Pix Static Entry for Translation List

I have an internal server that periodically is unavailable to outside users. When I run SHOW XLATE it does not appear in the list. So I log onto that server and go onto the internet. It then appears in the translation list.

What is the command I need to set a static entry in this list?

Thanks

paulriker

There is no way in PIX 6.x to create an entry that will always show up in "show xlate".

A translation created with 'static' is always available to the outside, but PIX 6.x will not activate the translation in the "show xlate" table until the first time that traffic needs the translation, whether that be for incoming or outgoing traffic. Once a 'static' translation is built, PIX 6.x will not time it out and it will remain in the "show xlate" table until the next "clear xlate" or reboot. Until the first traffic, it is a -potential- translation, but the PIX does not enter it in the table until the first traffic (incoming -or- outgoing.)

You can also create translations via "nat 0 access-list". If I recall correctly (I can't verify this), those translations do NOT show up in "show xlate", because in a way the PIX considers them to be the opposite of translations.

Translations can be built via "nat 0" [no "access-list" qualifier]; I do not recall if those show up in "show xlate" as I never use that construct. I -think- these translations do time out, but I am not certain. These kinds of translations will -not- be activated in response to incoming traffic, only in response to outgoing traffic -- but if outgoing traffic has created one of these translations, then incoming traffic can make use of that translation to create new connections to a server (access-list permitting.)

Finally, translations can be built via "nat" [with a non-zero policy]. Those translations *do* time out, and are re-activated by traffic going from inside to outside, very much like you are describing. These kinds of translations will -not- be activated in response to incoming traffic, only in response to outgoing traffic, and if outgoing traffic has created one of these translations, then the only incoming traffic that can use it to create new connections to a server would be from the host the outgoing traffic was headed to (and even then, only as permitted by access-lists and as managed by "fixup" -- e.g., ftp.) Another way of putting that is that except as allowed by "fixup" [or one other obscure and dangerous command], outside hosts cannot form new connections by making use of an active outgoing translation created by "nat" with a non-zero policy number.

What this leads to is two possible explanations for what you are seeing:

a) that you are using "nat 0" with no access-list qualifier and your translations are timing out when there does not happen to be any activity for a time; or

b) that you are using "nat" with a non-zero policy number and have outgoing UDP traffic from the server that is activating a translation, but sometimes there are pauses in that flow and the UDP translation gets timed out after two minutes of inactivity. [TCP translations can time out from inactivity too, but the timeout is much longer.]

What you are seeing should not occur if you are using 'static' -- there are still timeouts with 'static' but you would have slightly different symptoms.

If you intend that outside hosts should be able to form new inward connections, then the server should be translated with either "static" or "nat 0 access-list".

If "two minutes of inactivity" rings a bell, then "show timeout" and see if the existing values are suitable for your needs.

Walter Roberson
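The three translation forms discussed in the reply, side by side in PIX 6.x syntax, as an added configuration example that is not part of the thread. The interface names, the inside address 10.1.1.10, the outside address 203.0.113.10 and the access-list names are assumed placeholders.

```text
! --- Form that matches the symptom: "nat" with a non-zero policy number.
! The xlate is only built by OUTGOING traffic from the server and is
! timed out after inactivity (UDP default 2 minutes), so it drops out
! of "show xlate" and outside hosts cannot open new inbound connections.
nat (inside) 1 10.1.1.10 255.255.255.255
global (outside) 1 interface

! --- Recommended form 1: a one-to-one "static".
! Always reachable from outside; the xlate appears in "show xlate" on the
! first packet in either direction and is not timed out afterwards.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0

! --- Recommended form 2: identity NAT with "nat 0 access-list".
! The server keeps its own address on the outside and inbound
! connections are possible; these entries are not listed in "show xlate".
access-list NONAT permit ip host 10.1.1.10 any
nat (inside) 0 access-list NONAT

! Either recommended form still needs an inbound access-list; the static
! form is shown here, exposing only the service that must be reachable.
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq 80
access-group OUTSIDE_IN in interface outside

! --- Checking the timers the reply refers to.
! "show timeout" prints the current values; the defaults below are the
! ones that produce the two-minute UDP and one-hour TCP idle behaviour.
! show timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
```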
