PIX firewall NATing problem

Hi,

I wonder if anyone has seen something similar before. I'm experiencing a very strange problem, but first briefly about the configuration. I have a PIX 515E v7.0(2) on the front and an ISA Server and a couple of other computers in the DMZ zone. After some time of using the internet through the ISA server, users lose the ability to browse, and there are no incoming SMTP messages either, but other computers in the DMZ can access the internet with no problem. Usually a simple restart of the firewall will fix it. Once I checked the translation state with show xlate and it displayed around 300 PAT translations to the ISA server. I'm not sure if this is normal, but after running clear xlate, clients start browsing the internet again.

What is happening? Any ideas will be appreciated.

Regards, Yuriy.

Yuriy

Try upgrading to the latest version, 7.0.6. 7.0.2 is more than a year old and bug-ridden.

uNiXpSyChO

Can you post the PIX config?

CK

Hi,

Thank you for your reply. Unfortunately not. Company policy does not allow me to do so. But I would appreciate any clues you have.

Regards, Yuriy.

Yuriy

Okay, I understand the confidentiality.

Do you have IP reverse path verify enabled for IP spoofing on both interfaces? What is the idle time for minimum XLATE translation?

CK

CK

Hi,

Thanks again for your help. Yes, reverse path verify is enabled on both interfaces and XLATE timeout is set to 3:00:00.

Regards, Yuriy.

Yuriy

That seems to be okay. Are there any kinds of rules running on any interface, e.g. access-lists, and what are the NAT translations on the PIX?

CK

CK

Try updating the PIX to the latest 7.0(x) release, currently 7.0(5); I vaguely recall some problems which sound like the ones you're experiencing, with early versions of 7.0 code.

Cheers,

Matt

Matthew Melbourne

Hi again,

Thank you to everyone who was involved in the conversation.

I have been out for a while, so I was not able to update this post. However, during my absence there was no problem with the firewall at all. So upgrading IOS to 7.2(1) seems to have fixed the problem!

Thanks again, everyone, for all the help you gave.

Regards, Yuriy

Yuriy