Licensing trouble with PIX 501

zacmutrux
Level 1

I am fairly new to the PIX 501 and so this is the first time I have run up against this type of issue. I have installed a PIX 501 for a client with a small network. The firewall has the 10-user license. Not long after that they had an issue where a user could not connect to the Internet. Near as I could tell this was because of the licensing limitation on the router.

However it's not clear how the ten xlate connections were used up, because their network only has eight computers and one server which communicate through the firewall. They do have a wireless access point, which could cause the number of connections to go over ten.

It also seemed that the server was taking up two licenses because it has both a physical network adapter and a virtual network adapter created by the VPN service (Windows RRAS).

We were able to resolve the issue by shortening the xlate timeout to 15 minutes, removing the wireless access point and disabling the virtual network adapter.

Now my question is:

How do we configure the network so that the virtual network adapter on the server does not make connections through the firewall?

Thanks for any assistance you can provide.

Accepted Solution

JORGE RODRIGUEZ
Level 10

it is possible to make your server virtual ip not use global interface for nat.

your firewall probably nats all inside hosts via outside interface as follow.

global (outside) 1 interface

nat (inside) 1 0 0

above means all hosts behind firewall will be using global interface for outbound internet connections. ok so far this is understandable and general configuration for your inside folks connecting to internet.

now if you want one system IP address not to use global then make it a no nat host in the firewall.

you can do it like this.

create host location and create no nat statement, say your server virtual ip is 10.20.20.20

pdm location 10.20.20.20 255.255.255.255 inside

nat (inside) 0 10.20.20.20 255.255.255.255

0 means no nat, unlike nat inside 1 which is different using outside interface for outbound nat.

after you implement above statements your system virtual adapter ip will not use global outside interface nor have any internet connection.

Rgds

Jorge

PLS rate any helpful posts

Jorge Rodriguez


4 Replies


Thanks Jorge for your help, that is great. Now what I find is that the problem is that I need to exclude from NAT not just the one IP address that gets assigned to the virtual PPP adapter associated with RRAS--I need to exclude an entire range of IP addresses which are handed out by DHCP to remote access users for use on the network.

In this case, I have defined the pool of IP addresses from 192.168.71.201-220 for use by remote access clients. How do I describe this range in my config file using the command you recommended?

Thanks in advance for any assistance you can provide.

You can use

nat (inside) 0 192.168.71.192 255.255.255.224

this would cover hosts

192.168.71.193 -> 192.168.71.223

This is as close as you can get with an individual statement. If you must match just those specific addresses

nat (inside) 0 192.168.71.200 255.255.255.248

nat (inside) 0 192.168.71.208 255.255.255.248

nat (inside) 0 192.168.71.216 255.255.255.252

nat (inside) 0 192.168.71.220 255.255.255.255

Jon
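As an added example (not from the original thread or from Cisco), the following Python script does the subnet arithmetic Jon works out by hand: it splits an inclusive address range into the aligned blocks a `nat (inside) 0 network mask` statement can express, and it also computes the single smallest covering block (Jon's /27) along with how many addresses outside the pool that shortcut would exempt from NAT. The pool 192.168.71.201-220 and the interface name are taken from the thread; the output is the exact minimal cover, so it differs slightly from Jon's list, which starts its first block at .200.

```python
import ipaddress


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 string to integer."""
    return int(ipaddress.IPv4Address(ip))


def range_to_blocks(first: str, last: str):
    """Greedy split of an inclusive range into aligned CIDR blocks.

    At each step take the largest block that starts at `start` (so `start`
    must be a multiple of the block size) and does not run past `end`.
    """
    start, end = ip_to_int(first), ip_to_int(last)
    if start > end:
        raise ValueError("first address must not exceed last address")
    blocks = []
    while start <= end:
        size = 1
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        prefix = 32 - size.bit_length() + 1  # size is a power of two
        blocks.append(ipaddress.IPv4Network((start, prefix)))
        start += size
    return blocks


def nat0_statements(first: str, last: str, interface: str = "inside"):
    """PIX identity-NAT (nat 0) lines that exempt exactly the given range."""
    return [
        f"nat ({interface}) 0 {b.network_address} {b.netmask}"
        for b in range_to_blocks(first, last)
    ]


def covering_supernet(first: str, last: str):
    """Smallest single aligned block containing the range, and how many
    addresses it admits beyond the range itself (the cost of one statement)."""
    start, end = ip_to_int(first), ip_to_int(last)
    net = ipaddress.IPv4Network((start, 32))
    while int(net.broadcast_address) < end:
        net = net.supernet()
    extra = net.num_addresses - (end - start + 1)
    return net, extra


if __name__ == "__main__":
    # Pool from the thread: RRAS hands out 192.168.71.201-220 to VPN clients.
    for line in nat0_statements("192.168.71.201", "192.168.71.220"):
        print(line)
    net, extra = covering_supernet("192.168.71.201", "192.168.71.220")
    print(f"single-statement cover: {net} (exempts {extra} extra addresses)")
```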

Zac, sorry for the late reply, but I can see my friend Jon covered it and I do agree with his proposed nat statements. Try that and it should cover those ranges.

Rgds

Jorge

Jorge Rodriguez