Cisco Support Community
New Member

Servers behind PIX 501 lose access to internet periodically

I have a PIX 501 firewall, and periodically my servers behind the PIX lose their connection to the internet. When this happens I'm able to ping external addresses from the outside interface but not from the inside. When I reboot the firewall I can access the internet again for a few seconds and then I lose the connection again. Most of the time a "clear xlate" will fix the issue.

Please find my config attached.

4 REPLIES
Cisco Employee

Re: Servers behind PIX 501 lose access to internet periodically

It sounds like you're running out of available translation slots. You're PAT'ing all internal traffic to the outside interface's IP address, which theoretically should give you thousands of available outbound connections. When traffic stops flowing, do a "sho xlate count" and see how many translations are being used. If it's up in the thousands, then do a "sho xlate det" and try to see which internal host is using up all those translations. You might find one of your internal hosts is infected with a worm and is trying to connect to thousands of random external IP addresses.

New Member

Re: Servers behind PIX 501 lose access to internet periodically

It just happened again, and I looked at the xlate table and it showed:

2 in use, 34 most used

"Clear xlate" let me access the internet again.

Anything to do with only having a "10 user inside" license???

I ran scans on all my servers and none of them have any infections.

Cisco Employee

Re: Servers behind PIX 501 lose access to internet periodically

Do a "show local-host"; that tells you how many "users" the PIX thinks there are on your system. Could be you have a large number of VPN users coming in; I think they take up a "local-host" if I'm not mistaken (without using any xlate).

New Member

Re: Servers behind PIX 501 lose access to internet periodically

No, just 1 user uses VPN, although no users were connected when I experienced the problem. Usually it happens just when I start accessing the internet: my current sessions stay active, but I can't start any more. Here are the results of "sh local-hosts":

    Interface inside: 3 active, 3 maximum active, 0 denied
    local host: <192.168.1.102>,
        TCP connection count/limit = 0/unlimited
        TCP embryonic count = 0
        TCP intercept watermark = unlimited
        UDP connection count/limit = 0/unlimited
      AAA:
      Xlate(s):
      Conn(s):
    local host: <192.168.1.101>,
        TCP connection count/limit = 0/unlimited
        TCP embryonic count = 0
        TCP intercept watermark = unlimited
        UDP connection count/limit = 0/unlimited
      AAA:
      Xlate(s):
        PAT Global xx.xxx.xx.xxx(1090) Local 192.168.1.101(29852)
      Conn(s):
    local host: <192.168.1.100>,
        TCP connection count/limit = 0/unlimited
        TCP embryonic count = 0
        TCP intercept watermark = unlimited
        UDP connection count/limit = 15/unlimited
      AAA:
      Xlate(s):
        PAT Global xx.xxx.xx.xxx(1028) Local 192.168.1.100(1042)
      Conn(s):
        UDP out 209.55.0.110:53 in 192.168.1.100:1042 idle 0:01:14 flags -
        UDP out 209.55.1.220:53 in 192.168.1.100:1042 idle 0:01:09 flags -
        UDP out 65.83.241.181:53 in 192.168.1.100:1042 idle 0:01:03 flags -
        UDP out 209.55.0.110:53 in 192.168.1.100:1042 idle 0:01:00 flags -
        UDP out 209.55.0.110:53 in 192.168.1.100:1042 idle 0:00:58 flags -
        UDP out 209.55.1.220:53 in 192.168.1.100:1042 idle 0:00:54 flags -
        UDP out 209.55.1.220:53 in 192.168.1.100:1042 idle 0:00:53 flags -
        UDP out 65.83.241.181:53 in 192.168.1.100:1042 idle 0:00:48 flags -
        UDP out 65.83.241.181:53 in 192.168.1.100:1042 idle 0:00:47 flags -
        UDP out 209.55.0.110:53 in 192.168.1.100:1042 idle 0:00:25 flags -
        UDP out 209.55.1.220:53 in 192.168.1.100:1042 idle 0:00:19 flags -
        UDP out 209.55.0.110:53 in 192.168.1.100:1042 idle 0:00:18 flags -
        UDP out 65.83.241.181:53 in 192.168.1.100:1042 idle 0:00:13 flags -
        UDP out 209.55.1.220:53 in 192.168.1.100:1042 idle 0:00:13 flags -
        UDP out 65.83.241.181:53 in 192.168.1.100:1042 idle 0:00:07 flags -
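The Cisco employee's advice above (check "sho xlate count", then "sho xlate det" for the host holding the translations) and the "sh local-hosts" dump in the last post both amount to the same triage step: tally translations and connections per inside host and see who is holding them. The script below is an added example, not code from the thread or from Cisco. It parses output in exactly the format the last post shows (the "local host: <ip>", "PAT Global x(port) Local ip(port)" and "UDP out ... in ... idle ... flags -" lines), ranks hosts by live connections and translations, and summarises which remote services each host is talking to. The sample text is the thread's own output with the public PAT address masked as it is on the page; the regexes therefore accept any token for the global address. Attribute names and function names are the example's own.

```python
"""Added example: rank PIX inside hosts by xlate/conn usage from 'show local-host' output."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Copied from the thread's "sh local-hosts" dump (public PAT address masked there);
# the embryonic/intercept/AAA lines are omitted since the parser ignores them.
SAMPLE = """\
Interface inside: 3 active, 3 maximum active, 0 denied
local host: <192.168.1.102>,
    TCP connection count/limit = 0/unlimited
    UDP connection count/limit = 0/unlimited
  Xlate(s):
  Conn(s):
local host: <192.168.1.101>,
    TCP connection count/limit = 0/unlimited
    UDP connection count/limit = 0/unlimited
  Xlate(s):
    PAT Global xx.xxx.xx.xxx(1090) Local 192.168.1.101(29852)
  Conn(s):
local host: <192.168.1.100>,
    TCP connection count/limit = 0/unlimited
    UDP connection count/limit = 15/unlimited
  Xlate(s):
    PAT Global xx.xxx.xx.xxx(1028) Local 192.168.1.100(1042)
  Conn(s):
    UDP out 209.55.0.110:53 in 192.168.1.100:1042 idle 0:01:14 flags -
    UDP out 209.55.1.220:53 in 192.168.1.100:1042 idle 0:01:09 flags -
    UDP out 65.83.241.181:53 in 192.168.1.100:1042 idle 0:01:03 flags -
    UDP out 209.55.0.110:53 in 192.168.1.100:1042 idle 0:01:00 flags -
    UDP out 209.55.0.110:53 in 192.168.1.100:1042 idle 0:00:58 flags -
    UDP out 209.55.1.220:53 in 192.168.1.100:1042 idle 0:00:54 flags -
    UDP out 209.55.1.220:53 in 192.168.1.100:1042 idle 0:00:53 flags -
    UDP out 65.83.241.181:53 in 192.168.1.100:1042 idle 0:00:48 flags -
    UDP out 65.83.241.181:53 in 192.168.1.100:1042 idle 0:00:47 flags -
    UDP out 209.55.0.110:53 in 192.168.1.100:1042 idle 0:00:25 flags -
    UDP out 209.55.1.220:53 in 192.168.1.100:1042 idle 0:00:19 flags -
    UDP out 209.55.0.110:53 in 192.168.1.100:1042 idle 0:00:18 flags -
    UDP out 65.83.241.181:53 in 192.168.1.100:1042 idle 0:00:13 flags -
    UDP out 209.55.1.220:53 in 192.168.1.100:1042 idle 0:00:13 flags -
    UDP out 65.83.241.181:53 in 192.168.1.100:1042 idle 0:00:07 flags -
"""

HOST_RE = re.compile(r"^local host:\s*<([\d.]+)>")
IFACE_RE = re.compile(r"^Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied")
LIMIT_RE = re.compile(r"^(TCP|UDP) connection count/limit = (\d+)/(\S+)")
# "PAT Global g(port) Local l(port)"; ports are optional so static "Global g Local l" also parses
XLATE_RE = re.compile(r"^(PAT )?Global (\S+?)(?:\((\d+)\))? Local ([\d.]+)(?:\((\d+)\))?$")
CONN_RE = re.compile(r"^(TCP|UDP) out (\S+):(\d+) in ([\d.]+):(\d+) idle (\d+:\d\d:\d\d) flags (\S*)")
COUNT_RE = re.compile(r"(\d+) in use, (\d+) most used")  # "show xlate count" line

@dataclass
class LocalHost:
    ip: str
    tcp_count: int = 0
    udp_count: int = 0
    xlates: list = field(default_factory=list)  # (kind, global_ip, global_port, local_port)
    conns: list = field(default_factory=list)   # (proto, remote_ip, remote_port, local_port, idle, flags)

def parse_interfaces(text):
    """{iface: (active, maximum active, denied)} from the 'Interface ...' header lines."""
    return {m[1]: (int(m[2]), int(m[3]), int(m[4]))
            for m in (IFACE_RE.match(l.strip()) for l in text.splitlines()) if m}

def parse_local_host(text):
    """Build {ip: LocalHost} from 'show local-host' output; unknown lines are skipped."""
    hosts, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m[1], LocalHost(m[1]))
        elif cur is None:
            continue
        elif m := LIMIT_RE.match(line):
            setattr(cur, m[1].lower() + "_count", int(m[2]))
        elif m := XLATE_RE.match(line):
            cur.xlates.append(("PAT" if m[1] else "static", m[2],
                               int(m[3]) if m[3] else None, int(m[5]) if m[5] else None))
        elif m := CONN_RE.match(line):
            cur.conns.append((m[1], m[2], int(m[3]), int(m[5]), m[6], m[7]))
    return hosts

def parse_xlate_count(text):
    """(in use, most used) from a 'show xlate count' line, or None if absent."""
    m = COUNT_RE.search(text)
    return (int(m[1]), int(m[2])) if m else None

def rank_hosts(hosts):
    """[(ip, live conns, xlates)] with the heaviest host first."""
    return sorted(((h.ip, len(h.conns), len(h.xlates)) for h in hosts.values()),
                  key=lambda t: t[1:], reverse=True)

def remote_services(host):
    """Counter of (proto, remote port) the host is connected to, e.g. {('UDP', 53): 15}."""
    return Counter((proto, rport) for proto, _rip, rport, *_ in host.conns)

if __name__ == "__main__":
    hosts = parse_local_host(SAMPLE)
    print("interfaces:", parse_interfaces(SAMPLE))
    for ip, nconn, nxlate in rank_hosts(hosts):
        print(f"{ip:16} conns={nconn:3} xlates={nxlate:3} {dict(remote_services(hosts[ip]))}")
```

Run against the thread's output it reports three active inside hosts on the Interface line, and shows 192.168.1.100 holding one PAT translation and all 15 UDP connections, every one of them to port 53 on three resolvers from the same source port 1042, while the other two hosts hold at most one translation and no connections. The same parser works on a full "show xlate detail" dump, since the "PAT Global ... Local ..." lines have the same shape there.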
