Pix Static Entry for Translation List

Discussion in 'Cisco' started by paulriker, Mar 13, 2006.

  1. paulriker

    paulriker Guest

    I have an internal server that periodically is unavailable to outside
    users. When I run SHOW XLATE it does not appear in the list. So I log
    onto that server and go onto the internet. It then appears in the
    translation list.

    What is the command I need to set a static entry in this list?

    paulriker, Mar 13, 2006

  2. There is no way in PIX 6.x to create an entry that will always
    show up in "show xlate".

    A translation created with 'static' is always available to the
    outside, but PIX 6.x will not activate the translation in the
    "show xlate" table until the first time that traffic needs
    the translation, whether that be for incoming or outgoing traffic.
    Once a 'static' translation is built, PIX 6.x will not time
    it out and it will remain in the "show xlate" table until the next
    "clear xlate" or reboot. Until the first traffic, it is a -potential-
    translation, but the PIX does not enter it in the table until the
    first traffic (incoming -or- outgoing.)

    You can also create translations via "nat 0 access-list". If I
    recall correctly (I can't verify this), those translations
    do NOT show up in "show xlate", because in a way the PIX
    considers them to be the opposite of translations.

    Translations can be built via "nat 0" [no "access-list" qualifier];
    I do not recall if those show up in "show xlate" as I never use
    that construct. I -think- these translations do time out, but I
    am not certain. These kinds of translations will -not- be activated
    in response to incoming traffic, only in response to outgoing
    traffic -- but if outgoing traffic has created one of these
    translations, then incoming traffic can make use of that translation
    to create new connections to a server (access-list permitting.)

    Finally, translations can be built via "nat" [with a non-zero policy].
    Those translations *do* time out, and are re-activated by
    traffic going from inside to outside, very much like you are
    describing. These kinds of translations will -not- be activated
    in response to incoming traffic, only in response to outgoing
    traffic, and if outgoing traffic has created one of these
    translations, then the only incoming traffic that can use
    it to create new connections to a server would be from the host
    the outgoing traffic was headed to (and even then, only as
    permitted by access-lists and as managed by "fixup" -- e.g., ftp.)
    Another way of putting that is that except as allowed by "fixup"
    [or one other obscure and dangerous command], outside hosts cannot
    form new connections by making use of an active outgoing translation
    created by "nat" with a non-zero policy number.

    What this leads to is two possible explanations for what you
    are seeing:

    a) that you are using "nat 0" with no access-list qualifier
    and your translations are timing out when there does not happen
    to be any activity for a time; or

    b) that you are using "nat" with a non-zero policy number and
    have outgoing UDP traffic from the server that is activating
    a translation, but sometimes there are pauses in that flow and
    the UDP translation gets timed out after two minutes of inactivity.
    [TCP translations can time out from inactivity too, but the
    timeout is much longer.]

    What you are seeing should not occur if you are using 'static' --
    there are still timeouts with 'static' but you would have
    slightly different symptoms.

    If you intend that outside hosts should be able to form new
    inward connections, then the server should be translated with
    either "static" or "nat 0 access-list".

    If "two minutes of inactivity" rings a bell, then "show timeout"
    and see if the existing values are suitable for your needs.
    Walter Roberson, Mar 13, 2006
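    Added illustration (not configuration posted by either participant): a
    PIX 6.x fragment showing the three translation forms the answer above
    distinguishes, the inbound access-list a server needs alongside them, and
    the timeout values it refers to. All addresses, access-list names and the
    port number are constructed placeholders; the "!" lines are annotations,
    not commands.

```cisco
! Addresses are constructed placeholders (RFC 5737 / RFC 1918), not real ones.

! 1) 'static': permanent, bidirectional translation. Inside 10.1.1.10 is
!    presented as 203.0.113.10. It enters "show xlate" on the first traffic
!    in either direction and is not idle-timed out afterwards.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! 2) 'nat 0 access-list': identity translation. The server keeps its own
!    address on both sides (the outside must be able to route to it), and
!    inbound connections are still possible, access-lists permitting.
access-list NONAT permit ip host 10.1.1.10 any
nat (inside) 0 access-list NONAT

! 3) 'nat' with a non-zero id: dynamic PAT for ordinary clients. Built only
!    by outbound traffic, idle-timed out, and not usable by outside hosts
!    to open new inbound connections. Not a fit for a published server.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! Inbound reachability still requires an explicit permit on the outside
! interface; expose only the service the server must provide.
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside

! The timers the answer mentions: the xlate idle timer and the per-protocol
! connection timers. "udp 0:02:00" is the two-minute UDP idle timeout.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00

! Verification
show timeout
show xlate
show conn
```

    Use "show xlate" after the first inbound or outbound packet to confirm
    that the static entry has been built, and "show timeout" to check whether
    the two-minute UDP value is what is expiring a dynamic translation.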
