Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1571
Views
0
Helpful
4
Replies

Pix

rtaiwo
Level 1
Level 1

‎11-13-2001 11:58 AM - edited ‎02-20-2020 09:54 PM

Some users can access the internet while some users cannot thru the pix.In the pix we find out that some of these users are having there addresses patted several times,while some users have there connection flagged.For instance we have flag r,flag s flag -.I need some help interpreting these flags and also explain why some users can connect to the internet without any problem.Some users even connect without using the pat address,while some connect using several of the same pat address for every page opened on the internet.We are currently using pix version 4.41.We are also using proxy server and FW-1 for authentication.The pix is behind FW-1

0 Helpful
4 Replies 4

mike
Level 1
Level 1

‎11-13-2001 12:10 PM

Hmm. Sounds like you have quite a bit going on there with fw-1 and the proxy involved. You need to break it down into simpler components.

What PIX hardware are you running? I would upgrade the PIX code if possible.

I would setup the PIX alone, without any other proxy or firewall devices in front or behind it and then test. You may find that users are able to access the internet without issue at that point. Are you patting on the PIX and then on the checkpoint? I have that exact setup in production. No proxy server is involved however.

good luck!

-mike kantowski

0 Helpful

turnbull
Level 1
Level 1

‎11-14-2001 05:48 AM

I agree with Mike and would recommend at the least upgrading to 4.4.8 if not higher.

The main point that concrns me is hosts connecting without using the PAT.

What are they connecting with? Do you have statics for these or only NAT and Global?

0 Helpful

rtaiwo
Level 1
Level 1
In response to turnbull

‎11-14-2001 06:03 AM

We have static translation for some hosts and those we dont have problem with.The only thing that baffles us is that the users are been translated but we are not seing it in the sh xlate local for specific individuals.I also need specific answer to the flags interpretation.Your help will be appreciated

0 Helpful

mike
Level 1
Level 1
In response to rtaiwo

‎11-14-2001 11:48 AM

I would not worry about those flags. They have never helped me diagnose a PIX problem.

Do you have smartnet on your PIX? Calling TAC would be my best advice to you.

You said you don't even see the PIX building translations in the sh xlate for certain machines? That's weird! Seems to me that those machines are not hitting the PIX at all. You mention a lot of HTTP used in your tests. That's TCP and you are more likely to see issues with NAT anyway using that protocol. Use ping. It's simpler for the PIX and FW-1 to deal with.

Sounds like you have issues at hand that are not directly related to the PIX. Are you using Proxy Client on your user's machines? Look very hard at the way your machines are interacting with the proxy. I've seen many many similar problems caused by proxy client :-) good luck.

mike kantowski

ccnp

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card