I have a total of 6 interfaces on my PIX. 3 are configured (in, out and dmz) with valid IP addresses; the other 3 are configured as follows:
ip address statefailover:5 188.8.131.52 255.255.255.0
ip address none2 184.108.40.206 255.255.255.0
ip address statefailover 220.127.116.11 255.255.255.0
Why do we have these 3 and 2 statefailover interfaces?
What exactly is an xlate slot, and why do we need to free it using the timeout command?
Duration before authentication and authorization cache times out and user has to re-authenticate next connection. This duration must be shorter than the xlate values. Set to 0 to disable caching. Do not set to zero if passive FTP is used on the connections. Why?
I have VPN configured, but I want to know if I need a VPN concentrator to terminate IPsec lines from clients. How do I find out if I already have one?
2. Translation slots can persist after key changes have been made. The slot contains the translations that have been made, and in order to release the global IPs back to the pool, the clear xlate command has to be used.
The clear xlate command can also be used to clear a single IP address or interface. Another option would be to save the configuration and reboot the PIX.
Always use clear xlate or reload after adding, changing, or removing alias, conduit, global, nat, route, or static commands in your configuration.
3. The absolute timer must be shorter than the xlate timer; otherwise, a user could be reprompted after their session already ended.
The timeout command sets the idle time for connection, translation, UDP, RPC, and H.323 slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence. Do not use timeout uauth 0:0:0 if passive FTP is used for the connection, or if the virtual command is used for Web authentication.
4. The VPN clients need not necessarily terminate the IPsec lines on the concentrator. A PIX firewall would suffice. The following is a configuration example. Check it.
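As an added example (not part of either post above, and not Cisco's own tooling), the following Python script checks the two constraints the answer states against the `timeout` lines of a PIX running-config: the uauth timer must be shorter than the xlate timer, and uauth must not be 0 when passive FTP is in use. The sample config is constructed; it assumes the `h:mm:ss` value format the PIX `timeout` command uses, and the `passive_ftp` flag is an assumption the operator supplies, since the config alone does not reveal whether passive FTP crosses the firewall.

```python
import re

# Constructed sample of PIX "show running-config" timeout lines (not taken
# from the thread; values are assumed to be in the PIX h:mm:ss format).
SAMPLE_CONFIG = """\
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
"""

TIME_RE = re.compile(r"^(\d+):(\d{2}):(\d{2})$")


def hms_to_seconds(value):
    """Convert a PIX h:mm:ss timeout value to a number of seconds."""
    m = TIME_RE.match(value)
    if not m:
        raise ValueError(f"bad timeout value: {value!r}")
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def parse_timeouts(config):
    """Extract the xlate and uauth timers (in seconds) from 'timeout' lines.

    Returns a dict with keys 'xlate', 'uauth' and 'uauth_mode'; the mode is
    'absolute' when that keyword follows the uauth value, else 'inactivity'.
    """
    result = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "timeout":
            continue
        if parts[1] == "xlate":
            result["xlate"] = hms_to_seconds(parts[2])
        elif parts[1] == "uauth":
            result["uauth"] = hms_to_seconds(parts[2])
            result["uauth_mode"] = parts[3] if len(parts) > 3 else "inactivity"
    return result


def check_timeouts(config, passive_ftp=False):
    """Return a list of findings; an empty list means both constraints hold.

    passive_ftp is an operator-supplied assumption: the config does not say
    whether passive FTP sessions traverse the firewall.
    """
    t = parse_timeouts(config)
    findings = []
    if "xlate" not in t or "uauth" not in t:
        findings.append("missing timeout xlate or timeout uauth line")
        return findings
    # uauth cache must expire before the translation slot does, otherwise a
    # user can be reprompted for a session that has already ended.
    if t["uauth"] >= t["xlate"]:
        findings.append(
            f"uauth {t['uauth']}s is not shorter than xlate {t['xlate']}s"
        )
    # uauth 0 disables caching; the answer warns against that with passive FTP.
    if t["uauth"] == 0 and passive_ftp:
        findings.append("uauth 0:00:00 disables caching; unsafe with passive FTP")
    return findings


if __name__ == "__main__":
    for finding in check_timeouts(SAMPLE_CONFIG) or ["timeouts OK"]:
        print(finding)
```

Run it against the output of `show running-config | include timeout` pasted into a file; the sample config above passes, while a uauth value equal to or longer than xlate, or a zeroed uauth with `passive_ftp=True`, produces a finding.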