
Seemingly Random Malfunctions 1

Status
Not open for further replies.

kopar (IS-IT--Management), Dec 30, 2003
We have just implemented a new network involving a PIX 515e and a Catalyst 3550 switch.

The network swap went well, and the network is running smooth, for the most part.

Occasionally, a (only Windows so far) computer on the network will lose internet connectivity. They are able to get DNS resolution and to ping, but they cannot load a web page, log into an external ftp server or use remote desktop. This problem was non-existent before the new Cisco hardware.

After a reboot, the machine is fine. We can't figure out what could be happening, any help would be appreciated.


3550 Config File:
############################################################
Code:
Current configuration : 3755 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service hide-telnet-addresses
service sequence-numbers
!
hostname <catalyst3550>
!
enable secret 5 ***
!
clock timezone UTC -7
ip subnet-zero
ip routing
no ip domain-lookup
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 description WINDOWS Network Port
 switchport access vlan 102
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/2
 description WINDOWS Network Port
 switchport access vlan 102
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/3
 description WINDOWS Network Port
 switchport access vlan 102
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/4
 description WINDOWS Network Port
 switchport access vlan 102
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/5
 description WINDOWS Network Port
 switchport access vlan 102
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/6
 description WINDOWS Network Port
 switchport access vlan 102
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/7
 description WINDOWS Network Port
 switchport access vlan 103
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/8
 switchport access vlan 103
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/9
 switchport access vlan 103
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/10
 switchport access vlan 103
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/11
 switchport access vlan 103
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/12
 switchport access vlan 103
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/13
 switchport access vlan 104
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/14
 switchport access vlan 104
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/15
 switchport access vlan 104
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/16
 switchport access vlan 104
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/17
 no ip address
 ntp disable
!
interface FastEthernet0/18
 no ip address
 ntp disable
!
interface FastEthernet0/19
 no ip address
 ntp disable
!
interface FastEthernet0/20
 no ip address
 ntp disable
!
interface FastEthernet0/21
 switchport access vlan 105
 no ip address
 ntp disable
!
interface FastEthernet0/22
 switchport access vlan 105
 no ip address
 ntp disable
!
interface FastEthernet0/23
 switchport access vlan 10
 switchport mode access
 no ip address
 ntp disable
!
interface FastEthernet0/24
 description UpLink to PIX
 no switchport
 ip address 10.1.1.x 255.255.0.0
 ntp disable
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description Management Vlan
 ip address 10.100.1.1 255.255.0.0
!
interface Vlan102
 description Windows Network Vlan
 ip address 10.2.1.1 255.255.0.0
!
interface Vlan103
 description Linux Network Vlan
 ip address 10.3.1.1 255.255.0.0
!
interface Vlan104
 description Laboratory Network Vlan
 ip address 10.4.1.1 255.255.0.0
!
interface Vlan105
 description Corporate Network Vlan
 ip address 10.5.1.1 255.255.0.0
!
ip default-gateway 10.1.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip http server


PIX 515E Config:
############################################################
Code:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password *** encrypted
passwd *** encrypted
hostname <PIX515e>
domain-name <ourcompanyname>
fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name w.x.y.z FTP2_
name w.x.y.z SSH_
name w.x.y.z FTP2DMZ_
name w.x.y.z SSHDMZ_
name w.x.y.z WEB_
name w.x.y.z MAIL_
name w.x.y.z WEBDMZ_
name w.x.y.z MAILDMZ_
name w.x.y.z WEBDATA_
access-list public permit icmp any any echo-reply
access-list public permit icmp any any unreachable
access-list public permit icmp any any time-exceeded
access-list public permit icmp any host FTP2_ echo
access-list public permit icmp any host WEB_ echo
access-list public permit icmp any host SSH_ echo
access-list public permit icmp any host MAIL_ echo
access-list public permit tcp any host FTP2_ eq ftp
access-list public permit tcp any host SSH_ eq ssh
access-list public permit udp any host SSH_ eq 22
access-list public permit tcp any host WEB_ eq www
access-list public permit tcp any host WEB_ eq https
access-list public permit tcp any host WEB_ eq <port>
access-list public permit tcp any host MAIL_ eq smtp
access-list public permit tcp any host MAIL_ eq 993
access-list public permit udp any host MAIL_ eq 993
access-list public permit tcp any host MAIL_ eq www
access-list public permit tcp any host MAIL_ eq https
access-list public permit udp any host MAIL_ eq 443
access-list dmz permit icmp any any
access-list dmz permit tcp host FTP2DMZ_ any eq domain
access-list dmz permit udp host FTP2DMZ_ any eq domain
access-list dmz permit udp host FTP2DMZ_ any eq ntp
access-list dmz permit tcp host SSHDMZ_ any eq ssh
access-list dmz permit udp host SSHDMZ_ any eq 22
access-list dmz permit tcp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit udp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit tcp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit udp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit tcp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit udp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit tcp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit udp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit tcp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit udp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit tcp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit udp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit tcp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit udp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit tcp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit udp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit tcp host WEBDMZ_ host WEBDATA_ eq <port>
access-list dmz permit udp host WEBDMZ_ host WEBDATA_ eq <port>
access-list private deny tcp any range 3127 3198 any
access-list private permit icmp any any
access-list private permit tcp any any
access-list private permit udp any any
access-list vpn permit ip 10.0.0.0 255.0.0.0 w.x.y.z 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside w.x.y.z 255.255.255.224
ip address inside 10.1.1.1 255.255.0.0
ip address dmz w.x.y.z 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm history enable
arp timeout 14400
global (outside) 1 w.x.y.z netmask 255.255.255.224
global (dmz) 1 w.x.y.z
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) FTP2_ FTP2DMZ_ 255.255.255.255
alias (inside) SSH_ SSHDMZ_ 255.255.255.255
alias (inside) WEB_ WEBDMZ_ 255.255.255.255
alias (inside) MAIL_ MAILDMZ_ 255.255.255.255
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (dmz,outside) FTP2_ FTP2DMZ_ netmask 255.255.255.255 0 0
static (dmz,outside) SSH_ SSHDMZ_ netmask 255.255.255.255 0 0
static (dmz,outside) MAIL_ MAILDMZ_ netmask 255.255.255.255 0 0
static (dmz,outside) WEB_ WEBDMZ_ netmask 255.255.255.255 0 0
access-group public in interface outside
access-group private in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 w.x.y.z 1
route inside 10.2.0.0 255.255.0.0 10.1.1.50 1
route inside 10.3.0.0 255.255.0.0 10.1.1.50 1
route inside 10.4.0.0 255.255.0.0 10.1.1.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map <name> 1 ipsec-isakmp
crypto map <name> 1 match address vpn
crypto map <name> 1 set peer w.x.y.z
crypto map <name> 1 set transform-set strong
crypto map <name> interface outside
isakmp enable outside
isakmp key ******** address w.x.y.z netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet w.x.y.z 255.255.255.0 inside
telnet timeout 5
ssh w.x.y.z 255.255.255.255 inside
ssh timeout 5
console timeout 0
terminal width 80

Thanks in Advance!
 
Replace this line in your pix:

global (outside) 1 w.x.y.z netmask 255.255.255.224

with this line:

global (outside) interface

You also might want to set "spanning-tree portfast" on each access interface on your 3550.
 
None of the computers are connected directly to the 3550, there are unmanaged switches between the user machines and the 3550, so portfast shouldn't, in my understanding, produce a performance difference (and may be detrimental if a loop is created somehow).

We have our global address different from our interface address for security reasons. I can't see how that would affect a single internal machine without creating a larger problem with our network.

Any other ideas?
 
Ok... You are using NAT not PAT on your PIX... With NAT, there is a 1-1 ratio of users to NAT IP addresses. With PAT you can have many users on one IP.

If you don't like using the interface's ip address, just pick another IP to use from that subnet, and not just a netblock.

To show you what you are using, your NAT pool only allows 32 inside users at any time through.
 
Actually if you only provide the pix with one ip for the global it will default to PAT.

Therefore, KOPAR you are correct.

Sorry I can't help you with your actual problem.
 
Here is a cisco page that explains NAT Vs. PAT


Mix NAT and PAT Global Statements

"In this example, the ISP has again provided the network manager with a range of addresses from 199.199.199.1 through 199.199.199.63 for the company's use. The network manager has decided to use 199.199.199.1 for the inside interface on the Internet router and 199.199.199.2 for the outside interface on the PIX. So, you are left with 199.199.199.3 through 199.199.199.62 to use for the NAT pool. However, the network manager knows that, at any one time, there may be more than 60 people trying to go out of the PIX, so the network manager has decided to take 199.199.199.62 and make it a PAT address so that multiple users can share one address at the same time.

global (outside) 1 199.199.199.3-199.199.199.61 netmask 255.255.255.192
global (outside) 1 199.199.199.62 netmask 255.255.255.192
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

These commands instruct the PIX to translate the source address to 199.199.199.3 through 199.199.199.61 for the first 59 internal users to pass across the PIX. After these addresses have been exhausted, the PIX then translates all subsequent source addresses to 199.199.199.62 until one of the addresses in the NAT pool becomes free."
 
KOPAR -

I would suspect the problem to be in this line of code on your pix.

access-list private deny tcp any range 3127 3198 any

I am assuming you are using this rule to block the payload in the NoVarg.a virus?

Good idea however, Windows cycles through tcp ports for different net requests, therefore the computers will get flagged as bad traffic while they are in that port range.

-DaHui
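To make DaHui's point concrete, here is an added example (not code from the thread or from Cisco) that models how the PIX reads that entry: a port operator placed right after the source address constrains the source port, so an ordinary HTTP request from a Windows client is denied whenever its ephemeral source port happens to fall in 3127-3198, while UDP DNS and ICMP still pass, which is exactly the symptom in the first post. The inside host, the web server address and the destination-port rewrite are constructed assumptions.

```python
# Added example (not from the thread): a small model of the PIX 6.x ACL grammar
# used on this page,  access-list NAME permit|deny PROTO SRC [range LO HI] DST [range LO HI],
# where a port operator written right after the source address matches the SOURCE
# port and one written after the destination address matches the DESTINATION port.

def _addr_and_ports(toks, i):
    """Consume one address ('any' or 'host X') plus an optional 'range LO HI'."""
    addr, i = (toks[i + 1], i + 2) if toks[i] == "host" else (toks[i], i + 1)
    ports = None
    if i < len(toks) and toks[i] == "range":
        ports, i = (int(toks[i + 1]), int(toks[i + 2])), i + 3
    return addr, ports, i

def parse_acl(text):
    """Each entry becomes (action, proto, src, src_ports, dst, dst_ports)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()                 # t[1] is the ACL name; t[2], t[3] action and protocol
        src, sp, i = _addr_and_ports(t, 4)
        dst, dp, _ = _addr_and_ports(t, i)
        aces.append((t[2], t[3], src, sp, dst, dp))
    return aces

def evaluate(acl, flow):
    """flow = (proto, src_ip, src_port, dst_ip, dst_port); first match wins, else implicit deny."""
    proto, sip, sport, dip, dport = flow
    for action, aproto, src, sp, dst, dp in acl:
        if aproto != proto or src not in ("any", sip) or dst not in ("any", dip):
            continue
        if sp and not sp[0] <= sport <= sp[1]:
            continue
        if dp and not dp[0] <= dport <= dp[1]:
            continue
        return action
    return "deny"

# The 'private' ACL exactly as posted in the PIX config above.
PRIVATE_AS_POSTED = """
access-list private deny tcp any range 3127 3198 any
access-list private permit icmp any any
access-list private permit tcp any any
access-list private permit udp any any
"""
# Assumed rewrite that keys the deny on the destination port instead (not from the thread).
PRIVATE_DST_PORT = PRIVATE_AS_POSTED.replace("range 3127 3198 any", "any range 3127 3198")

def http_outcomes(acl_text, src_ports):
    """Verdict for an HTTP request from a constructed inside host, one per client source port."""
    acl = parse_acl(acl_text)
    return {p: evaluate(acl, ("tcp", "10.2.1.20", p, "198.51.100.10", 80)) for p in src_ports}
```

Running `http_outcomes(PRIVATE_AS_POSTED, range(3120, 3205))` shows the client permitted on every source port except the 72 in 3127-3198, which is why a reboot (and a fresh ephemeral port) "fixes" the machine.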
 
BRILLIANT!!

That did it!

--Kopar
 