PIX 501 - reaching xlate limit?

From: Paul Hutchings (paul_at_spamcop.net)
Date: 05/23/03

Very new to the PIX so please bear with me if I'm not quite up on the
terminology.

Basically we have a bunch of public IPs and a PIX501 in the following
config:

Internet
|
outside x.x.x.x
pix
inside y.y.y.a
|
DMZ Machine 1
(y.y.y.b, y.y.y.c, y.y.y.d, y.y.y.e)
DMZ Machine 2
(y.y.y.f, y.y.y.g, y.y.y.h, y.y.y.i)
DMZ Machine 3
(y.y.y.j)

All the IPs on the y.y.y.0 network are public.

I was told that the 10 user limit would only count on machines initiating
outbound connections, i.e. the three primary public IPs on the three
machines.

I was told that they would not be counted when a machine on the internet
initiates an inbound connection (say http or smtp) and data is sent in
reply.

So, using PDM I setup all my hosts, one per IP address and used static NAT
and setup inbound and outbound ACLs.

All works, however when I do a "show xlate" I get a gradually higher number
as (I presume) external machines connect through the PIX to the various
hosts defined for each public IP.

When the limit hits ten (we have around 18 public IPs bound across the
three physical machines) nothing more can come in until the xlate times
out.

"clear xlate" does what I'd expect, releases all xlates so the process
begins again.

I suspect I'm either missing something, or the supplier got it wrong (which
is a little troubling as they're a Cisco Gold Partner, not just a box
shifter).

Not sure if my entire config needs listing, can do so if needed.

TIA for any advice,

regards
Paul

-- 
paul <at> spamcop.net
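The configuration the post describes (public addresses on the inside segment, one static translation per address, inbound and outbound ACLs) looks like the following in PIX 6.x CLI syntax. This is an added illustration, not the poster's actual configuration: the address placeholders are the ones used in the post, the interface masks, ACL name and port choices are assumptions, and only two of the statics are written out. The last command shortens the xlate idle timeout from the PIX default of 3 hours, which is the usual first step when translation entries linger long after the connection that created them has ended.

```cisco
! Added example, not from the original post. Placeholders x.x.x.x / y.y.y.*
! follow the post; masks, ACL name and ports are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside x.x.x.x 255.255.255.0
ip address inside y.y.y.a 255.255.255.0

! One identity static per public address on the inside segment. The mapped
! address equals the real address, so nothing is rewritten, but the PIX still
! builds an xlate entry for every host that passes traffic through it.
! Repeat one line per public IP bound on the three machines.
static (inside,outside) y.y.y.b y.y.y.b netmask 255.255.255.255 0 0
static (inside,outside) y.y.y.f y.y.y.f netmask 255.255.255.255 0 0

! Inbound policy: permit only the services each host actually offers.
! (ACL name "outside_in" and the www/smtp mapping are assumed.)
access-list outside_in permit tcp any host y.y.y.b eq www
access-list outside_in permit tcp any host y.y.y.f eq smtp
access-group outside_in in interface outside

! Default xlate idle timeout is 3:00:00; release stale entries sooner.
timeout xlate 0:05:00
```

To see what is being counted, compare the entries listed by "show xlate" against the licensed host count reported by "show version" (the 501 ships with a 10-user license); every distinct inside address that appears in the xlate table is one that the box is tracking, whether or not that host originated the connection.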
