
Verifone Terminals used with PIX 501


bjitima

Technical User
Dec 29, 2004
63
US
We are using Verifone Omni 3750 credit card terminals over the internet. They are behind a PIX 501 firewall at each location that we have them. Two of the locations have random terminals kicking over to the dial-up backup. We have nine locations total that are set up this way, and the other seven are having no problems. When the terminals kick over to dial-up, it may be only one that does it, or as many as two or three at a time, while all of the other lanes continue to work correctly (we have five lanes at both of the stores having the problem).

The Omni terminals have a diagnostic / troubleshooting option that pings the gateway, DNS server, and then tries to resolve a DNS name, followed by connecting to SSL by a DNS name. When one or more of the terminals switches to dial-up, the machine is able to ping IP addresses all over the internet, but it times out when connecting to something using a DNS name.

I thought perhaps it was a problem with our internal DNS server, so I tried the ISP DNS as well as a public DNS server, none of which fixed the problem. It is occurring on two separate service providers, so I don't think it is a matter of the ISP blocking anything (why they would block DNS anyway, I don't know).

I have compared the PIX firewall configurations and the only difference that I can see is that the two having the problem do not have the line
pdm logging informational 100
I don't know how PDM logging would have any effect on the problem, but I went ahead and added the line a few minutes ago, just to rule it out 100%.

Both of the stores that are having this problem are on cable internet, but on two different providers.

All of the LAN cabling is brand new, installed specifically for this purpose. The cabling has been tested and shows no problems. (I also don't think the cabling has anything to do with the issue because even when they are having the problem, a constant, uninterrupted ping can be done both from and to the terminals).

According to the company that we purchased the terminals from, all of the programming is identical, aside from the terminal ID.

I cannot think of anything else to rule out. Does anyone know of something within a PIX that might be causing this that would not be evident when comparing configurations using the SHOW RUN command?

Does anyone have any ideas as to where I should look next?

Thanks,
Ben
Forth Foods, Inc.
 
I think I cleaned out all of the public IP addresses and anything really important. As you see I have an internal IP address for primary DNS and the ISP DNS server for the secondary. I tried flipping those, taking the secondary out completely so there was only one, and using the public 4.2.2.1 address, none of which worked.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pix
domain-name domain.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any
access-list dyn_int permit ip 192.168.6.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 10.11.6.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 10.24.6.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 10.24.8.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 10.24.12.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 10.24.30.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 10.11.6.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 10.24.6.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 10.24.8.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 10.24.12.0 255.255.255.0
access-list vpn permit ip 192.168.6.0 255.255.255.0 10.24.30.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.4 255.255.255.252
ip address inside 192.168.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dynamic_pool 192.168.100.60-192.168.100.69
pdm history enable
pdm logging informational 100
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside 5.6.7.8
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3des_md5 esp-3des esp-md5-hmac
crypto dynamic-map dynamic 10 set transform-set 3des_md5
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn
crypto map vpn 10 set peer 5.6.7.8
crypto map vpn 10 set transform-set 3des_md5
crypto map vpn 65000 ipsec-isakmp dynamic dynamic
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 5.6.7.8 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup forthfoods address-pool dynamic_pool
vpngroup forthfoods dns-server 4.2.2.1 4.2.2.2
vpngroup forthfoods wins-server 192.168.4.100
vpngroup forthfoods default-domain domain.local
vpngroup forthfoods split-tunnel dyn_int
vpngroup forthfoods idle-time 1800
vpngroup forthfoods password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.6.120-192.168.6.150 inside
dhcpd dns 192.168.4.10 68.168.160.5
dhcpd wins 192.168.4.100
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain forth.local
dhcpd enable inside
terminal width 80
Cryptochecksum:e4923d4bf0643af2f7b68390dd9538db
: end
 
I don't see anything wrong with the configuration of the firewall. Can you post a 'show ver'?
 

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Fri 02-Jul-04 00:07 by morlee

pix up 16 days 22 hours

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0012.d963.0215, irq 9
1: ethernet1: address is 0012.d963.0216, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.

Serial Number:
Running Activation Key:

Configuration last modified by enable_15 at 04:21:23.969 UTC Tue Sep 4 2007
 
You are limited to 10 internal devices at the stores; do a show arp and see how many devices are listed.
 
I have 11 listed. However, I have another store that is working with no problems whatsoever that has 18 listed with a show arp.

 
Yeah, it's not the ARPs that are counted; it's actually the number of xlates through the firewall.
 
So do you think that is what is causing the problem? If so, why would a store with 5 lanes (computer and credit card terminal per lane), a server, and a back room computer be having problems when a store with 7 lanes (again, 1 computer and 1 terminal), a server, and a back room computer has never had a problem from day one :-/

The next upgrade from a 10 user license is a 50, correct? If you really think that is what is causing the problem, buying an additional license really isn't that big of a deal.
 
It really depends on how the devices are configured. You still could have a different network issue, as I am merely attempting to assist you to troubleshoot. On the PIX, issue the "show local" command and it will tell you how many devices are being translated.
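The check the last two replies describe, as an added example that is not part of the thread: compare the "Inside Hosts" figure from the posted 'show ver' with the number of distinct inside addresses that currently hold a translation, since the licence counts xlates rather than ARP entries. It assumes "show local" abbreviates the PIX 'show local-host' command and that its output lists each host under "local host:" with its xlates as "Local <ip>" lines; both the 'show local-host' sample and its layout are constructed here.

```python
import re

# Constructed excerpt in the layout of the 'show version' posted above.
SHOW_VERSION = """Licensed Features:
Failover: Disabled
Inside Hosts: 10
Throughput: Unlimited
"""

# Constructed 'show local-host' output. The layout approximates PIX 6.3
# output (assumption); only the 'local host:' and 'Local <ip>' lines matter.
SHOW_LOCAL_HOST = """Interface inside: 4 active, 4 maximum active, 0 denied
local host: <192.168.6.10>,
  Xlate(s):
    PAT Global 1.2.3.4(1024) Local 192.168.6.10(3000)
    PAT Global 1.2.3.4(1025) Local 192.168.6.10(3001)
local host: <192.168.6.11>,
  Xlate(s):
    PAT Global 1.2.3.4(1026) Local 192.168.6.11(3002)
local host: <192.168.6.20>,
  Xlate(s):
local host: <192.168.6.21>,
  Xlate(s):
    PAT Global 1.2.3.4(1027) Local 192.168.6.21(3003)
"""

LICENSE_RE = re.compile(r"^Inside Hosts:\s*(\d+|Unlimited)", re.M)
XLATE_LOCAL_RE = re.compile(r"\bLocal\s+(\d{1,3}(?:\.\d{1,3}){3})")

def licensed_inside_hosts(show_version):
    """Return the 'Inside Hosts' limit, or None for an unlimited licence."""
    m = LICENSE_RE.search(show_version)
    if not m:
        raise ValueError("no 'Inside Hosts' line found")
    return None if m.group(1) == "Unlimited" else int(m.group(1))

def translated_hosts(show_local_host):
    """Distinct inside addresses holding at least one xlate: a host with
    several PAT ports counts once, a host with no xlate (192.168.6.20) not at all."""
    return set(XLATE_LOCAL_RE.findall(show_local_host))

def license_headroom(show_version, show_local_host):
    """Compare hosts in use with the licence limit, as the replies suggest."""
    limit = licensed_inside_hosts(show_version)
    hosts = translated_hosts(show_local_host)
    return {"limit": limit, "in_use": len(hosts),
            "over_limit": limit is not None and len(hosts) > limit}
```

Run it against a real capture by pasting the two command outputs into the two strings; the ARP table is irrelevant to the result, which is the point the replies make.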
 