PIX deny access to Internet on some Servers and Workstations

ewai · ‎12-12-2003

Hi all,

My PIX was working fine a few months back. Suddenly it's been doing some crazy things recently. I have some servers and workstations that can't access the Internet all of a sudden. The workstations resides on the Lan interface and the servers on the DMZ interface. The things that makes this hard to troubleshoot is that some workstations can connect to the Internet while some can't. So goes for the servers. In my mind, I'm thinking maybe it's a connection limitations issue on the Interface of both the LAN and DMZ NIC. Anyway, once I reload the PIX, everything is fine. Everyone can connect. But after 2-3 days, it starts to clog up and deny access to some workstations (LAN) and servers (DMZ).

Can someone help me out? Thanks

Tom

r.crist · ‎12-12-2003

Use the 'sh conn count' and 'sh xlate count' commands to see how many connections and translations are in use on your PIX. Also, enable logging and set it to level 6 - informational. Maybe you can get a better idea of what's going on by taking a peek at the logs. One mo' thing.. Are you using PAT, or do you have a NAT pool configured?

ewai · ‎12-12-2003

I'm using NAT for the Servers on the DMZ. I did testing on one of the DMZ server. That server is a webserver that host a few websites. Somehow I can access those websites while the server can't see the Internet. Is that normal?

Thomas