12-14-2005 08:33 AM - edited 02-21-2020 12:35 AM
Have a 501 set up for a client. All works well for a few minutes and then the PCs cannot get out of the firewall. Looks like the NAT works fine but the PAT does not kick in.
That part of the config I got from a cisco example.
Can somebody help me out?
Thanks,
Fred
12-14-2005 12:22 PM
The config you have posted is from a very old configuration example. When NAT and PAT are configured, NAT has priority over PAT, meaning that PAT won't get used until the address pool for NAT is fully utilized. For regular users (non-server traffic) I usually configure just PAT.
I usually configure it this way:
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
This does PAT for all of your inside users to the PIX's outside IP address - saves address space.
To convert, do the following:
no global (outside) 1 xxx.xxx.231.115-xxx.xxx.231.125 netmask 255.255.255.240
no global (outside) 1 xxx.xxx.231.126 netmask 255.255.255.240
global (outside) 1 interface
clear xlate
-Mark
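To make the allocation order Mark describes concrete, here is a small Python model (added here as an illustration; it is not code from the thread or from Cisco) of how one global id hands out translations: the 1:1 NAT pool is consumed first, PAT is only used once that pool is full, and a pool with no PAT fallback leaves later hosts with no translation until an idle xlate times out or `clear xlate` is run. The 203.0.113.x addresses stand in for the xxx.xxx.231.x values in the thread, the 3-hour timeout is the PIX default `timeout xlate 3:00:00`, and the user-licence limit discussed later in the thread is deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def expand_range(spec: str) -> List[str]:
    """Expand 'a.b.c.d-a.b.c.e' (the form used in a PIX global pool) into addresses."""
    if "-" not in spec:
        return [spec]
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in spec.split("-"))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


@dataclass
class GlobalPolicy:
    """Everything configured under one global id, e.g. 'global (outside) 1 ...'."""
    nat_pool: List[str]        # 1:1 dynamic NAT addresses, tried first
    pat_addr: Optional[str]    # single PAT address (or the interface), used when the pool is full


class XlateTable:
    """Simplified model of the PIX translation table for one global id (constructed)."""

    def __init__(self, policy: GlobalPolicy, timeout: int = 3 * 3600):
        self.policy = policy
        self.timeout = timeout      # idle seconds before a dynamic xlate is torn down
        self.xlates = {}            # inside_ip -> [global_ip, kind, last_used]

    def _expire(self, now: int) -> None:
        self.xlates = {k: v for k, v in self.xlates.items() if now - v[2] <= self.timeout}

    def translate(self, inside_ip: str, now: int = 0):
        """Return (global_ip, kind) for an outbound flow, or None if nothing is free."""
        self._expire(now)
        if inside_ip in self.xlates:            # existing xlate is reused and refreshed
            self.xlates[inside_ip][2] = now
            g, kind, _ = self.xlates[inside_ip]
            return g, kind
        in_use = {v[0] for v in self.xlates.values() if v[1] == "nat"}
        for g in self.policy.nat_pool:          # NAT pool has priority over PAT
            if g not in in_use:
                self.xlates[inside_ip] = [g, "nat", now]
                return g, "nat"
        if self.policy.pat_addr:                # PAT only kicks in once the pool is exhausted
            self.xlates[inside_ip] = [self.policy.pat_addr, "pat", now]
            return self.policy.pat_addr, "pat"
        return None                             # pool full, no PAT fallback: host cannot get out

    def clear_xlate(self) -> None:
        """Equivalent of 'clear xlate': drop every translation so new config takes effect."""
        self.xlates.clear()


def simulate(policy: GlobalPolicy, n_hosts: int, now: int = 0, table: Optional[XlateTable] = None):
    """Translate n_hosts inside hosts (192.168.0.10 upwards) and return each result."""
    if table is None:
        table = XlateTable(policy)
    return [table.translate(f"192.168.0.{10 + i}", now) for i in range(n_hosts)]


# Constructed stand-ins for the xxx.xxx.231.x addresses in the thread (documentation range).
OLD_POLICY = GlobalPolicy(nat_pool=expand_range("203.0.113.115-203.0.113.125"),
                          pat_addr="203.0.113.126")          # 11-address pool plus PAT address
NAT_ONLY = GlobalPolicy(nat_pool=expand_range("203.0.113.115-203.0.113.125"),
                        pat_addr=None)                       # pool with no PAT fallback
PAT_ONLY = GlobalPolicy(nat_pool=[], pat_addr="203.0.113.1")  # 'global (outside) 1 interface'

if __name__ == "__main__":
    for name, pol in [("old", OLD_POLICY), ("nat-only", NAT_ONLY), ("interface PAT", PAT_ONLY)]:
        print(name, [r[1] if r else None for r in simulate(pol, 13)])
```

With 13 hosts the old-style policy gives the first 11 a 1:1 NAT address and the last two PAT; the pool-only policy leaves hosts 12 and 13 with no translation until the 3-hour idle timeout or a `clear xlate`; the interface-PAT policy puts every host behind the single outside address, which is the address-space saving Mark refers to.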
12-14-2005 01:05 PM
Thanks for your reply Mark.
I did read online that just having PAT running might cause memory problems when there are a lot of PAT sessions created (running out of memory).
Granted, this is only an office with <25 PCs; do you think I have to worry about this?
Also, do I want to change the xlate timeout, or leave everything else as default?
Again thanks,
Fred
12-14-2005 01:28 PM
With less than 25 PCs behind the PIX you will not have to worry about memory issues. You might need to watch for licensing issues though. The default 501 license supports 10 users and can be upgraded to support 50 users - still no need to worry about memory.
As far as timers on the PIX, I usually recommend to leave all timers at the default settings unless you are experiencing problems and TAC helps you change them.
-Mark
12-14-2005 01:52 PM
Mark,
I thought the 10 user limit was on the remote VPN connections, is this not correct? Is it concurrent users instead? So I'm not running into a NAT/PAT issue but into a user count issue? If so, will lowering the timer give me a little more breathing room?
12-15-2005 01:34 PM
There are two connection limitations on the PIX 501: 10 users and 4 (I think) VPN connections. Lowering the timer probably will not help unless you make it really low - but even then, you will have users that leave the browser open or whatever eating up a connection. To upgrade the 501 to 50 users it's only a couple hundred dollars and it removes the frustration.