Solved

PIX Firewall / Network Address Translation

Posted on 2004-04-01
Last Modified: 2010-04-11
Got a problem, and I've no clue where to start. (Unfortunately, I'm not the one who gets to make decisions here, they just want me to fix what they break.)

We've got a new Cisco PIX Firewall installed, and it's supposed to be handling our Network Address Translation (NAT). However, it was configured to do Port Address Translation (PAT) on the IP of the PIX's interface. After a while, my users would complain to me that they would often try to go to a website and have to hit "refresh" a number of times before their sites would come up. I was under the ASSUMPTION that this was because the PAT was running out of ports for all of the users. We have an address pool ranging from x.x.x.146 (the PIX) to x.x.x.155, with .147 being our mail server. So I switched the settings on the PIX to do a "Range" from .148 to .155. This seems to have only caused MORE trouble.

Anyone have any suggestions?

-Javin
Question by:Javin007
11 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 10733488
How many users do you have behind the PIX? It should take quite a few to exhaust the overloaded PAT address.
LVL 11

Accepted Solution

by:billwharton (earned 500 total points)
ID: 10734331
You are not exactly using PAT very well. What you are doing is using a scope of 7 IP addresses or 7 connections to access the Internet. When these 7 connections are exhausted, that's when you have to press the 'reload' button. Use this statement instead. It will allow you thousands of connections.

Your global command should currently look like this:
global (outside) __ x.x.x.148-x.x.x.155 -> The blank is simply an ID no.

Simply negate this command out and put a new one:
global (outside) __ x.x.x.150 -> Use the same ID no. as you did before.

That's it. Reboot the PIX and ask all your users to try accessing the internet and see if they face any problems.

Do let me know how it goes.
LVL 4

Author Comment

by:Javin007
ID: 10735534
billwharton:

I think I understand what you're saying, and I think it's the same conclusion I came to before.  Doing a "Range" setup actually maps the users to the outside IPs, giving them all ports on an IP mapped to their own.  Thus, 7 IPs = 7 Users online.  

I've switched it back over to "interface PAT" in the meantime, where the ports of the PIX's IP were being utilized for the port address translation.  This brings us back to our original problem.  

Based on what you said, I tried adding each additional IP to the same "pool" (by default, 10) as a PAT IP, and removed the "interface PAT" (which is the PIX's IP).  This gives me the 7 IPs (in theory) running port address translation.  If this IS what you were talking about, and is what I should do, let me know.

The thing that bothers me about this whole thing, is that I understand that each hit to a webpage can make up to half a dozen connections, and those connections can hang on for 2-15 minutes.  But would you REALLY be likely to run out of ports for translation, even with one IP, with only 40 users on the network?

-Javin
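Added illustration, not code from the thread or from Cisco: a small Python model of how the PIX hands out translations under the two global statements discussed above, the .148-.155 range used as a dynamic NAT pool (one whole outside IP per inside host) versus a single address doing PAT (one port per connection). The 198.51.100.x addresses are RFC 5737 documentation addresses standing in for the asker's x.x.x, the inside hosts are constructed, and the 1024-65535 port range per PAT address is an assumption.

```python
from ipaddress import ip_address

# Assumption: a PAT address can hand out translated ports 1024-65535.
PAT_PORT_RANGE = range(1024, 65536)


class GlobalPool:
    """Minimal model of xlate allocation for one PIX 'global (outside)' statement."""

    def __init__(self, addresses, mode):
        assert mode in ("nat", "pat")
        self.addresses = [ip_address(a) for a in addresses]
        self.mode = mode
        self.nat_xlates = {}  # inside host -> global IP it holds (dynamic NAT)
        self.next_port = {a: PAT_PORT_RANGE.start for a in self.addresses}  # PAT

    def translate(self, inside_ip, inside_port):
        """Return the (global_ip, port) a new connection gets, or None when exhausted."""
        if self.mode == "nat":
            glob = self.nat_xlates.get(inside_ip)
            if glob is None:
                taken = set(self.nat_xlates.values())
                free = [a for a in self.addresses if a not in taken]
                if not free:
                    return None  # every global IP is already owned by another host
                glob = free[0]
                self.nat_xlates[inside_ip] = glob
            return (str(glob), inside_port)  # whole IP to one host, ports untouched
        for a in self.addresses:  # PAT: hosts share each address, one port per conn
            port = self.next_port[a]
            if port in PAT_PORT_RANGE:
                self.next_port[a] = port + 1
                return (str(a), port)
        return None  # all PAT ports on all addresses are in use


def simulate(pool, n_hosts, conns_per_host):
    """Return (accepted, refused) when n_hosts each open conns_per_host connections."""
    accepted = refused = 0
    for h in range(n_hosts):
        inside = f"10.0.0.{h + 1}"  # constructed inside host addresses
        for c in range(conns_per_host):
            if pool.translate(inside, 40000 + c) is None:
                refused += 1
            else:
                accepted += 1
    return accepted, refused


def nat_range_pool():
    """The asker's 'Range' .148-.155 as a dynamic NAT pool (documentation IPs)."""
    return GlobalPool([f"198.51.100.{i}" for i in range(148, 156)], "nat")


def pat_pool():
    """billwharton's suggestion: a single global address doing PAT."""
    return GlobalPool(["198.51.100.150"], "pat")
```

With 40 hosts opening 6 connections each, the NAT pool accepts only the first 8 hosts' connections and refuses the rest, while the single PAT address accepts all of them and only runs dry after roughly 64,000 concurrent translations.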
Expert Comment

by:tpacc
ID: 10736239
Well, I don't exactly understand your last post completely.

Are you comfortable using interface PAT for the long term? There is no reason why you shouldn't. Hence, you can simply forget about IP-to-IP NAT since that isn't needed in this place.

Interface PAT should not give you any problems. I've had environments running more than 10,000 connections on a PIX 515 using just one IP.
Expert Comment

by:tpacc
ID: 10736445
Javin

The posting by tpacc was actually authored by me. You can reply to it.
LVL 4

Author Comment

by:Javin007
ID: 10737436
Well, thus far, interface PAT has given us issues that we didn't have before (on the old network) when doing network address translation (NAT) through software.  

It didn't make sense to me that 40 users would crowd out all the connections on Interface PAT to start with, but either way, we're running into this issue.  And the issue has ONLY come about since installing the PIX, and ONLY happens when there are a "lot" of users online at once.  The question here is how to fix the problem, whatever it may be.  Do you have any suggestion for troubleshooting that I can use to chase down the issue?

-Javin
LVL 11

Expert Comment

by:billwharton
ID: 10737445
Try the 'show xlate' command when users complain and see how many connections you see in there.

Also try 'show cpu usage'
LVL 4

Author Comment

by:Javin007
ID: 10737718
Remember that I'm not using the terminal connection, but I'm using the PIX GUI.

-Javin
LVL 11

Expert Comment

by:billwharton
ID: 10738034
No problem. In PDM, you have a section called 'Monitoring'.
Click on that and you will find multiple options on the left, including System graphs -> CPU and Connection graphs -> xlates.

Check all of those to see if the PIX is running fine.
LVL 4

Author Comment

by:Javin007
ID: 10744275
Will have to get back to you next week.  Work's done for the weekend.  ;)

-Javin
LVL 4

Author Comment

by:Javin007
ID: 10766670
Well, things seem to be straightened out, now.  I don't know how, but the users DID seem to be using up all the ports.  Having added the additional IPs appears to have fixed the problem.  Thanks for the help!

-Javin