Pix 520 xlate loop

blackrock · ‎11-19-2002

Hi i'm new at this and am faced with a pix whose translation table loops and fills up so that even though i have almost a full class c in my nat adress pool, i run out of adresses and can no longer access the internet.

Could anyone tell me how to check to see what is causing this and how to avoid it ?

Thanks

gfullage · ‎11-19-2002

What error are you seeing that says your translation table is "looping"? What do you mean by that anyway? How many internal hosts do you have?

What does your NAT/global configuration look like? Do you have something like the following:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 211.2.3.1 - 211.2.3.254

If so, then you should define the last address to be a PAT address, that way if you run out of NAT addresses you'll have an additional 60,000 or so translations to use. Change the above (if that's what you have) to:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 211.2.3.1 - 211.2.3.253

global (outside) 1 211.2.3.254

You'll get a message saying 211.2.3.254 will be port address translated. Keep in mind that one user can chew up a large number of NAT addresses just by going to a single Web page, so it's always best to have the one PAT address available.

blackrock · ‎11-20-2002

Thanks for the reply

I'm not getting error messages as such, but we have approximately 30 hosts Mac and PC and every so often, no can any longer reach the internet.

To resolve the problem, i do a "clear xlate".

By loop, i mean that when this situation occurs, a "sh xlate" displays the following

Global 216.208.143.141 Local 216.208.143.140

Global 216.208.143.140 Local 216.208.143.139

Global 216.208.143.143 Local 216.208.143.142

Global 216.208.143.142 Local 216.208.143.141

Global 216.208.143.137 Local 216.208.143.136

Global 216.208.143.136 Local 216.208.143.135

Global 216.208.143.139 Local 216.208.143.138

Global 216.208.143.138 Local 216.208.143.137

Global 216.208.143.133 Local 216.208.143.132

Global 216.208.143.132 Local 216.208.143.131

Global 216.208.143.135 Local 216.208.143.134

Global 216.208.143.134 Local 216.208.143.133

Global 216.208.143.129 Local 216.208.143.128

Global 216.208.143.128 Local 216.208.143.127

Global 216.208.143.131 Local 216.208.143.130

Global 216.208.143.130 Local 216.208.143.129

Global 216.208.143.157 Local 216.208.143.156

Global 216.208.143.156 Local 216.208.143.155

Global 216.208.143.159 Local 216.208.143.158

Global 216.208.143.158 Local 216.208.143.157

Global 216.208.143.153 Local 216.208.143.152

Global 216.208.143.152 Local 216.208.143.151

Global 216.208.143.155 Local 216.208.143.154

Global 216.208.143.154 Local 216.208.143.153

Global 216.208.143.149 Local 216.208.143.148

and so on from global 216.208.143.15 local 216.208.143.16 to

global 216.208.143.245 local 216.208.143.15

Then no one can reach the outside.

the nat/global config was :

global (outside) 1 216.208.143.15-216.208.143.245

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

I have changed it to :

global (outside) 1 216.208.143.15-216.208.143.244

global (outside) 1 216.208.143.245

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

as per your suggestion, I think this should work.

Thanks.

I would like to know however if ther is a way of finding out which host is causing this situation and how to prevent it.

Thanks again