Re: [fw-wiz] PIX 6.1 xlate issues

Hello Shiv--

I recently saw a PIX 515E become so overwhelmed with the number of NAT
translations that it exhausted the memory it had and pretty much stopped
passing traffic until the dynamic NAT table was cleared. It turns out that a
virus on the inside had infected a handful of Billy Boxes and was sending
connection requests on TCP port 445. I solved this by explicitly denying
that outbound destination port.

First of all, do you have an outbound ACL? If not, create one explicitly
permitting the known outbound traffic. If that is still a problem, or you
already do have an outbound ACL, then capture some level 7 logs from the PIX
and have a look. Are there connection requests to ports that you would not

Oh, BTW, I think that I discovered the memory shortage based upon the
show xlate count, a log entry and the show mem output.

On Wed, Aug 20, 2008 at 1:02 AM, B Shivanthan <shivi@xxxxxxxxxxxxxx> wrote:

Hello there,
I am using a PIX 6.1 (I know it's quite old and replacement procedures
are already in place) and facing problems with xlates getting
overwhelmed. I have this firewall serving our corporate network, where I
have a proxy server, SMTP server, DNS server and about 1500 users
browsing the web through the proxy, along with other servers which I do
static NAT on.

Over time, my SMTP server loses connectivity with the DNS server (residing
outside the firewall) for name resolution and the only
remedy to this is to clear the xlate. I've set the xlate timeout to as low
as 30 mins, but the problem still persists.

Does anyone know of any resolution to this problem?

Many thanks


firewall-wizards mailing list
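The log review suggested in the reply above (capture the connection logs and look for inside hosts opening connection requests to ports you would not expect) can be done with a small script. The following is an added example, not code from this thread or from Cisco: it assumes the PIX "%PIX-6-302013: Built outbound TCP connection" syslog format (older 6.1 builds may log a differently worded message, in which case the regular expression needs adjusting), and the sample log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in the 302013 "Built outbound TCP connection"
# format (an assumption about the message layout; not taken from the thread).
def _line(conn_id, dst, dport, src, sport, mapped="203.0.113.2"):
    return (f"%PIX-6-302013: Built outbound TCP connection {conn_id} "
            f"for outside:{dst}/{dport} ({dst}/{dport}) "
            f"to inside:{src}/{sport} ({mapped}/{sport})")

SAMPLE_LOG = "\n".join(
    # one inside host sweeping TCP/445 across many outside addresses
    [_line(1000 + i, f"198.51.100.{i}", 445, "10.1.1.50", 1025 + i) for i in range(1, 9)]
    # the proxy fetching web pages on behalf of users
    + [_line(2000 + i, f"192.0.2.{i}", 80, "10.1.1.10", 3000 + i) for i in range(1, 4)]
    # the SMTP server talking to outside DNS and to a remote mail host
    + [_line(3001, "198.51.100.53", 53, "10.1.1.20", 4001),
       _line(3002, "192.0.2.25", 25, "10.1.1.20", 4002)]
)

# destination is the first interface:addr/port pair, source the second
CONN_RE = re.compile(
    r"%PIX-6-302013: Built outbound TCP connection \d+ "
    r"for \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d./]+\) "
    r"to \w+:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d./]+\)"
)


def parse_connections(log_text):
    """Return a list of (inside_src, outside_dst, dst_port) tuples, one per
    outbound connection line; lines that do not match are skipped."""
    conns = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return conns


def connections_per_port(conns):
    """Total outbound connections per destination port, highest first:
    the quick view of which ports are eating the xlate table."""
    return Counter(dport for _, _, dport in conns).most_common()


def find_sweepers(conns, min_conns=5, min_distinct_dsts=5):
    """Flag inside hosts that open many connections to many distinct outside
    addresses on one port, the pattern of a worm such as the TCP/445 case in
    the reply. Returns (src, dport, connection_count, distinct_destinations)."""
    dsts = defaultdict(set)
    counts = Counter()
    for src, dst, dport in conns:
        dsts[(src, dport)].add(dst)
        counts[(src, dport)] += 1
    return sorted(
        (src, dport, counts[(src, dport)], len(seen))
        for (src, dport), seen in dsts.items()
        if counts[(src, dport)] >= min_conns and len(seen) >= min_distinct_dsts
    )


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    print("connections per destination port:", connections_per_port(conns))
    for src, dport, n, ndst in find_sweepers(conns):
        print(f"{src} opened {n} connections to {ndst} hosts on tcp/{dport}")
```

Run it against a real syslog capture by replacing SAMPLE_LOG with the file contents; the proxy and mail servers in the sample stay below the thresholds because they talk to few destinations, while the host sweeping port 445 is reported. Whatever the script flags is a candidate for cleanup on the inside and, as the reply did, for an explicit deny of that destination port in the outbound ACL.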
