10-26-2006 12:12 AM - edited 02-21-2020 01:16 AM
I could ping an internet website through the PIX (6.3) with an internal IP, but only some IPs could do this... I checked my PIX's configuration and found out there are no limits on the inside interface (PIX allows access from a high security level interface to a low security level interface by default??). So strange, could someone help me to find the problem?? (cut...)
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip host 192.168.21.100 172.16.1.0 255.255.255.0
access-list 102 permit ip host 192.168.1.170 any
access-list 102 permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.* 255.255.255.224
ip address inside 172.18.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool normal 172.16.1.1-172.16.1.255
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
arp timeout 14400
global (outside) 1 61.172.253.99-61.172.253.117
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 192.168.0.0 255.255.0.0 172.18.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.1.43 cisco123 timeout 10
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set oss1 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
crypto map transam 10 ipsec-isakmp
crypto map peer1 11 ipsec-isakmp
crypto map peer1 11 set peer 194.39.131.167
crypto map peer1 11 set transform-set oss1
isakmp enable outside
isakmp key ******** address 194.39.131.167 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup normal address-pool normal
vpngroup normal dns-server 192.168.1.43 202.96.199.133
vpngroup normal split-tunnel 101
vpngroup normal idle-time 1800
vpngroup normal password ********
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end
10-26-2006 04:38 PM
Hello,
Your config looks fine for outbound access. However, you have a class C on your inside interface, which is 200+ hosts, not even counting anything you may be routing through the pix (the 192.168 class B). However, your nat/global statements say that only 20 hosts can have outside access (and presumably internet access) at the same time:
global (outside) 1 61.172.253.99-61.172.253.117
Once 20 internal IP addresses are mapped to 20 external IP addresses, everyone else has to wait until a translation slot frees up.
Try changing it to the following:
global (outside) 1 61.172.253.99-61.172.253.116
global (outside) 1 61.172.253.117
This means after the first 19 addresses are used by hosts needing translation, everyone else will use PAT - giving you 65000+ more translations for internet access. However, there are caveats when using PAT for some types of applications, make sure you look them up.
Check out this URL if you have any more questions. It explains everything you should need to know - assuming nat is your problem. :)
--Jason
Don't forget to rate if it helps
10-26-2006 08:00 PM
jgervia,
Thanks a lot. Could you tell me how to free up the translation slot list when the address range is exhausted??
10-27-2006 12:29 PM
Hello,
the command
show xlate
will show you the translation slots.
the command
clear xlate
will clear them, but this is usually disruptive and any connections associated with those translations will go away.
--Jason
Please rate if it's helpful.
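A worked model of the slot behaviour described in the two answers above (pool exhaustion with PAT fallback, and what `show xlate` / `clear xlate` do), added to this thread as an illustration; it is not Cisco code and was not posted by anyone in the thread. It parses the `global` statements quoted above with Python's ipaddress module, hands out translation slots the way the answers describe, and counts how many of 25 constructed inside hosts (172.18.1.x) get a slot under the posted pool versus the suggested pool-plus-PAT pair. The PAT port range, the allocation order and the one-flow-per-host demo are simplifying assumptions.

```python
"""Toy model of PIX 6.3 dynamic NAT / PAT translation slots (xlates).

Added illustration for this thread, not Cisco code. It parses `global (outside) <id> ...`
lines in the form posted above, builds the outside address pool, and hands out
translation slots the way the answers describe: one global address per inside host
until the range is exhausted, then PAT on a single address if one is configured,
otherwise no slot. The PAT port range, the allocation order and the inside host
addresses used in the demo are simplifying assumptions.
"""
import ipaddress
import re

GLOBAL_RE = re.compile(
    r"^global\s+\((?P<iface>\w+)\)\s+(?P<id>\d+)\s+"
    r"(?P<start>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:-(?P<end>\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)


def parse_global(line):
    """Return (nat_id, [global addresses]) for one `global (iface) N a[-b]` statement."""
    m = GLOBAL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a global statement: {line!r}")
    start = ipaddress.IPv4Address(m["start"])
    end = ipaddress.IPv4Address(m["end"] or m["start"])
    if end < start:
        raise ValueError(f"range end precedes start: {line!r}")
    return int(m["id"]), [str(start + i) for i in range(int(end) - int(start) + 1)]


class XlateTable:
    """Translation slots for one NAT id: a dynamic NAT pool plus an optional PAT address."""

    PAT_PORT_LOW, PAT_PORT_HIGH = 1024, 65535   # assumption: PAT ports handed out from here

    def __init__(self, global_lines):
        self.nat_pool = []        # addresses handed out one-to-one
        self.pat_addr = None      # single address shared by many hosts via ports
        for line in global_lines:
            _, addrs = parse_global(line)
            if len(addrs) == 1:
                self.pat_addr = addrs[0]   # a single-address global is a PAT address on the PIX
            else:
                self.nat_pool.extend(addrs)
        self.nat_xlates = {}      # inside_ip -> global_ip
        self.pat_xlates = {}      # (inside_ip, inside_port) -> (pat_addr, global_port)
        self.next_pat_port = self.PAT_PORT_LOW

    def translate(self, inside_ip, inside_port):
        """Return (global_ip, global_port) for an outbound flow, or None if no slot is free."""
        if inside_ip in self.nat_xlates:                     # host already owns a pool address
            return self.nat_xlates[inside_ip], inside_port   # dynamic NAT keeps the source port
        free = [g for g in self.nat_pool if g not in self.nat_xlates.values()]
        if free:
            self.nat_xlates[inside_ip] = free[0]
            return free[0], inside_port
        if self.pat_addr is None or self.next_pat_port > self.PAT_PORT_HIGH:
            return None                                      # exhausted: the symptom in the question
        key = (inside_ip, inside_port)
        if key not in self.pat_xlates:                       # PAT is per flow, not per host
            self.pat_xlates[key] = (self.pat_addr, self.next_pat_port)
            self.next_pat_port += 1
        return self.pat_xlates[key]

    def show_xlate(self):
        """Slot listing in the spirit of `show xlate`."""
        lines = [f"Global {g} Local {l}" for l, g in self.nat_xlates.items()]
        lines += [f"PAT Global {g}({gp}) Local {l}({lp})"
                  for (l, lp), (g, gp) in self.pat_xlates.items()]
        return lines

    def clear_xlate(self):
        """`clear xlate`: drop every slot (connections riding on them die); return the count."""
        n = len(self.nat_xlates) + len(self.pat_xlates)
        self.nat_xlates.clear()
        self.pat_xlates.clear()
        self.next_pat_port = self.PAT_PORT_LOW
        return n


def demo(global_lines, host_count=25):
    """Let host_count inside hosts (constructed 172.18.1.x) each open one flow; return (served, refused)."""
    table = XlateTable(global_lines)
    served = refused = 0
    for i in range(1, host_count + 1):
        if table.translate(f"172.18.1.{i}", 40000 + i) is None:
            refused += 1
        else:
            served += 1
    return served, refused


POSTED = ["global (outside) 1 61.172.253.99-61.172.253.117"]
SUGGESTED = ["global (outside) 1 61.172.253.99-61.172.253.116",
             "global (outside) 1 61.172.253.117"]

if __name__ == "__main__":
    print(len(parse_global(POSTED[0])[1]), "addresses in the posted pool")
    print("posted config    (served, refused):", demo(POSTED))
    print("suggested config (served, refused):", demo(SUGGESTED))
```

Running it shows the posted range holds 19 addresses, so from the 20th concurrent host onwards nobody gets a slot, while the split range plus a single PAT address serves all 25 constructed hosts. `clear_xlate()` models why `clear xlate` is disruptive: every slot, and any connection riding on it, disappears at once.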