Some users can access the internet while some users cannot thru the pix.In the pix we find out that some of these users are having there addresses patted several times,while some users have there connection flagged.For instance we have flag r,flag s flag -.I need some help interpreting these flags and also explain why some users can connect to the internet without any problem.Some users even connect without using the pat address,while some connect using several of the same pat address for every page opened on the internet.We are currently using pix version 4.41.We are also using proxy server and FW-1 for authentication.The pix is behind FW-1
Hmm. Sounds like you have quite a bit going on there with fw-1 and the proxy involved. You need to break it down into simpler components.
What PIX hardware are you running? I would upgrade the PIX code if possible.
I would setup the PIX alone, without any other proxy or firewall devices in front or behind it and then test. You may find that users are able to access the internet without issue at that point. Are you patting on the PIX and then on the checkpoint? I have that exact setup in production. No proxy server is involved however.
We have static translation for some hosts and those we dont have problem with.The only thing that baffles us is that the users are been translated but we are not seing it in the sh xlate local for specific individuals.I also need specific answer to the flags interpretation.Your help will be appreciated
I would not worry about those flags. They have never helped me diagnose a PIX problem.
Do you have smartnet on your PIX? Calling TAC would be my best advice to you.
You said you don't even see the PIX building translations in the sh xlate for certain machines? That's weird! Seems to me that those machines are not hitting the PIX at all. You mention a lot of HTTP used in your tests. That's TCP and you are more likely to see issues with NAT anyway using that protocol. Use ping. It's simpler for the PIX and FW-1 to deal with.
Sounds like you have issues at hand that are not directly related to the PIX. Are you using Proxy Client on your user's machines? Look very hard at the way your machines are interacting with the proxy. I've seen many many similar problems caused by proxy client :-) good luck.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :