525 Pix is not roaming global ranges


Post by Toni P » Fri, 12 May 2006 06:16:44



Greetings,

We have a Cisco Pix (525) that requires doing a clear xlate command
about once daily when people randomly do not have access to outside
websites.

If I do a sho xlate after it clears, we are not roaming to a good
portion of the range we have.

Any ideas as to what is causing this?  The config is right and there
are no virus issues. Let me know what you might think is causing this.

Thanks much,

Toni

 
 
 


Post by Walter Robers » Fri, 12 May 2006 07:38:18




>We have a Cisco Pix (525) that requires doing a clear xlate command
>about once daily when people randomly do not have access to outside
>websites.
>If I do a sho xlate after it clears, we are not roaming to a good
>portion of the range we have.

I gather that you imply that you have a global (outside) IP range
but no global (outside) PAT, and that you are finding that even
though your outside IP range is not being fully used, that you
are running out of connection IPs.

If that's the case, it would be interesting to see the syslog
messages. Also, I would cross-check to see whether the global IP
range overlaps with one of the statics -- that's unsupported
except if the static is a PAT.

 
 
 


Post by Toni P » Sat, 13 May 2006 02:48:30


FYI:

523 for the OS
xlate is set at 5 seconds currently.  We have had it 3 hours and 30
minutes as well and have had this problem at both.
Here's more information:
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sho global
global (outside) 1 134.241.46.1-134.241.46.254
global (outside) 1 134.241.84.1-134.241.84.254
global (outside) 1 134.241.171.1-134.241.171.254
global (outside) 1 134.241.159.85-134.241.159.240

Hopefully this helps.

Thanks, Toni P.
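
The cross-check suggested earlier in the thread (does a global range overlap a non-PAT static?) can be scripted against a saved config. This is an added example, not code from the thread: the four global lines are the ones posted above, the three static lines are hypothetical, and the PIX 6.x `static (real_if,mapped_if) ...` line layout is assumed.

```python
import ipaddress

# Constructed sample: the four global lines are from the thread; the three
# static lines are hypothetical, since the thread does not show any statics.
SAMPLE_CONFIG = """\
global (outside) 1 134.241.46.1-134.241.46.254
global (outside) 1 134.241.84.1-134.241.84.254
global (outside) 1 134.241.171.1-134.241.171.254
global (outside) 1 134.241.159.85-134.241.159.240
static (inside,outside) 134.241.84.20 10.1.1.20 netmask 255.255.255.255 0 0
static (inside,outside) tcp 134.241.46.10 www 10.1.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) 134.241.159.80 10.1.2.80 netmask 255.255.255.240 0 0
"""

def parse(config):
    """Return pools as (iface, low, high) and statics as (iface, low, high, is_pat)."""
    pools, statics = [], []
    for line in config.splitlines():
        tok = line.split()
        try:
            if tok[:1] == ["global"]:
                lo, _, hi = tok[3].partition("-")
                pools.append((tok[1].strip("()"), ipaddress.ip_address(lo),
                              ipaddress.ip_address(hi or lo)))
            elif tok[:1] == ["static"]:
                is_pat = tok[2] in ("tcp", "udp")      # port redirection form
                gip = tok[3] if is_pat else tok[2]
                mask = tok[tok.index("netmask") + 1]
                net = ipaddress.ip_network(f"{gip}/{mask}", strict=False)
                iface = tok[1].strip("()").split(",")[1]
                statics.append((iface, net[0], net[-1], is_pat))
        except (ValueError, IndexError):
            continue  # e.g. the "interface" keyword in place of an address
    return pools, statics

def overlapping_statics(config):
    """Non-PAT statics whose global addresses fall inside a global pool."""
    pools, statics = parse(config)
    return [(str(s_lo), str(s_hi), f"{p_lo}-{p_hi}")
            for s_if, s_lo, s_hi, is_pat in statics if not is_pat
            for p_if, p_lo, p_hi in pools
            if s_if == p_if and s_lo <= p_hi and p_lo <= s_hi]

def pool_capacity(config):
    """Number of addresses available for dynamic one-to-one translation."""
    return sum(int(hi) - int(lo) + 1 for _, lo, hi in parse(config)[0])

if __name__ == "__main__":
    for lo, hi, pool in overlapping_statics(SAMPLE_CONFIG):
        print(f"static {lo}-{hi} overlaps global pool {pool}")
    print("dynamic pool addresses:", pool_capacity(SAMPLE_CONFIG))
```

With no PAT global configured, the capacity figure is also the ceiling on simultaneous inside hosts that can hold a translation, which is worth comparing against the `sho xlate` count when the failures occur.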

 
 
 

1. multiple global pools PIX 525

Hoping someone can double check my config here.

I have multiple internal IPs and 2 external Class C's. I need to have
all but one internal range use one Class C while the one uses another.
Here's what I am thinking will work:

access-list natalltherest_inside deny ip 10.13.0.0 255.255.0.0 any
access-list natalltherest_inside permit ip any any
access-list nat13_inside permit ip 10.13.0.0 255.255.0.0 any
access-list nat13_inside deny ip any any

global (outside) 1 xx.xx.x3.11-xx.xx.x3.253 netmask 255.255.255.0
global (outside) 1 xx.xx.x3.254 netmask 255.255.255.0
global (outside) 2 xx.xx.x2.11-xx.xx.x2.253 netmask 255.255.255.0
global (outside) 2 xx.xx.x2.254 netmask 255.255.255.0
nat (inside) 1 access-list natalltherest_inside
nat (inside) 2 access-list nat13_inside

If I am making life difficult for me and there is an easier way please
let me know as I am always willing to learn

Thanks in advance.
