08-11-2008 12:51 AM
I have a PIX 515E (6.3). We have a proxy in the LAN which is behind the PIX. Users should be able to access the internet only via the proxy. So we have done NAT'ing on the PIX for the proxy & only the proxy IP address is allowed to access the internet. Config is as follows:
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq https
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq www
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq domain
access-list FOR_PROXY permit udp host 172.18.1.38 any eq domain
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq ftp-data
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq ftp
nat (inside) 1 access-list FOR_PROXY 0 0
The issue is that sometimes users are not able to access the internet via URL. I mean internet sites would open by IP address but not by DNS name.
If I do 'clear xlate' then for a few minutes it seems to be fine, but this issue happens randomly 3-4 times a week & sometimes even clearing the NAT entries won't help & I had no choice but to reboot the PIX.
Interestingly, when the issue occurs only DNS is not working. Can anybody guide me how to fix this, or is it a bug in the 6.3 PIX OS? Is it related to the embryonic connections value?? Please help me..
08-11-2008 01:23 AM
When the problem is experienced on users, does the DNS work on Proxy?
Check this to isolate if this is a PIX or a proxy issue.
I presume the hosts get the DNS from the proxy.
Regards,
Daniel
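The isolation check suggested above (does DNS still work from the proxy itself when users complain?) can be scripted so it is run the same way each time the fault appears. The following is an added example written for this thread, not a script from any of the posters: it builds a plain DNS A query (the udp/53 exchange the FOR_PROXY access-list permits), parses the reply, and compares that against a TCP connect to a known IP address so that "DNS path dead, direct IP fine" is reported explicitly. The resolver address 192.0.2.53, the probe target 198.51.100.80 and the name example.com are assumed placeholders; substitute the ISP resolver configured on the proxy. The `_constructed_response` helper only exists so the parser can be exercised offline.

```python
import random
import socket
import struct

# Assumed placeholders (not from the thread): the ISP resolver the proxy uses,
# a public IP reachable on tcp/80, and a name to resolve.
ISP_RESOLVER = "192.0.2.53"
DIRECT_IP = "198.51.100.80"
TEST_NAME = "example.com"


def build_query(name, txid):
    """Minimal RFC 1035 A/IN query with the RD bit set and one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def skip_name(data, offset):
    """Advance past a (possibly compressed) domain name; return the next offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_answers(data, txid):
    """Return the A records in a response; raise if the id or rcode is wrong."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (reply for a different query)")
    rcode = flags & 0xF
    if rcode != 0:
        raise ValueError(f"resolver returned rcode {rcode}")
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs


def _constructed_response(txid, name, ip):
    """Constructed sample reply for offline use: echoes the question, adds one A record."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


def probe_dns(resolver, name, timeout=3.0):
    """Send one UDP query through the firewall; None on timeout, else the A records."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_answers(data, txid)


def probe_tcp(ip, port=80, timeout=3.0):
    """True if a TCP handshake to ip:port completes (no DNS involved)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(dns_ok, tcp_ok):
    """Turn the two probe results into the isolation verdict the thread is after."""
    if dns_ok and tcp_ok:
        return "both paths fine"
    if tcp_ok and not dns_ok:
        return "udp/53 path broken, tcp path fine: look at the proxy's xlates/conns on the PIX"
    if dns_ok and not tcp_ok:
        return "tcp path broken, dns fine"
    return "no outbound connectivity at all"


if __name__ == "__main__":
    dns_result = probe_dns(ISP_RESOLVER, TEST_NAME)
    tcp_result = probe_tcp(DIRECT_IP)
    print("DNS:", dns_result, "| TCP:", tcp_result)
    print(classify(bool(dns_result), tcp_result))
```

Run it from the proxy host each time users report the symptom and keep the output next to the time of the last `clear xlate`; if the verdict is consistently "udp/53 broken, tcp fine" while a `clear xlate` restores it, the fault sits in the firewall's translation state rather than in the proxy or the ISP resolver.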
08-11-2008 03:54 AM
User PCs are not using any DNS, but the proxy has a DNS entry that is an external DNS (ISP-provided DNS).
When users are experiencing this problem, at the same time DNS also doesn't work on the proxy, as the proxy IP is NAT'd on the PIX; but in any case it only works again after clearing xlate or rebooting the PIX..
08-11-2008 02:04 AM
Have you changed the embryonic value from the default (as you suspect this as a problem)? Also what version are you running specifically? 6.3.5?
Regards
Farrukh
08-11-2008 03:57 AM
Hi,
I have PIX Version 6.3(3).
Can you please guide me how to change the default value for embryonic connections? What's the default value & whether the value should be increased or decreased? What is the command to do this task?
Thanks in Advance..
08-11-2008 05:08 AM
In PIX 6.x you can do this at the end of static or nat commands. But there is very little chance that this is causing any issues, the default is good enough!
I would recommend upgrading your PIX to the latest version in your train, 6.3(X).
Regards
Farrukh
08-18-2008 03:59 AM
Hi,
Thank you so much for your suggestion. But is this caused by the PIX OS version & will upgrading to the new IOS fix this issue?
Is there another way to overcome this issue without upgrading the PIX IOS?
Once again thanks for your suggestions
08-18-2008 10:38 AM
Since what you are trying to do is something pretty basic, I suggested the OS upgrade. These kinds of things should work on the firewall straight away; if they don't, it's usually a bug. (Especially since the DNS server belongs to the ISP, so not much help there).
What stops you from the software upgrade?
Regards
Farrukh
08-18-2008 11:33 AM
How can you determine that an upgrade will fix the issue?
There are policies in an enterprise environment that will not allow an upgrade unless the code is tested for that particular environment and it is stable.
What happens if the issue still persists after the upgrade? Another upgrade?
08-18-2008 11:37 AM
Nobody 'determined' anything :) Look up the word in a dictionary mate.
http://www.merriam-webster.com/dictionary/determine
Also I have faced the exact same issue on an ED 7.x release with a real-life customer, not a video game.
Regards
Farrukh
08-18-2008 12:36 PM
Be careful when you upgrade with 7.x code. These are E.D. code, so use them at your own risk.
One time I upgraded from version 7.2 to 7.2.2(22) and after the upgrade "show run + q" rebooted a production box.
I am very skeptical every time an upgrade is mentioned. Only you know your environment better than everyone else.
08-18-2008 08:30 PM
I agree with that David, I just meant an upgrade to the latest release in that major train, e.g. 6.3(5).
Regards
Farrukh