PIX 515E NAT issue for DNS

Unanswered Question

I have a PIX 515E (6.3). We have a proxy in the LAN which is behind the PIX. Users should be able to access the internet only via the proxy. So we have done NATing on the PIX for the proxy, and only the proxy IP address is allowed to access the internet. The config is as follows:

access-list FOR_PROXY permit tcp host any eq https
access-list FOR_PROXY permit tcp host any eq www
access-list FOR_PROXY permit tcp host any eq domain
access-list FOR_PROXY permit udp host any eq domain
access-list FOR_PROXY permit tcp host any eq ftp-data
access-list FOR_PROXY permit tcp host any eq ftp
nat (inside) 1 access-list FOR_PROXY 0 0

The issue is that sometimes users are not able to access the internet via URL. I mean internet sites will open with the IP address but not with the DNS name.

If I do 'clear xlate' then for a few minutes it seems to be fine, but this issue happens continuously, randomly 3-4 times a week, and sometimes even clearing the NAT entries won't help and I have no choice but to reboot the PIX.

Interestingly, when the issue occurs only DNS is not working. Can anybody guide me how to fix this, or is it a bug in the 6.3 PIX OS? Is it related to the embryonic connections value? Please help me.
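As an added example (not part of the original post), the following Python parses PIX 6.x `access-list` / `nat ... access-list` lines like the ones above and reports whether DNS from the proxy is covered by the policy NAT on both UDP and TCP. The sample config is constructed, with a placeholder proxy address 10.0.0.5 standing in for the host IP the post omits; a complete ACL rules out a policy gap, so an intermittent failure that `clear xlate` fixes points at the translation table rather than at the ACL.

```python
import re
from collections import defaultdict

# PIX 6.x service keywords used in the thread, mapped to port numbers.
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ftp": 21, "ftp-data": 20}

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(permit|deny)\s+(tcp|udp|ip)\s+"
    r"(host\s+\S+|any)\s+(host\s+\S+|any)(?:\s+eq\s+(\S+))?$"
)
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+access-list\s+(\S+)")

# Constructed sample; 10.0.0.5 is a placeholder for the real proxy address.
SAMPLE_CONFIG = """\
access-list FOR_PROXY permit tcp host 10.0.0.5 any eq https
access-list FOR_PROXY permit tcp host 10.0.0.5 any eq www
access-list FOR_PROXY permit tcp host 10.0.0.5 any eq domain
access-list FOR_PROXY permit udp host 10.0.0.5 any eq domain
access-list FOR_PROXY permit tcp host 10.0.0.5 any eq ftp-data
access-list FOR_PROXY permit tcp host 10.0.0.5 any eq ftp
nat (inside) 1 access-list FOR_PROXY 0 0
"""

def parse_pix(config):
    """Return (acls, nats): acls maps ACL name -> list of entries, nats lists policy-NAT bindings."""
    acls, nats = defaultdict(list), []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, action, proto, src, dst, port = m.groups()
            port_num = PORT_NAMES.get(port, int(port) if port and port.isdigit() else None)
            acls[name].append({"action": action, "proto": proto, "port": port_num,
                               "src": src.replace("host ", ""), "dst": dst.replace("host ", "")})
            continue
        m = NAT_RE.match(line.strip())
        if m:
            nats.append({"iface": m.group(1), "id": int(m.group(2)), "acl": m.group(3)})
    return acls, nats

def nat_permits(acls, nats, src, proto, port):
    """True if some policy-NAT ACL entry permits src -> any on proto/port (no port = any port)."""
    for nat in nats:
        for ace in acls.get(nat["acl"], []):
            if (ace["action"] == "permit" and ace["proto"] in (proto, "ip")
                    and ace["src"] in (src, "any") and ace["port"] in (port, None)):
                return True
    return False

def dns_translation_gaps(acls, nats, proxy_ip):
    """Transports on which DNS (port 53) from the proxy would NOT be translated."""
    return [p for p in ("udp", "tcp") if not nat_permits(acls, nats, proxy_ip, p, 53)]
```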

Daniel Voicu Mon, 08/11/2008 - 01:23

When the problem is experienced by users, does DNS work on the proxy?

Check this to isolate whether this is a PIX or a proxy issue.

I presume the hosts get DNS from the proxy.



Farrukh Haroon Mon, 08/11/2008 - 02:04

Have you changed the embryonic value from the default (as you suspect this as a problem)? Also, what version are you running specifically? 6.3.5?



Farrukh Haroon Mon, 08/11/2008 - 05:08

In PIX 6.x you can do this at the end of static or nat commands. But there is very little chance that this is causing any issues, the default is good enough!

I would recommend upgrading your PIX to the latest version in your train, 6.3(X).



Farrukh Haroon Mon, 08/18/2008 - 10:38

Since what you are trying to do is something pretty basic, I suggested the OS upgrade. These kinds of things should work on the firewall straight away; if they don't, it's usually a bug. (Especially since the DNS server belongs to the ISP, so not much help there.)

What stops you from the software upgrade?



cisco24x7 Mon, 08/18/2008 - 11:33

How can you determine that upgrade will fix the

There are policies in an enterprise environment that will not allow an upgrade unless the code is tested for that particular environment and it is stable.

What happens if the issue still persists after the upgrade? Another upgrade?

cisco24x7 Mon, 08/18/2008 - 12:36

Be careful when you upgrade with 7.x code. These are E.D. code so use them at your own

One time I upgraded from version 7.2 to 7.2.2(22) and after the upgrade "show run + q" rebooted a production box.

I am very skeptical every time an upgrade is mentioned. Only you know your environment better than everyone else.

Farrukh Haroon Mon, 08/18/2008 - 20:30

I agree with that, David. I just meant an upgrade to the latest release in that major train, e.g. 6.3(5).
