PIX520 static NAT maximum connection problem

frank.chen · ‎12-22-2003

I am experimencing a problem relating to static NAT maximum connection in PIX520. For the following example configuration:

static (inside,outside) 202.96.128.10 196.16.20.9 netmask 255.255.255.255 50 50

The maximum tcp and udp connection should be limited to 50. But it doesn't seem to be the case. 196.16.20.9 is a W2K DNS server, the normal DNS queries are about 10 udp connections so maximum 50 is more than enough. But if the outside Internet connection is down, DNS queries will increase to 200,000 udp connections in a single second (large enterprise enviroment) as it doesn't get a single reply and just keep trying, refreshing cache, etc. In such a senario, no more Internet traffic can pass through.

I am wondering why the connection is not limited by the static nat maximum connection.

Thanks a lot

Frank

scoclayton · ‎12-23-2003

Frank,

Out of curiosity, which version of code do you currently have on your PIX? The symptoms you describe with the DNS conns sounds a lot like a known issue and I just want to make sure of your current code level before making a recommendation. Let me know when you have a second.

Scott

frank.chen · ‎12-23-2003

Thanks scott. The version is 6.3(3).

Cheers.

Frank.

scoclayton · ‎12-23-2003

Thanks Frank. Kinda what I was expecting. I think this smells like CSCec45748. My recommendation would be to open a TAC case and request the latest 6.3(3) interim image to test with. I have had a few other customer run into this problem. Let me know if this helps.

Scott