Re: [fw-wiz] PIX: immediately applying access rules to established connections

Strange.

Usage Guidelines
The clear xlate command clears the contents of the translation slots
("xlate" refers to the translation slot). Translation slots can
persist after key changes have been made. Always use the clear xlate
command after adding, changing, or removing the aaa-server,
access-list, alias, global, nat, route, or static commands in your
configuration.

An xlate describes a NAT or PAT session. These sessions can be viewed
with the show xlate command with the detail option. There are two
types of xlates: static and dynamic.

A static xlate is a persistent xlate that is created using the static
command. Static xlates can only be removed by removing the static
command from the configuration; the clear xlate does not remove the
static translation rule. If you remove a static command from the
configuration, preexisting connections that use the static rule can
still forward traffic. Use the clear local-host to deactivate these
connections.

A dynamic xlate is an xlate that is created on demand with traffic
processing (through the nat or global command). The clear xlate
removes dynamic xlates and their associated connections. You can also
use the clear local-host command to clear the xlate and associated
connections. If you remove a nat or a global command from the
configuration, the dynamic xlate and associated connections may remain
active. Use the clear xlate or the clear local-host command to remove
these connections.

Examples
The following example shows how to clear the current translation and
connection slot information:

hostname# clear xlate global

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/c3_711.htm#wp2034746

On 6/15/06, Vahid Pazirandeh <vpaziran@xxxxxxxxx> wrote:


--- Julian M D <julianmd@xxxxxxxxx> wrote:

clear xlate

-it will close down all current connections - beware



Actually I had tried typing "clear xlate" and that didn't help. Hrm...
-Vahid




On 6/15/06, Vahid Pazirandeh <vpaziran@xxxxxxxxx> wrote:
Hi all,

I noticed that after I made some changes to my access-lists with a PIX
7.1(2),
the rules only applied to new connections being made. The connections that
were already established (like tcp sessions) were unfortunately not
affected.

How can I affect all currently established connections with my new
access-list
rules? Is there a "clear" command that'll do the trick?

Thanks for reading. :-)

-Vahid

=============================================
"Make it better before you make it faster."
=============================================

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



=============================================
"Make it better before you make it faster."
=============================================

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards