
Cisco PIX 501 Firewall won't forget users


wgcs

Programmer
Mar 31, 2002
2,056
EC
I have a Cisco PIX 501 Firewall with 10-user license... on our network, there are 25 machines, and about 5 users who move among the machines. It seems that the 501 "memorized" the first 10 IP addresses that used it.

Since we use DHCP on the network, (but the PDC is the DHCP server, not the PIX), it seems that only about 3 of the computers on the network are still using the same IP... anyway only those 3 can still get through the Firewall. All other users just don't get their packets forwarded through it.

So, any suggestions?

How would I clear it so that I can specify which 10 computers can use it?

How do I specify which 10 computers can use it?
 
Hi.

What is the PIX OS version?
Version 6.21 and above fixes some problems like you describe, so if you have version 6.1x it's a good idea to open a TAC case or contact your Cisco dealer asking for an upgrade to fix the problem.

You can issue these commands at the PIX to get more info about current "active" IP addresses:

show xlate
show conn

You can clear the table using the command:

clear xlate

Or by simply rebooting the PIX.

Search this forum - similar issues were discussed before and you may find more info from others.

Bye
Yizhar Hurwitz
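A small helper, added here and not part of the thread, for the diagnosis step above: it parses "show xlate" output (the "Global ... Local ..." and "PAT Global ... Local ..." line shapes are assumed from PIX 6.x; the sample below is constructed, not a real capture) and counts the distinct inside hosts holding translations against the PIX 501's 10-user license, so you can see which machines are occupying slots before deciding on "clear xlate".

```python
import re
from collections import Counter

# Constructed sample of "show xlate" output in the PIX 6.x style (not a real capture).
SAMPLE_XLATE = """\
4 in use, 11 most used
Global 203.0.113.10 Local 172.16.8.11
PAT Global 203.0.113.10(1024) Local 172.16.8.12(3456)
PAT Global 203.0.113.10(1025) Local 172.16.8.12(3457)
PAT Global 203.0.113.10(1026) Local 172.16.8.13(1100)
"""

LICENSE_LIMIT = 10  # PIX 501 10-user license, as in the thread

# "Local <ip>" appears in both static and PAT xlate lines; the PAT port suffix is ignored.
_LOCAL_RE = re.compile(r"\bLocal\s+(\d{1,3}(?:\.\d{1,3}){3})")
_IN_USE_RE = re.compile(r"(\d+)\s+in use,\s+(\d+)\s+most used")


def parse_xlate(text):
    """Return (in_use, most_used, Counter of translations per inside host)."""
    in_use = most_used = None
    hosts = Counter()
    for line in text.splitlines():
        m = _IN_USE_RE.search(line)
        if m:
            in_use, most_used = int(m.group(1)), int(m.group(2))
            continue
        m = _LOCAL_RE.search(line)
        if m:
            hosts[m.group(1)] += 1
    return in_use, most_used, hosts


def license_report(text, limit=LICENSE_LIMIT):
    """Summarise how many distinct inside hosts hold translations versus the license limit."""
    in_use, most_used, hosts = parse_xlate(text)
    distinct = len(hosts)
    return {
        "translations_in_use": in_use,
        "translations_most_used": most_used,
        "distinct_inside_hosts": distinct,
        "slots_remaining": max(limit - distinct, 0),
        "at_limit": distinct >= limit,
        # Hosts ordered by how many translations they hold, busiest first.
        "hosts": [ip for ip, _ in hosts.most_common()],
    }
```

The xlate table is only a proxy for the license's host count, so treat the report as a hint about which machines are active, not as the firewall's own license accounting.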
 
Thanks Yizhar,

I'm not on-site right now, so I can't check if there was a minor revision number, but the PIX OS is 6.1-something. We will see if upgrading the OS helps things any...

We did find that some of our machines were having problems because we included our internal DNS server as the primary DNS. We're not sure yet why that DNS server isn't working, but taking it out enables DNS resolution on most of the machines.

Changing the NAT commands to "NAT 1 0 0" from being more address specific, i.e. (this is from memory... probably not exactly what we had):
NAT (inside,outside) 172.xxx.xxx.0 255.255.255.255 0 0
NAT (inside,outside) 172.xxx.xxx.0 255.255.248.0 0 0

This seemed to get the remaining computers working that before were not even able to PING the external DNS servers.

Still, the OS upgrade seems like a good idea!

Thanks for the SHOW XLATE command... I'm sure that will help with our diagnosis, too!
 