Re: PIX 501 - reaching xlate limit?
From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 23 May 2003 17:19:57 GMT
In article <Xns9384ADA4F2037paulhutchingsspamcop@18.104.22.168>,
Paul Hutchings <firstname.lastname@example.org> wrote:
:Very new to the PIX so please bear with me if I'm not quite up on the
:Basically we have a bunch of public IPs and a PIX501 in the following
:I was told that the 10 user limit would only count on machines initiating
:outbound connections, i.e the three primary public IPs on the three
:I was told that they would not be counted when a machine on the internet
:initiates an inbound connection (say http or smtp) and data is sent in
There have been several bugs related to the handling of the
user limit. Make sure that you have checked the Cisco Bug Navigator
for the release you are running. [And make sure in the BN that you
widen the filters to severity 1-6 instead of the default 1-2.]
In PIX 6.2, whatever the -theory- might be about when the
count gets incremented, in -practice- "containers" are generated
for each valid translation destination that makes it through the
incoming ACLs, even if the destination machine does not exist.
The behaviour is fairly easy for us to prove. We have a VPN from our
central office to a remote 501 (PIX 6.2), with open access on some of
the ports. If we nmap the remote network, we will run out of containers
after the 50th IP address [50 user license], even though we have fewer
than 50 machines on the remote network.
-- Would you buy a used bit from this man??
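Added illustration, not code from the thread or from Cisco: a small Python model of the two licence-counting rules the post contrasts. The "theory" counter increments only for inside hosts that initiate outbound connections; the "observed" counter allocates a container for every destination that gets through the inbound ACL, answering host or not, until the licence is exhausted. The subnet, the open ports, the 20 live hosts and the 60-address sweep are constructed values chosen to reproduce the nmap experiment described above (50-user licence, fewer than 50 real machines).

```python
# Constructed model of PIX 501 user-licence counting as described in the post.
# Not PIX software; the subnet, ports and host counts are made up for the example.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

INSIDE_NET = IPv4Network("192.168.10.0/24")   # assumed remote-site subnet behind the 501
ALLOWED_INBOUND_PORTS = frozenset({25, 80})   # assumed "open access on some of the ports"


@dataclass
class PixModel:
    license_hosts: int                      # 10 or 50 on a PIX 501
    live_hosts: frozenset                   # inside addresses that really exist
    containers: set = field(default_factory=set)           # observed (6.2) rule
    outbound_initiators: set = field(default_factory=set)  # "theory" rule

    def inbound(self, dst, dport: int) -> str:
        """Outside host sends a SYN to dst:dport through the inbound ACL.

        Observed rule: any destination that passes the ACL gets a container,
        whether or not a machine answers, until the licence is used up.
        Returns one of 'denied', 'exhausted', 'open', 'no-host'.
        """
        dst = IPv4Address(dst)
        if dst not in INSIDE_NET or dport not in ALLOWED_INBOUND_PORTS:
            return "denied"                  # never reaches the licence logic
        if dst not in self.containers:
            if len(self.containers) >= self.license_hosts:
                return "exhausted"           # licence limit reached: dropped
            self.containers.add(dst)
        return "open" if dst in self.live_hosts else "no-host"

    def outbound(self, src) -> int:
        """Inside host initiates a connection; only this increments the
        'theory' counter from the original question."""
        src = IPv4Address(src)
        if src in self.live_hosts:
            self.outbound_initiators.add(src)
        return len(self.outbound_initiators)


def scan(pix: PixModel, addresses: int, dport: int = 80) -> dict:
    """Sweep the first `addresses` hosts of INSIDE_NET, like an nmap sweep
    from the central office over the VPN, and tally what the model does."""
    tally = {"open": 0, "no-host": 0, "exhausted": 0, "denied": 0}
    for host in list(INSIDE_NET.hosts())[:addresses]:
        tally[pix.inbound(host, dport)] += 1
    tally["containers"] = len(pix.containers)
    tally["theory_count"] = len(pix.outbound_initiators)
    return tally


def reproduce_post(license_hosts: int = 50, live: int = 20, addresses: int = 60) -> dict:
    """The experiment from the post: fewer real machines than the licence,
    yet the sweep exhausts containers after the license_hosts-th address."""
    hosts = list(INSIDE_NET.hosts())
    pix = PixModel(license_hosts, frozenset(hosts[:live]))
    return scan(pix, addresses)


if __name__ == "__main__":
    print(reproduce_post())
```

With the constructed numbers the sweep yields 20 "open", 30 "no-host" and 10 "exhausted" answers: 50 containers are consumed by the first 50 addresses although only 20 machines exist, while the "theory" counter stays at zero because nothing inside initiated anything. The same model with a 10-user licence trips after the 10th address, which is the question the original poster was asking.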