Re: PIX 501 - reaching xlate limit?

From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 05/23/03

Next message: Duane Arnold: "Re: Mailserver Firewall"
Previous message: Clouse: "Re: Mailserver Firewall"
In reply to: Paul Hutchings: "PIX 501 - reaching xlate limit?"
Next in thread: Cable606: "Re: PIX 501 - reaching xlate limit?"
Reply: Cable606: "Re: PIX 501 - reaching xlate limit?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 23 May 2003 17:19:57 GMT

In article <Xns9384ADA4F2037paulhutchingsspamcop@130.133.1.4>,
Paul Hutchings <paul@spamcop.net> wrote:
:Very new to the PIX so please bear with me if I'm not quite up on the
:terminology.

:Basically we have a bunch of public IPs and a PIX501 in the following

:I was told that the 10 user limit would only count on machines initiating
:outbound connections, i.e the three primary public IPs on the three
:machines.

:I was told that they would not be counted when a machine on the internet
:initiates an inbound connection (say http or smtp) and data is sent in
:reply.

There have been several bugs related to the handling of the
user limit. Make sure that you have checked the Cisco Bug Navigator
for the release you are running. [And make sure in the BN that you
widen the filters to severity 1-6 instead of the default 1-2.]

In PIX 6.2, whatever the -theory- might be about when the
count gets incremented, in -practice- "containers" are generated
for each valid translation destination that makes it through the
incoming ACLs, even if the destination machine does not exist.

The behaviour is fairly easy for us to prove. We hae a VPN from our
central office to a remote 501 (PIX 6.2), with open access on some of
the ports. If we nmap the remote network, we will run out of containers
after the 50th IP address [50 user license], even though we have fewer
than 50 machines on the remote network.

-- 
Would you buy a used bit from this man??

Next message: Duane Arnold: "Re: Mailserver Firewall"
Previous message: Clouse: "Re: Mailserver Firewall"
In reply to: Paul Hutchings: "PIX 501 - reaching xlate limit?"
Next in thread: Cable606: "Re: PIX 501 - reaching xlate limit?"
Reply: Cable606: "Re: PIX 501 - reaching xlate limit?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

general vlan questions
... PIX 506 at 6.3. ... I am curious about VLANS (I'm not a network admin, ... a DMZ subnet, a wireless subnet, and a subnet for a group ... I do not want the guest machines to ever reach the inside ...
(comp.dcom.sys.cisco)
Re: Too many firewalls?
... > can't see it on my network places. ... If you just had the PIX 501 connected to the modem and nothing else, ... 501 would use the ISP's DNS servers, the machines connected to the PIX, ... So what that there are three or four machines that the PIX is protecting, ...
(comp.security.firewalls)
File sharing across 2 PIX 501s with NAT
... I have a LAN behind a PIX 501 (PIX-01) with all internal ... I want the LAN machines to be able to access file shares on the servers ...
(comp.dcom.sys.cisco)
WinXP Pro 10 user limit question
... I've got a 10 user limit problem... ... I have 15 computers, all running Pro, and peer-to-peer networked as a single ... workgroup into a single linksys router that hooks into a fractional T1. ... application that 10 other machines access constantly and that the remaining ...
(microsoft.public.windowsxp.network_web)
Re: Windows update behind cisco pix
... If some machines are working and some aren't, it mostly likely is not your ... We use a PIX, and have never had any issues with any of our servers or ... computers running Windows Update, and we don't have any special ports opened ... | I would get "unable to verify publisher on activeX" then Got error 0X8dddd ...
(microsoft.public.windowsupdate)