PIX 501 - reaching xlate limit?

From: Paul Hutchings (paul_at_spamcop.net)
Date: 05/23/03


Date: 23 May 2003 16:04:10 GMT

Very new to the PIX so please bear with me if I'm not quite up on the
terminology.

Basically we have a bunch of public IPs and a PIX501 in the following
config:

Internet
|
outside x.x.x.x
pix
inside y.y.y.a
|
DMZ Machine 1
(y.y.y.b, y.y.y.c, y.y.y.d, y.y.y.e)
DMZ Machine 2
(y.y.y.f, y.y.y.g, y.y.y.h, y.y.y.i)
DMZ Machine 3
(y.y.y.j)

All the IPs on the y.y.y.0 network are public.

I was told that the 10 user limit would only count on machines initiating
outbound connections, i.e. the three primary public IPs on the three
machines.

I was told that they would not be counted when a machine on the internet
initiates an inbound connection (say http or smtp) and data is sent in
reply.

So, using PDM I set up all my hosts, one per IP address, used static NAT
and set up inbound and outbound ACLs.

All works, however when I do a "show xlate" I get a gradually higher number
as (I presume) external machines connect through the PIX to the various
hosts defined for each public IP.

When the limit hits ten (we have around 18 public IPs bound across the
three physical machines) nothing more can come in until the xlate times
out.

"clear xlate" does what I'd expect; it releases all xlates so the process
begins again.

I suspect I'm either missing something, or the supplier got it wrong (which
is a little troubling as they're a Cisco Gold Partner, not just a box
shifter).

Not sure if my entire config needs listing, can do so if needed.

TIA for any advice,

regards
Paul

-- 
paul <at> spamcop.net