Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

cl xlate 1

Status
Not open for further replies.
shazzzzam

shazzzzam

MIS
Aug 19, 2005
27
0
0
US
I get this everyday. A user tells me they can not browse the internet, after I clear the xlate in the pix they can. Any idea what I need to do to resolve this issue?

Thanks,
Tony
 
Sort by date Sort by votes
What's you licensing?
The PIX will not allow more device connections than the license.

What's ADD again?
 
Upvote 0 Downvote
We have 90 nodes the license is for 128

sh ver
Cisco Secure PIX Firewall Version 5.1(5)
Compiled on Fri 22-Jun-01 20:15 by morlee
Finesse Bios V3.3
PIX520UR up 15 days 5 hours
Hardware: AL440LX, 128 MB RAM, CPU Pentium II 233 MHz
Flash AT29C040A @ 0x300, 2MB
BIOS Flash AM28F256 @ 0xfffd8000, 32KB
0: ethernet0: address is 0002.b363.d76c, irq 9
1: ethernet1: address is 0002.b363.c876, irq 10
2: ethernet2: address is 0002.b363.c427, irq 7
3: ethernet3: address is 0002.b363.d768, irq 11
Licensed connections: 128
 
Upvote 0 Downvote
That's weird...

Have you tried reducing the timeout on the xlate?
That's only a work around though.

Anyone else have any ideas?

What's ADD again?
 
Upvote 0 Downvote
Here is our conf:



PIX Version 5.1(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
nameif ethernet3 pix/intf3 security15
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sqlnet 1433
no names
pager lines 999
no logging on
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu pix/intf3 1500
ip address outside
ip address inside
ip address dmz
ip address pix/intf3
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address pix/intf3 0.0.0.0
arp timeout 14400
global (outside) 2
global (outside) 1
global (outside) 1
global (dmz) 1
nat (inside) 1
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (inside,outside)
static (inside,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (dmz,outside)
static (inside,dmz)
static (inside,dmz)
static (inside,outside)
static (inside,outside)
static (inside,dmz)
static (inside,outside)
conduit permit tcp host eq domain any
conduit permit udp host eq domain any
conduit permit tcp host eq smtp any
conduit permit tcp host eq smtp any
conduit permit tcp host eq pop3 any
conduit permit tcp host eq 1723 any
conduit permit gre host any
conduit permit gre host any
conduit permit tcp host 1723 any
conduit permit tcp host 1433 any
conduit permit tcp host eq 1433 any
conduit permit tcp host eq conduit permit tcp host eq conduit permit tcp host eq 1434 any
conduit permit tcp host eq ftp any
conduit permit tcp host eq ftp any
conduit permit tcp host eq conduit permit tcp host eq 139 any
conduit permit tcp host eq 1024 any
conduit permit tcp host eq 65535 any
conduit permit tcp host eq conduit permit tcp host eq 443 any
conduit permit tcp host eq 9443 any
conduit permit tcp host eq 9080 any
conduit permit tcp host eq conduit permit tcp host eq 443 any
conduit permit tcp host eq conduit permit tcp host eq conduit permit tcp host eq 443 any
conduit permit tcp host eq conduit permit tcp host eq 443 any
conduit permit tcp host eq conduit permit tcp host eq 443 any
conduit permit tcp host eq conduit permit tcp host eq ftp any
conduit permit tcp host eq 443 any
conduit permit tcp host eq conduit permit tcp host eq ftp any
conduit permit tcp host eq 443 any
conduit permit tcp host eq conduit permit tcp host eq conduit permit tcp host eq 443 any
conduit permit tcp host eq conduit permit tcp host eq conduit permit tcp host eq ftp any
conduit permit tcp host eq conduit permit tcp host eq ftp any
conduit permit tcp host eq conduit permit tcp host eq 143 any
conduit permit tcp host eq domain any
conduit permit tcp host eq domain any
conduit permit udp host eq domain any
conduit permit udp host eq domain any
conduit permit tcp host any
conduit permit tcp host any
conduit permit tcp host eq conduit permit tcp host eq conduit permit tcp host eq conduit permit tcp host eq conduit permit tcp host eq 443 any
conduit permit tcp host eq conduit permit tcp host eq 443 any
conduit permit tcp host eq conduit permit tcp host eq ftp any
conduit permit tcp host eq domain any
conduit permit udp host eq domain any
conduit permit tcp host
route outside
route inside
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet timeout 5
terminal width 80



Thanks
 
Upvote 0 Downvote
First off, your configuration looks bizzar. Secondly, about the need to clear xlate, have you issued the "show conn" when you're unable to access the internet (post the content of show conn when you do).
 
Upvote 0 Downvote
I think I see the problem...

Unless you doing 1 to 1 natting, I think you are running out of IP addresses when your machine are trying to get out on the internet.

Try this...

take out your old global and nat commands..

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
clear xlate

see if that helps
 
Upvote 0 Downvote
global (outside) 2 12.145.141.4-12.145.141.64

global (outside) 1 12.145.141.65-12.145.141.125

global (outside) 1 12.145.141.126

global (dmz) 1 192.168.1.240-192.168.1.250

nat (inside) 1 192.168.0.0 255.255.255.0 0 0


This is how it is setup right now so if I change it to this conf think it should work


global (outside) 1 12.145.141.4-12.145.141.125 netmask 255.255.255.128

global (outside) 1 12.145.141.126

global (dmz) 1 192.168.1.240-192.168.1.250

nat (inside) 1 192.168.0.0 255.255.255.0 0 0
 
Upvote 0 Downvote
This is our existing config

global (outside) 2 12.145.141.4-12.145.141.64

global (outside) 1 12.145.141.65-12.145.141.125

global (outside) 1 12.145.141.126

global (dmz) 1 192.168.1.240-192.168.1.250

nat (inside) 1 192.168.0.0 255.255.255.0 0 0


Now if I change it to this conf think it should work?


global (outside) 1 12.145.141.4-12.145.141.125 netmask 255.255.255.128

global (outside) 1 12.145.141.126

global (dmz) 1 192.168.1.240-192.168.1.250

nat (inside) 1 192.168.0.0 255.255.255.0 0 0

Or should I try

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
clear xlate

 
Upvote 0 Downvote
Shazaam-

If you change your config to the second config, that should work. Because it is saying, use your pool of 121 addresses, then when you run out, the port map the remaining connections.

Of course if that doesn't work, then you can use what I suggested.

Frank
 
Upvote 0 Downvote
Thanks Frank you have been a great help.

I know a little bit about these pixes however as you can tell not an expert yet.

Thanks again
 
Upvote 0 Downvote
Frank,

Is there anyway I an send you our config. Really don't want to post it all over the internet.

We resently purchased a PIX 515E with the latest IOS and I have finished the config. would it be too much to ask if you can have a look at both configs the old and the new.

Thanks,
Tony
 
Upvote 0 Downvote
Tony-

Yeah send it to my gmail account.

larcen22@gmail.com.

I can look over it.

Frank-
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Russtoleum
  • Locked
  • Question
Windows client can't connect to sonicwall l2tp server
Replies
0
Views
47
Russtoleum
Russtoleum
pbxnkey
  • Locked
  • Question
Cisco ASA VPN using Windows Client-Error 691
Replies
1
Views
53
pbxnkey
pbxnkey
plim81
  • Locked
  • Question
Win 7 - Sonicwall Client - Received invalid ID information notify
Replies
1
Views
69
joepc
joepc
ProXXio
  • Locked
  • Question
Deny inbound (No xlate) icmp src
Replies
3
Views
31
unclerico
unclerico
lovedeep
  • Locked
  • Question
WatchGuard X750e Active/Active cluster
Replies
0
Views
32
lovedeep
lovedeep

Part and Inventory Search

Sponsor

Back
Top