I'm sorry that I don't know where the problem is, but I can say that
I don't believe this is a PIX specific issue.  We have a 2610 running
12.0(5) IP/FW that has the exact same problem.  We only have one IP
address to translate with, and the command "sh ip nat trans" shows some
interesting results.  Normally you would expect to see the Inside global,
Inside local, Outside local & Outside global addresses being translated
with port numbers.  However, we see on a large number of them (400+),
it simply has the Inside global and Inside local address with no port
numbers and the outside local and outside global with dashes under them.
Is this normal and what does it mean?  Since I know bandwidth is an issue
at this site, my thought was that this was connections being attempted
but couldn't be completed, but now I'm not so sure. Has anyone seen this
type of behavior on the PIX? Does anyone else have bandwidth issues and these
devices are just choking (for lack of a better word)?  My instinct says
that this is really a NAT/PAT issue more than anything else, but I'm not
sure what to do or how to prove it.  I can get things working again
by using "clear ip nat trans *" but it's a pain and shouldn't be needed.

On a side note, when I do the "clear ip nat trans *", our users on the
inside network telnetting to a server on the inside network get disconnected.
The clients do have the default gateway set as the router, but I don't
understand why, if no translation is taking place, a client telnetting to a
server on the inside network would get disconnected after I issue that
command.  Any thoughts?

Thanks,

Brent
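Brent's description of the "sh ip nat trans" table above can be turned into a quick tally that separates port-level PAT entries from the address-only entries with dashes, which is the count you would track over time before and after a "clear ip nat trans *". This is an added example, not code from the thread; the sample output is constructed to mimic the IOS 12.x `show ip nat translations` column layout, and the parser assumes that five-column format.

```python
"""Tally IOS `show ip nat translations` output by entry type (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output, modelled on the IOS 12.x table layout:
# extended (port-level) entries carry a protocol and host:port pairs,
# address-only entries show "---" for the protocol and outside columns.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1025   192.168.1.10:1025  198.51.100.20:80   198.51.100.20:80
tcp 203.0.113.5:1026   192.168.1.11:1026  198.51.100.20:80   198.51.100.20:80
udp 203.0.113.5:53011  192.168.1.12:53011 198.51.100.53:53   198.51.100.53:53
--- 203.0.113.5        192.168.1.10       ---                ---
--- 203.0.113.5        192.168.1.13       ---                ---
"""


@dataclass
class Xlate:
    proto: str            # "tcp"/"udp"/"icmp", or "---" for an address-only entry
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str

    @property
    def extended(self) -> bool:
        """True for a port-level (PAT) entry, False for a bare address entry."""
        return self.proto != "---" and ":" in self.inside_global


def parse_xlates(text: str) -> List[Xlate]:
    """Parse the table; the header line has more than five fields and is skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        entries.append(Xlate(*fields))
    return entries


def summarize(entries: List[Xlate]) -> Dict[str, int]:
    """Counts that show how much of the table is PAT versus address-only entries."""
    summary: Counter = Counter()
    for e in entries:
        summary["extended" if e.extended else "address_only"] += 1
        summary[f"proto:{e.proto}"] += 1
    # Distinct inside hosts behind the address-only entries, and the number of
    # global ports in use: with a single translation address, the latter is the
    # figure to watch for PAT port exhaustion.
    summary["address_only_hosts"] = len({e.inside_local for e in entries if not e.extended})
    summary["pat_ports_in_use"] = len({e.inside_global for e in entries if e.extended})
    return dict(summary)
```

Run `summarize(parse_xlates(SAMPLE))` on the constructed sample, or feed it the captured output of the command from the router.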

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Bishara, Anan
Sent: Tuesday, June 06, 2000 5:06 AM
To: 'Astbury, Phil'; '[EMAIL PROTECTED]'
Subject: RE: PIX Firewall show connection counters

I am facing the same problem. My Exchange server stops receiving mail from
outside. When I do an nslookup for my domain from an outside DNS, it gives
request time out. When I do clear xlate, it works for some time and then
stops. I tried upgrading the version to 5.1 but still the same problem. If
anybody has a suggestion, it will really help to get rid of this headache.

Regards,
Anan

-----Original Message-----
From: Astbury, Phil [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 06, 2000 11:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: PIX Firewall show connection counters


We have a similar problem at our site - it seems as if the PIX just stops
resolving DNS.
Our Exchange server is no longer able to send mail externally due to DNS
lookup failures.
We've looked at all the possibilities, but normally a reboot will fix the
problem.

We have added extra memory to the PIX, and also upgraded the firmware - but
we can't seem to get to the bottom of this!!
If anyone out there has seen this or knows of a potential fix, I would be
most grateful for some feedback.

regards,
Phil

        -----Original Message-----
        From:   Apoorva S.Malavia [SMTP:[EMAIL PROTECTED]]
        Sent:   06 June 2000 05:25
        To:     [EMAIL PROTECTED]
        Subject:        Re: PIX Firewall show connection counters

        I need to see the config on the fw.


        "Bishara, Anan" wrote:

                Hello everybody, this may be off topic for this message but it is related to it
                somehow. I have a DNS in my DMZ zone; the problem I am facing is that DNS stops
                resolving names after a while and I have to clear xlate, where it will work
                for a while and then stops again. Does anybody have any suggestion or face this
                problem?
                Regards,
                Anan

                -----Original Message-----
                From: Apoorva S.Malavia [ <mailto:[EMAIL PROTECTED]>]
                Sent: Monday, June 05, 2000 9:36 PM
                To: [EMAIL PROTECTED]
                Subject: Re: PIX Firewall show connection counters

                more precisely
                clear xlate *

                Mark Holloway wrote:

                > Yes, "clear xlate" is what you want.  Clear xlate will knock people off but
                > more than likely they will "refresh" their browser if it's web based.  FTP
                > connections may time out and telnet sessions will drop.  You said "you might as
                > well reboot if you're gonna clear xlate" - but the PIX takes about a minute
                > to reboot as opposed to clear xlate being an instant function.  In an
                > environment where I work we have 5000+ users on the inside interface using
                > the outside (internet) and dmz interfaces.  A reboot would get me fired!
                >
                > Regards,
                > Mark
                >
                > ----- Original Message -----
                > From: Chuck Larrieu <[EMAIL PROTECTED]>
                > To: Jorge Rodriguez <[EMAIL PROTECTED]>; Pete Ruttman (adminpr)
                > <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
                > Sent: Wednesday, May 31, 2000 9:32 PM
                > Subject: RE: PIX Firewall show connection counters
                >
                > > I don't have a pix manual handy, but if memory serves, the command is
                > > clear xlate
                > >
                > > I'm sure you all will let me know if I'm wrong :->
                > >
                > > Chuck
                > >
                > > -----Original Message-----
                > > From: [EMAIL PROTECTED] [ <mailto:[EMAIL PROTECTED]>] On Behalf Of
                > > Jorge Rodriguez
                > > Sent: Wednesday, May 31, 2000 7:21 PM
                > > To: Pete Ruttman (adminpr); [EMAIL PROTECTED]
                > > Subject: Re: PIX Firewall show connection counters
                > >
                > > Did you try " Clear Counters"  ?
                > >
                > >
                > > ----- Original Message -----
                > > From: "Pete Ruttman (adminpr)" <[EMAIL PROTECTED]>
                > > To: <[EMAIL PROTECTED]>
                > > Sent: Tuesday, May 30, 2000 2:50 PM
                > > Subject: Re: PIX Firewall show connection counters
                > >
                > >
                > > > >Are there any commands to clear the counters on a PIX?
                > > > >I am trying to reset to 0 the numbers displayed by
                > > > >"show connections".
                > > > >
                > > > >It seems, the only way is a F/W reboot, to clear the
                > > > >`show connections` counters in order to monitor max
                > > > >number of TCP/IP connection through the PIX
                > > > >
                > > > My gut reaction is that isn't possible since the show connections is
                > > > totaling the current xlate connections the PIX is doing.  You can use
                > > > clear xlate to clear out the xlate connections but then of course you are
                > > > knocking people off so you might as well reboot.
                > > >
                > > > pete
                > > >