RE: PIX 520 Xlate Problem [7:63087]

2003-02-15 Thread Greg Owens Jr
You may want to change your xlate timeout
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Danial Morison
Sent: Saturday, February 15, 2003 2:58 AM
To: [EMAIL PROTECTED]
Subject: PIX 520 Xlate Problem [7:63087]

Hi group ,

Any idea where the problem is..thanks..


We have implemented PIX with the following configuration. We have 3
inside networks mapped with 2 different public IP pools, 203.125.152.0/26 and
203.125.150.0/24. The problem is that the inside network 10.0.0.0/17 (10.0.0.0,
subnet mask 255.255.128.0) is not able to go to the Internet after a certain
period of time (2 or 3 days).

Any idea where the problem is..thanks..

172.0.0.0/8

10.0.0.0/8

10.0.0.0/17

Here are the details.

pixfirewall# sh global
global (outside) 1 203.125.152.194-203.125.152.236 netmask 255.255.255.192
global (outside) 4 203.125.150.1-203.125.150.126 netmask 255.255.255.128
global (outside) 2 203.125.152.244 netmask 255.255.255.192
global (outside) 3 203.125.152.248 netmask 255.255.255.192
global (outside) 1 203.125.152.193 netmask 255.255.255.192
global (outside) 4 203.125.150.249 netmask 255.255.255.128
global (dmz) 1 172.16.13.11-172.16.13.20 netmask 255.255.255.0
global (dmz) 2 172.16.13.51-172.16.13.60 netmask 255.255.255.0
global (dmz) 3 172.16.13.61-172.16.13.70 netmask 255.255.255.0
global (dmz) 4 172.16.13.71-172.16.13.80 netmask 255.255.255.0
global (dmz) 1 172.16.13.10 netmask 255.255.255.0
global (dmz) 2 172.16.13.9 netmask 255.255.255.0
global (dmz) 3 172.16.13.8 netmask 255.255.255.0
global (dmz) 4 172.16.13.6 netmask 255.255.255.0

pixfirewall# sh nat
nat (inside) 2 172.16.1.115 255.255.255.255 0 0
nat (inside) 3 172.16.11.76 255.255.255.255 0 0
nat (inside) 3 172.16.11.80 255.255.255.255 0 0
nat (inside) 3 172.16.11.84 255.255.255.255 0 0
nat (inside) 2 172.16.11.224 255.255.255.240 0 0
nat (inside) 4 10.0.0.0 255.255.128.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (inside) 1 172.0.0.0 255.0.0.0 0 0
nat (dmz) 1 172.16.13.0 255.255.255.0 0 0

pixfirewall# sh xlate
Global 203.125.152.220 Local 172.16.11.71
Global 203.125.152.221 Local 172.16.11.149
Global 172.16.13.11 Local 172.16.11.139
PAT Global 203.125.152.193(52641) Local 172.16.11.57(1155)
Global 203.125.152.222 Local 172.16.11.120
Global 203.125.152.223 Local 172.16.152.37
Global 203.125.152.216 Local 172.17.1.94
Global 203.125.152.217 Local 172.16.1.20
Global 203.125.152.218 Local 172.16.5.20
Global 172.16.13.12 Local 172.16.1.205
Global 203.125.152.219 Local 172.16.11.139
Global 172.16.13.13 Local 172.16.154.75
Global 203.125.152.212 Local 172.16.11.194
Global 203.125.152.213 Local 172.17.11.91
Global 203.125.152.214 Local 172.17.1.91
Global 203.125.152.215 Local 172.16.5.78
Global 203.125.152.208 Local 172.16.1.22
Global 203.125.152.209 Local 172.16.5.15
Global 203.125.152.210 Local 172.16.151.75
Global 203.125.152.211 Local 172.17.1.23
Global 203.125.152.204 Local 172.16.5.79
Global 203.125.152.205 Local 172.16.5.13
PAT Global 203.125.152.193(52640) Local 172.16.11.57(1154)
Global 203.125.152.206 Local 172.18.1.22
Global 203.125.152.207 Local 172.18.1.104
Global 203.125.152.200 Local 172.16.11.192
Global 203.125.152.201 Local 172.18.1.24
Global 203.125.152.203 Local 172.16.5.17
PAT Global 172.16.13.6(43713) Local 10.0.12.137(12875)
Global 203.125.152.203 Local 172.16.151.72
Global 203.125.152.196 Local 172.16.5.21
Global 203.125.152.197 Local 10.120.10.51
Global 172.16.13.19 Local 172.18.1.254
Global 203.125.152.198 Local 172.17.1.93
Global 203.125.152.199 Local 172.16.11.186
Global 203.125.150.193 Local 172.16.206.30 static
PAT Global 203.125.152.244(21827) Local 172.16.11.233(4493)
PAT Global 203.125.152.244(21811) Local 172.16.11.233(4480)
Global 203.125.152.194 Local 172.16.5.18
Global 172.16.13.20 Local 172.17.1.110
Global 203.125.152.195 Local 172.16.5.14
Global 203.125.150.252 Local 172.16.1.40 static
Global 203.125.152.252 Local 172.16.13.21 static
Global 172.16.13.42 Local 172.18.1.22 static
Global 172.16.13.43 Local 172.17.1.21 static
PAT Global 203.125.152.193(52643) Local 172.16.11.57(1158)
Global 172.16.13.40 Local 172.16.11.21 static
Global 172.16.13.41 Local 172.16.206.21 static
Global 203.125.150.249 Local 172.16.13.27 static
Global 203.125.152.249 Local 172.16.13.23 static
Global 172.16.13.47 Local 10.160.10.53 static
Global 203.125.152.250 Local 172.16.1.41 static
Global 203.125.150.250 Local 172.16.1.24 static
PAT Global 172.16.13.6(43714) Local 10.0.12.140(14384)
Global 172.16.13.44 Local 172.16.152.21 static
Global 203.125.152.251 Local 172.16.13.22 static
Global 172.16.13.45 Local 10.160.10.51 static
Global 203.125.152.245 Local 10.160.10.51 static
Global 203.125.152.246 Local 172.16.13.26 static
Global 203.125.152.247 Local 172.16.13.25 static
Global 203.125.152.240 Local 10.160.10.52 static
Global 203.125.152.241 Local 172.16.18.51 static
PAT Global 203.125.152.244(22080) Local 172.16.11.229(1026)

PA
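
An added example, not part of the original posts: a Python sketch for reviewing the `sh global` / `sh nat` lines quoted above. For each NAT ID it reports the size of the outside address range, the single-address globals (the ones that appear as "PAT Global" in `sh xlate`) and how many inside addresses the matching `nat` statements cover, and it lists `nat` statements with different IDs whose source networks overlap. The function names and the trimmed `CONFIG` sample are assumptions of this example; it makes the numbers visible and does not diagnose the fault.

```python
import ipaddress
import re
from collections import defaultdict

# Subset of the `sh global` / `sh nat` lines from the post (outside globals, inside nat).
CONFIG = """\
global (outside) 1 203.125.152.194-203.125.152.236 netmask 255.255.255.192
global (outside) 4 203.125.150.1-203.125.150.126 netmask 255.255.255.128
global (outside) 2 203.125.152.244 netmask 255.255.255.192
global (outside) 1 203.125.152.193 netmask 255.255.255.192
global (outside) 4 203.125.150.249 netmask 255.255.255.128
nat (inside) 2 172.16.1.115 255.255.255.255 0 0
nat (inside) 4 10.0.0.0 255.255.128.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (inside) 1 172.0.0.0 255.0.0.0 0 0
"""

def parse(text):
    """Return ({nat_id: {"range": n, "pat": [addr]}}, [(nat_id, inside network)])."""
    pools = defaultdict(lambda: {"range": 0, "pat": []})
    nets = []
    for line in text.splitlines():
        g = re.match(r"global \(outside\) (\d+) (\S+) netmask", line)
        n = re.match(r"nat \(inside\) (\d+) (\S+) (\S+)", line)
        if g:
            first, _, last = g.group(2).partition("-")
            if last:  # address range: one-to-one dynamic translations
                span = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first))
                pools[int(g.group(1))]["range"] += span + 1
            else:     # single address: listed as "PAT Global" in `sh xlate`
                pools[int(g.group(1))]["pat"].append(first)
        elif n:
            nets.append((int(n.group(1)), ipaddress.ip_network(f"{n.group(2)}/{n.group(3)}")))
    return pools, nets

def overlaps(nets):
    """nat statements with different IDs whose source networks overlap."""
    return [(ia, str(a), ib, str(b))
            for k, (ia, a) in enumerate(nets) for ib, b in nets[k + 1:]
            if ia != ib and a.overlaps(b)]

def report(text):
    """Per NAT ID: (range addresses, PAT addresses, inside addresses covered)."""
    pools, nets = parse(text)
    return {i: (p["range"], p["pat"], sum(n.num_addresses for j, n in nets if j == i))
            for i, p in sorted(pools.items())}, overlaps(nets)

if __name__ == "__main__":
    print(report(CONFIG))
```

On the posted lines this shows NAT ID 4 with a 126-address outside range and one PAT address for a /17 of 32768 inside addresses, and 10.0.0.0/17 (ID 4) overlapping 10.0.0.0/8 (ID 1).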

RE: PIX 520 Xlate Problem [7:63087]

2003-03-17 Thread Danial Morison
Problem still persists.. getting panic as the users are unable to connect
from 10's other network with ID tag 4 in the configuration mentioned
earlier.

HELP..

>From: "Greg Owens Jr" 
>To: "'Danial Morison'" ,
>Subject: RE: PIX 520 Xlate Problem [7:63087]
>Date: Sat, 15 Feb 2003 08:48:09 -0500
>
>You may want to change your xlate timeout