FWSM: Strange xlate and lost connectivity

Discussion in 'Cisco' started by Hoffa, Oct 9, 2007.

  1. Hoffa

    Hoffa Guest

    Hi

    I've had some really weird problems with my FWSM after a migration
    this weekend.
    The network is set up as seen below, "ApplicationNet" and "UserNet"
    have the same security level and I have "same security permit intra
    interface" enabled.

    Internet
    |
    |
    FWSM----ApplicationNet
    |
    |
    UserNet

    I have a static set up to redirect web traffic to a server on our DMZ,
    and this is causing me a lot of problems.
    Suddenly the users from the Internet cannot access the web service and
    neither can anyone on the UserNet.
    I do a show xlate detail and get the following result


    Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
    o - outside, r - portmap, s - static
    1223 in use, 10418 most used
    NAT from INTERNET:217.15.245.131 to INTERNET:217.15.245.131 flags Ii

    I do a clear xlate on the global IP and the same show command then
    gives

    Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
    o - outside, r - portmap, s - static
    1168 in use, 10418 most used
    NAT from DMZ:192.168.144.201 to INTERNET:217.15.245.131 flags si

    And once again the web service is accessible. Then later the same day
    I get the same problem again and can't see anything on the syslogs
    despite running on debug level.

    What's going on here?
    /Fredrik
    Hoffa, Oct 9, 2007
    #1
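
An added example, not part of the original posts: a small Python check that parses `show xlate detail` text and reports when the global address of a static is held by an identity xlate (flags `Ii`) instead of the expected static entry (flags `si`), which is the state the first post describes. The function names and the `EXPECTED` table are hypothetical, and the script assumes the command output has already been collected as text.

```python
import re

# One entry of 'show xlate detail', e.g.
# "NAT from DMZ:192.168.144.201 to INTERNET:217.15.245.131 flags si"
XLATE_RE = re.compile(
    r"NAT from (?P<lif>\S+?):(?P<lip>[\d.]+) to "
    r"(?P<gif>\S+?):(?P<gip>[\d.]+) flags (?P<flags>\w+)")

# The two outputs quoted in the first post (flag legend lines omitted).
BROKEN = """1223 in use, 10418 most used
NAT from INTERNET:217.15.245.131 to INTERNET:217.15.245.131 flags Ii"""
WORKING = """1168 in use, 10418 most used
NAT from DMZ:192.168.144.201 to INTERNET:217.15.245.131 flags si"""

# Assumption: the mapping the static is meant to produce, written by hand.
EXPECTED = {"217.15.245.131": ("DMZ", "192.168.144.201")}

def parse_xlate(output):
    """Return one dict per NAT entry; legend and counter lines are skipped."""
    return [m.groupdict() for m in map(XLATE_RE.search, output.splitlines()) if m]

def check_static(output, expected):
    """Return (global_ip, problem) pairs for entries that differ from expected."""
    by_global = {}
    for e in parse_xlate(output):
        by_global.setdefault(e["gip"], []).append(e)
    findings = []
    for gip, local in expected.items():
        entries = by_global.get(gip)
        if not entries:
            findings.append((gip, "absent"))
            continue
        for e in entries:
            # Flags are case-sensitive: 'I' is identity, 'i' is inside, 's' static.
            if "I" in e["flags"] and "s" not in e["flags"]:
                findings.append((gip, "identity"))
            elif (e["lif"], e["lip"]) != local:
                findings.append((gip, "wrong-local"))
    return findings

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("working", WORKING)):
        print(name, check_static(text, EXPECTED))
```

Run periodically against fresh output, a non-empty result gives a timestamp for when the entry changed, which can then be lined up with syslog.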

  2. Hoffa

    sivakumar

    Joined:
    Sep 25, 2008
    Messages:
    1
    Hi,

    Try nat 0 command on the host

    the syntax is as below

    nat (interface) 0 ---ip_add--- ---mask--- tcp 0 1000

    0 - infinite genuine conn
    1000 - max embryonic connections

    ip_add -- ip address of the host which disconnects often

    give a look on nat 0 command usage..

    try and reply..

    bye...
    sivakumar, Sep 25, 2008
    #2