Pix 7.2(1) clear xlate issue

happystate_2
Level 1

Every morning I have to issue a clear xlate on our firewall to browse the Internet. Our inbound web servers are not affected. Any ideas on getting a handle on this problem? This issue has been a tough nut to crack.

15 Replies

cpembleton
Level 4

Are you using NAT or PAT? If you run out of addresses in the NAT pool you would have to clear the xlate to allow new traffic to get an IP.

I have the same problem...

I don't think that running a "clear xlate" command every day is the ideal solution.

I have checked everything I can think of. I made sure my Ethernet ports were set to 100 full. I have also replaced the actual PIX hardware (same config). Still no luck. I am replacing my Ethernet cables tonight. I am waiting on a SMARTnet contract number, then I'm calling Cisco.

I also have downgraded from 7.X back to 6.3; same problem. Am I missing something?

I'll post a sanitized config if anybody is interested.

I am using PAT. I am using only 1 address for outbound traffic. I also have a restricted license. What is the limitation of this license? Maybe a license upgrade is needed.

Hi,

How many internal hosts do you have using the PAT? Also, do you have many statics?

Glen.

You should enable logging to get a better idea of what is happening. Also, the next time the issue happens, do a "show xlate" and "show conn". A sanitized config would help too.

Hope that helps! If so, please rate.

Thanks

I have posted a sanitized config. Hopefully it's readable. Just an update: we don't have trouble during the day. It seems to happen at night. I have to clear the translation table (clear xlate) every morning. And it just started about 2 months ago. This firewall has been in use for almost 2 years.

License definitely applies limitations as to the number of concurrent connections you can have ... for example, for a 501:

License                       Function
10 User License               Support for up to ten concurrent connections from different source IP addresses on the internal network to traverse the firewall. Also provides DHCP server support for up to 32 leases.
50 User License               Support for up to 50 concurrent connections from different source IP addresses on the internal network to traverse the firewall. Also provides DHCP server support for up to 128 leases.
Unlimited User License        Support for an unlimited number of concurrent connections from different source IP addresses on the internal network to traverse the firewall. Also provides DHCP server support for up to 256 leases.
DES Encryption License        Support for 56-bit DES encryption.
3DES/AES Encryption License   Support for 168-bit 3DES and up to 256-bit AES encryption.

I hope it helps .. please rate if it does !!!

If you had 7.0 you have at least the 515, and even with a restricted license you should be fine. When you PAT an IP address it can handle 4024 (not sure if this is the exact number) xlates. If you have too many outbound xlates, at some point it will reach the limit. The best way to fix this is to add more than 1 PAT entry or use a NAT pool backed up with PAT. If you don't have any more IPs you could lower the xlate timeout value. The default is 3 hours, so setting it lower may help your issue.

Hope this helps.

Chad
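A small parser for the "show xlate" output suggested earlier in the thread, added here as an example that is not from the thread, the poster, or Cisco: it counts PAT translations per outside address and per inside host, so you can see whether a single PAT address is near its ceiling and which inside hosts are holding translations overnight. The sample output is constructed, its "PAT Global a.b.c.d(port) Local w.x.y.z(port)" line layout is an assumption about the 7.x format, and the per-address ceiling is passed in as a parameter rather than assumed (the 4024 figure above is unverified in the thread).

```python
import re
from collections import Counter

# Constructed sample of PIX 7.x "show xlate" output; it is not from the thread and
# the "PAT Global a.b.c.d(port) Local w.x.y.z(port)" layout is an assumption.
SAMPLE_XLATE = """\
5 in use, 5 most used
PAT Global 203.0.113.10(1024) Local 10.0.0.15(49152)
PAT Global 203.0.113.10(1025) Local 10.0.0.15(49153)
PAT Global 203.0.113.10(1026) Local 10.0.0.22(51000)
PAT Global 203.0.113.11(1024) Local 10.0.0.15(49154)
Global 203.0.113.50 Local 10.0.0.100
"""

USAGE_RE = re.compile(r"^(\d+) in use, (\d+) most used")
PAT_RE = re.compile(r"^PAT Global (\S+?)\((\d+)\) Local (\S+?)\((\d+)\)")
STATIC_RE = re.compile(r"^Global (\S+) Local (\S+)$")


def parse_xlate(text):
    """Summarise a show xlate dump: PAT entries per global and per local address,
    the count of non-PAT (static/NAT pool) entries, and the in-use/most-used counters."""
    summary = {"per_global": Counter(), "per_local": Counter(),
               "static": 0, "in_use": 0, "most_used": 0}
    for line in text.splitlines():
        if m := USAGE_RE.match(line):
            summary["in_use"], summary["most_used"] = int(m[1]), int(m[2])
        elif m := PAT_RE.match(line):
            summary["per_global"][m[1]] += 1
            summary["per_local"][m[3]] += 1
        elif STATIC_RE.match(line):
            summary["static"] += 1
    return summary


def pat_pressure(summary, per_address_limit):
    """Fraction of the per-address PAT ceiling consumed by each global address.
    The ceiling is whatever the platform documents; it is passed in, not assumed."""
    return {ip: n / per_address_limit for ip, n in summary["per_global"].items()}


def top_talkers(summary, n=3):
    """Inside hosts holding the most PAT translations, largest first."""
    return summary["per_local"].most_common(n)


if __name__ == "__main__":
    s = parse_xlate(SAMPLE_XLATE)
    print("most used:", s["most_used"], "static entries:", s["static"])
    for ip, frac in pat_pressure(s, 4).items():  # 4 is a toy ceiling for the sample
        print(f"{ip}: {frac:.0%} of PAT ceiling")
    print("top talkers:", top_talkers(s))
```

Run it against a real dump captured while the slowdown is happening and again after a clear xlate; a PAT address sitting near its ceiling, or a handful of hosts holding most of the entries, points at exhaustion rather than a cabling or hardware fault.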

I am running 7.2(1). I am unsure how to do what you are describing. I am attaching a sanitized config. My timeout values are set to default. We have about 300 internal hosts. Also, something in the config may be wrong.

Your config is fine. But you're trying to PAT 300 hosts to 1 IP.

This link should help.

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a008063b1fa.html

PAT

global (outside) 1 192.168.1.1

Multiple PAT

global (outside) 1 192.168.1.1
global (outside) 1 192.168.1.1

NAT pool with PAT backup

global (outside) 1 192.168.1.1-192.168.1.100
global (outside) 1 192.168.1.101

I'm assuming for multiple PAT I can place another outside IP address as the second entry. Your example shows the same IP twice. I am going to read through the link you provided. If I can clarify what I need, I'll make the change tonight and see what happens.

Yes, you would use another usable IP.

Sorry for the typo.

Well, I made the changes and added a second global PAT. When I came to work this AM it was still slow on HTTP connections. I had to do a clear xlate to restore the speed.

Any other suggestions?
