New Member

PIX NAT problems

I'm using a global NAT pool that spans 5 Class C subnets and I am NAT'ing all internal hosts to that pool. The strange behavior is that I am running out of translations; it stops handing out translations when it reaches somewhere in the area of 650 translations.

Here's my nat config:

global (outside) 1 152.157.168.1-152.157.172.254

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

What's really strange is that certain addresses are skipped as translations are handed out. It seems to be following a pattern of handing out addresses: 1, 2, 5, 9.

Any ideas?

2 REPLIES
Gold

Re: PIX NAT problems

Scott -

Have you tried the command "clear xlate" to see if you get the same problem? Also, which PIX IOS and PIX model, i.e. 501/506/515 etc.?

Thanks -

Cisco Employee

Re: PIX NAT problems

Hi,

Can you see how many translations are being built up?

"show xlate count"

What if some inside PCs are infected with a virus/worm and are sending spoofed IP packets towards/across the PIX? Hence the PIX is making translations for them.

Try "show xlate" and find out if any IP other than your inside network is making an entry there.

Additionally, you can try the following:

1- Make an access-list on the inside interface to only permit your inside network to go through the PIX

2- change the "nat (inside) 1 0.0.0.0 0.0.0.0" to

nat (inside) 1

3- apply the "ip verify reverse-path inside" command

4- make a PAT entry, e.g. "global (outside) 1 interface"

Thanks

Nadeem
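As an added example (not code from this thread or from Cisco), here is a small script that carries out the check Nadeem describes: it parses "show xlate" output, lists translations whose Local address lies outside your inside network (spoofed or misrouted sources eating pool addresses), and reports which addresses of the global pool have been skipped, as in Scott's 1, 2, 5, 9 pattern. The sample output below is constructed, and the "Global X Local Y" line layout is assumed; adjust the regex if your PIX version prints it differently.

```python
import ipaddress
import re

# Constructed sample of "show xlate" output (assumed PIX 6.x "Global ... Local ..." layout).
SAMPLE_XLATE = """\
6 in use, 650 most used
Global 152.157.168.1 Local 10.1.1.5
Global 152.157.168.2 Local 10.1.1.6
PAT Global 152.157.168.5(1024) Local 10.1.1.7(1234)
Global 152.157.168.9 Local 192.168.77.3
Global 152.157.168.10 Local 203.0.113.44
Global 152.157.168.11 Local 10.1.2.9
"""

# Matches both plain NAT lines and PAT lines (port in parentheses is optional).
XLATE_RE = re.compile(
    r"Global\s+(\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?\s+Local\s+(\d+\.\d+\.\d+\.\d+)"
)


def parse_xlate(text):
    """Return (global_ip, local_ip) pairs found in show xlate output."""
    return [(ipaddress.ip_address(g), ipaddress.ip_address(l))
            for g, l in XLATE_RE.findall(text)]


def find_foreign_locals(text, inside_nets):
    """Translations whose Local address is not inside any configured inside network.
    These are the entries Nadeem suggests looking for: they consume pool addresses
    without belonging to a legitimate inside host."""
    nets = [ipaddress.ip_network(n) for n in inside_nets]
    return [(str(g), str(l)) for g, l in parse_xlate(text)
            if not any(l in n for n in nets)]


def pool_usage(text, pool_start, pool_end):
    """(distinct pool addresses in use, total addresses in the global pool)."""
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    used = {g for g, _ in parse_xlate(text) if start <= g <= end}
    return len(used), int(end) - int(start) + 1


def skipped_in_pool(text, pool_start, pool_end):
    """Pool addresses below the highest one in use that hold no translation,
    i.e. the gaps in the hand-out pattern the original post describes."""
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    used = {g for g, _ in parse_xlate(text) if start <= g <= end}
    if not used:
        return []
    top = max(used)
    return [str(ipaddress.ip_address(i)) for i in range(int(start), int(top))
            if ipaddress.ip_address(i) not in used]
```

Run it against the real output of "show xlate" saved to a file, with your actual inside prefixes and the pool range from the "global (outside)" line.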
