Cisco Support Community
New Member


Some users can access the internet while some users cannot through the PIX. In the PIX we found out that some of these users are having their addresses patted several times, while some users have their connection flagged. For instance we have flag r, flag s, flag -. I need some help interpreting these flags and also explaining why some users can connect to the internet without any problem. Some users even connect without using the PAT address, while some connect using several of the same PAT address for every page opened on the internet. We are currently using PIX version 4.41. We are also using a proxy server and FW-1 for authentication. The PIX is behind FW-1.

New Member

Re: Pix

Hmm. Sounds like you have quite a bit going on there with fw-1 and the proxy involved. You need to break it down into simpler components.

What PIX hardware are you running? I would upgrade the PIX code if possible.

I would set up the PIX alone, without any other proxy or firewall devices in front or behind it and then test. You may find that users are able to access the internet without issue at that point. Are you patting on the PIX and then on the checkpoint? I have that exact setup in production. No proxy server is involved however.

good luck!

-mike kantowski

New Member

Re: Pix

I agree with Mike and would recommend at the least upgrading to 4.4.8 if not higher.

The main point that concerns me is hosts connecting without using the PAT.

What are they connecting with? Do you have statics for these or only NAT and Global?

New Member

Re: Pix

We have static translation for some hosts and those we don't have a problem with. The only thing that baffles us is that the users are being translated but we are not seeing it in the sh xlate local for specific individuals. I also need a specific answer to the flags interpretation. Your help will be appreciated.

New Member

Re: Pix

I would not worry about those flags. They have never helped me diagnose a PIX problem.

Do you have smartnet on your PIX? Calling TAC would be my best advice to you.

You said you don't even see the PIX building translations in the sh xlate for certain machines? That's weird! Seems to me that those machines are not hitting the PIX at all. You mention a lot of HTTP used in your tests. That's TCP and you are more likely to see issues with NAT anyway using that protocol. Use ping. It's simpler for the PIX and FW-1 to deal with.

Sounds like you have issues at hand that are not directly related to the PIX. Are you using Proxy Client on your user's machines? Look very hard at the way your machines are interacting with the proxy. I've seen many many similar problems caused by proxy client :-) good luck.

mike kantowski

