Licensing trouble with PIX 501

Answered Question
Sep 24th, 2008

I am fairly new to the PIX 501 and so this is the first time I have run up against this type of issue. I have installed a PIX 501 for a client with a small network. The firewall has the 10-user license. Not long after that they had an issue where a user could not connect to the Internet. As near as I could tell this was because of the licensing limitation on the router.

However it's not clear how the ten xlate connections were used up, because their network only has eight computers and one server which communicate through the firewall. They do have a wireless access point, which could cause the number of connections to go over ten.

It also seemed that the server was taking up two licenses because it has both a physical network adapter and a virtual network adapter created by the VPN service (Windows RRAS).

We were able to resolve the issue by shortening the xlate timeout to 15 minutes, removing the wireless access point and disabling the virtual network adapter.

Now my question is:

How do we configure the network so that the virtual network adapter on the server does not make connections through the firewall?

Thanks for any assistance you can provide.

Correct Answer by JORGE RODRIGUEZ Wed, 09/24/2008 - 15:12

It is possible to make your server's virtual IP not use the global interface for NAT.

Your firewall probably NATs all inside hosts via the outside interface as follows.

global (outside) 1 interface

nat (inside) 1 0 0

The above means all hosts behind the firewall will be using the global interface for outbound Internet connections. OK, so far this is understandable and the general configuration for your inside folks connecting to the Internet.

Now if you want one system IP address not to use global, then make it a no-NAT host in the firewall.

You can do it like this.

Create the host location and create a no-NAT statement; say your server virtual IP is 10.20.20.20.

pdm location 10.20.20.20 255.255.255.255 inside

nat (inside) 0 10.20.20.20 255.255.255.255

0 means no NAT, unlike nat (inside) 1, which is different, using the outside interface for outbound NAT.

After you implement the above statements your system's virtual adapter IP will not use the global outside interface, nor have any Internet connection.

Rgds

Jorge

PLS rate any helpful posts

zacmutrux Thu, 09/25/2008 - 15:22

Thanks Jorge for your help, that is great. Now what I find is that the problem is that I need to exclude from NAT not just the one IP address that gets assigned to the virtual PPP adapter associated with RRAS; I need to exclude an entire range of IP addresses which are handed out by DHCP to remote access users for use on the network.

In this case, I have defined the pool of IP addresses from 192.168.71.201-220 for use by remote access clients. How do I describe this range in my config file using the command you recommended?

Thanks in advance for any assistance you can provide.

Jon Marshall Thu, 09/25/2008 - 15:36

You can use

nat (inside) 0 192.168.71.192 255.255.255.224

this would cover hosts

192.168.71.193 -> 192.168.71.223

This is as close as you can get with an individual statement. If you must match just those specific addresses

nat (inside) 0 192.168.71.200 255.255.255.248

nat (inside) 0 192.168.71.208 255.255.255.248

nat (inside) 0 192.168.71.216 255.255.255.252

nat (inside) 0 192.168.71.220 255.255.255.255

Jon
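The subnet arithmetic in Jon's reply can be checked, and the exemption lines from Jorge's answer generated for the whole pool, with the following Python script. It is an added example, not code from the thread or from Cisco: the 192.168.71.201-220 pool and the PIX 6.x `global`, `nat` and `pdm location` syntax are taken from the posts above, while the function names and the two comparison block lists are my own.

```python
import ipaddress

# Pool from the thread: RRAS hands 192.168.71.201-220 to remote-access clients.
POOL_FIRST = "192.168.71.201"
POOL_LAST = "192.168.71.220"

# Constructed for comparison: the single /27 and the four-statement cover
# proposed in the thread, as CIDR strings.
SINGLE_27 = ["192.168.71.192/27"]
FOUR_BLOCKS = ["192.168.71.200/29", "192.168.71.208/29",
               "192.168.71.216/30", "192.168.71.220/32"]


def summarize_range(first, last):
    """Minimal list of CIDR networks that cover exactly first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def extras(cidrs, first, last):
    """Addresses matched by the given CIDR blocks that lie outside first..last.

    These are the hosts a coarser statement would exempt from NAT as a side
    effect. Network and broadcast addresses are counted, because a
    'nat (inside) 0 <net> <mask>' statement matches them too."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    found = {a for c in cidrs for a in ipaddress.ip_network(c)
             if not lo <= a <= hi}
    return [str(a) for a in sorted(found)]


def nat_exempt_lines(first, last, iface="inside"):
    """One 'pdm location' plus one identity-NAT ('nat (iface) 0') statement per
    summarized block, in the PIX 6.x form used in the answers above."""
    lines = []
    for n in summarize_range(first, last):
        lines.append(f"pdm location {n.network_address} {n.netmask} {iface}")
        lines.append(f"nat ({iface}) 0 {n.network_address} {n.netmask}")
    return lines


def pix_config(first, last, iface="inside"):
    """Catch-all PAT from the thread followed by the exemption lines for the pool."""
    return ["global (outside) 1 interface",
            f"nat ({iface}) 1 0 0"] + nat_exempt_lines(first, last, iface)


if __name__ == "__main__":
    print("\n".join(pix_config(POOL_FIRST, POOL_LAST)))
    print("single /27 also exempts:", extras(SINGLE_27, POOL_FIRST, POOL_LAST))
    print("four blocks also exempt:", extras(FOUR_BLOCKS, POOL_FIRST, POOL_LAST))
```

Running it prints the catch-all `global`/`nat 1` pair followed by a `pdm location` and `nat (inside) 0` line per block. An exact cover of .201-.220 needs six statements (.201/32, .202/31, .204/30, .208/29, .216/30, .220/32). The single /27 also exempts .192-.200 and .221-.223, and the four-statement version also exempts .200; `extras` lists those so you can decide whether the spare addresses matter on your network. Note that `nat 0` without an access list is identity NAT, so the pool addresses are passed untranslated rather than through the outside interface's PAT address, which is why, as Jorge says, those hosts get no Internet access by this path.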

JORGE RODRIGUEZ Fri, 09/26/2008 - 14:01

Zac, sorry for the late reply, but I can see my friend Jon covered it and I do agree with his proposed NAT statements. Try that and it should cover those ranges.

Rgds

Jorge
