Question about PIX nat pools

spfister336
Level 2

I've got a PIX 525 that has a pool of NAT addresses that looks like:

x.y.170.0 - x.y.175.253

x.y.175.254

Recently, a user had problems with Internet access and I noticed her address was mapped to x.y.174.255. Traceroutes went several hops to their destination and began timing out. Pings worked some places and some places not. I'm assuming some device along the line saw it as a directed broadcast and dropped it. Clearing the translation and allowing it to be assigned again worked and the user had normal access.

- Is my assumption about what happened correct?

- Is it possible to exclude the .255 addresses in that range, or do I need to delete it and put in 6 separate ranges?

- What will be the impact to existing sessions? Will they all be reestablished?

Thanks!

--Steve


John Blakley
VIP Alumni

- Is my assumption about what happened correct?

Possibly, but hard to say really.

- Is it possible to exclude the .255 addresses in that range, or do I need to delete it and put in 6 separate ranges?

I would recreate the pool and exclude your .0 and .255 addresses (x.x.170.1-x.x.170.254), and you would need to create 170 - 175 (so 6 pools).

- What will be the impact to existing sessions? Will they all be reestablished?

When you remove the global pools to create the separate split pools, the sessions will *probably* be torn down but will be reestablished. I would create downtime to do this. :-)

HTH,

John
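
The split suggested in the reply above, worked through as an added example that is not part of the original thread: it breaks an inclusive pool range into per-/24 sub-ranges that skip the .0 and .255 addresses and renders one `global` line per sub-range. The 10.20.x.x addresses are constructed stand-ins for the poster's x.y prefix, and the interface name `outside` and NAT ID `1` are assumptions.

```python
import ipaddress


def split_pool(first, last):
    """Split an inclusive IPv4 range into per-/24 sub-ranges without .0 or .255."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("first address is above last address")

    ranges = []
    block = start & ~0xFF  # base address of the /24 that contains 'first'
    while block <= end:
        lo = max(start, block + 1)    # never begin on the .0 address
        hi = min(end, block + 254)    # never end on the .255 address
        if lo <= hi:                  # a range made only of .0/.255 yields nothing
            ranges.append((str(ipaddress.IPv4Address(lo)),
                           str(ipaddress.IPv4Address(hi))))
        block += 256
    return ranges


def global_lines(ranges, if_name="outside", nat_id=1):
    """Render one PIX 'global' pool line per sub-range.

    if_name and nat_id are assumed values; use the ones from the existing
    'global' statement being replaced.
    """
    return [f"global ({if_name}) {nat_id} {lo}-{hi}" for lo, hi in ranges]


if __name__ == "__main__":
    # Constructed pool mirroring the thread's x.y.170.0 - x.y.175.253
    for line in global_lines(split_pool("10.20.170.0", "10.20.175.253")):
        print(line)
```
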
