PIX 515E NAT issue for DNS

dataline
Level 1

I have a PIX 515E (6.3). We have a proxy in the LAN which is behind the PIX. Users should access the internet only via the proxy. So we have done NAT'ing on the PIX for the proxy, and only the proxy IP address is allowed to access the internet. The config is as follows:

access-list FOR_PROXY permit tcp host 172.18.1.38 any eq https
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq www
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq domain
access-list FOR_PROXY permit udp host 172.18.1.38 any eq domain
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq ftp-data
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq ftp
nat (inside) 1 access-list FOR_PROXY 0 0

The issue is that sometimes users are not able to access the internet via URL. I mean internet sites would open with the IP address but not with the DNS name.

If I do 'clear xlate', then for a few minutes it seems to be fine, but this issue happens continuously, randomly 3-4 times a week, and sometimes even clearing the NAT entries won't help and I had no choice but to reboot the PIX.

Interestingly, when the issue occurs only DNS is not working. Can anybody guide me how to fix this, or is it a bug in the 6.3 PIX OS? Is it related to the embryonic connections value? Please help me.


5220
Level 4

When the problem is experienced by users, does DNS work on the proxy?

Check this to isolate if this is a PIX or a proxy issue.

I presume the hosts get the DNS from the proxy.

Regards,

Daniel
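The isolation check Daniel describes (does DNS still work from the proxy while plain IP connectivity works?), written up as an added example that is not part of this thread. It assumes it runs on the proxy host (172.18.1.38 in the question) and uses placeholder addresses for the ISP resolver and a known web server.

```python
"""Probe for the symptom in this thread: DNS through the PIX fails while
connections to raw IP addresses still work. The DNS query is built by hand
so the check does not depend on the host resolver configuration."""
import socket
import struct

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal standard A query, recursion desired, one question section."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def dns_reply_ok(reply: bytes, txid: int = 0x1234) -> bool:
    """True when the reply matches our ID, is a response, RCODE=0 and has an answer."""
    if len(reply) < 12:
        return False
    rid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", reply[:12])
    return rid == txid and (flags & 0x8000) != 0 and (flags & 0x000F) == 0 and ancount > 0

def classify(dns_ok: bool, ip_ok: bool) -> str:
    """Map the two probe results onto the states discussed in the thread."""
    if dns_ok and ip_ok:
        return "ok"
    if ip_ok and not dns_ok:
        return "dns_only_failure"  # sites reachable by IP but not by name
    return "outage"

def probe(dns_server: str, ip_target: str, name="www.cisco.com", timeout=3.0) -> str:
    """Run both checks from the proxy host and return one of classify()'s states."""
    dns_ok = False
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_dns_query(name), (dns_server, 53))
            dns_ok = dns_reply_ok(s.recv(512))
    except OSError:
        pass
    ip_ok = False
    try:
        with socket.create_connection((ip_target, 80), timeout=timeout):
            ip_ok = True
    except OSError:
        pass
    return classify(dns_ok, ip_ok)

if __name__ == "__main__":
    # Placeholder addresses: replace with the ISP resolver and a known web server IP.
    print(probe("192.0.2.53", "198.51.100.80"))
```

Run it from cron on the proxy and log the result; a run of "dns_only_failure" lines that clears after 'clear xlate' points at the PIX translation table rather than the proxy.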

User PCs are not using any DNS, but the proxy has a DNS entry that is an external DNS (ISP-provided DNS).

When users are experiencing this problem, at the same time DNS also doesn't work on the proxy, as the proxy IP is NAT'd on the PIX, but in any case it only works after clearing xlate or rebooting the PIX.

Farrukh Haroon
VIP Alumni

Have you changed the embryonic value from the default (as you suspect this is the problem)? Also, what version are you running specifically? 6.3.5?

Regards

Farrukh

Hi,

I have PIX Version 6.3(3).

Can you please guide me on how to change the default value for embryonic connections? What's the default value, and should the value be increased or decreased? What is the command to do this?

Thanks in Advance..

In PIX 6.x you can do this at the end of the static or nat commands. But there is very little chance that this is causing any issues; the default is good enough!

I would recommend upgrading your PIX to the latest version in your train, 6.3(X).

Regards

Farrukh

Hi,

Thank you so much for your suggestion. But is this caused by the PIX OS version, and will upgrading to a new IOS fix this issue?

Is there another way to overcome this issue without upgrading the PIX IOS?

Once again, thanks for your suggestions.

Since what you are trying to do is something pretty basic, I suggested the OS upgrade. These kinds of things should work on the firewall straight away; if they don't, it's usually a bug. (Especially since the DNS server belongs to the ISP, so not much help there.)

What stops you from the software upgrade?

Regards

Farrukh

How can you determine that an upgrade will fix the issue?

There are policies in an enterprise environment that will not allow an upgrade unless the code is tested for that particular environment and it is stable.

What happens if the issue still persists after the upgrade? Another upgrade?

Nobody 'determined' anything :) Lookup the word in a dictionary mate.

http://www.merriam-webster.com/dictionary/determine

I have also faced the exact same issue on an ED 7.x release with a real-life customer, not a video game.

Regards

Farrukh

Be careful when you upgrade with 7.x code. These are E.D. code, so use them at your own risk.

One time I upgraded from version 7.2 to 7.2.2(22) and after the upgrade "show run + q" rebooted a production box.

I am very skeptical every time an upgrade is mentioned. Only you know your environment better than everyone else.

I agree with that, David. I just meant an upgrade to the latest release in that major train, e.g. 6.3(5).

Regards

Farrukh
