I have a PIX 515E (6.3). We have a proxy in the LAN which is behind the PIX. Users should access the internet only via the proxy, so we have done NATing on the PIX for the proxy and only the proxy IP address is allowed to access the internet. The config is as follows:
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq https
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq www
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq domain
access-list FOR_PROXY permit udp host 172.18.1.38 any eq domain
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq ftp-data
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq ftp
nat (inside) 1 access-list FOR_PROXY 0 0
The issue is that sometimes users are not able to access the internet via URL. I mean internet sites would open with the IP address but not with the DNS name.
If I do 'clear xlate' then it seems to be fine for a few minutes, but this issue happens continuously, randomly 3-4 times a week, and sometimes even clearing the NAT entries won't help and I have no choice but to reboot the PIX.
Interestingly, when the issue occurs only DNS is not working. Can anybody guide me on how to fix this, or is it a bug in the 6.3 PIX OS? Is it related to the embryonic connections value? Please help me.
When the problem is experienced by users, does DNS work on the proxy?
Check this to isolate whether this is a PIX or a proxy issue.
I presume the hosts get DNS from the proxy.
User PCs are not using any DNS, but the proxy has a DNS entry that is an external DNS (ISP-provided DNS).
When users are experiencing this problem, at the same time DNS also doesn't work on the proxy, as the proxy IP is NATed on the PIX, but in any case it works only after clearing xlate or rebooting the PIX.
Have you changed the embryonic value from the default (as you suspect this as the problem)? Also, what version are you running specifically? 6.3.5?
I have PIX Version 6.3(3).
Can you please guide me on how to change the default value for embryonic connections? What's the default value, and should the value be increased or decreased? What is the command to do this?
Thanks in advance.
In PIX 6.x you can do this at the end of the static or nat commands. But there is very little chance that this is causing any issues; the default is good enough!
I would recommend upgrading your PIX to the latest version in your train, 6.3(X).
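For readers following the exchange above, here is an added illustration of where those limits sit in the PIX 6.x nat command; it is not part of the thread and not the poster's running config. On PIX 6.3 the connection limits are positional arguments after the access-list name, so the two trailing zeros in the poster's own `nat (inside) 1 access-list FOR_PROXY 0 0` are max_conns and emb_limit, and 0 means no limit. The emb_limit is the half-open (SYN) connection guard for the translated host; the numeric values below are hypothetical placeholders to show the positions, not a recommendation.

```cisco
! Added example, not the poster's running config.
! PIX 6.3 positional syntax (0 = no limit):
!   nat (inside) <id> access-list <acl> [max_conns [emb_limit]]
!
! The thread's line sets no connection or embryonic limit:
nat (inside) 1 access-list FOR_PROXY 0 0
!
! Hypothetical values only, to show where limits go (replaces the
! line above; cap at 1000 concurrent and 100 half-open connections):
nat (inside) 1 access-list FOR_PROXY 1000 100
!
! Checks worth taking before resorting to 'clear xlate' or a reboot:
! the translation slot for the proxy and its active connections.
show xlate
show conn
```

Capturing `show xlate` and `show conn` output while the DNS failure is occurring (rather than after clearing) is what lets you tell a stale or exhausted translation from a proxy-side DNS problem.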
Thank you so much for your suggestion. But is this being caused by the PIX OS version, and will upgrading to the new IOS fix this issue?
Is there another way to overcome this issue without upgrading the PIX IOS?
Once again, thanks for your suggestions.
Since what you are trying to do is something pretty basic, I suggested the OS upgrade. These kinds of things should work on the firewall straight away; if they don't, it's usually a bug. (Especially since the DNS server belongs to the ISP, so not much help there.)
What stops you from the software upgrade?
How can you determine that upgrade will fix the
There are policies in an enterprise environment that will not allow an upgrade unless the code is tested for that particular environment and it is stable.
What happens if the issue still persists after the upgrade? Another upgrade?
Nobody 'determined' anything :) Look up the word in a dictionary, mate.
I have also faced the exact same issue on an ED 7.x release at a real-life customer, not in a video game.
Be careful when you upgrade with 7.x code.
These are E.D. code so use them at your own
One time I upgraded from version 7.2 to 7.2.2(22) and after the upgrade "show run + q" rebooted a production box.
I am very skeptical every time an upgrade is mentioned.
Only you know your environment better than