Cisco PIX 515 - Some users/hosts cannot access the internet

We have a Cisco PIX 515 which has been working fine for the last 3 years, but recently, since doubling the number of hosts (to 20 hosts/PCs), every time we restart the PIX some of the users will not be able to get internet access.

Sometimes it will be just one host and then another time it will be two or three hosts. The hosts that can't get internet access seem to change every time the PIX is reset. The PIX has a very simple configuration, just set up to give users internet access; it is not configured for VPN/DHCP etc., and all the users' host/access rules are set to use ANY outside host (0.0.0.0).

Does anybody know why this is happening?

Is it because we only have a pool of 16 useable static IP addresses (issued to us by our ISP)?

Any Advice really would be appreciated! Thanks

Jixes

How many user licences do you have? Maybe a ten-user licence?

That will stop you from allowing everyone to traverse the pix.

wwalla@ gmail.com

william

Thanks for your response, William. We have an unlimited user licence, detailed below:

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)

Compiled on Fri 07-Jun-02 17:49 by morlee

Sovrin up 2 hours 49 mins

Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0001.64ff.ce82, irq 10
1: ethernet1: address is 0001.64ff.ce83, irq 7

Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
Jixes

If you are doing 1-to-1 translation with the 16 ISP-provided addresses, then try configuring the overload option on the NAT commands, which will use port address translation (PAT or NAPT).

Merv

The PIX 501 is the only PIX that has limits on the number of inside hosts.

Walter Roberson

I've seen these symptoms before. In our case we had to lower the xlate time. We had a small range of 1-1 NATed addresses that each internal user would get assigned, and we would find that they would all get used up and no-one else could get internet access. Lowering the xlate time, so that users who had not accessed the internet (and therefore done no NAT) for 30 mins no longer held an entry, kept the xlate table small enough that it hasn't been a problem since, i.e.:

timeout xlate 0:30:00

Keep an eye on what IPs are used with:

show xlate

-- Michael

Michael Pye

Thanks for the reply. In the GUI interface I have found the xlate graph/table under Monitoring > Connection Graphs > Xlates.

Where can I find the 'xlate' settings you refer to? Would it be under System Properties > Advanced > Timeouts, and then the Connection or Translation field?

At the moment all users/hosts are set to use a dynamic address range from 227 to 240. Is the long-term solution (as we may add more users/hosts to the network) to get a larger address range issued to us by our ISP?

Is there any way to configure the PIX so that external addresses are dynamically assigned by our ISP (using their address range) to overcome this problem?

Thanks for all your help.

Jixes

Forgot to mention in my previous post that the majority of users are only using the internet and don't need a static IP address, route, etc. They just use the internet for surfing.

Jixes

You do not need to have one IP address for each active user.

Switch to port address translation using one of the IP addresses assigned by your ISP and be done with it.

Merv
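For reference, the PIX 6.x commands behind the two suggestions in this thread (Michael's xlate timeout and Merv's switch to PAT), as an added example rather than anything posted by the participants. The 203.0.113.x addresses are placeholders standing in for the ISP-assigned block; the poster's real pool was the .227-.240 range of their own subnet.

```cisco
! Added example, not from the thread. 203.0.113.x is a placeholder for the
! ISP block; the original pool was the .227-.240 range of the poster's subnet.

! --- Before: one-to-one dynamic NAT from a 14-address pool ---
! Every inside host that opens a session takes a whole outside address and
! keeps it until its xlate ages out (default 3:00:00), so the 15th host and
! later get nothing: the "some users randomly lose internet" symptom.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 203.0.113.227-203.0.113.240 netmask 255.255.255.0

! --- After (Merv): PAT on a single ISP address ---
! All inside sessions share one outside address, distinguished by source port.
no global (outside) 1 203.0.113.227-203.0.113.240 netmask 255.255.255.0
global (outside) 1 203.0.113.227 netmask 255.255.255.255
! Or PAT on the outside interface's own address instead:
! global (outside) 1 interface

! --- Alternative: keep the range, fall back to PAT when it is exhausted ---
! With both a range and a single address under the same NAT ID, the PIX
! hands out the range first and switches to PAT once the range runs dry.
! global (outside) 1 203.0.113.227-203.0.113.239 netmask 255.255.255.0
! global (outside) 1 203.0.113.240 netmask 255.255.255.255

! --- Michael's tuning: expire idle translations after 30 minutes ---
timeout xlate 0:30:00

! nat/global changes only apply to new translations; flush the old ones
! (this briefly interrupts existing sessions), then verify.
clear xlate
show xlate
show global
```

With the pool in place, `show xlate` will list at most 14 entries no matter how many hosts are behind the PIX; after the PAT change, it shows one outside address per inside host with differing ports.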

Thanks Merv,

I have made the change to the dynamic address pool so that I am now working with one IP address with PAT for my address pool for these hosts.

Thanks for your help/advice.

Kind Regards

James

Jixes

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.