PIX firewall NATing problem
on 10.11.2006 17:31:40 by Yuriy
Hi,
I wonder if someone has seen something similar before.
I'm experiencing a very strange problem, but first briefly about the
configuration.
I've got a PIX 515E v7.0(2) on the front and an ISA Server and a couple of
other computers in the DMZ zone.
So after some time of using the internet through the ISA server, users lose
the ability to browse, and there are no incoming SMTP messages either, but
other computers in the DMZ can access the internet with no problem.
Usually a simple restart of the firewall will fix it.
Once I checked the translation state with show xlate and it displayed around
300 PAT translations to the ISA server. I'm not sure if this is normal, but
after running clear xlate, clients start browsing the internet again.
What is happening?
Any ideas will be appreciated.
Regards,
Yuriy.
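An added example, not part of the thread and not Cisco's code, of how a defender could watch for the symptom described above without waiting for users to complain: it parses `show xlate` output, counts the PAT slots each local host holds, flags hosts holding far more than their peers, and lists translations that have sat idle for most of their configured timeout (the pattern behind one host accumulating ~300 entries). The line layout with the `flags ... idle ... timeout ...` suffix is an assumption in the PIX 7.x style, and every address in the sample is constructed from the RFC 5737 documentation ranges; the thread itself quotes no `show xlate` output.

```python
import re
from collections import Counter

# Constructed sample in the style of PIX 7.x `show xlate` output. The exact
# column layout is an assumption for this example, and the addresses are
# documentation ranges, not anything from the thread.
SAMPLE_XLATE = """\
5 in use, 312 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
TCP PAT from dmz:192.0.2.10/3201 to outside:203.0.113.5/1024 flags ri idle 0:00:12 timeout 3:00:00
TCP PAT from dmz:192.0.2.10/3202 to outside:203.0.113.5/1025 flags ri idle 2:58:40 timeout 3:00:00
TCP PAT from dmz:192.0.2.10/3203 to outside:203.0.113.5/1026 flags ri idle 2:59:01 timeout 3:00:00
UDP PAT from dmz:192.0.2.20/53 to outside:203.0.113.5/1027 flags ri idle 0:00:03 timeout 0:00:30
TCP PAT from dmz:192.0.2.30/4000 to outside:203.0.113.5/1028 flags ri idle 0:01:10 timeout 3:00:00
"""

# One PAT line: "<proto> PAT from <if>:<local>/<port> to <if>:<global>/<port> [flags] [idle] [timeout]"
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+PAT\s+from\s+"
    r"(?P<in_if>\w+):(?P<local>[\d.]+)/(?P<lport>\d+)\s+to\s+"
    r"(?P<out_if>\w+):(?P<global>[\d.]+)/(?P<gport>\d+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?"
    r"(?:\s+idle\s+(?P<idle>[\d:]+))?"
    r"(?:\s+timeout\s+(?P<timeout>[\d:]+))?\s*$"
)


def hms_to_seconds(value: str) -> int:
    """Convert 'h:mm:ss' (or 'mm:ss') as printed by the PIX into seconds."""
    parts = [int(p) for p in value.split(":")]
    while len(parts) < 3:
        parts.insert(0, 0)
    hours, minutes, seconds = parts
    return hours * 3600 + minutes * 60 + seconds


def parse_xlate(text: str) -> list:
    """Parse PAT lines out of `show xlate` output; the header and flag legend are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "proto": d["proto"],
            "local": d["local"],
            "lport": int(d["lport"]),
            "global": d["global"],
            "gport": int(d["gport"]),
            "flags": d["flags"] or "",
            "idle": hms_to_seconds(d["idle"]) if d["idle"] else None,
            "timeout": hms_to_seconds(d["timeout"]) if d["timeout"] else None,
        })
    return entries


def pat_count_per_host(entries) -> Counter:
    """Number of PAT slots each local host currently holds."""
    return Counter(e["local"] for e in entries)


def hosts_over_threshold(entries, threshold: int) -> list:
    """Local hosts holding more than `threshold` PAT translations, sorted."""
    return sorted(h for h, n in pat_count_per_host(entries).items() if n > threshold)


def nearly_expired(entries, fraction: float = 0.9) -> list:
    """Translations idle for at least `fraction` of their timeout: slots that
    are being held rather than reused, which is how one host piles up entries."""
    return [e for e in entries
            if e["idle"] is not None and e["timeout"]
            and e["idle"] >= fraction * e["timeout"]]


if __name__ == "__main__":
    xl = parse_xlate(SAMPLE_XLATE)
    print(f"{len(xl)} PAT translations parsed")
    for host, n in pat_count_per_host(xl).most_common():
        print(f"  {host}: {n}")
    print("hosts over threshold (2):", hosts_over_threshold(xl, 2))
    for e in nearly_expired(xl):
        print(f"  stale: {e['proto']} {e['local']}/{e['lport']} "
              f"idle {e['idle']}s of {e['timeout']}s")
```

In practice the threshold is tuned from a baseline taken while things work (the per-host count for a proxy like ISA is legitimately higher than for a desktop), and a sustained rise in nearly expired entries for one host is the cue to look at that host's connection handling before reaching for `clear xlate`.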
Re: PIX firewall NATing problem
on 10.11.2006 23:25:03 by uNiXpSyChO
Yuriy wrote:
> Hi,
>
> I wonder if someone has seen something similar before.
> I'm experiencing a very strange problem, but first briefly about the
> configuration.
> I've got a PIX 515E v7.0(2) on the front and an ISA Server and a couple of
> other computers in the DMZ zone.
> So after some time of using the internet through the ISA server, users lose
> the ability to browse, and there are no incoming SMTP messages either, but
> other computers in the DMZ can access the internet with no problem.
> Usually a simple restart of the firewall will fix it.
> Once I checked the translation state with show xlate and it displayed around
> 300 PAT translations to the ISA server. I'm not sure if this is normal, but
> after running clear xlate, clients start browsing the internet again.
>
> What is happening?
> Any ideas will be appreciated.
>
> Regards,
> Yuriy.
>
Try upgrading to the latest version, 7.0.6. 7.0.2 is more than a year
old and bug-ridden.
Re: PIX firewall NATing problem
on 11.11.2006 14:45:30 by NETADMIN
Can you post the PIX config?
Yuriy wrote:
> Hi,
>
> I wonder if someone has seen something similar before.
> I'm experiencing a very strange problem, but first briefly about the
> configuration.
> I've got a PIX 515E v7.0(2) on the front and an ISA Server and a couple of
> other computers in the DMZ zone.
> So after some time of using the internet through the ISA server, users lose
> the ability to browse, and there are no incoming SMTP messages either, but
> other computers in the DMZ can access the internet with no problem.
> Usually a simple restart of the firewall will fix it.
> Once I checked the translation state with show xlate and it displayed around
> 300 PAT translations to the ISA server. I'm not sure if this is normal, but
> after running clear xlate, clients start browsing the internet again.
>
> What is happening?
> Any ideas will be appreciated.
>
> Regards,
> Yuriy.
Re: PIX firewall NATing problem
on 13.11.2006 15:11:38 by Yuriy
Hi,
Thank you for your reply.
Unfortunately not. Company policy does not allow me to do so.
But I would appreciate any clues you have.
Regards,
Yuriy.
CK wrote:
> Can you post the PIX config?
>
>
> Yuriy wrote:
> > Hi,
> >
> > I wonder if someone has seen something similar before.
> > I'm experiencing a very strange problem, but first briefly about the
> > configuration.
> > I've got a PIX 515E v7.0(2) on the front and an ISA Server and a couple of
> > other computers in the DMZ zone.
> > So after some time of using the internet through the ISA server, users lose
> > the ability to browse, and there are no incoming SMTP messages either, but
> > other computers in the DMZ can access the internet with no problem.
> > Usually a simple restart of the firewall will fix it.
> > Once I checked the translation state with show xlate and it displayed around
> > 300 PAT translations to the ISA server. I'm not sure if this is normal, but
> > after running clear xlate, clients start browsing the internet again.
> >
> > What is happening?
> > Any ideas will be appreciated.
> >
> > Regards,
> > Yuriy.
Re: PIX firewall NATing problem
on 13.11.2006 19:16:33 by NETADMIN
Okay, I understand the confidentiality.
Do you have IP reverse path verify enabled for IP spoofing on both the
interfaces?
What is the idle time for minimum XLATE translation?
CK
Yuriy wrote:
> Hi,
>
> Thank you for your reply.
> Unfortunately not. Company policy does not allow me to do so.
> But I would appreciate any clues you have.
>
> Regards,
> Yuriy.
>
> CK wrote:
>
> > Can you post the PIX config?
> >
> >
> > Yuriy wrote:
> > > Hi,
> > >
> > > I wonder if someone has seen something similar before.
> > > I'm experiencing a very strange problem, but first briefly about the
> > > configuration.
> > > I've got a PIX 515E v7.0(2) on the front and an ISA Server and a couple of
> > > other computers in the DMZ zone.
> > > So after some time of using the internet through the ISA server, users lose
> > > the ability to browse, and there are no incoming SMTP messages either, but
> > > other computers in the DMZ can access the internet with no problem.
> > > Usually a simple restart of the firewall will fix it.
> > > Once I checked the translation state with show xlate and it displayed around
> > > 300 PAT translations to the ISA server. I'm not sure if this is normal, but
> > > after running clear xlate, clients start browsing the internet again.
> > >
> > > What is happening?
> > > Any ideas will be appreciated.
> > >
> > > Regards,
> > > Yuriy.
Re: PIX firewall NATing problem
on 14.11.2006 16:50:56 by Yuriy
Hi,
Thanks again for your help.
Yes, reverse path verify is enabled on both interfaces and the XLATE
timeout is set to 3:00:00.
Regards,
Yuriy.
CK wrote:
> Okay, I understand the confidentiality.
>
> Do you have IP reverse path verify enabled for IP spoofing on both the
> interfaces?
> What is the idle time for minimum XLATE translation?
>
>
> CK
>
>
> Yuriy wrote:
> > Hi,
> >
> > Thank you for your reply.
> > Unfortunately not. Company policy does not allow me to do so.
> > But I would appreciate any clues you have.
> >
> > Regards,
> > Yuriy.
> >
> > CK wrote:
> >
> > > Can you post the PIX config?
> > >
> > >
> > > Yuriy wrote:
> > > > Hi,
> > > >
> > > > I wonder if someone has seen something similar before.
> > > > I'm experiencing a very strange problem, but first briefly about the
> > > > configuration.
> > > > I've got a PIX 515E v7.0(2) on the front and an ISA Server and a couple of
> > > > other computers in the DMZ zone.
> > > > So after some time of using the internet through the ISA server, users lose
> > > > the ability to browse, and there are no incoming SMTP messages either, but
> > > > other computers in the DMZ can access the internet with no problem.
> > > > Usually a simple restart of the firewall will fix it.
> > > > Once I checked the translation state with show xlate and it displayed around
> > > > 300 PAT translations to the ISA server. I'm not sure if this is normal, but
> > > > after running clear xlate, clients start browsing the internet again.
> > > >
> > > > What is happening?
> > > > Any ideas will be appreciated.
> > > >
> > > > Regards,
> > > > Yuriy.
Re: PIX firewall NATing problem
on 14.11.2006 19:27:55 by NETADMIN
That seems to be okay.
Are there any kinds of rules running on any interface, e.g. an access-list,
and what are the NAT translations on the PIX?
CK
Yuriy wrote:
> Hi,
>
> Thanks again for your help.
> Yes, reverse path verify is enabled on both interfaces and the XLATE
> timeout is set to 3:00:00.
>
>
> Regards,
> Yuriy.
>
>
>
> CK wrote:
>
> > Okay, I understand the confidentiality.
> >
> > Do you have IP reverse path verify enabled for IP spoofing on both the
> > interfaces?
> > What is the idle time for minimum XLATE translation?
> >
> >
> > CK
> >
> >
> > Yuriy wrote:
> > > Hi,
> > >
> > > Thank you for your reply.
> > > Unfortunately not. Company policy does not allow me to do so.
> > > But I would appreciate any clues you have.
> > >
> > > Regards,
> > > Yuriy.
> > >
> > > CK wrote:
> > >
> > > > Can you post the PIX config?
> > > >
> > > >
> > > > Yuriy wrote:
> > > > > Hi,
> > > > >
> > > > > I wonder if someone has seen something similar before.
> > > > > I'm experiencing a very strange problem, but first briefly about the
> > > > > configuration.
> > > > > I've got a PIX 515E v7.0(2) on the front and an ISA Server and a couple of
> > > > > other computers in the DMZ zone.
> > > > > So after some time of using the internet through the ISA server, users lose
> > > > > the ability to browse, and there are no incoming SMTP messages either, but
> > > > > other computers in the DMZ can access the internet with no problem.
> > > > > Usually a simple restart of the firewall will fix it.
> > > > > Once I checked the translation state with show xlate and it displayed around
> > > > > 300 PAT translations to the ISA server. I'm not sure if this is normal, but
> > > > > after running clear xlate, clients start browsing the internet again.
> > > > >
> > > > > What is happening?
> > > > > Any ideas will be appreciated.
> > > > >
> > > > > Regards,
> > > > > Yuriy.
Re: PIX firewall NATing problem
on 03.12.2006 15:55:01 by unknown
Post removed (X-No-Archive: yes)
Re: PIX firewall NATing problem
on 02.01.2007 14:34:16 by Yuriy
Hi again,
Thank you to everyone who was involved in the conversation.
I have been out for a while, so I was not able to update this post.
However, since my absence there has been no problem with the firewall at all.
So upgrading the IOS to 7.2(1) seems to have fixed the problem!
Thanks again everyone for all the help you gave.
Regards,
Yuriy
CK wrote:
> That seems to be okay.
> Are there any kinds of rules running on any interface, e.g. an access-list,
> and what are the NAT translations on the PIX?
>
>
>
> CK
>
> Yuriy wrote:
> > Hi,
> >
> > Thanks again for your help.
> > Yes, reverse path verify is enabled on both interfaces and the XLATE
> > timeout is set to 3:00:00.
> >
> >
> > Regards,
> > Yuriy.
> >
> >
> >
> > CK wrote:
> >
> > > Okay, I understand the confidentiality.
> > >
> > > Do you have IP reverse path verify enabled for IP spoofing on both the
> > > interfaces?
> > > What is the idle time for minimum XLATE translation?
> > >
> > >
> > > CK
> > >
> > >
> > > Yuriy wrote:
> > > > Hi,
> > > >
> > > > Thank you for your reply.
> > > > Unfortunately not. Company policy does not allow me to do so.
> > > > But I would appreciate any clues you have.
> > > >
> > > > Regards,
> > > > Yuriy.
> > > >
> > > > CK wrote:
> > > >
> > > > > Can you post the PIX config?
> > > > >
> > > > >
> > > > > Yuriy wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I wonder if someone has seen something similar before.
> > > > > > I'm experiencing a very strange problem, but first briefly about the
> > > > > > configuration.
> > > > > > I've got a PIX 515E v7.0(2) on the front and an ISA Server and a couple of
> > > > > > other computers in the DMZ zone.
> > > > > > So after some time of using the internet through the ISA server, users lose
> > > > > > the ability to browse, and there are no incoming SMTP messages either, but
> > > > > > other computers in the DMZ can access the internet with no problem.
> > > > > > Usually a simple restart of the firewall will fix it.
> > > > > > Once I checked the translation state with show xlate and it displayed around
> > > > > > 300 PAT translations to the ISA server. I'm not sure if this is normal, but
> > > > > > after running clear xlate, clients start browsing the internet again.
> > > > > >
> > > > > > What is happening?
> > > > > > Any ideas will be appreciated.
> > > > > >
> > > > > > Regards,
> > > > > > Yuriy.