Firewall Wizards mailing list archives

Re: PIX: immediately applying access rules to established connections


From: "Julian M D" <julianmd () gmail com>
Date: Thu, 15 Jun 2006 15:00:29 -0400

Strange.

Usage Guidelines
The clear xlate command clears the contents of the translation slots
("xlate" refers to the translation slot). Translation slots can
persist after key changes have been made. Always use the clear xlate
command after adding, changing, or removing the aaa-server,
access-list, alias, global, nat, route, or static commands in your
configuration.

An xlate describes a NAT or PAT session. These sessions can be viewed
with the show xlate command with the detail option. There are two
types of xlates: static and dynamic.

A static xlate is a persistent xlate that is created using the static
command. Static xlates can only be removed by removing the static
command from the configuration; the clear xlate does not remove the
static translation rule. If you remove a static command from the
configuration, preexisting connections that use the static rule can
still forward traffic. Use the clear local-host to deactivate these
connections.

A dynamic xlate is an xlate that is created on demand with traffic
processing (through the nat or global command). The clear xlate
removes dynamic xlates and their associated connections. You can also
use the clear local-host command to clear the xlate and associated
connections. If you remove a nat or a global command from the
configuration, the dynamic xlate and associated connections may remain
active. Use the clear xlate or the clear local-host command to remove
these connections.

Examples
The following example shows how to clear the current translation and
connection slot information:

hostname# clear xlate global

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/c3_711.htm#wp2034746

On 6/15/06, Vahid Pazirandeh <vpaziran () yahoo com> wrote:


--- Julian M D <julianmd () gmail com> wrote:

clear xlate

-it will close down all current connections - beware



Actually I had tried typing "clear xlate" and that didn't help.  Hrm...
-Vahid




On 6/15/06, Vahid Pazirandeh <vpaziran () yahoo com> wrote:
Hi all,

I noticed that after I made some changes to my access-lists with a PIX 7.1(2),
the rules only applied to new connections being made.  The connections that
were already established (like tcp sessions) were unfortunately not affected.

How can I affect all currently established connections with my new access-list
rules?  Is there a "clear" command that'll do the trick?

Thanks for reading. :-)

-Vahid

=============================================
 "Make it better before you make it faster."
=============================================

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
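
An added example, not part of the original thread or of Cisco's documentation: instead of a blanket "clear xlate", which drops every current connection, this Python sketch reads saved "show conn" output and lists only the inside hosts whose established connections a newly added deny rule would block, emitting one "clear local-host" command per host. Assumptions: the sample lines are constructed and follow the usual PIX 7.x "show conn" layout, the deny rule and all function names are hypothetical, and the regex may need adjusting for other software versions.

```python
import ipaddress
import re

# Constructed sample, laid out like PIX 7.x `show conn` output (not real data).
SHOW_CONN = """\
3 in use, 12 most used
TCP out 198.51.100.20:22 in 10.1.1.15:1026 idle 0:00:22 bytes 1774 flags UIO
TCP out 203.0.113.7:80 in 10.1.1.40:3345 idle 0:00:03 bytes 90211 flags UIO
UDP out 198.51.100.53:53 in 10.1.1.15:1028 idle 0:00:01 flags -
"""

# Hypothetical new deny rules: (protocol, outside network, outside port or None for any).
NEW_DENIES = [("tcp", "198.51.100.0/24", 22)]

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) "
)


def parse_conns(text):
    """Return (proto, outside_ip, outside_port, inside_ip) for each connection line."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:  # header and unrecognised lines are skipped
            conns.append((m["proto"].lower(),
                          ipaddress.ip_address(m["out_ip"]),
                          int(m["out_port"]),
                          ipaddress.ip_address(m["in_ip"])))
    return conns


def stale_hosts(text, denies):
    """Inside hosts that still hold a connection the new deny rules would block."""
    hosts = set()
    for proto, out_ip, out_port, in_ip in parse_conns(text):
        for d_proto, d_net, d_port in denies:
            if (proto == d_proto
                    and out_ip in ipaddress.ip_network(d_net)
                    and d_port in (None, out_port)):
                hosts.add(str(in_ip))
    return sorted(hosts)


def clear_commands(text, denies):
    """One targeted `clear local-host` per affected inside host."""
    return [f"clear local-host {h}" for h in stale_hosts(text, denies)]


if __name__ == "__main__":
    print("\n".join(clear_commands(SHOW_CONN, NEW_DENIES)))
```

Review the generated commands before pasting them into the firewall; each one tears down every connection of the named host, not just the one that matched.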
