From: MADMAN (dave@interprise.com)
Date: Mon Dec 23 2002 - 18:13:51 GMT-3
If it's a syslog problem you will see an error like this in the PIX log:
%PIX-3-201008: The PIX is disallowing new connections.
Just ran into this and it wasn't so obvious at first!!
One way to avoid this is to send the syslogs to a UDP port, not TCP, so if
your syslog goes down your PIX doesn't go with it!!
dave
Steve Munro wrote:
> Alfred,
>
> My guess would be that the PIX is trying to use TCP syslog to a server that
> is not available. Have you set up a syslog server? Failing that, show us the
> output of show xlate and show logging. Do you have any other interfaces
> configured?
>
> regards,
>
> Steve
>
> -----Original Message-----
> From: Alfred Chin [mailto:chinalfr@attbi.com]
> Sent: 23 December 2002 16:15
> To: Ccielab (E-mail)
> Subject: PIX question/help?
>
>
> I ran into a weird problem while setting up a new PIX. I hope
> someone might have some idea what is wrong with my setting or just the
> hardware.
>
> Basically, I try to use NAT from my inside interface to outside interface.
> Here is a sample config.
>
> ip address outside 216.3.99.2 255.255.255.128
> ip address inside 192.168.0.1 255.255.255.0
> global (outside) 1 216.3.99.3 netmask 255.255.255.128
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 216.3.99.1 1
>
> Here is the problem, the PIX can't perform any NAT/PAT function. Traffic is
> not being NAT/PAT from inside to outside. Turn on debugging on the PIX.
> Here is a log from the debugging.
>
> 111008: User 'enable_15' executed the 'clear logging' command.
> 111009: User 'enable_15' executed cmd: show logging
> 609001: Built local-host inside:192.168.0.226
> 201008: The PIX is disallowing new connections.
> 305006: portmap translation creation failed for tcp src
> inside:192.168.0.226/2265 dst outside:64.58.76.178/80
> 201008: The PIX is disallowing new connections.
> 305006: portmap translation creation failed for tcp src
> inside:192.168.0.226/2265 dst outside:64.58.76.178/80
> 201008: The PIX is disallowing new connections.
> 305006: portmap translation creation failed for tcp src
> inside:192.168.0.226/2265 dst outside:64.58.76.178/80
> 201008: The PIX is disallowing new connections.
> 305006: portmap translation creation failed for tcp src
> inside:192.168.0.226/2266 dst outside:64.58.76.222/80
> 201008: The PIX is disallowing new connections.
> 305006: portmap translation creation failed for tcp src
> inside:192.168.0.226/2266 dst outside:64.58.76.222/80
> 201008: The PIX is disallowing new connections.
> 305006: portmap translation creation failed for tcp src
> inside:192.168.0.226/2266 dst outside:64.58.76.222/80
> 201008: The PIX is disallowing new connections.
> 305006: portmap translation creation failed for tcp src
> inside:192.168.0.226/2267 dst outside:64.58.76.224/80
> 201008: The PIX is disallowing new connections.
> 305006: portmap translation creation failed for tcp src
> inside:192.168.0.226/2267 dst outside:64.58.76.224/80
> 201008: The PIX is disallowing new connections.
>
> This is a PIX 515UR running PIX ver 6.2.2.
>
> Thanks in advance.
>
> Merry Christmas & Happy New Year to all
>
>
> Alfred Chin
>
--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"You don't make the poor richer by making the rich poorer." --Winston Churchill
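Added example, not part of the original thread: a small Python triage script for the symptom discussed above. It re-joins the wrapped 305006 lines, counts 201008 events and failed translations per inside host, and flags 201008 as the cue to check the TCP syslog server. The function names and the result keys are assumptions made for this example.

```python
import re
from collections import Counter

# Excerpt of the log quoted in the thread, trimmed for the example. Each 305006
# entry wraps onto a second line, as in the archived post. The last line is
# constructed to show the %PIX-3- prefixed form from Dave's reply.
SAMPLE_LOG = """\
> 609001: Built local-host inside:192.168.0.226
> 201008: The PIX is disallowing new connections.
> 305006: portmap translation creation failed for tcp src
> inside:192.168.0.226/2265 dst outside:64.58.76.178/80
> 201008: The PIX is disallowing new connections.
> 305006: portmap translation creation failed for tcp src
> inside:192.168.0.226/2266 dst outside:64.58.76.222/80
%PIX-3-201008: The PIX is disallowing new connections.
"""

# Message ID with or without the %PIX-<severity>- prefix (both forms appear above).
MSG_START = re.compile(r"^(?:%PIX-\d-)?(\d{6}): (.*)$")
FLOW = re.compile(r"src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")

def messages(text):
    """Yield (msg_id, body), re-joining wrapped lines and dropping mail quoting."""
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        match = MSG_START.match(line)
        if match:
            if current:
                yield current
            current = (match.group(1), match.group(2))
        elif current and line:
            current = (current[0], current[1] + " " + line)
    if current:
        yield current

def summarize(text):
    """Count 201008 events and failed translations (305006) per inside host."""
    blocked, failed = 0, Counter()
    for msg_id, body in messages(text):
        if msg_id == "201008":
            blocked += 1
        elif msg_id == "305006" and (flow := FLOW.search(body)):
            failed[flow.group(1)] += 1
    # Per the thread, 201008 is the cue to check the TCP syslog server.
    return {"blocked_events": blocked, "failed_by_host": dict(failed),
            "check_tcp_syslog_server": blocked > 0}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```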
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:51 GMT-3