High Xlate Count

b.calsing
Level 1

I have a PIX 515E 6.3(5). Our network is obviously being attacked by viruses and the xlate count is skyrocketing to > 50,000, which basically shuts down our internet. Is there anything I can do on the PIX to block traffic to prevent this from happening? Any advice?

3 Replies

ray_stone
Level 1

Can you please send the configuration file?

Hi Brian

Please open your PDM or ASDM syslog and check if any critical logs appear. Copy and paste one if any.

And please copy and paste a part of "show xlate debug" output.

If this is a DoS attack, it is supposed to be outside-oriented. Then we would apply a max session limit to the static you created.

If this is an attempt from inside, most probably the xlate or syslog outputs will show one or two public IP addresses that inside hosts try to connect to. Then we would stop this with an ACL on the inside interface.

Regards

bmanderson
Level 1

I've had that happen before, and here is a quick workaround. It doesn't fix your problem with machines on the inside having viruses, but it stops them from tying up the outside interface and using up xlates.

What you need to do is a show xlate from the CLI. You will start to see a pattern of what internal IPs are using up the xlate sessions. You then SHUN those IPs; this will stop them from accessing the internet. You then do a clear xlate; this disconnects all the current sessions (interrupts FTPs and streaming connections also).

This will buy you some time in order to download the latest DATs and fix the viruses on the machines you shunned.

Hope this helps..
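The "look for a pattern in show xlate, then shun the offenders" step above can be automated once the output has been pasted off the console. The script below is an added example, not code from either poster; it assumes the PIX 6.3 `show xlate` line format (`PAT Global <ip>(<port>) Local <ip>(<port>)` / `Global <ip> Local <ip>`) and works on a small constructed sample, counting entries per inside address and printing the `shun` commands for hosts at or above a chosen threshold.

```python
import re
from collections import Counter

# Constructed sample of PIX 6.3 "show xlate" output (not a real capture).
# Host 10.1.1.15 dominates the table, mimicking an infected scanner.
SAMPLE_XLATE = """\
6 in use, 6 most used
PAT Global 192.0.2.1(1024) Local 10.1.1.15(1028)
PAT Global 192.0.2.1(1025) Local 10.1.1.15(1029)
PAT Global 192.0.2.1(1026) Local 10.1.1.15(1030)
PAT Global 192.0.2.1(1027) Local 10.1.1.15(1031)
PAT Global 192.0.2.1(1028) Local 10.1.1.20(3201)
Global 192.0.2.10 Local 10.1.1.2
"""

# Matches the inside ("Local") address on both PAT and static/dynamic lines.
LOCAL_RE = re.compile(r"\bLocal (\d{1,3}(?:\.\d{1,3}){3})")


def count_xlates_per_host(output):
    """Count translation entries per inside (Local) address."""
    counts = Counter()
    for line in output.splitlines():
        m = LOCAL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def find_top_talkers(output, threshold):
    """Return [(ip, count)] for hosts at or above threshold, busiest first."""
    counts = count_xlates_per_host(output)
    offenders = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(offenders, key=lambda t: (-t[1], t[0]))


def shun_commands(output, threshold):
    """Build the PIX 'shun <ip>' commands the post describes, one per offender."""
    return ["shun %s" % ip for ip, _ in find_top_talkers(output, threshold)]


if __name__ == "__main__":
    for ip, n in find_top_talkers(SAMPLE_XLATE, 3):
        print("%s: %d xlates" % (ip, n))
    print("\n".join(shun_commands(SAMPLE_XLATE, 3)))
```

On a real table of tens of thousands of entries the threshold belongs in the hundreds, and the generated commands should be reviewed against known servers before being pasted back into the console.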
