PIX NAT problems

smatting · ‎10-16-2003

I'm using a global NAT pool that spans 5 Class C subnets and I am NAT'ing all internal hosts to that pool. Strange behavior is that I am running out of translations, it stops handing out translations when it reaches somewhere in the area of 650 translations.

Here's my nat config:

global (outside) 1 152.157.168.1-152.157.172.254

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

What's really strange is that certain addresses are skipped as translations are handed out. It seems to be following a pattern of handing out addresses: 1,2,5,9

Any ideas?

jmia · ‎10-16-2003

Scott -

Have you tried command: clear xlate, and see if you get the same problem. Also which pix ios and pix model, i.e. 501/506/515 etc.

Thanks -

nkhawaja · ‎10-16-2003

HI,

CAn you see how many translations are being built up.

"show xlat count"

What if some inside PC's are infected with virus/worm and sending spoofed IP packets towards/across PIX, Hence PIX is making translation for them.

try "show xlat" and find out if any IP other then your inside network is making the entry there.

Additionaly you can try the following

1- Make access-list on the inside interface to only permit your inside network to go through the PIX

2- change the nat(inside) 1 0.0.0.0 0.0.0.0 to

nat (inside) 1

3- apply "ip verfiy reverspath inside" command

4- make a PAT entry e.g. global(outside) 1 interface

Thanks

Nadeem