PIX 515 problem

jrl237

IS-IT--Management
Jan 29, 2002
61
US
I have recently inherited responsibility for a PIX 515 firewall, and I know very little about it, so any help will be greatly appreciated.

Here's the problem: the PIX is configured as our default gateway on our LAN. We have about 100 stations. Traffic is fairly light, especially outside (to the internet.)

Occasionally, stations will lose the ability to access the internet. It is not always the same stations, but seems to be random, or possibly related to the order in which they logged in (later stations having more problems.) Resetting the PIX (telnetting to it and doing a reload) fixes the problem, or at least moves it to other stations.

It appears to me that we are reaching some limit, after which new stations are refused passage out through the PIX. Problem is, I don't know where to even start looking.

If someone could tell me what is going on, or point me in the right direction, I would really appreciate it.

Thanks,

JRL
 
It sounds like you are reaching a limit on your global pool of outside addresses, i.e. if this is the case you probably haven't got an address specified for PAT.

You should have something in your config like this:

global (outside) 1 XXX.XXX.XXX.10-XXX.XXX.XXX.20 netmask XXX.XXX.XXX.XXX
global (outside) 1 XXX.XXX.XXX.21 netmask XXX.XXX.XXX.XXX

Basically what the above means is that the first 10 clients that use the outside of the pix will pick up IP addresses of XXX.XXX.XXX.10 to .20, then after they have all gone every client that goes outside picks up .21 and the PIX uses PAT.

When you specify a PAT make sure it's in the range your ISP assigned to you.

Hope this helps solve your problem.

 
Thank you so much for your quick reply. I have modified the PIX configuration, and added an address for PAT. Hopefully this will solve the problem.

Thanks again,

JRL
 
HI.

Here are some additions:

* If you are using NAT and PAT, the PAT address should be the lowest. For example:

global 1 x.x.x.102-x.x.x.150
global 1 x.x.x.101

If you do it the other way, only the PAT address will be used - while it is not a big problem, it is not what you're expecting.


* Use the following commands at the pix for info:

show xlate
show conn


* Use syslog messages. You can use a syslog server, but here I will show you the very basic use of the internal buffer:

logging on
logging buffer 4
show log

When you have a problem or just as a regular procedure, you should issue the "show log" and "show conn" commands to see what's up.

Bye
Yizhar Hurwitz
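The two replies above both turn on the same question: does the `global` pool for a NAT id have enough one-to-one addresses for the number of inside hosts, and is there a PAT address to fall back on once it is exhausted? The following audit script is an added example, not part of the thread and not Cisco's tooling; it parses `global` lines from a saved PIX config and reports pool capacity, PAT presence, and any pool address that falls outside the block the ISP assigned. The sample configs and the ISP block (203.0.113.0/24) are constructed documentation values.

```python
import ipaddress
import re

# Matches PIX lines such as "global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0";
# the interface and the trailing netmask are optional so shorthand like "global 1 x.x.x.101" also parses.
GLOBAL_RE = re.compile(
    r"^\s*global\s+(?:\((?P<intf>\w+)\)\s+)?(?P<id>\d+)\s+"
    r"(?P<start>\d{1,3}(?:\.\d{1,3}){3})(?:-(?P<end>\d{1,3}(?:\.\d{1,3}){3}))?"
)

# Constructed sample configs using documentation addresses (not the thread's real values).
CONFIG_NAT_ONLY = "global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0\n"
CONFIG_WITH_PAT = CONFIG_NAT_ONLY + "global (outside) 1 203.0.113.21 netmask 255.255.255.0\n"


def parse_globals(config):
    """Return (interface, nat_id, first_ip, last_ip) for every 'global' line in the config."""
    pools = []
    for line in config.splitlines():
        m = GLOBAL_RE.match(line)
        if m:
            start = ipaddress.IPv4Address(m["start"])
            end = ipaddress.IPv4Address(m["end"]) if m["end"] else start
            pools.append((m["intf"], int(m["id"]), start, end))
    return pools


def audit_global_pools(config, isp_block, stations, nat_id=1):
    """Check one NAT id's global pool for the failure modes raised in the thread.

    isp_block: prefix the ISP assigned (an assumed input, e.g. "203.0.113.0/24").
    stations:  inside hosts that may hold a translation at the same time.
    """
    isp = ipaddress.IPv4Network(isp_block)
    pools = [p for p in parse_globals(config) if p[1] == nat_id]
    # A range gives one outside address per client; a single address is a PAT address.
    nat_capacity = sum(int(end) - int(start) + 1 for _, _, start, end in pools if start != end)
    pat_addrs = [str(start) for _, _, start, end in pools if start == end]
    not_in_isp = sorted({str(ip) for _, _, s, e in pools for ip in (s, e) if ip not in isp})
    return {
        "nat_capacity": nat_capacity,
        "pat_addresses": pat_addrs,
        # Without PAT, once every pool address is in use the next client gets no translation.
        "pool_exhaustible": not pat_addrs and stations > nat_capacity,
        "addresses_outside_isp_block": not_in_isp,
    }


if __name__ == "__main__":
    for name, cfg in (("nat only", CONFIG_NAT_ONLY), ("nat + pat", CONFIG_WITH_PAT)):
        print(name, audit_global_pools(cfg, "203.0.113.0/24", stations=100))
```

Run it against the output of `show running-config` saved to a file; a `pool_exhaustible` result with roughly 100 stations matches the symptom described at the top of the thread, and `addresses_outside_isp_block` catches a PAT address typed outside the ISP's range.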
 
Thanks, Yizhar, I'll give that a try.
 