01-23-2002 07:00 AM - edited 03-08-2019 09:39 PM
I have configured 10.10.1.0 255.255.255.0 as a private address range for NAT translation on the PIX 515, which is running IOS version 5.1(2).
Every so often I cannot access servers on the LAN, and outbound connections to the internet stop working. I use the clear xlate command to fix the problem.
I have defined a global IP range of 4 public addresses and a PAT address.
Recently I changed the xlate timeout from 3 hours to 3 minutes.
Any suggestions?
Thanks
01-23-2002 07:13 AM
First, you can't access internal servers based on the NAT command. To access servers, you should use the static and access-list/access-group commands.
Second, the xlate timeout shouldn't be modified to 3 minutes except for a really good reason. This puts pressure on the PIX to create translations far too often for nothing. Xlate probably isn't the problem; the problem is elsewhere.
Post your config, but replace your public IP addresses (network part) with letters, and we will be able to help you.
Regards
Benoit
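As an added illustration of the two points above (this is not part of the original poster's configuration, and the addresses, the list name acl_out and the server 10.10.1.10 / 192.0.2.10 are placeholders chosen for the example): publishing an inside server needs a static translation plus an access-list applied inbound on the outside interface, and the translation timeout belongs back at its default. Lines beginning with a colon are PIX comment lines.

```cisco
: Added example, not the poster's config. Addresses and the list name are placeholders.
: 1) Fixed one-to-one translation for the server: outside clients connect to 192.0.2.10
:    and the PIX delivers to 10.10.1.10. A static by itself does not permit any traffic.
static (inside,outside) 192.0.2.10 10.10.1.10 netmask 255.255.255.255 0 0
:
: 2) Explicit permits for the published services only, bound inbound on the outside
:    interface. Entries are evaluated top-down and the list ends in a deny, so no
:    entry may follow "deny ip any any" (a permit placed after it is never reached).
access-list acl_out permit tcp any host 192.0.2.10 eq www
access-list acl_out permit tcp any host 192.0.2.10 eq 443
access-list acl_out deny ip any any
access-group acl_out in interface outside
:
: 3) Dynamic NAT/PAT for outbound user traffic stays as it was; it plays no part in
:    reaching the server from outside.
nat (inside) 1 10.10.1.0 255.255.255.0 0 0
global (outside) 1 192.0.2.26-192.0.2.28
global (outside) 1 192.0.2.29
:
: 4) Translation idle timeout back to the 3-hour default instead of 3 minutes.
timeout xlate 3:00:00
```

After adding or changing a static, run clear xlate once so that any existing dynamic entry for that host is dropped and the static takes effect; a very short xlate timeout is not a substitute for that. Cisco's guidance for this generation of PIX software was not to mix conduits and access-lists on the same firewall, so any conduit permits still needed belong in acl_out as well.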
01-23-2002 07:54 AM
Following the PIX 515 connectivity problem, please find the PIX config below.
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 pix/intf3 security15
nameif ethernet4 pix/intf4 security20
nameif ethernet5 failover security50
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol rsh 514
names
access-list acl_in permit ip any AAA.AAA.AAA.0 255.255.255.0
access-list acl_in permit ip any BBB.BBB.BBB.0 255.255.255.0
access-list acl_in permit ip any AAA.AAA.AAA.0 255.255.255.0
access-list acl_in permit tcp host AAA.AAA.AAA.130 any eq smtp
access-list acl_in permit ip host AAA.AAA.AAA.130 host CCC.CCC.CCC.38
access-list acl_in permit ip host CCC.CCC.CCC.130 host CCC.CCC.36.49
access-list acl_in permit ip host CCC.CCC.CCC.10 any
access-list acl_in permit ip host DDD.DDD.DDD.25 any
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq 8080
access-list acl_in permit tcp any any eq 443
access-list acl_in permit udp any any eq domain
access-list acl_in permit tcp any any eq whois
access-list acl_in permit tcp host DDD.DDD.DDD.138 any eq ftp
access-list acl_in permit tcp host AAA.AAA.AAA.138 any eq ftp-data
access-list acl_in permit tcp host AAA.AAA.AAA.138 any eq ftp
access-list acl_in permit tcp host AAA.BBB.AAA.132 any eq ftp-data
access-list acl_in permit tcp any host AAA.AAA.1.254 eq ftp
access-list acl_in permit tcp any host AAA.AAA.A.254 eq ftp-data
access-list acl_in permit tcp any host AAA.AA.AAA.140 eq ftp
access-list acl_in permit tcp any host AAA.AA.AAA.140 eq ftp-data
access-list acl_in permit tcp any host AAA.CCC.DDD.10 eq ftp
access-list acl_in permit tcp any host AAA.DDD.AAA.10 eq ftp-data
access-list acl_in deny ip any any
access-list acl_in permit ip any any
pager lines 20
logging on
logging timestamp
no logging standby
no logging console
logging monitor debugging
no logging buffered
logging trap warnings
logging history warnings
logging facility 20
logging queue 512
logging host inside AAA.AAA.AAA.149
logging host inside AAA.AAA.AAA.49
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto
interface ethernet5 100full
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
ip address outside AA.0.2.2 255.255.255.224
ip address inside AA.168.2.38 255.255.255.224
ip address dmz1 AAA.AAA.AAA.37 255.255.255.252
ip address pix/intf3 0.0.0.0 255.255.255.255
ip address pix/intf4 AAA.168.15.1 255.255.255.0
ip address failover AAA.168.2.253 255.255.255.252
failover
failover timeout 0:00:00
failover ip address outside AA.168.2.3
failover ip address inside AA.168.2.36
failover ip address dmz1 0.0.0.0
failover ip address pix/intf3 0.0.0.0
failover ip address pix/intf4 0.0.0.0
failover ip address failover AAA.168.2.254
failover link failover
arp timeout 240
global (outside) 1 AAA.AAA.AAA.26-AAA.AAA.AAA.28
global (outside) 1 AAA.AAA.AAA.29
nat (inside) 0 AAA.AAA.AAA.0 255.255.255.255 0 0
nat (inside) 0 AAA.AAA.AAA.0 255.255.255.252 0 0
nat (inside) 0 AAA.AAA.AAA.128 255.255.255.224 0 0
nat (inside) 0 AAA.168.3.0 255.255.255.0 0 0
nat (inside) 1 10.30.1.0 255.255.255.0 0 0
nat (inside) 0 AAA.AAA.AAA.10 255.255.255.0 0 0
nat (inside) 0 AAA.AAA.AAA.11 255.255.255.0 0 0
nat (pix/intf4) 1 AAA.168.15.0 255.255.255.0 0 0
static (dmz1,outside) AAA.AAA.AAA.38 AAA.AAA.AAA.38 netmask 255.255.255.255 0 500
static (inside,outside) AAA.AAA.AAA.128 AAA.AAA.AAA.128 netmask 255.255.255.224 0 0
static (pix/intf4,outside) AAA.AAA.AAA.6 10.0.15.5 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.3.0 10.0.3.0 netmask 255.255.255.0 0 0
static (inside,outside) AAA.AAA.AAA.0 AAA.AAA.AAA.0 netmask 255.255.255.224 0 0
access-group acl_in in interface inside
conduit permit tcp AAA.AAA.AAA.128 255.255.255.224 eq 6000 host AAA.AAA.AAA.190
conduit permit tcp AAA.AAA.AAA.128 255.255.255.224 eq ident host AAA.AAA.AAA.253
conduit permit tcp AAA.AAA.AAA.128 255.255.255.224 eq lpd host AAA.AAA.AAA.7
conduit permit tcp host AAA.AAA.AAA.145 eq ftp host AAA.AAA.AAA.190
conduit permit tcp host AAA.AAA.AAA.145 eq ftp-data host AAA.AAA.AAA.190
conduit permit tcp host AAA.AAA.AAA.145 eq ftp host AAA.AAA.AAA.29
conduit permit ip host 10.0.10.10 host AAA.AAA.AAA.145
route outside 0.0.0.0 0.0.0.0 10.0.10.1 1
route inside 10.0.3.0 255.255.255.0 10.0.2.34 1
route inside 10.50.1.0 255.255.255.0 10.0.2.34 1
route inside AAA.AAA.AAA.AAA 255.255.255.224 10.0.2.34 1
route inside 195.206.162.0 255.255.255.224 10.0.2.34 1
timeout xlate 0:03:00 conn 5:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:02:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community pigsinspace
snmp-server enable traps
tftp-server inside 195.206.160.157 /pix-confg
no floodguard enable
isakmp identity hostname
telnet AAA.AAA.AAA.128 255.255.255.224 inside
telnet AAA.AAA.AAA.128 255.255.255.224 dmz1
telnet AAA.AAA.AAA.128 255.255.255.224 pix/intf3
telnet ZZZ.ZZZ.ZZZ.128 255.255.255.224 pix/intf4
telnet ZZZ.ZZZ.ZZZ.128 255.255.255.224 failover
telnet 10.0.15.0 255.255.255.0 pix/intf4
telnet timeout 5
01-23-2002 11:29 AM
Check your hotmail account...
Ben