Re: PIX Question [7:65095]

2003-03-18 Thread Richard Deal
Was this NAT or PAT? If PAT, and the client kept on trying to open up new connections, the source port would probably be different for each, thus a new xlate in the translation table. Cheers!
--
Richard A. Deal
Visit my home page at http://home.cfl.rr.com/dealgroup/
Author of Cisco PIX

RE: PIX Question [7:65095]

2003-03-14 Thread Symon Thurlow
New source port for each outbound FTP connection probably.
Symon
-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED]
Sent: 13 March 2003 18:12
To: [EMAIL PROTECTED]
Subject: Re: PIX Question [7:65095]
I don't understand why the xlate table would grow. I can understand

Re: PIX Question [7:65095]

2003-03-14 Thread Richard Deal
Was this NAT or PAT? If PAT, and the client kept on trying to open up new connections, the source port would probably be different for each, thus a new xlate in the translation table. Cheers!
--
Richard A. Deal
Visit my home page at http://home.cfl.rr.com/dealgroup/
Author of Cisco PIX

Re: PIX Question [7:65095]

2003-03-13 Thread Scott Roberts
Strange that it would create another translation instead of using the old one? I suppose it's more an error in the client software thinking it still has a valid server connection and tries to open a brand new one then. The only thing that comes to my mind would be to expire your translations

Re: PIX Question [7:65095]

2003-03-13 Thread John Neiberger
I don't understand why the xlate table would grow. I can understand the connections table growing, sure, but did the PIX really re-translate the same internal address over 7000 times in just a few minutes?
John
Scott Roberts 3/13/03 11:08:29 AM
strange that it would create another translation

Re: PIX Question [7:65095]

2003-03-12 Thread Richard Deal
Manny, Yes, you can limit the maximum number of connections to a device and the maximum number of half-open (embryonic) connections. This is done with the NAT command, at least in your case, since the connections are going from high-to-low security levels. The NAT command allows you to specify

Re: PIX Question [7:65095]

2003-03-12 Thread Kent Hundley
Manny, A couple of thoughts, not necessarily in order of applicability: 1) Change the timeout values for idle connections for conn (connection slot) from 1 hr to 5-10 min and change the xlate timeout from 3 hrs to 5-10 minutes. These are idle timeouts and will probably work for most environments

Re: PIX Question [7:65095]

2003-03-11 Thread Joel Salminen
I'm not sure of the exact metric, but you should enable syslog and have this sent to a syslog server. With a syslog server you can have the system parse the syslog and react to particular entries. Of course that depends on what you use to manage the syslog db. Manny wrote in message news:[EMAIL