NAT question...

befwguy80
Level 1

I have a question regarding NAT. We have a PIX 516e with two interfaces. We have the PIX setup and we are getting complaints that users are having their INTERNET connection dropped for no apparent reason.

We have a range of 18 ip addresses assigned for NAT with an additional address assigned if all 18 are used.

Doing a show xlate it shows the maximum used at 14, so it shouldn't be a problem with a lack of addresses. The IOS is 6.3(1). If I clear the users xlate from the table that will usually (but not always) get them working again.

Does anyone have any ideas as to why we are getting errors like this? If you need to see my config I will post it.

Thanks for any assistance.

3 Replies

piseli
Level 1

befwguy80,

Do you have a restricted license for 10 users?

Do a show version:

----------------------------------------

pix# sh ver

Cisco PIX Firewall Version 6.3(4)

Cisco PIX Device Manager Version 3.0(2)

....

Licensed Features:

....

Inside Hosts: 10

....

This PIX has a Restricted (R) license.

----------------------------------------

Of course you do not have the latest version, but it is not certain that this is the problem.

Maybe enable logging and see if you get error messages.

logg on

logg buff wa

I am attaching the output. It shows that I am unlimited license. I am also attaching the relevant NAT/PAT configuration.

Cisco PIX Firewall Version 6.3(1)

Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 19-Mar-03 11:49 by morlee

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

Maximum Interfaces: 2

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

This PIX has a Restricted (R) license.

Logging is currently disabled.

***** Config excerpts ******

global (outside) 1 xx.yy.zz.3-xx.yy.zz.20 netmask 255.255.255.192

global (outside) 1 interface

global (outside) 1 xx.yy.zz.21 netmask 255.255.255.192

nat (inside) 1 192.100.100.0 255.255.255.0 0 0

*******************

Thanks for any help.

It looks like you have two PAT statements:

global (outside) 1 interface

global (outside) 1 xx.yy.zz.21 netmask 255.255.255.192

This might be the reason why you have troubles.

The first 18 users use NAT:

=> global (outside) 1 xx.yy.zz.3-xx.yy.zz.20 netmask 255.255.255.192

And after that the PIX might have trouble knowing if it should use the "interface" or "xx.yy.zz.21" for PAT. Try removing one of them.

command:

no global (outside) 1 xx.yy.zz.21 netmask 255.255.255.192

Have you considered upgrading to the latest FOS version? There were some fixes in the latest versions. You might have a bug in 6.3.1 with NAT and PAT.

See the release notes of version 6.3.4:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a0080267ccd.html#wp101529

How to upgrade:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml
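An added example, not code from this thread: a small lint that parses `global (outside)` lines from a PIX 6.x config and flags a NAT id that carries more than one PAT global (the situation the reply above points at). It assumes the PIX rule that a hyphenated address range is a dynamic NAT pool while a single address or the `interface` keyword is a PAT address; the sample config is constructed from the excerpt posted above.

```python
import re
from dataclasses import dataclass

# Matches e.g. "global (outside) 1 xx.yy.zz.21 netmask 255.255.255.192"
GLOBAL_RE = re.compile(r"^global\s+\((?P<iface>\w+)\)\s+(?P<nat_id>\d+)\s+(?P<spec>\S+)")


@dataclass
class GlobalEntry:
    iface: str
    nat_id: int
    spec: str
    kind: str  # "pool" for a dynamic NAT range, "pat" for a single address or "interface"


def parse_globals(config_text: str) -> list[GlobalEntry]:
    """Extract every global statement; everything else (nat, access-list, ...) is ignored."""
    entries = []
    for line in config_text.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if not m:
            continue
        spec = m.group("spec")
        # Assumption: a range "a-b" is a NAT pool; anything else is used for PAT on PIX 6.x.
        kind = "pool" if "-" in spec else "pat"
        entries.append(GlobalEntry(m.group("iface"), int(m.group("nat_id")), spec, kind))
    return entries


def find_duplicate_pat(entries: list[GlobalEntry]) -> dict[tuple[str, int], list[str]]:
    """Return {(iface, nat_id): [pat specs]} for every NAT id that has more than one PAT global."""
    pat_by_key: dict[tuple[str, int], list[str]] = {}
    for e in entries:
        if e.kind == "pat":
            pat_by_key.setdefault((e.iface, e.nat_id), []).append(e.spec)
    return {k: v for k, v in pat_by_key.items() if len(v) > 1}


# Constructed sample, taken from the config excerpt in the thread (xx.yy.zz is a placeholder).
SAMPLE_CONFIG = """\
global (outside) 1 xx.yy.zz.3-xx.yy.zz.20 netmask 255.255.255.192
global (outside) 1 interface
global (outside) 1 xx.yy.zz.21 netmask 255.255.255.192
nat (inside) 1 192.100.100.0 255.255.255.0 0 0
"""

if __name__ == "__main__":
    for key, specs in find_duplicate_pat(parse_globals(SAMPLE_CONFIG)).items():
        print(f"nat id {key[1]} on {key[0]} has {len(specs)} PAT globals: {specs}")
```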