Cisco PIX 515 - Some users/hosts cannot access the internet

Discussion in 'Cisco' started by Jixes, Mar 7, 2006.

  1. Jixes

    Jixes Guest

    We have a Cisco PIX 515 which has been working fine for the last 3
    years, but recently since doubling the number of hosts (to 20
    hosts/pc's), every time we restart the PIX some of the users will not
    be able to get internet access.

    Sometimes it will be just one host and then another time it will be two
    or three hosts. The hosts that can't get internet access seem to change
    every time the PIX is reset. The PIX has a very simple configuration
    just set up to give users internet access and is not configured for
    VPN/DHCP etc and all the users are host/access rules are set to use ANY
    outside host. (0.0.0.0)

    Does anybody know why this is happening?

    Is it because we only have a pool of 16 useable static IP addresses
    (issued to us by our ISP)?

    Any Advice really would be appreciated! Thanks
     
    Jixes, Mar 7, 2006
    #1
    1. Advertisements

  2. Jixes

    william Guest

    How many user licence do you have?? Maybe a ten user license?

    That will stop you from allowing everyone to traverse the pix.

    [email protected] gmail.com
     
    william, Mar 7, 2006
    #2
    1. Advertisements

  3. Jixes

    Jixes Guest

    Thanks for your response William. We have an unlimited user licence,
    detailed below

    Cisco PIX Firewall Version 6.2(2)
    Cisco PIX Device Manager Version 2.0(2)

    Compiled on Fri 07-Jun-02 17:49 by morlee

    Sovrin up 2 hours 49 mins

    Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
    Flash i28F640J5 @ 0x300, 16MB
    BIOS Flash AT29C257 @ 0xfffd8000, 32KB

    0: ethernet0: address is 0001.64ff.ce82, irq 10
    1: ethernet1: address is 0001.64ff.ce83, irq 7
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES: Disabled
    Maximum Interfaces: 3
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited
     
    Jixes, Mar 7, 2006
    #3
  4. Jixes

    Merv Guest

    If you are doing 1 to 1 translation with the 16 ISP-provided addresses,
    then try configuring the overload option on the NAT commands which will
    use port address translation (PAT or NAPT)
     
    Merv, Mar 7, 2006
    #4
  5. The PIX 501 is the only PIX that has limits on the number of inside
    hosts.
     
    Walter Roberson, Mar 7, 2006
    #5
  6. Jixes

    Michael Pye Guest

    I've seen these symptoms before. In our case we had to lower the xlate
    time. We had a small range of 1-1 NATed addresses that each internal
    user would get assigned and would find that they would all get used up
    and no-one else could get internet access. Lowering the xlate time so
    that users who had not accessed the internet and therefore done no NAT
    for 30 mins kept the xlate table small enough so that it hasn't been a
    problem since.
    i.e.
    timeout xlate 0:30:00
    keep an eye on what IPs are used with:
    show xlate
     
    Michael Pye, Mar 7, 2006
    #6
  7. Jixes

    Jixes Guest

    Thanks for the reply. In the GUI interface i have found the xlate
    gragh/table under Monitoring > Connection Graphs > Xlates.

    Where can i find the 'xlate' settings you refer to? Would it be under
    System Properties > Advanced> Timeouts and then the connection or
    translation field?

    At the moment the all users/hosts are used to set a Dynamic address
    range of from 227 to 240. Is the long term solution (as we may add more
    users/hosts to the network) to get a larger address range issued to us
    by our ISP?

    Is there anyway to configure the PIX so that external addresses are
    dynamically assigned by our ISP (using their address range) to overcome
    this problem?

    Thanks for all your help.
     
    Jixes, Mar 7, 2006
    #7
  8. Jixes

    Jixes Guest

    Forgot to mention in my previous post that the majority of users are
    only using the internet and don't need a static IP address route etc.
    They just use the internet for surfing.
     
    Jixes, Mar 7, 2006
    #8
  9. Jixes

    Merv Guest

    You do not need to have one IP address for each active users.

    Switch to port address translation using one of the IP address assigned
    by you ISP and be done with it .
     
    Merv, Mar 7, 2006
    #9
  10. Jixes

    Jixes Guest

    Thanks Merv,

    I have have made the change to the dynamic address pool so that i am
    now working with one IP address with PAT for my address pool for these
    hosts.

    Thanks for your help/advice.

    Kind Regards

    James
     
    Jixes, Mar 7, 2006
    #10
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.