02-08-2003 11:20 PM - edited 02-20-2020 10:33 PM
Hi All,
To access the internet, we are using 2 DNS servers. One is the ISP's DNS server (outside the PIX) and the other is a local DNS server inside the PIX. We have configured global (outside) 1 and nat (inside) 1. We are also using a tcp/udp access-list with any any. No ip access-list.
1) We are facing a problem: when we try to connect to the internet, the PIX (or NAT) does not recognise 'some' clients' requests, not all the clients.
2) Is there any way to use 2 non-contiguous IP addresses (belonging to the ISP) as the gateway from the PIX? Now we are using only one of them.
Thanks in advance..
richard
02-09-2003 03:55 PM
1) We'd have to see the syslog messages on the PIX at the time this failed to see what's going on.
2) No. You can only have one default gateway on the PIX.
02-09-2003 08:18 PM
hi gfullage,
We have seen the syslog messages. Should I send it to you?
Say we try 5 times to reach cisco.com from any PC host: 3 times we succeed and 2 times we fail, and there is no syslog message for that. For a successful connection there is a Built and Teardown UDP/53, but if it's not successful then there is no entry in the syslog messages.
The other thing is that we have 4 IP addresses in the global IP pool. If someone gets the 1st IP, he can resolve names with that IP. If a 2nd person tries to get internet access he may get the 2nd IP address from the pool. Now, at this point the 1st person cannot resolve domain names, while the 2nd person continues successfully.
thanks
richard
02-09-2003 08:54 PM
This sounds a little odd. Can you post the PIX configuration, make sure you xxxxxx out your passwords and just xxx out one number in the public addresses so we can still tell what's going on.
Thanks.
02-09-2003 10:19 PM
Hi gfullage,
Thanks for your reply. Here is my config.:
sh config
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password gyAGOSv.UG4R63yZ encrypted
passwd XcaLq5VlL2Wjo0YK encrypted
hostname Pix
domain-name grameenphone.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list dns_in permit tcp any any
access-list dns_in permit udp any any
pager lines 24
logging on
logging trap debugging
logging host inside 10.10.20.154
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 203.105.151.6 255.255.255.240
ip address inside 10.10.20.14 255.255.248.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.252
global (outside) 1 203.105.151.12
nat (inside) 1 10.10.20.152 255.255.255.248 0 0
access-group dns_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.105.151.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
service resetinbound
service resetoutside
telnet 10.10.20.154 255.255.255.255 inside
telnet 10.10.21.227 255.255.255.255 inside
telnet timeout 5
ssh 10.10.20.154 255.255.255.255 inside
ssh timeout 5
terminal width 80
Cryptochecksum:2888803cadc731805a23636df0d85e69
Pix# sh ver
Cisco PIX Firewall Version 6.1(4)
Cisco PIX Device Manager Version 1.1(2)
Compiled on Tue 21-May-02 08:40 by morlee
Pix up 3 days 22 hours
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5
0: ethernet0: address is 000a.f45f.2464, irq 10
1: ethernet1: address is 000a.f45f.2465, irq 11
2: ethernet2: address is 00e0.b605.de7b, irq 11
3: ethernet3: address is 00e0.b605.de7a, irq 10
4: ethernet4: address is 00e0.b605.de79, irq 9
5: ethernet5: address is 00e0.b605.de78, irq 5
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 8
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
ISAKMP peers: Unlimited
Serial Number: 806371424 (0x30104060)
Activation Key: 0xf579b1f2 0xdc1df947 0x3ce369b7 0x4dee1252
Pix#
thanks again,
richard
02-10-2003 03:52 PM
Change
> global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.252
to this:
> global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.240
Also, you have this:
> ip address inside 10.10.20.14 255.255.248.0
> nat (inside) 1 10.10.20.152 255.255.255.248 0 0
Are those masks correct (you have both 255.255.248.0 and 255.255.255.248)? This says only hosts 10.10.20.152 - 10.10.20.159 on the inside will be able to go outside, is that really what you want?
02-10-2003 08:50 PM
Hmm, it's my mistake, let me check. But I am sure that I don't want only the IPs from 152 to 159 to pass; I want all of my inside users to reach the internet.
thank you very much, I will let you know
richard
02-10-2003 09:45 PM
Hi richard,
You can use the following syntax:
nat (inside) 1 0.0.0.0 0.0.0.0
But this syntax will permit all inside users to reach the internet.
Or you can use the following syntax:
nat (inside) 1 10.10.16.0 255.255.248.0
The above syntax only permits network 10.10.16.0/28.
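The mask questions raised above (whether nat (inside) 1 10.10.20.152 255.255.255.248 really limits translation to .152-.159, which hosts a nat (inside) 1 10.10.16.0 255.255.248.0 statement covers, and whether the netmask on the global pool matches the outside interface's subnet) can be checked mechanically before the config is pushed. The following Python is an added example written for this thread, not code from any of the posters or from Cisco; the nat/global/ip address lines it feeds in are copied from the configuration quoted above, and the hypothetical helpers parse_nat, covered_hosts, is_translated, parse_global and global_mask_consistent are my own names.

```python
import ipaddress

# nat statements quoted or suggested in this thread (constructed sample input)
NAT_STATEMENTS = [
    "nat (inside) 1 10.10.20.152 255.255.255.248 0 0",
    "nat (inside) 1 10.10.16.0 255.255.248.0",
    "nat (inside) 1 0.0.0.0 0.0.0.0",
]

# outside interface address from the posted config
OUTSIDE_IP, OUTSIDE_MASK = "203.105.151.6", "255.255.255.240"


def parse_nat(line):
    """Parse a PIX 6.x 'nat (ifname) id address mask [max_conns [em_limit]]' line.

    Returns (ifname, nat_id, IPv4Network). strict=False lets a host address
    such as 10.10.20.152 be given with a mask, as the PIX CLI accepts.
    """
    parts = line.split()
    if len(parts) < 5 or parts[0] != "nat":
        raise ValueError(f"not a nat statement: {line!r}")
    ifname = parts[1].strip("()")
    nat_id = int(parts[2])
    net = ipaddress.IPv4Network((parts[3], parts[4]), strict=False)
    return ifname, nat_id, net


def covered_hosts(line):
    """Return (cidr, first address, last address, size) a nat statement matches."""
    _, _, net = parse_nat(line)
    return (str(net), str(net.network_address),
            str(net.broadcast_address), net.num_addresses)


def is_translated(line, host):
    """True when an inside host falls inside the nat statement's scope."""
    _, _, net = parse_nat(line)
    return ipaddress.IPv4Address(host) in net


def parse_global(line):
    """Parse 'global (ifname) id first[-last] [netmask mask]'.

    Returns (ifname, id, first, last, mask_or_None); a single PAT address
    without an explicit netmask yields mask None.
    """
    parts = line.split()
    if len(parts) < 4 or parts[0] != "global":
        raise ValueError(f"not a global statement: {line!r}")
    first, _, last = parts[3].partition("-")
    last = last or first
    mask = parts[5] if len(parts) >= 6 and parts[4] == "netmask" else None
    return (parts[1].strip("()"), int(parts[2]),
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last), mask)


def global_mask_consistent(global_line, if_ip, if_mask):
    """Check the pool's declared netmask against the interface subnet.

    Returns True when the subnet implied by (first pool address, declared
    mask) is the interface's own subnet and the whole range sits inside it,
    False when it is not, and None when no netmask was given.
    """
    _, _, first, last, mask = parse_global(global_line)
    if mask is None:
        return None
    if_net = ipaddress.IPv4Network((if_ip, if_mask), strict=False)
    pool_net = ipaddress.IPv4Network((str(first), mask), strict=False)
    return pool_net == if_net and last in if_net


if __name__ == "__main__":
    for stmt in NAT_STATEMENTS:
        print(stmt, "->", covered_hosts(stmt))
    for g in ("global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.252",
              "global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.240"):
        print(g, "->", global_mask_consistent(g, OUTSIDE_IP, OUTSIDE_MASK))
```

Running it shows the original nat statement covering exactly 10.10.20.152-10.10.20.159 (8 addresses), while 10.10.16.0 255.255.248.0 covers 10.10.16.0-10.10.23.255 and therefore includes both the PIX inside address 10.10.20.14 and the host 10.10.21.87 that appears in the later logs; the 255.255.255.252 pool mask is flagged as inconsistent with the /28 outside interface and the 255.255.255.240 mask passes.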
02-11-2003 09:57 AM
hi,
thanks. I guess the last one is better option:
nat (inside) 1 10.10.16.0 255.255.248.0
thanks for the advice.
richard
02-16-2003 01:40 AM
Hi gfullage,
I have changed the global statement as you said:
global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.240
and also the nat: nat (inside) 1 10.10.16.0 255.255.240.0.
But still some http requests fail. I am cut-and-pasting some of my syslog messages:
Feb 10 14:50:18 10.10.20.14 %PIX-5-111007: Begin configuration: 10.10.21.227 reading from terminal
Feb 10 14:51:14 10.10.20.14 %PIX-6-302010: 1 in use, 20 most used
Feb 10 14:51:38 10.10.20.14 %PIX-5-111001: Begin configuration: 10.10.21.227 writing to memory
Feb 10 14:51:38 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/5934 laddr 10.10.20.152/1027
Feb 10 14:51:41 10.10.20.14 %PIX-5-111004: 10.10.21.227 end configuration: OK
Feb 10 14:51:43 10.10.20.14 %PIX-5-111005: 10.10.21.227 end configuration: OK
Feb 10 14:52:11 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/31 laddr 10.10.20.152/31
Feb 10 14:52:11 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/31 laddr 10.10.20.152/1482
Feb 10 14:52:11 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/32 laddr 10.10.20.152/32
Feb 10 14:52:11 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/32 laddr 10.10.20.152/1483
Feb 10 14:53:22 10.10.20.14 %PIX-6-609001: Built local-host inside:10.10.21.87
Feb 10 14:53:22 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53
Feb 10 14:53:22 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53
Feb 10 14:53:23 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53
Feb 10 14:53:46 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1681 dst outside:203.105.151.2/53
Feb 10 14:53:46 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1681 dst outside:203.105.151.2/53
Feb 10 14:53:47 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1681 dst outside:203.105.151.2/53
Feb 10 14:54:10 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1684 dst outside:203.105.151.2/53
Feb 10 14:54:10 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1684 dst outside:203.105.151.2/53
Feb 10 14:54:11 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1684 dst outside:203.105.151.2/53
Feb 10 14:54:11 10.10.20.14 %PIX-3-305005: No translation group found for udp src inside:10.10.21.87/1686 dst outside:203.105.151.2/53
Feb 10 14:54:16 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1688 dst outside:203.105.151.2/53
Feb 10 14:54:16 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1688 dst outside:203.105.151.2/53
Feb 10 14:54:17 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1688 dst outside:203.105.151.2/53
Feb 10 14:54:39 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1691 dst outside:203.105.151.2/53
Feb 10 14:54:40 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1691 dst outside:203.105.151.2/53
Feb 10 14:54:40 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1691 dst outside:203.105.151.2/53
Feb 10 14:55:03 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1694 dst outside:203.105.151.2/53
Feb 10 14:55:04 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1694 dst outside:203.105.151.2/53
Feb 10 14:55:04 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1694 dst outside:203.105.151.2/53
Feb 10 14:55:38 10.10.20.14 %PIX-6-609002: Teardown local-host inside:10.10.21.87 duration 0:02:17
Feb 10 14:57:10 10.10.20.14 %PIX-2-106006: Deny inbound UDP from 66.28.19.68/1066 to 203.105.151.9/1434 on interface outside
Feb 10 14:59:27 10.10.20.14 %PIX-6-110001: No route to 203.105.151.8 from 210.151.138.240
Feb 10 14:59:27 10.10.20.14 %PIX-2-106006: Deny inbound UDP from 210.151.138.240/44342 to 203.105.151.9/137 on interface outside
Feb 10 14:59:27 10.10.20.14 %PIX-2-106006: Deny inbound UDP from 210.151.138.240/44345 to 203.105.151.10/137 on interface outside
Feb 10 15:01:12 10.10.20.14 %PIX-6-302010: 0 in use, 20 most used
Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6142 laddr 10.10.20.152/6142
Feb 10 15:01:13 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6142 laddr 10.10.20.152/1027
Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6143 laddr 10.10.20.152/6143
Feb 10 15:01:13 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6143 laddr 10.10.20.152/1027
Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6144 laddr 10.10.20.152/6144
Feb 10 15:01:13 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6144 laddr 10.10.20.152/1027
Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6145 laddr 10.10.20.152/6145
Feb 10 15:01:13 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6145 laddr 10.10.20.152/1027
Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6146 laddr 10.10.20.152/6146
Feb 10 15:01:13 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6146 laddr 10.10.20.152/1027
Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6147 laddr 10.10.20.152/6147
Feb 10 15:01:13 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6147 laddr 10.10.20.152/1027
Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6148 laddr 10.10.20.152/6148
Feb 10 15:01:13 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6148 laddr 10.10.20.152/1027
Feb 10 15:03:07 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6149 laddr 10.10.20.152/6149
Feb 10 15:03:07 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6149 laddr 10.10.20.152/1027
Feb 10 15:03:07 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6150 laddr 10.10.20.152/6150
Feb 10 15:03:07 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6150 laddr 10.10.20.152/1027
Feb 10 15:03:07 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6151 laddr 10.10.20.152/6151
Feb 10 15:03:07 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6151 laddr 10.10.20.152/1027
Feb 10 15:03:07 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6152 laddr 10.10.20.152/6152
Feb 10 15:03:07 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6152 laddr 10.10.20.152/1027
Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6153 laddr 10.10.20.152/6153
Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6153 laddr 10.10.20.152/1027
Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6154 laddr 10.10.20.152/6154
Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6154 laddr 10.10.20.152/1027
Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6155 laddr 10.10.20.152/6155
Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6155 laddr 10.10.20.152/1027
Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6156 laddr 10.10.20.152/6156
Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6156 laddr 10.10.20.152/1027
Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6157 laddr 10.10.20.152/6157
Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6157 laddr 10.10.20.152/1027
Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6158 laddr 10.10.20.152/6158
Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6158 laddr 10.10.20.152/1027
Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6159 laddr 10.10.20.152/6159
Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6159 laddr 10.10.20.152/1027
Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6160 laddr 10.10.20.152/6160
Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6160 laddr 10.10.20.152/1027
Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6161 laddr 10.10.20.152/6161
Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6161 laddr 10.10.20.152/1027
Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6162 laddr 10.10.20.152/6162
Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6162 laddr 10.10.20.152/1027
Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6163 laddr 10.10.20.152/6163
Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6163 laddr 10.10.20.152/1027
Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6164 laddr 10.10.20.152/6164
Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6164 laddr 10.10.20.152/1027
Feb 10 15:03:10 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6165 laddr 10.10.20.152/6165
Feb 10 15:03:10 10.10.20.14 %PIX-6-302006: Teardown UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6165 laddr 10.10.20.152/1027
You will find some deny messages, although there is no blocking for those sites.
Any suggestion?
Is there any email address of yours so I can send the whole syslog?
Thanks
richard
02-16-2003 03:42 PM
You don't need to send the whole syslog, I can see the problem. These messages:
Feb 10 14:53:22 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53
Feb 10 14:53:22 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53
Feb 10 14:53:23 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53
mean the PIX has run out of translation addresses to use. Can you do a "sho conn count" and send that info, you do have a global statement with a PAT address, so you should have thousands of translations available. In the meantime, to give you more translations, you can add a second PAT global by changing:
global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.252
global (outside) 1 203.105.151.12
to:
global (outside) 1 203.105.151.8-203.105.151.10 netmask 255.255.255.252
global (outside) 1 203.105.151.11
global (outside) 1 203.105.151.12
That should resolve your problem for a while, but I'd be looking at why you're running out of translations. A "sho xlate" will show you the current translations outbound thru the PIX, check to see if one internal address seems to be using all of them up. It may just be that you have a large number of internal hosts and one PAT address isn't enough, which is fine and doing the above changes should resolve that, but you need to verify that you don't have one internal PC using up thousands of them cause it's got some worm or virus on it.
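The diagnostic steps above (read the %PIX-3-305005 lines for the inside host that failed, then compare "sho conn count" / "sho xlate" to see whether one host is consuming the translations) lend themselves to a small script when the syslog host is a Unix box. The Python below is an added example written for this thread, not gfullage's or Cisco's code; the sample syslog and xlate text is constructed from the output posted in this thread, and the helpers count_no_translation, translations_per_host, parse_usage and top_talker are hypothetical names of my own.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the syslog excerpt posted in this thread
SYSLOG_SAMPLE = """\
Feb 10 14:53:22 10.10.20.14 %PIX-6-609001: Built local-host inside:10.10.21.87
Feb 10 14:53:22 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53
Feb 10 14:53:23 10.10.20.14 %PIX-3-305005: No translation group found for tcp src inside:10.10.21.87/1678 dst outside:203.105.151.2/53
Feb 10 14:54:11 10.10.20.14 %PIX-3-305005: No translation group found for udp src inside:10.10.21.87/1686 dst outside:203.105.151.2/53
Feb 10 15:01:13 10.10.20.14 %PIX-6-302005: Built UDP connection for faddr 203.105.136.11/53 gaddr 203.105.151.9/6142 laddr 10.10.20.152/6142
"""

# Constructed sample in the PIX 6.x 'sh xlate' format shown in this thread
XLATE_SAMPLE = """\
12 in use, 44 most used
PAT Global 203.105.151.12(1657) Local 10.10.21.227(1104)
PAT Global 203.105.151.12(1656) Local 10.10.21.227(1103)
Global 203.105.151.8 Local 10.10.20.154
Global 203.105.151.9 Local 10.10.20.153
PAT Global 203.105.151.12(1653) Local 10.10.21.227(1100)
"""

# %PIX-3-305005 carries protocol, inside host/port and destination/port
NO_XLATE_RE = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# 'sh xlate' rows: optional "PAT " prefix, ports in parentheses only for PAT
XLATE_RE = re.compile(
    r"^(?P<pat>PAT )?Global (?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))? "
    r"Local (?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?$"
)
USAGE_RE = re.compile(r"^(?P<in_use>\d+) in use, (?P<most>\d+) most used$")


def count_no_translation(syslog_text):
    """Count 305005 events per (inside host, destination/port).

    Grouping by source host shows immediately whether the failures come from
    one machine (a host outside the nat scope, or a runaway process) or from
    everyone (a pool genuinely exhausted).
    """
    hits = Counter()
    for line in syslog_text.splitlines():
        m = NO_XLATE_RE.search(line)
        if m:
            hits[(m["src"], f"{m['dst']}/{m['dport']}")] += 1
    return hits


def translations_per_host(xlate_text):
    """Return (Counter of xlate rows per local address, number of PAT rows)."""
    per_host, pat_rows = Counter(), 0
    for line in xlate_text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            per_host[m["lip"]] += 1
            if m["pat"]:
                pat_rows += 1
    return per_host, pat_rows


def parse_usage(xlate_text):
    """Return (in use, most used) from the 'sh xlate' / 'sh conn count' header."""
    for line in xlate_text.splitlines():
        m = USAGE_RE.match(line.strip())
        if m:
            return int(m["in_use"]), int(m["most"])
    return None


def top_talker(xlate_text, threshold):
    """Return (host, count) for the busiest local address if it holds at least
    `threshold` translations; the worm/virus case gfullage describes would show
    up here as one host with thousands of PAT rows."""
    per_host, _ = translations_per_host(xlate_text)
    if not per_host:
        return None
    host, n = per_host.most_common(1)[0]
    return (host, n) if n >= threshold else None


if __name__ == "__main__":
    for (src, dst), n in count_no_translation(SYSLOG_SAMPLE).items():
        print(f"{n} x no translation for {src} -> {dst}")
    print("usage:", parse_usage(XLATE_SAMPLE))
    print("per host:", translations_per_host(XLATE_SAMPLE))
    print("top talker (>=1000):", top_talker(XLATE_SAMPLE, 1000))
```

On the constructed sample the script attributes all three 305005 events to 10.10.21.87 heading for 203.105.151.2/53, reports 12 translations in use with 44 as the high-water mark, and finds no host anywhere near a thousand translations, which is the shape of output that should prompt a look at the nat statement's scope rather than at the size of the pool.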
02-16-2003 06:56 PM
Thanks gfullage, for your reply.
But for your information (I should have told you earlier), we have connected only 3 PCs on the inside for testing purposes. No other PCs in the LAN are connected to this PIX. With these 3 PCs, we encounter this problem. Everything is good, but sometimes some web sites cannot be resolved.
I will send you the info you want to check.
thanks
richard
02-16-2003 08:10 PM
OK, all the more reason to check that one of these isn't going haywire and using up 1000's of connections. You're definitely running out of available translations, so a "sho conn count" and a "sho xlate" will give you an idea of what's going on.
02-16-2003 10:38 PM
Hi,
These are the outputs.
Pix# sh conn count
3 in use, 21 most used
Pix# sh xlate
3 in use, 44 most used
Global 203.105.151.9 Local 10.10.20.153
Global 203.105.151.10 Local 10.10.20.152
Global 203.105.151.11 Local 10.10.21.87
Pix#
Is there any bug in PIX 6.1(4) regarding PAT?
Thanks
Richard
02-17-2003 02:56 AM
Hi,
This is my sh global and sh xlate output.
Pix# sh global
global (outside) 1 203.105.151.8-203.105.151.11 netmask 255.255.255.240
global (outside) 1 203.105.151.12 netmask 255.255.255.240
global (outside) 1 203.105.151.13 netmask 255.255.255.240
Pix# sh xlate
12 in use, 44 most used
PAT Global 203.105.151.12(1657) Local 10.10.21.227(1104)
PAT Global 203.105.151.12(1656) Local 10.10.21.227(1103)
PAT Global 203.105.151.12(157) Local 10.10.21.227(1)
Global 203.105.151.8 Local 10.10.20.154
Global 203.105.151.9 Local 10.10.20.153
Global 203.105.151.10 Local 10.10.20.152
Global 203.105.151.11 Local 10.10.21.87
PAT Global 203.105.151.12(1653) Local 10.10.21.227(1100)
PAT Global 203.105.151.12(1652) Local 10.10.21.227(1099)
PAT Global 203.105.151.12(1655) Local 10.10.21.227(1102)
PAT Global 203.105.151.12(1127) Local 10.10.21.227(1035)
PAT Global 203.105.151.12(1654) Local 10.10.21.227(1101)
Now there are 4 PCs connected to the PIX. Still we are encountering the resolution problem.
Again I am sending you the syslog messages:
on interface outside
Feb 17 16:45:05 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12295 faddr 192.6.118.44/80 gaddr 203.105.151.11/2542 laddr 10.10.21.87/2542 duration 0:00:00 bytes 0 (TCP Reset-I)
Feb 17 16:45:05 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12293 faddr 192.6.118.44/80 gaddr 203.105.151.11/2539 laddr 10.10.21.87/2539 duration 0:00:04 bytes 6330 (TCP FINs)
Feb 17 16:45:06 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12296 for faddr 63.218.7.135/80 gaddr 203.105.151.11/2543 laddr 10.10.21.87/2543
Feb 17 16:45:06 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12297 for faddr 63.218.7.135/80 gaddr 203.105.151.11/2544 laddr 10.10.21.87/2544
Feb 17 16:45:07 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 63.218.7.135:/country/us/eng/img/top/hpweb_topnav_country.gif
Feb 17 16:45:07 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 63.218.7.135:/country/us/eng/img/top/hpc60_topnav_home.gif
Feb 17 16:45:08 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12298 for faddr 63.218.7.135/80 gaddr 203.105.151.11/2545 laddr 10.10.21.87/2545
Feb 17 16:45:08 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12296 faddr 63.218.7.135/80 gaddr 203.105.151.11/2543 laddr 10.10.21.87/2543 duration 0:00:02 bytes 991 (TCP Reset-I)
Feb 17 16:45:09 10.10.20.14 %PIX-6-106015: Deny TCP (no connection) from 63.218.7.135/80 to 203.105.151.11/2543 flags ACK on interface outside
Feb 17 16:45:09 10.10.20.14 %PIX-6-106015: Deny TCP (no connection) from 63.218.7.135/80 to 203.105.151.11/2543 flags FIN ACK on interface outside
Feb 17 16:45:09 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 63.218.7.135:/country/us/eng/img/top/hpc60_topnav_prodserv.gif
Feb 17 16:45:16 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12299 for faddr 65.54.195.190/80 gaddr 203.105.151.11/2546 laddr 10.10.21.87/2546
Feb 17 16:45:17 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 65.54.195.190:/3GRENUS/3_8100_11?id=categories/romance
Feb 17 16:45:19 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12299 faddr 65.54.195.190/80 gaddr 203.105.151.11/2546 laddr 10.10.21.87/2546 duration 0:00:03 bytes 1130 (TCP FINs)
Feb 17 16:45:23 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12300 for faddr 65.54.195.190/80 gaddr 203.105.151.11/2547 laddr 10.10.21.87/2547
Feb 17 16:45:24 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 65.54.195.190:/3GRENUS/3_8100_11?id=categories/romance
Feb 17 16:45:26 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12294 faddr 63.218.7.135/80 gaddr 203.105.151.11/2541 laddr 10.10.21.87/2541 duration 0:00:22 bytes 36734 (TCP Reset-I)
Feb 17 16:45:26 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12300 faddr 65.54.195.190/80 gaddr 203.105.151.11/2547 laddr 10.10.21.87/2547 duration 0:00:03 bytes 1130 (TCP FINs)
Feb 17 16:45:31 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12297 faddr 63.218.7.135/80 gaddr 203.105.151.11/2544 laddr 10.10.21.87/2544 duration 0:00:24 bytes 10455 (TCP Reset-I)
Feb 17 16:45:32 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12301 for faddr 65.54.195.190/80 gaddr 203.105.151.11/2548 laddr 10.10.21.87/2548
Feb 17 16:45:33 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 65.54.195.190:/3GRENUS/3_8100_11?id=categories/romance
Feb 17 16:45:36 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12301 faddr 65.54.195.190/80 gaddr 203.105.151.11/2548 laddr 10.10.21.87/2548 duration 0:00:03 bytes 1130 (TCP FINs)
Feb 17 16:45:36 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12298 faddr 63.218.7.135/80 gaddr 203.105.151.11/2545 laddr 10.10.21.87/2545 duration 0:00:27 bytes 13681 (TCP Reset-I)
Feb 17 16:46:04 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12302 for faddr 192.6.165.40/80 gaddr 203.105.151.11/2550 laddr 10.10.21.87/2550
Feb 17 16:46:04 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 192.6.165.40:/search/?ctry=us&lang=eng&qt=DLT+JukeBox&submit.x=7&submit.y=4
Feb 17 16:46:06 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12302 faddr 192.6.165.40/80 gaddr 203.105.151.11/2550 laddr 10.10.21.87/2550 duration 0:00:02 bytes 1005 (TCP FINs)
Feb 17 16:46:14 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12303 for faddr 204.69.199.39/80 gaddr 203.105.151.11/2552 laddr 10.10.21.87/2552
Feb 17 16:46:20 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12304 for faddr 204.69.199.39/80 gaddr 203.105.151.11/2553 laddr 10.10.21.87/2553
Feb 17 16:46:21 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 204.69.199.39:/css/npx_style.css
Feb 17 16:46:26 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12303 faddr 204.69.199.39/80 gaddr 203.105.151.11/2552 laddr 10.10.21.87/2552 duration 0:00:12 bytes 48729 (TCP FINs)
Feb 17 16:46:45 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12304 faddr 204.69.199.39/80 gaddr 203.105.151.11/2553 laddr 10.10.21.87/2553 duration 0:00:25 bytes 2284 (TCP Reset-I)
Feb 17 16:47:00 10.10.20.14 %PIX-6-302001: Built outbound TCP connection 12305 for faddr 192.6.165.40/80 gaddr 203.105.151.11/2554 laddr 10.10.21.87/2554
Feb 17 16:47:01 10.10.20.14 %PIX-5-304001: 10.10.21.87 Accessed URL 192.6.165.40:/search/?ctry=us&lang=eng&qt=DLT+JukeBox&submit.x=7&submit.y=8
Feb 17 16:47:03 10.10.20.14 %PIX-6-302002: Teardown TCP connection 12305 faddr 192.6.165.40/80 gaddr 203.105.151.11/2554 laddr 10.10.21.87/2554 duration 0:00:02 bytes 1005 (TCP FINs)
Maybe you will find something. There are some deny messages, but I don't know why.
Should we enter each global address (4 IPs: 203.105.151.8-203.105.151.11) in the DNS server's pointer record file?
Thanks and regards
Richard