Slackers losing internet connection from the LAN

Unanswered Question
Oct 10th, 2005

Hi Guys,


Having an issue with a 515(r) pix.


We are losing connection to the internet on the internal network on a few internal hosts. These seem to belong to the slackers who are last to reach their desks in the morning.


When I clear xlate we're all good again for a while.


This is going to be 1 of 2 things. Either this is the restricted version interfering but I don’t think we are hitting the 50k concurrent sessions by a long chalk.


More likely that this is a NAT / PAT issue. Mine is set up along these lines:


global (outside) 1 123.123.123.100-123.123.123.110

global (outside) 1 123.123.123.111


I can't really issue any more external IPs as the range isn't huge.


Any thoughts?


Thanks in advance.


mgaysek Mon, 10/10/2005 - 08:57

How many xlates are built at the time when you clear them? What is your xlate timer set for? What errors do you see in the log? You may want to incorporate the .111 into the other global pool.

jackko Mon, 10/10/2005 - 17:21

try applying netmask with the global commands. i guess by specifying the netmask, the pix will understand the pool is for pat, not nat.


e.g.

global (outside) 1 123.123.123.100-123.123.123.110 netmask 255.255.255.240



poperob123 Tue, 10/11/2005 - 13:13

I think what is happening is the xlate NAT addresses are filling up. The PAT address should then take the excess connections but isn't doing so. Xlate timeout is 3:00:00. Any more thoughts? What logging should I enable to monitor this?


Thanks again.

mgaysek Tue, 10/11/2005 - 17:47

Please post your nat and global commands. The show xlate command will show you how many translations are built and if your PAT is working. What is the purpose of having two different pools?



jackko Tue, 10/11/2005 - 18:19

global (outside) 1 123.123.123.100-123.123.123.110

global (outside) 1 123.123.123.111


i agree with you that the pix should start performing pat after those 11 ip are natted.


just wondering what version is the pix running. do "sh xlate" when the issue occurs.


also timeout xlate 3:00:00 is the default and it works fine so far with all the pix i have been playing with.

jackko Wed, 10/19/2005 - 22:46

just wondering how you go.
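
Added example, not part of any post in this thread: a Python sketch of the check the replies suggest, reading `show xlate` output to see whether the 11-address NAT pool is full and whether any PAT translations exist on 123.123.123.111. The `show xlate` line layout, the 192.168.1.x inside hosts and the function names are assumptions; the sample text is constructed.

```python
import ipaddress
import re

# Pool boundaries from the two global commands quoted in the thread.
NAT_FIRST = ipaddress.ip_address("123.123.123.100")
NAT_LAST = ipaddress.ip_address("123.123.123.110")
PAT_ADDR = ipaddress.ip_address("123.123.123.111")

# Assumed line layout: "[PAT ]Global <ip>[(port)] Local <ip>[(port)]".
XLATE = re.compile(r"^(PAT )?Global (\d+(?:\.\d+){3})(?:\(\d+\))? Local ")


def build_sample(pat_hosts):
    """Constructed 'show xlate' text: full NAT pool plus pat_hosts PAT entries."""
    lines = [f"Global 123.123.123.{100 + i} Local 192.168.1.{10 + i}"
             for i in range(11)]
    lines += [f"PAT Global 123.123.123.111({1024 + i}) Local 192.168.1.{50 + i}(3000)"
              for i in range(pat_hosts)]
    return "\n".join([f"{len(lines)} in use, {len(lines)} most used"] + lines)


def summarize_xlate(text):
    """Count one-to-one NAT and PAT xlates and flag a full pool with no PAT."""
    nat_globals, pat_xlates = set(), 0
    for line in text.splitlines():
        m = XLATE.match(line.strip())
        if not m:
            continue  # header line or anything unrecognised
        addr = ipaddress.ip_address(m.group(2))
        if m.group(1) and addr == PAT_ADDR:
            pat_xlates += 1
        elif not m.group(1) and NAT_FIRST <= addr <= NAT_LAST:
            nat_globals.add(addr)
    pool_size = int(NAT_LAST) - int(NAT_FIRST) + 1
    exhausted = len(nat_globals) >= pool_size
    return {
        "nat_in_use": len(nat_globals),
        "nat_pool_size": pool_size,
        "nat_pool_exhausted": exhausted,
        "pat_xlates": pat_xlates,
        # Full pool and zero PAT entries matches the symptom in the thread.
        "pat_fallback_missing": exhausted and pat_xlates == 0,
    }


if __name__ == "__main__":
    for n in (0, 3):
        print(n, summarize_xlate(build_sample(n)))
```
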
