Pix 501 blocks TCP traffic until cl xlate

Answered Question

I set up a Pix 501 with PAT. Static NAT systems and computers that are on do not have any issues. Any computer that is turned off and then back on can't access the Internet. ICMP works. TCP does not. I have to go in and clear xlate, then the computer can access the Internet. The last couple of mornings users have complained they can't get on the Internet until I get in and clear xlate. Below is my NAT config and xlate timeout.


global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 1:00:00 absolute



John Blakley Wed, 06/17/2009 - 11:20

How many licenses do you have for this device? Are they being tapped out? Clearing the xlate table would fix the issue since it would allow for all new connections, but if you have a 10 user license and you have 15 users, 5 users won't be able to get on until some others time out.


You can do a "sh ver" to see what your license count is.


HTH,

John
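
An added example, not part of the original thread: a small Python check that counts the distinct inside hosts in a pasted translation table and compares that with the licensed host count, which is the situation the answer above describes (a 10 user license with 15 users). The sample text is constructed in the general shape of PIX "show xlate" output, all addresses are made up, and treating hosts with a translation as the hosts counted against the license is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample in the general shape of PIX "show xlate" output.
# All addresses are made up (documentation / RFC 1918 ranges).
SAMPLE_XLATE = """\
4 in use, 12 most used
PAT Global 203.0.113.2(1024) Local 192.168.1.10(3456)
PAT Global 203.0.113.2(1025) Local 192.168.1.10(3457)
PAT Global 203.0.113.2(1026) Local 192.168.1.11(1099)
Global 203.0.113.5 Local 192.168.1.20
"""

# Matches the inside address that follows the word "Local" on each entry.
LOCAL_RE = re.compile(r"\bLocal\s+(\d{1,3}(?:\.\d{1,3}){3})\b")


def inside_hosts(xlate_text):
    """Return the set of distinct inside (Local) addresses with a translation."""
    hosts = set()
    for match in LOCAL_RE.finditer(xlate_text):
        try:
            hosts.add(str(ipaddress.IPv4Address(match.group(1))))
        except ipaddress.AddressValueError:
            continue  # skip anything that only looks like an address
    return hosts


def license_report(xlate_text, licensed_hosts):
    """Compare distinct inside hosts against the licensed host count."""
    hosts = inside_hosts(xlate_text)
    return {
        "hosts": sorted(hosts, key=ipaddress.IPv4Address),
        "count": len(hosts),
        "licensed": licensed_hosts,
        "excess": max(0, len(hosts) - licensed_hosts),
    }


def fifteen_host_sample():
    """Constructed table with 15 inside hosts, the case from the answer above."""
    return "\n".join(
        f"PAT Global 203.0.113.2({1024 + i}) Local 192.168.1.{10 + i}({4000 + i})"
        for i in range(15)
    )


if __name__ == "__main__":
    print(license_report(SAMPLE_XLATE, licensed_hosts=10))
    print(license_report(fifteen_host_sample(), licensed_hosts=10))
```

The licensed host count to pass in is the one reported by "sh ver" on the device.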

Correct Answer
John Blakley Thu, 06/18/2009 - 09:50

A deny statement would keep licenses from being used, but would also keep that person from getting on the internet. =)


HTH,

John


*Please rate if it helped*
