From: Lee on
Greetings. I am trying to set up a PIX 501 for use in a SOHO
environment, with cable Internet access and a dynamic IP address.

I want to open up a port for public access so I am trying to test the
PIX's ability to handle a change in my public IP address from my ISP.
I cannot get my actual ISP-assigned public IP address to change on
demand, so I put a Linksys router in between my cable modem and the
PIX. I have the PIX getting its outside IP address from the Linksys
via DHCP.

The problem is that the PIX will successfully get its outside IP
address dynamically when I first boot the PIX, but if I tamper with
the DHCP server (my Linksys router) at all--even changes that should
have no effect on DHCP (like just re-saving the Linksys config with no
changes right after the PIX successfully gets its outside IP via DHCP),
the PIX will lose its outside IP address and never get it back. My
config and testing appear below. Any help will be greatly
appreciated!

---------------------------------------------------------------------------
pixfirewall(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.66 wwwServer
name 192.168.1.71 EcWorkstation_01
access-list inbound permit tcp any interface outside eq www
pager lines 24
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location wwwServer 255.255.255.255 inside
pdm location EcWorkstation_01 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www wwwServer www netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http EcWorkstation_01 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:cd27035eb1aaf10a257e562b16c8b3e2
: end
[OK]
pixfirewall(config)# reload
Proceed with reload? [confirm]



Rebooting....


CISCO SYSTEMS PIX-501
Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
Compiled by morlee
16 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 1022 3000 Host Bridge
00 11 00 8086 1209 Ethernet 9
00 12 00 8086 1209 Ethernet 10

Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1962496 bytes of image from flash.
################################################################################
###############################
16MB RAM
mcwa i82559 Ethernet at irq 9 MAC: 0011.935f.0123
mcwa i82559 Ethernet at irq 10 MAC: 0011.935f.0124
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000


-----------------------------------------------------------------------
|| ||
|| ||
|||| ||||
..:||||||:..:||||||:..
c i s c o S y s t e m s
Private Internet eXchange

-----------------------------------------------------------------------
Cisco PIX Firewall

Cisco PIX Firewall Version 6.3(4)
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.


****************************** Warning *******************************
Compliance with U.S. Export Laws and Regulations - Encryption.

This product performs encryption and is regulated for export
by the U.S. Government.

This product is not authorized for use by persons located
outside the United States and Canada that do not have prior
approval from Cisco Systems, Inc. or the U.S. Government.

This product may not be exported outside the U.S. and Canada
either by physical or electronic means without PRIOR approval
of Cisco Systems, Inc. or the U.S. Government.

Persons outside the U.S. and Canada may not re-export, resell
or transfer this product by either physical or electronic means
without prior approval of Cisco Systems, Inc. or the U.S.
Government.
******************************* Warning *******************************

Copyright (c) 1996-2003 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

.....
Allocated IP address = 192.168.15.100, netmask = 255.255.255.0, gateway = 192.168.15.1
outside interface address added to PAT pool
..
Cryptochecksum(unchanged): cd27035e b1aaf10a 257e562b 16c8b3e2
Type help or '?' for a list of available commands.
pixfirewall>
Cannot select private key
pixfirewall> en
Password:
pixfirewall# wr t
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.66 wwwServer
name 192.168.1.71 EcWorkstation_01
access-list inbound permit tcp any interface outside eq www
pager lines 24
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location wwwServer 255.255.255.255 inside
pdm location EcWorkstation_01 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www wwwServer www netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http EcWorkstation_01 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:cd27035eb1aaf10a257e562b16c8b3e2
: end
[OK]
pixfirewall# show ip address outside dhcp

Temp IP addr: 192.168.15.100 for peer on Interface: outside
Temp sub net mask: 255.255.255.0
DHCP Lease server: 192.168.15.1, state: 3 Bound
DHCP transaction id: 0x624E
Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs
Temp default-gateway addr: 192.168.15.1
Next timer fires after: 43150 seconds
Retry count: 0 Client-ID: cisco-0011.935f.0123-outside
pixfirewall# show ip address outside dhcp

Temp IP addr: 192.168.15.100 for peer on Interface: outside
Temp sub net mask: 255.255.255.0
DHCP Lease server: 192.168.15.1, state: 3 Bound
DHCP transaction id: 0x624E
Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs
Temp default-gateway addr: 192.168.15.1
Next timer fires after: 43097 seconds
Retry count: 0 Client-ID: cisco-0011.935f.0123-outside
(Now I simply save existing config on DHCP server (Linksys router)--
with no changes of any kind.)
pixfirewall# show ip address outside dhcp

Temp IP addr: 0.0.0.0 for peer on Interface: outside
Temp sub net mask: 0.0.0.0
DHCP Lease server: 0.0.0.0, state: 1 Selecting
DHCP transaction id: 0xE1E6
Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
Next timer fires after: 0 seconds
Retry count: 1 Client-ID: cisco-0011.935f.0123-outside
pixfirewall# debug dhcpc packet
pixfirewall#
DHCP: allocate request
DHCP: zapping entry in DHC_PURGING state for outside
DHCP: new entry. add to queue
DHCP: SDiscover attempt # 1 for entry:
DHCP: SDiscover: sending 278 byte length DHCP packet
DHCP: SDiscover 278 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
DHCP: SDiscover attempt # 2 for entry:
DHCP: SDiscover: sending 278 byte length DHCP packet
DHCP: SDiscover 278 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
DHCP: SDiscover attempt # 3 for entry:
DHCP: SDiscover: sending 278 byte length DHCP packet
DHCP: SDiscover 278 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
DHCP: allocate request
DHCP: zapping entry in DHC_PURGING state for outside
DHCP: new entry. add to queue
DHCP: SDiscover attempt # 1 for entry:
DHCP: SDiscover: sending 278 byte length DHCP packet
DHCP: SDiscover 278 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
DHCP: deleting entry a8b434 0.0.0.0 from list
Temp IP addr: 0.0.0.0 for peer on Interface: unknown
Temp sub net mask: 0.0.0.0
DHCP Lease server: 0.0.0.0, state: 8 Purging
DHCP transaction id: 0x1D715
Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
No timer running
Retry count: 0 Client-ID:

DHCP: SDiscover attempt # 2 for entry:
DHCP: SDiscover: sending 278 byte length DHCP packet
DHCP: SDiscover 278 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
DHCP: SDiscover attempt # 3 for entry:
DHCP: SDiscover: sending 278 byte length DHCP packet
DHCP: SDiscover 278 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
DHCP: deleting entry aada64 0.0.0.0 from list
Temp IP addr: 0.0.0.0 for peer on Interface: unknown
Temp sub net mask: 0.0.0.0
DHCP Lease server: 0.0.0.0, state: 8 Purging
DHCP transaction id: 0x21F2E
Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
No timer running
Retry count: 0 Client-ID:

DHCP: allocate request
DHCP: zapping entry in DHC_PURGING state for outside
DHCP: new entry. add to queue
DHCP: SDiscover attempt # 1 for entry:
DHCP: SDiscover: sending 278 byte length DHCP packet
DHCP: SDiscover 278 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0debug dhcpc packet
DHCP: SDiscover attempt # 2 for entry:
DHCP: SDiscover: sending 278 byte length DHCP packet
DHCP: SDiscover 278 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
pixfirewall#
pixfirewall# no debug dhcpc packet
pixfirewall# debug dhcpc detail
pixfirewall#
DHCP: QScan: Purging entry
DHCP get addr: existing ip lease str = 0xaabc64
DHCP: new ip lease str = 0xa8b434
DHCP: QScan: Purging entry
DHCP: QScan: Timed out Selecting state
DHCP get addr: existing ip lease str = 0xa8b434
DHCP: new ip lease str = 0xaada64
DHCP: QScan: Purging entry
DHCP: QScan: Timed out Selecting state
DHCP get addr: existing ip lease str = 0xaada64
DHCP: new ip lease str = 0xaadc04
DHCP: QScan: Purging entry
DHCP: QScan: Timed out Selecting state
DHCP get addr: existing ip lease str = 0xaadc04
DHCP: new ip lease str = 0xaadda4
DHCP: QScan: Timed out Selecting state
DHCP get addr: existing ip lease str = 0xaadda4
DHCP: new ip lease str = 0xaabc64
pixfirewall# no debug dhcpc detail
DHCP: QScan: Purging entry
pixfirewall# reload
Proceed with reload? [confirm]



Rebooting....


CISCO SYSTEMS PIX-501
Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
Compiled by morlee
16 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 1022 3000 Host Bridge
00 11 00 8086 1209 Ethernet 9
00 12 00 8086 1209 Ethernet 10

Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1962496 bytes of image from flash.
################################################################################
###############################
16MB RAM
mcwa i82559 Ethernet at irq 9 MAC: 0011.935f.0123
mcwa i82559 Ethernet at irq 10 MAC: 0011.935f.0124
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000


-----------------------------------------------------------------------
|| ||
|| ||
|||| ||||
..:||||||:..:||||||:..
c i s c o S y s t e m s
Private Internet eXchange

-----------------------------------------------------------------------
Cisco PIX Firewall

Cisco PIX Firewall Version 6.3(4)
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.


****************************** Warning *******************************
Compliance with U.S. Export Laws and Regulations - Encryption.

This product performs encryption and is regulated for export
by the U.S. Government.

This product is not authorized for use by persons located
outside the United States and Canada that do not have prior
approval from Cisco Systems, Inc. or the U.S. Government.

This product may not be exported outside the U.S. and Canada
either by physical or electronic means without PRIOR approval
of Cisco Systems, Inc. or the U.S. Government.

Persons outside the U.S. and Canada may not re-export, resell
or transfer this product by either physical or electronic means
without prior approval of Cisco Systems, Inc. or the U.S.
Government.
******************************* Warning *******************************

Copyright (c) 1996-2003 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

.....
Allocated IP address = 192.168.15.100, netmask = 255.255.255.0, gateway = 192.168.15.1
outside interface address added to PAT pool
..
Cryptochecksum(unchanged): cd27035e b1aaf10a 257e562b 16c8b3e2
Type help or '?' for a list of available commands.
pixfirewall>
Cannot select private key
pixfirewall>
--------------------------------------------------------------------------
Cordially,
Lee
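The failure Lee describes is silent from the outside: once the DHCP client drops to Selecting, the `static (inside,outside) tcp interface www ...` translation has no address to bind to and the published web server simply vanishes. As an added example (not part of Lee's post or of Cisco's software), the script below parses the exact `show ip address outside dhcp` output shown above and turns it into a monitoring check; the function names `parse_dhcp_status` and `lease_findings` and the sample blocks are constructed here.

```python
import re
# Constructed samples reproducing the "show ip address outside dhcp" outputs in the
# post: the healthy Bound lease, and the stuck Selecting state after the Linksys re-save.
BOUND = """\
Temp IP addr: 192.168.15.100 for peer on Interface: outside
Temp sub net mask: 255.255.255.0
DHCP Lease server: 192.168.15.1, state: 3 Bound
DHCP transaction id: 0x624E
Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs
Temp default-gateway addr: 192.168.15.1
Next timer fires after: 43150 seconds
Retry count: 0 Client-ID: cisco-0011.935f.0123-outside
"""
SELECTING = """\
Temp IP addr: 0.0.0.0 for peer on Interface: outside
Temp sub net mask: 0.0.0.0
DHCP Lease server: 0.0.0.0, state: 1 Selecting
DHCP transaction id: 0xE1E6
Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
Next timer fires after: 0 seconds
Retry count: 1 Client-ID: cisco-0011.935f.0123-outside
"""
# One regex per line of the PIX 6.3 output; named groups become dict keys.
PATTERNS = [
    r"^Temp IP addr: (?P<ip>\S+) for peer on Interface: (?P<iface>\S+)",
    r"^DHCP Lease server: (?P<server>\S+), state: (?P<state_num>\d+) (?P<state>\w+)",
    r"^Lease: (?P<lease>\d+) secs, Renewal: (?P<renewal>\d+) secs, Rebind: (?P<rebind>\d+) secs",
    r"^Next timer fires after: (?P<timer>\d+) seconds",
    r"^Retry count: (?P<retries>\d+) Client-ID: ?(?P<client_id>\S*)",
]

def parse_dhcp_status(text):
    """Parse the show output into a dict; purely numeric fields become ints."""
    fields = {}
    for line in text.splitlines():
        for pat in PATTERNS:
            m = re.match(pat, line.strip())
            if m:
                fields.update({k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()})
                break
    return fields

def lease_findings(status):
    """Problems a monitor should raise; an empty list means the lease is healthy."""
    findings = []
    if status.get("state") != "Bound" or status.get("ip") == "0.0.0.0":
        findings.append("no bound lease on outside; the static NAT to wwwServer is unreachable")
    if status.get("retries", 0) > 0:
        findings.append(f"{status['retries']} DISCOVER retries without an OFFER")
    return findings
```

Polling this from a script that runs the show command (over SSH or the console) and alerting on a non-empty findings list would have caught the outage in the post within one poll interval instead of after the public port went dark.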