06-17-2009 10:39 AM - edited 03-11-2019 08:44 AM
I set up a PIX 501 with PAT. Static NAT systems and computers that are on do not have any issues. Any computer that is turned off and then back on can't access the internet. ICMP works. TCP does not. I have to go in and clear xlate, then the computer can access the internet. The last couple of mornings users have complained they can't get on the Internet until I get in and clear xlate. Below is my NAT config and xlate timeout.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 1:00:00 absolute
06-17-2009 11:20 AM
How many licenses do you have for this device? Are they being tapped out? Clearing the xlate table would fix the issue since it would allow for all new connections, but if you have a 10 user license and you have 15 users, 5 users won't be able to get on until some others time out.
You can do a "sh ver" to see what your license count is.
HTH,
John
06-18-2009 09:38 AM
Thanks, that was it. For some reason I thought I had the unlimited. Didn't even think about that. I am assuming it is using the ARP table to count licenses. Will a deny ACL block systems from using up one of the licenses?
06-18-2009 09:50 AM
A deny statement would keep licenses from being used, but would also keep that person from getting on the internet. =)
HTH,
John
*Please rate if it helped*