11-19-2002 08:22 AM - edited 02-20-2020 10:23 PM
Hi, I'm new at this and am faced with a PIX whose translation table loops and fills up, so that even though I have almost a full class C in my NAT address pool, I run out of addresses and can no longer access the Internet.
Could anyone tell me how to check what is causing this and how to avoid it?
Thanks
11-19-2002 07:55 PM
What error are you seeing that says your translation table is "looping"? What do you mean by that anyway? How many internal hosts do you have?
What does your NAT/global configuration look like? Do you have something like the following:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 211.2.3.1 - 211.2.3.254
If so, then you should define the last address to be a PAT address, that way if you run out of NAT addresses you'll have an additional 60,000 or so translations to use. Change the above (if that's what you have) to:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 211.2.3.1 - 211.2.3.253
global (outside) 1 211.2.3.254
You'll get a message saying 211.2.3.254 will be port address translated. Keep in mind that one user can chew up a large number of NAT addresses just by going to a single Web page, so it's always best to have the one PAT address available.
11-20-2002 06:46 AM
Thanks for the reply
I'm not getting error messages as such, but we have approximately 30 hosts, Mac and PC, and every so often no one can reach the Internet any longer.
To resolve the problem, I do a "clear xlate".
By loop, I mean that when this situation occurs, a "sh xlate" displays the following:
Global 216.208.143.141 Local 216.208.143.140
Global 216.208.143.140 Local 216.208.143.139
Global 216.208.143.143 Local 216.208.143.142
Global 216.208.143.142 Local 216.208.143.141
Global 216.208.143.137 Local 216.208.143.136
Global 216.208.143.136 Local 216.208.143.135
Global 216.208.143.139 Local 216.208.143.138
Global 216.208.143.138 Local 216.208.143.137
Global 216.208.143.133 Local 216.208.143.132
Global 216.208.143.132 Local 216.208.143.131
Global 216.208.143.135 Local 216.208.143.134
Global 216.208.143.134 Local 216.208.143.133
Global 216.208.143.129 Local 216.208.143.128
Global 216.208.143.128 Local 216.208.143.127
Global 216.208.143.131 Local 216.208.143.130
Global 216.208.143.130 Local 216.208.143.129
Global 216.208.143.157 Local 216.208.143.156
Global 216.208.143.156 Local 216.208.143.155
Global 216.208.143.159 Local 216.208.143.158
Global 216.208.143.158 Local 216.208.143.157
Global 216.208.143.153 Local 216.208.143.152
Global 216.208.143.152 Local 216.208.143.151
Global 216.208.143.155 Local 216.208.143.154
Global 216.208.143.154 Local 216.208.143.153
Global 216.208.143.149 Local 216.208.143.148
and so on from global 216.208.143.15 local 216.208.143.16 to
global 216.208.143.245 local 216.208.143.15
Then no one can reach the outside.
The nat/global config was:
global (outside) 1 216.208.143.15-216.208.143.245
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
I have changed it to:
global (outside) 1 216.208.143.15-216.208.143.244
global (outside) 1 216.208.143.245
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
as per your suggestion, I think this should work.
Thanks.
I would like to know, however, if there is a way of finding out which host is causing this situation and how to prevent it.
Thanks again
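As an added diagnostic, not part of the thread, here is a small Python script that parses "show xlate" output of the form quoted above, flags entries whose Local address is itself a pool (Global) address, follows such a chain back to the inside host at its head, and reports how full the global pool is. The sample table is constructed to mirror the quoted output, and the 10.1.1.x inside-host addresses are assumed, not from the post.

```python
import ipaddress
import re

# Constructed sample in the format of the PIX "show xlate" output quoted in the
# thread; the 10.1.1.x Local entries are assumed real inside hosts (not from the post).
SAMPLE_XLATE = """\
Global 216.208.143.141 Local 216.208.143.140
Global 216.208.143.140 Local 216.208.143.139
Global 216.208.143.139 Local 10.1.1.25
Global 216.208.143.143 Local 10.1.1.40
"""

XLATE_RE = re.compile(r"Global\s+(\d+\.\d+\.\d+\.\d+)\s+Local\s+(\d+\.\d+\.\d+\.\d+)")


def parse_xlate(text):
    """Return {global_addr: local_addr} for every translation line in the output."""
    return {g: l for g, l in XLATE_RE.findall(text)}


def chained_entries(xlate):
    """Entries whose Local address is itself a Global address in the table.

    A pool that only maps real inside hosts never produces this; when it appears,
    a pool address has come back in as a source and been translated again, and
    every such hop consumes one more pool address."""
    return {g: l for g, l in xlate.items() if l in xlate}


def chain_origin(xlate, global_addr):
    """Follow Global -> Local links until reaching an address that is not a pool
    address: the real inside host at the head of the chain (cycle-safe)."""
    seen = set()
    addr = global_addr
    while addr in xlate and addr not in seen:
        seen.add(addr)
        addr = xlate[addr]
    return addr


def pool_usage(xlate, first, last):
    """Fraction of the global pool [first, last] currently holding an xlate."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    in_pool = [g for g in xlate if lo <= int(ipaddress.IPv4Address(g)) <= hi]
    return len(in_pool) / (hi - lo + 1)


if __name__ == "__main__":
    table = parse_xlate(SAMPLE_XLATE)
    for g, l in chained_entries(table).items():
        print(f"{g} -> {l} re-translates a pool address; origin host {chain_origin(table, g)}")
    print(f"pool in use: {pool_usage(table, '216.208.143.15', '216.208.143.245'):.1%}")
```

Run it against a pasted "show xlate" capture instead of SAMPLE_XLATE; the origin host reported for each chain is the one to look at when a chain keeps reappearing after a "clear xlate".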