tpennacchia
525 Pix is not roaming global ranges
Greetings,
We have a Cisco Pix (525) that requires doing a clear xlate command
about once daily when people randomly do not have access to outside
websites.
If I do a sho xlate after it clears and we are not roaming to a good
portion of the range we have.
Any ideas as to what is causing this? The config is right and there
are no virus issues. Let me know what you might think is causing this.
Thanks much,
Toni P.
ASKER
Thanks for your response.
523 for the OS
xlate is set at 5 seconds currently. We have had it 3 hours and 30 minutes as well and have had this problem at both.
Yes, we are running these.
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sho global
global (outside) 1 134.241.46.1-134.241.46.254
global (outside) 1 134.241.84.1-134.241.84.254
global (outside) 1 134.241.171.1-134.241.171.254
global (outside) 1 134.241.159.85-134.241.159.240
Hopefully this helps.
Thanks, Toni P.
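Added example, not part of the original thread: Python that takes the global ranges posted above plus a show xlate capture and reports how many addresses of each range hold a translation, which is the symptom the asker describes. The show xlate lines are constructed, and their "Global <ip> Local <ip>" layout is an assumption about the output format.

```python
import ipaddress
import re

# Pool definitions as posted in the thread.
GLOBAL_CONFIG = """\
global (outside) 1 134.241.46.1-134.241.46.254
global (outside) 1 134.241.84.1-134.241.84.254
global (outside) 1 134.241.171.1-134.241.171.254
global (outside) 1 134.241.159.85-134.241.159.240
"""
# Constructed sample; the "Global <ip> Local <ip>" line layout is an assumption.
SAMPLE_XLATE = """\
Global 134.241.46.1 Local 10.1.1.15
Global 134.241.46.2 Local 10.1.2.20
Global 134.241.46.3 Local 10.1.1.77
Global 134.241.84.1 Local 10.1.3.9
Global 134.241.200.10 Local 10.1.9.9
"""
IP = r"\d+(?:\.\d+){3}"
GLOBAL_RE = re.compile(rf"^global \(\S+\) (\d+) ({IP})-({IP})$")
XLATE_RE = re.compile(rf"^Global ({IP}) Local {IP}")

def parse_globals(config):
    """Return [(nat_id, first, last)] for every ranged global statement."""
    pools = []
    for line in config.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if m:
            first, last = (ipaddress.IPv4Address(a) for a in m.group(2, 3))
            pools.append((int(m.group(1)), first, last))
    return pools

def parse_xlate(output):
    """Return the set of global addresses that currently hold a translation."""
    hits = (XLATE_RE.match(line.strip()) for line in output.splitlines())
    return {ipaddress.IPv4Address(m.group(1)) for m in hits if m}

def pool_usage(pools, used):
    """Per range: (range text, pool size, addresses in use)."""
    return [(f"{a}-{b}", int(b) - int(a) + 1, sum(a <= ip <= b for ip in used))
            for _, a, b in pools]

def outside_pools(pools, used):
    """Translated addresses covered by no global range (statics, stale config)."""
    return sorted(ip for ip in used if not any(a <= ip <= b for _, a, b in pools))

if __name__ == "__main__":
    pools, used = parse_globals(GLOBAL_CONFIG), parse_xlate(SAMPLE_XLATE)
    print(pool_usage(pools, used), outside_pools(pools, used))
```

Ranges that stay at zero in use while others fill up are the ones to check against upstream routing, which is the question raised later in the thread.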
Are all of these external global subnets being routed to your PIX?
global (outside) 1 134.241.46.1-134.241.46.254
global (outside) 1 134.241.84.1-134.241.84.254
global (outside) 1 134.241.171.1-134.241.171.254
global (outside) 1 134.241.159.85-134.241.159.240
Do you have any conflicting route statements/masks that would interfere?
>523 for the OS
Are you sure it's not 6.2(3) ?
I don't think that nat 0 was supported pre-6.0
ASKER
Yes, it was even worse at the default of 3 hours so we put it back to 5 seconds.
Thanks for your advice!
Toni P.
ASKER
I did a sho version to verify (we are definitely on 5.2.3):
Cisco Secure PIX Firewall Version 5.2(3)
Compiled on Sat 30-Sep-00 09:16 by morlee
pixfirewall up 3 hours 59 mins
Hardware: PIX-525, 128 MB RAM, CPU Pentium III 598 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash E28F400B5T @ 0xfffd8000, 32KB
As for this question,
Are all of these external global subnets being routed to your PIX?
global (outside) 1 134.241.46.1-134.241.46.254
global (outside) 1 134.241.84.1-134.241.84.254
global (outside) 1 134.241.171.1-134.241.171.254
global (outside) 1 134.241.159.85-134.241.159.240
Yes.
Do you have any conflicting route statements/masks that would interfere?
Not that I know of.
Thanks much, Toni
I would definitely upgrade first, before trying any other troubleshooting methods. PIX 7 software is out now but it has a few changes in it - 6.3(5) is much the same as what you are using and won't present any issues. If you still have issues after that - please post your config and I'm sure we can help.
Hi tpennacchia,
The PIX is hanging and most probably it is not just the NAT. You notice it because it immediately affects you. As nodisco suggested, upgrade it to 6.3(5) as soon as possible or your life is going to be a lot more involved in troubleshooting this box. Don't even think about any other version but go straight to 6.3(5).
Cheers!
Rajesh
What PIX OS is your 525 running?
What is your xlate timeout set to?
Are you running any policy nat with acls?
Can you post your nat, global and any related policy nat acl commands you have in place at present.