C4006 WITH SUPII AND Pix 515 ver 6.3

mingchieh
Level 1

I have a strange problem.

I have several servers on the inside,

and Internet users can access them normally.

But when I key the "clear xlate" command or reboot the firewall,

some servers cannot be accessed from outside

unless I go to the server and key a ping command to the outside (like the ISP DNS).

Then the server becomes normal and Internet users can access it again.

Why?

3 Replies

shannong
Level 4

How are you exposing that server to the outside? With a [static], [nat 0 x.x.x.x y.y.y.y], [nat 0 access-list xxx], or [nat,global]?

only

assume my server is 123.123.123.123

my command is only

nat (inside) 0 123.123.123.0 255.255.255.0

=======================================

But after I keyed in the question,

I tried a method and keyed in the command

static (inside,outside) 123.123.123.123 123.123.123.123

and everything is OK.

I do not understand what the command means:

static (inside,outside) 123.123.123.123 123.123.123.123

Would you explain that?

Thanks a lot

The static command is the proper one to use for this. "static" meaning a permanent translation that does not time out.

static (pre-nat interface, post-nat interface) pre-nat-address post-nat-address netmask x.x.x.x

Your use of the nat 0 command created a dynamic no-nat entry that is created when traffic is sent from inside to out. Translations time out when no traffic is sent from the inside host for the configured time period, thus making the host unavailable. When you would ping out, the translation was built again.

You can accomplish this with Nat 0 using an ACL. Nat 0 commands using ACLs also make permanent entries in the translation table.
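The two fixes named in the last reply, written out for PIX 6.3 as an added example that is not part of the original posts. The ACL names NONAT and OUTSIDE_IN and the permitted service (www) are assumptions; lines beginning with ":" are annotations, not commands.

```cisco
: Before (from the thread): identity NAT by network.
: Per the reply above, the entry is built only when the inside host sends
: traffic, so the server is unreachable from outside after "clear xlate",
: a reload, or an idle timeout until it talks out again.
nat (inside) 0 123.123.123.0 255.255.255.0

: Fix 1 (the one used in the thread): static identity translation.
: The entry is permanent and does not depend on outbound traffic.
static (inside,outside) 123.123.123.123 123.123.123.123 netmask 255.255.255.255

: Fix 2 (alternative to fix 1): nat 0 with an access list.
: NONAT is an assumed ACL name.
access-list NONAT permit ip host 123.123.123.123 any
nat (inside) 0 access-list NONAT

: Either fix only makes the address reachable. Inbound connections still
: have to be permitted on the outside interface. OUTSIDE_IN and the www
: port are assumptions; permit only the services the server really offers.
access-list OUTSIDE_IN permit tcp any host 123.123.123.123 eq www
access-group OUTSIDE_IN in interface outside

: Check: clear the table, then test from outside WITHOUT first pinging
: out from the server. The server should answer straight away.
clear xlate
show xlate
```

Because a static or a nat 0 access list leaves the server continuously reachable from outside, the outside ACL becomes the only control on what reaches it, so keep it as narrow as the service allows.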
