• Status: Solved
  • Priority: Medium
  • Security: Public

525 Pix is not roaming global ranges

Greetings,

We have a Cisco Pix (525) that requires doing a clear xlate command
about once daily when people randomly do not have access to outside
websites.

If I do a sho xlate after it clears, we are not roaming to a good
portion of the range we have.

Any ideas as to what is causing this?  The config is right and there
are no virus issues. Let me know what you might think is causing this.

Thanks much,

Toni P.
Asked by: tpennacchia
 
nodisco Commented:
hi Toni

What PIX OS is your 525 running?  
What is your xlate timeout set to?
Are you running any policy nat with acls?
Can you post your nat, global and any related policy nat acl commands you have in place at present?

 
tpennacchia (Author) Commented:
Thanks for your response.

523 for the OS
xlate is set at 5 seconds currently.  We have had it 3 hours and 30 minutes as well and have had this problem at both.
Yes, we are running these.
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sho global
global (outside) 1 134.241.46.1-134.241.46.254
global (outside) 1 134.241.84.1-134.241.84.254
global (outside) 1 134.241.171.1-134.241.171.254
global (outside) 1 134.241.159.85-134.241.159.240

Hopefully this helps.

Thanks, Toni P.


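One way to put a number on "not roaming to a good portion of the range": compare the posted `global` pool statements with `sho xlate` output and count active translations per range. This is an added example, not part of the thread; the xlate lines are constructed, the `Global <ip> Local <ip>` line format is an assumption, and the function names are hypothetical.

```python
import ipaddress
import re

# Pool statements exactly as posted in the thread.
GLOBAL_CONFIG = """\
global (outside) 1 134.241.46.1-134.241.46.254
global (outside) 1 134.241.84.1-134.241.84.254
global (outside) 1 134.241.171.1-134.241.171.254
global (outside) 1 134.241.159.85-134.241.159.240
"""

# Constructed sample output (not from the thread). Assumed line format:
# "Global <ip> Local <ip>"; any other line is skipped.
SAMPLE_XLATE = """\
Global 134.241.46.1 Local 10.1.1.15
Global 134.241.46.2 Local 10.1.1.16
Global 134.241.46.3 Local 10.1.2.40
Global 134.241.84.1 Local 10.1.3.7
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
GLOBAL_RE = re.compile(rf"^global \(\S+\) \d+ {IP}-{IP}$")
XLATE_RE = re.compile(rf"^Global {IP} Local {IP}")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_pools(config):
    """Return (label, first, last) for every range-style global statement."""
    pools = []
    for line in map(str.strip, config.splitlines()):
        m = GLOBAL_RE.match(line)
        if m:
            pools.append((f"{m.group(1)}-{m.group(2)}", to_int(m.group(1)), to_int(m.group(2))))
    return pools

def pool_usage(config, xlate_output):
    """Count distinct global addresses currently translated in each pool range."""
    used = {to_int(m.group(1)) for line in map(str.strip, xlate_output.splitlines())
            if (m := XLATE_RE.match(line))}
    return [{"range": label, "size": last - first + 1,
             "in_use": sum(first <= a <= last for a in used)}
            for label, first, last in parse_pools(config)]

if __name__ == "__main__":
    for row in pool_usage(GLOBAL_CONFIG, SAMPLE_XLATE):
        print(f"{row['range']:<34} {row['in_use']:>3}/{row['size']} in use")
```

Running it against captures taken before and after a `clear xlate` shows which ranges never receive translations.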
 
nodisco Commented:
Whoa - 523?! I would strongly recommend upgrading to 6.3(5) - many, many bug releases have been fixed!
I would leave the xlate at 3 hours unless it is causing an issue at that setting.  I take it all of the people who are having issues with the global xlate are on the inside of the PIX?
 
lrmoore Commented:
Are all of these external global subnets being routed to your PIX?
global (outside) 1 134.241.46.1-134.241.46.254
global (outside) 1 134.241.84.1-134.241.84.254
global (outside) 1 134.241.171.1-134.241.171.254
global (outside) 1 134.241.159.85-134.241.159.240

Do you have any conflicting route statements/masks that would interfere?

>523 for the OS
Are you sure it's not 6.2(3) ?
I don't think that nat 0 was supported pre-6.0
 
tpennacchia (Author) Commented:
Yes, it was even worse at the default of 3 hours so we put it back to 5 seconds.

Thanks for your advice!

Toni P.
 
tpennacchia (Author) Commented:
I did a sho version to verify (we are definitely on 5.2.3):

Cisco Secure PIX Firewall Version 5.2(3)

Compiled on Sat 30-Sep-00 09:16 by morlee

pixfirewall up 3 hours 59 mins

Hardware:   PIX-525, 128 MB RAM, CPU Pentium III 598 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash E28F400B5T @ 0xfffd8000, 32KB

As for this question,

Are all of these external global subnets being routed to your PIX?
global (outside) 1 134.241.46.1-134.241.46.254
global (outside) 1 134.241.84.1-134.241.84.254
global (outside) 1 134.241.171.1-134.241.171.254
global (outside) 1 134.241.159.85-134.241.159.240

Yes.

Do you have any conflicting route statements/masks that would interfere?

Not that I know of.

Thanks much, Toni
 
nodisco Commented:
I would definitely upgrade first, before trying any other troubleshooting methods.  PIX 7 software is out now but it has a few changes in it - 6.3(5) is much the same as what you are using and won't present any issues.  If you still have issues after that - please post your config and I'm sure we can help.
 
rsivanandan Commented:
Hi tpennacchia,

The PIX is hanging and most probably it is not just the NAT. You notice it because it immediately affects you. As nodisco suggested, upgrade it to 6.3(5) as soon as possible or your life is going to be a lot more involved in troubleshooting this box. Don't even think about any other version but go straight to 6.3(5).

Cheers!
Rajesh
Question has a verified solution.