Firewall Wizards mailing list archives

Re: PIX 6.1 xlate issues


From: "Christopher J. Wargaski" <wargo1 () gmail com>
Date: Thu, 4 Sep 2008 00:14:42 -0500

Hello Shiv--

   I recently saw a PIX 515E become so overwhelmed with the number of NAT
translations that it exhausted the memory it had and pretty much stopped
passing traffic until the dynamic NAT table was cleared. It turns out that a
virus on the inside had infected a handful of Billy Boxes and was sending
connection requests on TCP port 445. I solved this by explicitly denying
that outbound destination port.

   First of all, do you have an outbound ACL? If not, create one explicitly
permitting the known outbound traffic. If that is still a problem, or you
already do have an outbound ACL, then capture some level 7 logs from the PIX
and have a look. Are there connection requests to ports that you would not
expect?

   Oh, BTW, I think that I discovered the memory shortage based upon the
show xlate count, a log entry and the show mem output.

On Wed, Aug 20, 2008 at 1:02 AM, B Shivanthan <shivi () batelco com bh> wrote:

 Hello there,
I am using a PIX 6.1 (I know it's quite old and replacement procedures are
already in place) and facing problems with xlates getting
overwhelmed. I have this firewall serving our corporate network, where I
have a proxy server, SMTP server, DNS server and about 1500 users
browsing the web through the proxy, along with other servers which I do
static NAT on.

Over time, my SMTP server loses connectivity with the DNS server (residing
outside the firewall) for name resolution, and the only
remedy is to clear the xlates. I've set the xlate timeout to as low
as 30 minutes, but the problem still persists.

Does anyone know of any resolution to this problem?

Many thanks

Regards
Shiv


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


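An added example (not code from the thread or from either poster) of the log triage Chris describes: pull the outbound connection-build records out of PIX syslog, count them by destination port and by inside host, and flag the ports you did not expect and the hosts that are fanning out to many destinations on one port, which is what a worm scanning TCP/445 looks like from the firewall's side. The sample lines are constructed, in the PIX 6.x "Built outbound TCP connection" format (syslog ID 302001, severity 6, with faddr/gaddr/laddr fields); if your PIX emits a different format, adjust the regex. The threshold values and the list of expected ports are assumptions for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed sample PIX 6.x syslog lines (not taken from the thread).
# 302001 = outbound connection built (level 6), 302002 = teardown.
SAMPLE_LOG = """\
Sep  3 23:58:01 fw %PIX-6-302001: Built outbound TCP connection 1001 for faddr 198.51.100.10/25 gaddr 203.0.113.5/1025 laddr 10.0.0.20/3301
Sep  3 23:58:01 fw %PIX-6-302001: Built outbound TCP connection 1002 for faddr 203.0.113.77/445 gaddr 203.0.113.5/1026 laddr 10.0.0.41/1090
Sep  3 23:58:01 fw %PIX-6-302001: Built outbound TCP connection 1003 for faddr 203.0.113.78/445 gaddr 203.0.113.5/1027 laddr 10.0.0.41/1091
Sep  3 23:58:02 fw %PIX-6-302001: Built outbound TCP connection 1004 for faddr 203.0.113.79/445 gaddr 203.0.113.5/1028 laddr 10.0.0.41/1092
Sep  3 23:58:02 fw %PIX-6-302001: Built outbound TCP connection 1005 for faddr 198.51.100.53/53 gaddr 203.0.113.5/1029 laddr 10.0.0.20/3302
Sep  3 23:58:02 fw %PIX-6-302001: Built outbound TCP connection 1006 for faddr 203.0.113.80/445 gaddr 203.0.113.5/1030 laddr 10.0.0.41/1093
Sep  3 23:58:03 fw %PIX-6-302001: Built outbound TCP connection 1007 for faddr 198.51.100.10/80 gaddr 203.0.113.5/1031 laddr 10.0.0.30/2000
Sep  3 23:58:03 fw %PIX-6-302002: Teardown TCP connection 1001 faddr 198.51.100.10/25 gaddr 203.0.113.5/1025 laddr 10.0.0.20/3301 duration 0:00:02 bytes 512 (TCP FINs)
"""

# Only "Built outbound" records matter for counting new xlates/connections;
# teardown lines (302002) are deliberately not matched.
BUILT_RE = re.compile(
    r"%PIX-6-302001: Built outbound TCP connection \d+ for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
)

# Assumed "known good" outbound ports for this demo network.
EXPECTED_PORTS = (25, 53, 80, 443)


def parse_outbound(text):
    """Yield (inside_host, dest_ip, dest_port) for each outbound build line."""
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            yield m["laddr"], m["faddr"], int(m["fport"])


def summarize(text, expected_ports=EXPECTED_PORTS):
    """Return (builds per dest port, builds per host per port, unexpected ports)."""
    by_port = Counter()
    by_host_port = defaultdict(Counter)
    for host, _dst, port in parse_outbound(text):
        by_port[port] += 1
        by_host_port[host][port] += 1
    unexpected = {p: n for p, n in by_port.items() if p not in expected_ports}
    return by_port, by_host_port, unexpected


def noisy_hosts(text, port, threshold):
    """Inside hosts with more than `threshold` outbound builds to `port`."""
    _, by_host_port, _ = summarize(text)
    return sorted(h for h, c in by_host_port.items() if c[port] > threshold)


def scanners(text, port, min_distinct):
    """Inside hosts that hit at least `min_distinct` distinct destinations on `port`.

    Many distinct destinations on one port from one host is the worm/scan
    pattern; a legitimate client usually talks to a few servers repeatedly.
    """
    dests = defaultdict(set)
    for host, dst, p in parse_outbound(text):
        if p == port:
            dests[host].add(dst)
    return sorted(h for h, d in dests.items() if len(d) >= min_distinct)


if __name__ == "__main__":
    by_port, by_host_port, unexpected = summarize(SAMPLE_LOG)
    print("builds per destination port:", dict(by_port))
    print("unexpected ports:", unexpected)
    for port in unexpected:
        print(f"hosts scanning tcp/{port}:", scanners(SAMPLE_LOG, port, 3))
```

Run it against a real capture by replacing SAMPLE_LOG with the contents of your syslog file. On a PIX 6.x, `logging trap 6` (informational) is enough to get the 302001 build records to a syslog server; you do not need full debugging (level 7) for this count, and level 7 will itself load a busy box. Once the offending port is known, the fix Chris applied is an outbound access-list on the inside interface that denies that port and permits only the known services, e.g. `access-list outbound deny tcp any any eq 445` followed by the permits and `access-group outbound in interface inside`; confirm the effect with `show xlate count` before and after.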