NAT problem

haroonsaeed
Level 1

Hi

I have configured NAT and PAT on the PIX 515. Every so often the connection is lost; leaving it for 25/30 minutes, it starts working again.

I have changed the xlate timeout, ARP timeout etc.

Help Please

13 Replies

mike-banks
Level 1

What version of OS is running in the PIX?

Hi mike,

I'm using PIX Firewall Version 5.1(2)......

mike-banks
Level 1

I was having random connection problems as well. After upgrading to the latest version, 6.1.1, I have not had any more problems.

Hi Mike,

If you are using PAT, is it necessary to specify a global range of IPs?

Currently I have specified only 5 in the global range, and a PAT address.

As far as I am aware, PAT supports up to 64000 connections using sockets.

It is your choice whether you want to use a global range or a PAT. It really depends upon whether you have the available IP addresses that you can use. You can use global addresses and a PAT as a backup.

PAT's logical limit is 4000 connections, but its theoretical limit is 64,000.

If you have a CCO ID you should download the latest version of PIX software and see if that corrects your problem. It fixed my problem with the PIX randomly dropping or being unable to establish new connections.

Hi Mike,

Just one more question on this issue: how easy is it to upgrade the PIX software? I have never upgraded the IOS. And what is the downtime for the PIX whilst being upgraded?

Depending on your version there are 2 methods of upgrading the software.

1. If your version supports it you can use

"copy tftp://server/pix.bin flash", then once it is copied over you have to reboot. Downtime is the time the reboot takes.

2. The other method is to boot into monitor mode and install the new image. The downtime for this method is longer because when you enter monitor mode your firewall is no longer active. Once the file load is complete it will reboot automatically.

Option 1 is the best method in my opinion.

It depends; if you are using encryption, you need to use the monitor mode.

Hi Mike,

I have updated the PIX from software version 5.1.2 to 6.1.1; unfortunately I cannot connect to the Internet using the NAT. I have not changed the configuration.

I am getting the following message when looking at the logs for the specific host ip being used for testing:

Mar 5 10:00:04 firewall.mh.total.net.uk Mar 05 2002 09:41:02: %PIX-3-305006: portmap translation creation failed for udp src inside:10.10.6.2/1038 dst outside:XX.XX.XX.X/53.

Any suggestions?

Thanks

It appears the translation failed when trying to send a UDP request to the DNS server on the Internet.

Did you try clearing your xlate?

Hi Mike,

I tried xlate; it does not make any difference, I seem to get the same UDP failure message in the logs.

I also got the following message which was not every so often.

106011: Deny inbound (No xlate) icmp src inside:10.50.6.4 dst inside:10.0.2.34 (type 8, code 0)

I have double checked the routing configs. All I have changed is the conduits to ACL-outs.

Any help please.
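A small triage script for the two syslog messages quoted in this thread (%PIX-3-305006 "portmap translation creation failed" and 106011 "Deny inbound (No xlate)"), added here as an example; it is not part of the original posts or of Cisco's software, and the sample lines are constructed with placeholder hostnames and addresses. Grouping the 305006 failures by destination port is how you would see at a glance that every failure is udp/53 (DNS), and a 106011 deny whose source and destination sit on the same interface points at routing rather than at the NAT rules.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two PIX 6.x syslog messages quoted in the
# thread; hostname and addresses are placeholders (RFC 5737 ranges), not real values.
SAMPLE_LOG = """\
Mar 5 10:00:04 fw Mar 05 2002 09:41:02: %PIX-3-305006: portmap translation creation failed for udp src inside:10.10.6.2/1038 dst outside:192.0.2.53/53.
Mar 5 10:00:05 fw Mar 05 2002 09:41:03: %PIX-3-305006: portmap translation creation failed for udp src inside:10.10.6.7/1040 dst outside:192.0.2.53/53.
Mar 5 10:00:09 fw Mar 05 2002 09:41:07: %PIX-3-305006: portmap translation creation failed for tcp src inside:10.10.6.2/1041 dst outside:192.0.2.80/80.
Mar 5 10:00:12 fw Mar 05 2002 09:41:10: %PIX-2-106011: Deny inbound (No xlate) icmp src inside:10.50.6.4 dst inside:10.0.2.34 (type 8, code 0)
Mar 5 10:00:13 fw Mar 05 2002 09:41:11: %PIX-5-111008: User 'enable_15' executed the 'write memory' command.
"""

MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
ENDPOINT_RE = re.compile(
    r"\b(?P<proto>tcp|udp|icmp)\b.*?"
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?"
)


def parse_line(line):
    """Return id, severity and endpoint fields of one syslog line, or None if not a PIX message."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = {"id": m["id"], "severity": int(m["sev"]), "text": m["text"]}
    ep = ENDPOINT_RE.search(m["text"])
    if ep:
        rec.update(proto=ep["proto"], src_if=ep["sif"], src_ip=ep["sip"], dst_if=ep["dif"],
                   dst_ip=ep["dip"], dst_port=int(ep["dport"]) if ep["dport"] else None)
    return rec


def summarize(log_text):
    """Count 305006 failures per (proto, dst port) and list 106011 'No xlate' denies."""
    failed, no_xlate = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "proto" not in rec:
            continue
        if rec["id"] == "305006":    # portmap translation creation failed
            failed[(rec["proto"], rec["dst_port"])] += 1
        elif rec["id"] == "106011":  # Deny inbound (No xlate)
            # src and dst on the same interface: the packet never needed a translation,
            # which points at routing (why did it reach the firewall?) rather than NAT rules
            rec["same_interface"] = rec["src_if"] == rec["dst_if"]
            no_xlate.append(rec)
    return {"failed_translations": failed, "no_xlate": no_xlate}
```

Run `summarize(SAMPLE_LOG)["failed_translations"].most_common()` to list the ports that need an outbound ACL entry, udp/53 first.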

If you have changed your conduits to ACLs then that could be causing your problems. When you apply an ACL to an interface it kills the ASA feature in the router that allows all outbound connections from a higher to lower security level as long as they have a nat/global. When you apply an ACL you have to open each and every port for outbound traffic.

For example, if you have an ACL on your inside interface you will have to open port 53 for UDP traffic so that DNS requests can go out.

If, along with the upgrade, you have also changed from conduits to ACLs, just go back to conduits with the new OS in place and see whether your original problem gets resolved. Once that is stable, think of switching over to the ACL.

As always, remember the golden rule: Never change two things at the same time!