Cisco PIX 515 - Some users/hosts cannot access the internet

Discussion in 'Cisco' started by Jixes, Mar 7, 2006.

  Jixes

    Jixes Guest

    We have a Cisco PIX 515 which has been working fine for the last 3
    years, but recently since doubling the number of hosts (to 20
    hosts/pc's), every time we restart the PIX some of the users will not
    be able to get internet access.

    Sometimes it will be just one host and then another time it will be two
    or three hosts. The hosts that can't get internet access seem to change
    every time the PIX is reset. The PIX has a very simple configuration
    just set up to give users internet access and is not configured for
    VPN/DHCP etc and all the users' host/access rules are set to use ANY
    outside host.

    Does anybody know why this is happening?

    Is it because we only have a pool of 16 useable static IP addresses
    (issued to us by our ISP)?

    Any advice would really be appreciated! Thanks
    Jixes, Mar 7, 2006
  william

    william Guest

    How many user licences do you have?? Maybe a ten user licence?

    That will stop you from allowing everyone to traverse the pix.

    william, Mar 7, 2006
  Jixes

    Jixes Guest

    Thanks for your response William. We have an unlimited user licence,
    detailed below

    Cisco PIX Firewall Version 6.2(2)
    Cisco PIX Device Manager Version 2.0(2)

    Compiled on Fri 07-Jun-02 17:49 by morlee

    Sovrin up 2 hours 49 mins

    Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
    Flash i28F640J5 @ 0x300, 16MB
    BIOS Flash AT29C257 @ 0xfffd8000, 32KB

    0: ethernet0: address is 0001.64ff.ce82, irq 10
    1: ethernet1: address is 0001.64ff.ce83, irq 7
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES: Disabled
    Maximum Interfaces: 3
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited
    Jixes, Mar 7, 2006
  Merv

    Merv Guest

    If you are doing 1-to-1 translation with the 16 ISP-provided addresses,
    then try configuring the overload option on the NAT commands, which will
    use port address translation (PAT or NAPT).
    Merv, Mar 7, 2006
  5. The PIX 501 is the only PIX that has limits on the number of inside
    Walter Roberson, Mar 7, 2006
  Michael Pye

    Michael Pye Guest

    I've seen these symptoms before. In our case we had to lower the xlate
    time. We had a small range of 1-to-1 NATed addresses that each internal
    user would get assigned, and would find that they would all get used up
    and no one else could get internet access. Lowering the xlate time so
    that users who had not accessed the internet, and therefore done no NAT,
    for 30 mins kept the xlate table small enough that it hasn't been a
    problem since.
    timeout xlate 0:30:00
    Keep an eye on what IPs are used with:
    show xlate
    Michael Pye, Mar 7, 2006
  Jixes

    Jixes Guest

    Thanks for the reply. In the GUI interface I have found the xlate
    graph/table under Monitoring > Connection Graphs > Xlates.

    Where can I find the 'xlate' settings you refer to? Would it be under
    System Properties > Advanced > Timeouts and then the connection or
    translation field?

    At the moment all the users/hosts are set to use a dynamic address
    range from 227 to 240. Is the long term solution (as we may add more
    users/hosts to the network) to get a larger address range issued to us
    by our ISP?

    Is there any way to configure the PIX so that external addresses are
    dynamically assigned by our ISP (using their address range) to overcome
    this problem?

    Thanks for all your help.
    Jixes, Mar 7, 2006
  Jixes

    Jixes Guest

    Forgot to mention in my previous post that the majority of users are
    only using the internet and don't need a static IP address route etc.
    They just use the internet for surfing.
    Jixes, Mar 7, 2006
  Merv

    Merv Guest

    You do not need to have one IP address for each active user.

    Switch to port address translation using one of the IP addresses assigned
    by your ISP and be done with it.
    Merv, Mar 7, 2006
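    For readers following the thread, an added illustration (not something Merv, Michael Pye or Jixes posted) of what the change looks like in PIX 6.2 syntax: the per-host dynamic NAT pool that runs out, beside the single-address PAT Merv recommends, with the shorter xlate timeout from Michael Pye's reply. The 203.0.113.x addresses and the netmask are placeholders for the ISP's real block.

```cisco
! Constructed example, not from the thread. 203.0.113.x is a documentation
! prefix standing in for the ISP-assigned block; use the real addresses and
! the ISP's subnet mask in place of 255.255.255.0.

! --- Before: one public address per active inside host (dynamic 1:1 NAT) ---
! nat id 1 matches every inside host; global id 1 hands each one its own
! address from the 14-address pool. The 15th host gets no xlate, and so no
! internet, until an existing entry idles out (default xlate timeout: 3 h).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.227-203.0.113.240 netmask 255.255.255.0
timeout xlate 3:00:00

! --- After: port address translation on a single public address ---
! All inside hosts share 203.0.113.227; connections are told apart by source
! port, so the number of hosts no longer exhausts the pool.
no global (outside) 1 203.0.113.227-203.0.113.240 netmask 255.255.255.0
global (outside) 1 203.0.113.227 netmask 255.255.255.0
! Optional: the shorter idle timeout suggested earlier in the thread, so
! stale entries are reclaimed sooner.
timeout xlate 0:30:00

! Existing translations are not rebuilt when nat/global lines change;
! clear them so hosts pick up the new PAT address.
clear xlate
! Verify: entries should now show a PAT global of 203.0.113.227 with a port.
show xlate
```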
  Jixes

    Jixes Guest

    Thanks Merv,

    I have made the change to the dynamic address pool so that I am
    now working with one IP address with PAT for my address pool for these

    Thanks for your help/advice.

    Kind Regards

    Jixes, Mar 7, 2006
