Cisco Support Community
clear xlate

I work with a PIX 515. Three zones are defined on the three existing interfaces: Inside, DMZ and Outside. Access-lists grant the necessary access for users on lower security interfaces to the specific hosts on higher security interfaces. I have also configured VPN access for external hosts to Inside and DMZ; this also works fine.

Cisco recommends that after changing your access-list you issue a "clear xlate" on the CLI, and that's when things start going wrong. After the "clear xlate", inside users still have access to the granted subnets/hosts, but people on the outside interface can't reach hosts on the DMZ anymore (which was possible before the clear xlate), and VPN users can establish their tunnel but no longer have access to DMZ and Inside (which was also possible before the clear xlate). After some time (I don't know how long, but it seems to be several hours) everything works fine again.

Looks like some kind of timeout problem to me ... but I can't find a solution to this. I work with the following timeout settings (defaults):

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0

timeout uauth 0:05:00 absolute

Can someone please help me to find the bug? A reboot or disconnecting the power doesn't solve the problem either.

Thanks for your effort.

Hans

2 REPLIES
Re: clear xlate

Just a thought... Did you define "static" for internal/dmz hosts and servers? If not, this is a must.

Re: clear xlate

I have tried, but it still doesn't work ... what exactly do I have to do when I want to reach hosts on the DMZ with regular IP addresses (like 50.0.0.0/24) from outside?

e.g.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 70.0.0.1 255.255.255.0
ip address inside 192.168.15.10 255.255.255.0
ip address dmz 50.0.0.1 255.255.255.0
access-list dmz_interface permit icmp any host 50.0.0.1 echo-reply
access-list outside_interface permit ip any any
access-group outside_interface in interface outside
access-group dmz_interface in interface dmz
nat (inside) 1 192.168.15.0 255.255.255.0 0 0
nat (dmz) 0 50.0.0.1 255.255.255.0 0 0
global (outside) 1 interface
global (dmz) 1 interface

something must be missing ...

greetings
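The "static" the first reply refers to, written against the interface names and addresses in Hans's posted configuration as an added example (it is not a configuration from the thread, and it assumes PIX 6.x syntax like the rest of the post; the 50.0.0.10 web server is a hypothetical host used only to show a tighter outside access-list):

```text
: Added example, not from the thread. With "nat (dmz) 0 ..." the PIX only
: builds an identity xlate when the DMZ host itself sends traffic outbound,
: so after "clear xlate" connections coming in from outside or from VPN
: clients fail until that host talks again. A static identity translation
: is permanent and survives "clear xlate", which is what the reply means.
static (dmz,outside) 50.0.0.0 50.0.0.0 netmask 255.255.255.0
static (inside,dmz) 192.168.15.0 192.168.15.0 netmask 255.255.255.0
: Permit only the DMZ services outside hosts actually need instead of
: "permit ip any any" (50.0.0.10 is a hypothetical DMZ web server).
no access-list outside_interface permit ip any any
access-list outside_interface permit tcp any host 50.0.0.10 eq www
access-group outside_interface in interface outside
: Clear the translation table once after the change, as Cisco recommends;
: the static entries are rebuilt immediately.
clear xlate
```

Check the result with "show xlate": the static entries for the two subnets should be listed right after the clear, before any host has sent traffic.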
