07-18-2006 06:04 AM - edited 02-21-2020 01:03 AM
Every morning I have to issue a clear xlate on our firewall to browse the Internet. Our inbound web servers are not affected. Any ideas on getting a handle on this problem? This issue has been a tough nut to crack.
07-18-2006 10:42 AM
Are you using NAT or PAT? If you run out of address in the NAT pool you would have to clear the xlate to allow new traffic to get an IP.
07-18-2006 12:07 PM
I have the same problem...
I don't think that running a "clear xlate" command every day is the ideal solution.
07-18-2006 07:22 PM
I have checked everything I can think of. I made sure my ethernet ports were set to 100 full. I have also replaced the actual pix hardware (same config). Still no luck. I am replacing my ethernet cables tonight. I am waiting on a smartnet contract number, then I'm calling Cisco.
I also have downgraded from 7.X back to 6.3, same problem. Am I missing something?
I'll post a sanitized config if anybody is interested.
07-18-2006 07:24 PM
I am using PAT. I am using only 1 address for outbound traffic. I also have a restricted license. What is the limitation of this license? Maybe a license upgrade is needed.
07-18-2006 07:56 PM
Hi,
How many internal hosts do you have using the PAT? Also, do you have many statics?
Glen.
07-18-2006 09:09 PM
You should enable logging to get a better idea of what is happening. Also, the next time the issue happens, do a "show xlate" and "show conn". A sanitized config would help too.
Hope that helps! If so, please rate.
Thanks
07-19-2006 07:01 AM
I have posted a sanitized config. Hopefully it's readable. Just an update, we don't have trouble during the day. It seems to happen at night. I have to clear the translation table (clear xlate) every morning. And it just started about 2 months ago. This firewall has been in use for almost 2 years.
07-18-2006 09:45 PM
License definitely applies limitations as to the number of concurrent connections you can have ... for example for a 501:
License: Function
10 User License: Support for up to ten concurrent connections from different source IP addresses on the internal network to traverse the firewall. Also provides DHCP server support for up to 32 leases.
50 User License: Support for up to 50 concurrent connections from different source IP addresses on the internal network to traverse the firewall. Also provides DHCP server support for up to 128 leases.
Unlimited User License: Support for an unlimited number of concurrent connections from different source IP addresses on the internal network to traverse the firewall. Also provides DHCP server support for up to 256 leases.
DES Encryption License: Support for 56-bit DES encryption.
3DES/AES Encryption License: Support for 168-bit 3DES and up to 256-bit AES encryption.
I hope it helps .. please rate if it does !!!
07-19-2006 06:31 AM
If you had 7.0 you have at least the 515 and even with a restricted license you should be fine. When you PAT an ip address it can handle 4024 (not sure if this is the exact number) xlates. If you have too many outbound xlates at some point it will reach the limit. Best way to fix this is add more than 1 pat entry or use a nat pool backed up with PAT. If you don't have any more IP's you could lower the xlate timeout value. The default is 3 hours so by setting it lower it may help your issue.
Hope this helps.
Chad
07-19-2006 06:59 AM
07-19-2006 07:15 AM
Your config is fine. But you're trying to PAT 300 hosts to 1 ip.
This link should help.
PAT
Global (outside) 1 192.168.1.1
Multiple PAT
Global (outside) 1 192.168.1.1
Global (outside) 1 192.168.1.1
NAT pool with PAT backup
Global (outside) 1 192.168.1.1-192.168.1.100
Global (outside) 1 192.168.1.101
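The three global layouts in the post above, together with the shorter xlate timeout Chad suggested, written out as a complete PIX 6.3 configuration fragment. This is an added example, not the poster's config or Cisco's documentation; the addresses (203.0.113.x, from the documentation range) and the one-hour timeout are constructed values, and every command shown needs to be followed by a clear xlate for the new globals to take effect. Each option is shown as it would be applied on its own; only one of them belongs in a running config.

```cisco
! Inside hosts that are eligible for translation (nat id 1 covers everything).
nat (inside) 1 0.0.0.0 0.0.0.0

! Weak setting: ~300 hosts share a single PAT address, so all outbound
! sessions compete for the port range behind 203.0.113.10.
global (outside) 1 203.0.113.10

! Option A: multiple PAT addresses. Each extra global line for the same id
! adds another public address (and its full port range) to the PAT pool.
! The second address must be a different usable IP, not a repeat of the first.
global (outside) 1 203.0.113.10
global (outside) 1 203.0.113.11

! Option B: NAT pool with PAT backup. Hosts get one-to-one dynamic
! translations from the range first; the single address listed after the
! range is used for PAT only when the range is exhausted.
global (outside) 1 203.0.113.20-203.0.113.60 netmask 255.255.255.0
global (outside) 1 203.0.113.61 netmask 255.255.255.0

! Idle translations are held for 3:00:00 by default. Shortening that
! releases unused PAT ports sooner, which matters when addresses are scarce.
timeout xlate 1:00:00

! Required after any change to the global lines so existing translations
! are rebuilt against the new pool.
clear xlate
```

After applying either option, compare show xlate counts over a day against the number of inside hosts; if the translation count keeps climbing overnight while the host count does not, the timeout is the knob to look at rather than the pool size.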
07-19-2006 07:45 AM
I'm assuming for multiple PAT I can place another outside IP address as the second entry. Your example shows the same IP twice. I am going to read through the link you provided. If I can clarify what I need, I'll make the change tonight and see what happens.
07-19-2006 08:31 AM
Yes you would use another usable IP.
Sorry for the typo.
07-20-2006 05:54 AM
Well, I made the changes and added a second global PAT. When I came to work this AM it was still slow on http connections. I had to do a clear xlate to restore the speed.
Any other suggestions?