)
then a /renew
302010: 0 in use, 1 most used
604103: DHCP daemon interface inside: address granted 0100.b0d0.8946.82
(192.168.99.2)
106023: Deny udp src inside:192.168.99.2/137 dst outside:x.x.x.x/137 by
access-group "acl-in"
I also set up an internal syslog server to record the messages, 3
options
www.kiwisyslog.com
The Cisco PFSS, pix firewall syslog server, Google for it.
Loglady, www.kaska.demon.co.uk
Would, for myself, change the default lease from 1 hour, 1st renew check
would be 30 minutes (should be), if a check for the DHCP server is
earlier and it fails then it's really the other ipconfig/all required.
You could also at that time quickly do another sh xlate and see what
ports are active on the PIX.
Always the same :-)
Me
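
The logging check suggested in the post above can be run over a saved `sh log` capture. This is an added example, not part of the original thread: it parses the 604103/604104 DHCP messages and the 106023 deny quoted above and groups them per inside host. The sample lines are constructed from the ones in the post (x.x.x.x replaced by the placeholder 192.0.2.10) and the function names are hypothetical.

```python
import re

# Constructed sample: the message shapes quoted in the post, joined onto
# single lines. x.x.x.x is replaced by a documentation address (192.0.2.10).
SAMPLE_LOG = """\
604104: DHCP daemon interface inside: address released 0100.b0d0.8946.82 (192.168.99.2)
302010: 0 in use, 1 most used
604103: DHCP daemon interface inside: address granted 0100.b0d0.8946.82 (192.168.99.2)
106023: Deny udp src inside:192.168.99.2/137 dst outside:192.0.2.10/137 by access-group "acl-in"
"""

DHCP_RE = re.compile(
    r"60410[34]: DHCP daemon interface (?P<ifc>\S+):\s+address "
    r"(?P<action>granted|released) (?P<cid>[0-9a-f.]+) \((?P<ip>[\d.]+)\)")
DENY_RE = re.compile(
    r"106023: Deny (?P<proto>\S+) src (?P<sifc>[^:\s]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<difc>[^:\s]+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\"")


def client_id_to_mac(cid):
    """Map a client-id such as 0100.b0d0.8946.82 to a MAC, else None."""
    # Leading 01 is the DHCP hardware type for Ethernet; six MAC bytes follow.
    digits = cid.replace(".", "").lower()
    if len(digits) != 14 or not digits.startswith("01"):
        return None
    mac = digits[2:]
    return "-".join(mac[i:i + 2] for i in range(0, 12, 2)).upper()


def summarise(log_text):
    """Return per-client DHCP events and ACL denies keyed by inside IP."""
    hosts = {}
    for line in log_text.splitlines():
        m = DHCP_RE.search(line)
        if m:
            h = hosts.setdefault(m["ip"], {"mac": None, "dhcp": [], "denies": []})
            h["mac"] = client_id_to_mac(m["cid"])
            h["dhcp"].append(m["action"])
            continue
        m = DENY_RE.search(line)
        if m:
            h = hosts.setdefault(m["sip"], {"mac": None, "dhcp": [], "denies": []})
            h["denies"].append((m["proto"], m["dip"], int(m["dport"]), m["acl"]))
    return hosts


if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG).items():
        print(ip, info)
```

The MAC is printed in the same hyphenated form as the Physical Address line of ipconfig/all, so a lease event in the PIX log can be matched to a specific adapter.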