Solved

525 Pix is not roaming global ranges

Posted on 2006-05-11
8
Medium Priority
170 Views
Last Modified: 2013-11-16
Greetings,

We have a Cisco Pix (525) that requires doing a clear xlate command
about once daily when people randomly do not have access to outside
websites.

If I do a sho xlate after it clears and we are not roaming to a good
portion of the range we have.

Any ideas as to what is causing this?  The config is right and there
are no virus issues. Let me know what you might think is causing this.

Thanks much,

Toni P.
0
Comment
Question by:tpennacchia
8 Comments
 
LVL 19

Expert Comment

by:nodisco
ID: 16659483
hi Toni

What PIX OS is your 525 running?  
What is your xlate timeout set to?
Are you running any policy nat with acls?
Can you post your nat, global and any related policy nat acl commands you have in place at present.

0
 

Author Comment

by:tpennacchia
ID: 16660349
Thanks for your response.

523 for the OS
xlate is set at 5 seconds currently.  We have had it 3 hours and 30 minutes as well and have had this problem at both.
Yes, we are running these.
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sho global
global (outside) 1 134.241.46.1-134.241.46.254
global (outside) 1 134.241.84.1-134.241.84.254
global (outside) 1 134.241.171.1-134.241.171.254
global (outside) 1 134.241.159.85-134.241.159.240

Hopefully this helps.

Thanks, Toni P.


0
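An added check, not from the thread, that parses the posted global pool definitions together with a constructed sample of 'show xlate' output, counts active translations per range, and flags any range with none (the "not roaming" symptom). It assumes the xlate lines follow the PIX 6.x 'Global x Local y' format.

```python
"""Spread of PIX dynamic-NAT translations across the configured global
pool ranges. Added example; the 'show xlate' lines are constructed samples
in PIX 6.x output style, not output from the poster's firewall."""
import ipaddress
import re

# Constructed: the four global ranges posted in the thread.
SHOW_GLOBAL = """\
global (outside) 1 134.241.46.1-134.241.46.254
global (outside) 1 134.241.84.1-134.241.84.254
global (outside) 1 134.241.171.1-134.241.171.254
global (outside) 1 134.241.159.85-134.241.159.240
"""

# Constructed: a few 'show xlate' lines, mostly landing in the first range.
SHOW_XLATE = """\
Global 134.241.46.12 Local 10.1.1.12
Global 134.241.46.13 Local 10.1.1.13
Global 134.241.159.90 Local 10.1.2.7
Global 134.241.46.14 Local 10.1.1.14
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)-(\S+)$")
XLATE_RE = re.compile(r"Global (\d+\.\d+\.\d+\.\d+)")

def parse_global_pools(text):
    """Return [(iface, pool_id, first_ip, last_ip)] from 'show global' output."""
    pools = []
    for line in text.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if m:
            iface, pool_id, first, last = m.groups()
            pools.append((iface, int(pool_id), ipaddress.ip_address(first),
                          ipaddress.ip_address(last)))
    return pools

def parse_xlate_globals(text):
    """Return the global (outside) addresses currently in the xlate table."""
    return [ipaddress.ip_address(m.group(1)) for m in XLATE_RE.finditer(text)]

def pool_usage(pools, xlate_globals):
    """Map each 'first-last' range to (translations in use, range size)."""
    usage = {}
    for _iface, _pid, first, last in pools:
        size = int(last) - int(first) + 1
        used = sum(1 for g in xlate_globals if first <= g <= last)
        usage[f"{first}-{last}"] = (used, size)
    return usage

def idle_ranges(usage):
    """Ranges with zero active translations: candidates for a routing check."""
    return sorted(r for r, (used, _size) in usage.items() if used == 0)
```

Run it against real 'show global' and 'show xlate' captures; a range that stays idle while others fill up points at upstream routing for that block rather than at the NAT configuration.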
 
LVL 19

Accepted Solution

by:
nodisco earned 750 total points
ID: 16660377
Whoa - 523?! I would strongly recommend upgrading to 6.3(5) - many, many bug releases have been fixed!
I would leave the xlate at 3 hours unless it is causing an issue at that setting.  I take it all of the people who are having issues with the global xlate are on the inside of the PIX?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16660932
Are all of these external global subnets being routed to your PIX?
global (outside) 1 134.241.46.1-134.241.46.254
global (outside) 1 134.241.84.1-134.241.84.254
global (outside) 1 134.241.171.1-134.241.171.254
global (outside) 1 134.241.159.85-134.241.159.240

Do you have any conflicting route statements/masks that would interfere?

>523 for the OS
Are you sure it's not 6.2(3) ?
I don't think that nat 0 was supported pre-6.0
0
 

Author Comment

by:tpennacchia
ID: 16660937
Yes, it was even worse at the default of 3 hours so we put it back to 5 seconds.

Thanks for your advice!

Toni P.
0
 

Author Comment

by:tpennacchia
ID: 16661105
I did a sho version to verify (we are definitely on 5.2.3):

Cisco Secure PIX Firewall Version 5.2(3)

Compiled on Sat 30-Sep-00 09:16 by morlee

pixfirewall up 3 hours 59 mins

Hardware:   PIX-525, 128 MB RAM, CPU Pentium III 598 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash E28F400B5T @ 0xfffd8000, 32KB

As for this question,

Are all of these external global subnets being routed to your PIX?
global (outside) 1 134.241.46.1-134.241.46.254
global (outside) 1 134.241.84.1-134.241.84.254
global (outside) 1 134.241.171.1-134.241.171.254
global (outside) 1 134.241.159.85-134.241.159.240

Yes.

Do you have any conflicting route statements/masks that would interfere?

Not that I know of.

Thanks much, Toni
0
 
LVL 19

Expert Comment

by:nodisco
ID: 16661700
I would definitely upgrade first, before trying any other troubleshooting methods.  PIX 7 software is out now but it has a few changes in it - 6.3(5) is much the same as what you are using and won't present any issues.  If you still have issues after that - please post your config and I'm sure we can help.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16676456
Hi tpennacchia,

The PIX is hanging and most probably it is not just the NAT. You notice it because it immediately affects you. As nodisco suggested, upgrade it to 6.3(5) as soon as possible or your life is going to be a lot more involved in troubleshooting this box. Don't even think about any other version but go straight to 6.3(5).

Cheers!
Rajesh
0

Question has a verified solution.