Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
424
Views
0
Helpful
1
Replies

need help understanding pix

vikrantarora
Level 1
Level 1

‎02-26-2003 03:58 PM - edited ‎02-20-2020 10:35 PM

i need to undersatnd the logic for the following:

PART 1

i have a total of 6 interfaces on my pix. 3 are configures (in, out n dmz) with valid ip addresses, the other 3 are configured as follows:

ip address statefailover:5 1.1.1.1 255.255.255.0

ip address none2 2.2.2.2 255.255.255.0

ip address statefailover 3.3.3.1 255.255.255.0

Why do we have these 3 and 2 statefailover interfaces?

PART 2

What exactly is a xlate slot and why do we need to free it using timeout command?

PART 3

Duration before authentication and authorization cache times out and user has to re authenticate next connection. This duration must be shorter than the xlate values. Set to 0 to disable caching. Do not set to zero if passive FTP is used on the connections.Why?

PART4

I have vpn configured , but I want to know if I need a VPN concentrator to terminate IP sec lines from clients, how do I find out if I already have one?

and what address should the vpn clients dial?

0 Helpful
1 Reply 1

smalkeric
Level 6
Level 6

‎03-04-2003 01:41 PM

1.A crossover cable is used to connect the statefailover interfaces .

ip address statefailover

failover ip address statefailover

failover link statefailover

are the commands used.

You could refer to http://www.cisco.com/warp/public/110/failover.html

2.Translation slots can persist after key changes have been made. The slot contains the translations that have been made , and inorder to release the Global IPs back to the pool, the clear xlate command has to be used.

clear xlate command can be used to clear single IP address or interface also. Another option would be to save the configuration and reboot the PIX.

Always use clear xlate or reload after adding, changing, or removing alias, conduit, global, nat, route, or static commands in your configuration.

3.The absolute timer must be shorter than the xlate timer; otherwise, a user could be reprompted after their session already ended.

The timeout command sets the idle time for connection, translation UDP, RPC, and H.323 slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence. Do not use timeout uauth 0:0:0 if passive FTP for the connection, or if the virtual command is used for Web authentication.

4. The VPN clients need not necessarily terminate the IPsec lines on the Concentrator. A PIX firewall would suffice. The following is a configuration example.Check it.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card