Cisco Support Community

Connectivity problem through the PIX 501. No new translations are permitted.

Core issue

With a 10- or 50-user license, the PIX will not allow new connections to the Internet.

Resolution

The workaround is to issue the clear local-host command, which clears the licenses and allows new connections.

Possible solutions are discussed below.

  1. Check Network Address Translation (NAT) configurations to be sure you are not running out of global addresses. If you do not have Port Address Translation (PAT) configured, you could try configuring PAT so that the PIX will use the PAT address for further translations when the global addresses in the NAT pool run out.

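    A PAT example is shown below. The NAT ID (1 here, an example value) must match the ID of the nat statement that covers the inside hosts.

    global (outside) 1 interface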

  2. Check how many users are making connections through the PIX. If the number of connections exceeds your license, then you will need to upgrade to a 50-user license or upgrade to another platform.

    The example below shows how to see how many local-hosts you have.

    show local-host
    local host: <10.1.1.15>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0
        Xlate(s):
            PAT Global 192.150.49.1(1024) Local 10.1.1.15(516)
            PAT Global 192.150.49.1(0) Local 10.1.1.15 ICMP id 340
            PAT Global 192.150.49.1(1024) Local 10.1.1.15(1028)
        Conn(s):
            TCP out 192.150.49.10:23 in 10.1.1.15:1026 idle 0:00:25
                      Bytes 1774 flags UIO
            UDP out 192.150.49.10:31649 in 10.1.1.15:1028 idle 0:00:17
                      flags D-
    local host: <10.1.1.17>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0
        Xlate(s):
            PAT Global 192.150.49.1(1025) Local 10.1.1.17(516)
            PAT Global 192.150.49.1(0) Local 10.1.1.17 ICMP id 340
            PAT Global 192.150.49.1(1025) Local 10.1.1.17(1028)
        Conn(s):
            TCP out 192.150.49.10:23 in 10.1.1.17:1027 idle 0:00:25
                      Bytes 1774 flags UIO
            UDP out 192.150.49.10:31649 in 10.1.1.17:1029 idle 0:00:17
                      flags D-
  3. If the above solutions do not work, then you may be running into Bug ID CSCdw25026. This bug is fixed in 6.1(4) code.
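
For the check in step 2, the following added example (not part of the original Cisco document) counts the local hosts in captured show local-host output and compares the count with the user license. The function names, the report fields and the embedded sample (trimmed from the output above) are assumptions of this example.

```python
import re

# Header line of each entry in "show local-host" output, e.g.
#   local host: <10.1.1.15>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0
# An optional "_" after "<" is tolerated because some captures contain it.
HOST_RE = re.compile(
    r"local host:\s*<_?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})>,\s*"
    r"conn\(s\)/limit\s*=\s*(?P<conns>\d+)/\d+"
)

# Constructed sample, trimmed from the output shown in step 2.
SAMPLE = """\
local host: <10.1.1.15>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0
    Xlate(s):
        PAT Global 192.150.49.1(1024) Local 10.1.1.15(516)
    Conn(s):
        TCP out 192.150.49.10:23 in 10.1.1.15:1026 idle 0:00:25
local host: <_10.1.1.17>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0
    Conn(s):
        TCP out 192.150.49.10:23 in 10.1.1.17:1027 idle 0:00:25
"""


def parse_local_hosts(output):
    """Return {ip: active_connection_count} for every local host listed."""
    hosts = {}
    for line in output.splitlines():
        match = HOST_RE.search(line)
        if match:
            hosts[match.group("ip")] = int(match.group("conns"))
    return hosts


def license_report(output, license_limit):
    """Compare the number of local hosts with a 10- or 50-user license."""
    hosts = parse_local_hosts(output)
    # Hosts holding the most connections first, ties broken by address.
    busiest = sorted(hosts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {
        "hosts": len(hosts),
        "limit": license_limit,
        "remaining": max(license_limit - len(hosts), 0),
        "at_limit": len(hosts) >= license_limit,
        "busiest": busiest[:5],
    }


if __name__ == "__main__":
    print(license_report(SAMPLE, license_limit=10))
```
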