Cisco Support Community
Community Member

need help understanding pix

i need to undersatnd the logic for the following:


i have a total of 6 interfaces on my pix. 3 are configures (in, out n dmz) with valid ip addresses, the other 3 are configured as follows:

ip address statefailover:5

ip address none2

ip address statefailover

Why do we have these 3 and 2 statefailover interfaces?


What exactly is a xlate slot and why do we need to free it using timeout command?


Duration before authentication and authorization cache times out and user has to re authenticate next connection. This duration must be shorter than the xlate values. Set to 0 to disable caching. Do not set to zero if passive FTP is used on the connections.Why?


I have vpn configured , but I want to know if I need a VPN concentrator to terminate IP sec lines from clients, how do I find out if I already have one?

and what address should the vpn clients dial?


Re: need help understanding pix

1.A crossover cable is used to connect the statefailover interfaces .

ip address statefailover

failover ip address statefailover

failover link statefailover

are the commands used.

You could refer to

2.Translation slots can persist after key changes have been made. The slot contains the translations that have been made , and inorder to release the Global IPs back to the pool, the clear xlate command has to be used.

clear xlate command can be used to clear single IP address or interface also. Another option would be to save the configuration and reboot the PIX.

Always use clear xlate or reload after adding, changing, or removing alias, conduit, global, nat, route, or static commands in your configuration.

3.The absolute timer must be shorter than the xlate timer; otherwise, a user could be reprompted after their session already ended.

The timeout command sets the idle time for connection, translation UDP, RPC, and H.323 slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence. Do not use timeout uauth 0:0:0 if passive FTP for the connection, or if the virtual command is used for Web authentication.

4. The VPN clients need not necessarily terminate the IPsec lines on the Concentrator. A PIX firewall would suffice. The following is a configuration example.Check it.

CreatePlease to create content