11-23-2001 04:43 AM - edited 03-08-2019 09:15 PM
Hi,
I think I understand how clear xlate works, i.e. it clears existing translations (and the port connections that rely on these translations).
So here is the question:
If you clear xlate <all> (existing), surely it clears the stateful connections out of and into the PIX.
Won't this cause issues for a user / application that is expecting inbound return traffic? Would the application / IP time out until they reinitiate the connection from the inside?
Part two of the question:
If I reduce the global IP scope, is it not a good idea to clear xlate for only the removed global IPs, not the whole xlate connection database, to ensure I can use that newly freed-up IP for something else?
Thanks,
Regan
11-30-2001 09:48 AM
Never change your global pools until you can reboot the PIX. Clear xlate is not enough, as active connections and waiting connection states are not reliably cleared. After you've modified your global pool, clear everything with a reboot (which takes less than 15 seconds if there's no floppy disk in the drive).
12-02-2001 02:53 AM
Hi Regan,
Yes, clear xlate will clear all the active connections. It happened to me. We are running Cisco Secure ACS for NT for authenticating the dialup users. The NAS (Cisco 7206VXR) is using ACS to authenticate the users. The ACS is on a secured segment and the NAS is on the outside segment. When I changed some access-lists and applied clear xlate, all the authenticated sessions on ACS dropped.
Check out the xlate timer command for some details
Regards,
Zeshan Mansoor Jalali
CCIE(R&S) Written, CCNP,CCDA,Cisco Security Specialist.
12-05-2001 08:49 AM
As for the first, you are right. Connections will certainly be lost until a reinitiation from the inside or outside (in case you allow incoming connections) takes place. This implies that everything depends on the application itself. For example, if a user is making a download at the moment a "cl xl" command is applied, he/she will have the connection dropped. Nevertheless, certain applications are able to establish a new connection transparently to the user.
Reducing the pool of global addresses might work for you, but you should always be aware (in the case of NAT and not PAT) that each global IP maps to a unique local IP; thus, a potential problem occurs in not being able to serve your users with addresses.
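The two parts of the question, and the NAT-versus-PAT point raised in the last reply, can be walked through with a small model of a translation (xlate) table and the connections that ride on it. This is an added illustration, not code from the posts above or from Cisco: the class and method names (`XlateTable`, `clear_xlate_all`, `clear_xlate_global`, `shrink_pool`) are invented, the addresses are constructed documentation ranges, and real PIX behaviour (timers, embryonic connections, port allocation) is simplified away.

```python
"""Toy model of a firewall translation (xlate) table and the stateful
connections that depend on it. Constructed for illustration only; every
name here is invented rather than a real PIX command."""


class PoolExhausted(Exception):
    """Raised when a one-to-one NAT pool has no free global address left."""


class XlateTable:
    def __init__(self, global_pool, pat=False):
        self.configured = list(global_pool)   # the 'global' pool as configured
        self.free = list(global_pool)         # addresses not yet handed out
        self.pat = pat                        # PAT: every local shares one global
        self.xlates = {}                      # local_ip -> global_ip
        self.conns = {}                       # local_ip -> list of remote peers

    def translate(self, local_ip):
        """Return the global address for local_ip, allocating one if needed."""
        if local_ip in self.xlates:
            return self.xlates[local_ip]
        if not self.configured:
            raise PoolExhausted(local_ip)
        if self.pat:
            # PAT overloads one global address; source ports disambiguate,
            # so the pool never runs dry in this model.
            g = self.configured[0]
        else:
            if not self.free:                 # NAT: one global per local
                raise PoolExhausted(local_ip)
            g = self.free.pop(0)
        self.xlates[local_ip] = g
        return g

    def open_conn(self, local_ip, remote):
        """A stateful connection only exists on top of a translation."""
        g = self.translate(local_ip)
        self.conns.setdefault(local_ip, []).append(remote)
        return g

    def active_conns(self):
        return sum(len(v) for v in self.conns.values())

    def _drop(self, local_ip):
        """Remove one translation and every connection that relied on it."""
        dropped = len(self.conns.pop(local_ip, []))
        g = self.xlates.pop(local_ip)
        if not self.pat and g in self.configured and g not in self.free:
            self.free.append(g)               # hand the address back to the pool
        return dropped

    def clear_xlate_all(self):
        """'clear xlate' with no argument: every translation and every
        connection riding on it goes away; hosts must reinitiate."""
        return sum(self._drop(l) for l in list(self.xlates))

    def clear_xlate_global(self, global_ip):
        """Clear only the translations that use one global address."""
        return sum(self._drop(l) for l, g in list(self.xlates.items())
                   if g == global_ip)

    def shrink_pool(self, removed):
        """Take addresses out of the pool. Returns the removed addresses that
        live translations still hold, i.e. the ones to clear selectively."""
        self.configured = [g for g in self.configured if g not in removed]
        self.free = [g for g in self.free if g not in removed]
        return {g for g in self.xlates.values() if g in removed}


def demo():
    """Walk the thread's scenarios with constructed addresses."""
    out = {}
    nat = XlateTable(["203.0.113.1", "203.0.113.2", "203.0.113.3"])
    nat.open_conn("10.0.0.1", "198.51.100.10:80")
    nat.open_conn("10.0.0.1", "198.51.100.11:443")
    nat.open_conn("10.0.0.2", "198.51.100.10:80")
    nat.open_conn("10.0.0.3", "198.51.100.12:22")
    try:                                      # fourth host: no global left (NAT)
        nat.open_conn("10.0.0.4", "198.51.100.10:80")
        out["nat_exhausted"] = False
    except PoolExhausted:
        out["nat_exhausted"] = True
    # Part two: shrink the pool by one address, then clear only its xlates.
    out["still_held"] = nat.shrink_pool({"203.0.113.3"})
    out["dropped_selective"] = nat.clear_xlate_global("203.0.113.3")
    out["conns_after_selective"] = nat.active_conns()
    # Part one: a full clear drops everything, including any download in flight.
    out["dropped_all"] = nat.clear_xlate_all()
    out["conns_after_all"] = nat.active_conns()
    out["free_after_all"] = sorted(nat.free)  # removed address never comes back
    # PAT: many locals share one global, so the exhaustion concern does not apply.
    pat = XlateTable(["203.0.113.9"], pat=True)
    for i in range(1, 51):
        pat.open_conn(f"10.0.1.{i}", "198.51.100.10:80")
    out["pat_hosts"] = len(pat.xlates)
    return out


if __name__ == "__main__":
    print(demo())
```

The selective clear keeps the three connections on the surviving addresses, while the full clear tears all of them down and returns only the addresses still in the pool; the PAT table shows fifty hosts sharing one global with no exhaustion.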