From: MADMAN (dave@interprise.com)
Date: Mon Dec 23 2002 - 18:16:24 GMT-3
No bug. The PIX is a security box, and if it can't do something it's
configured to do, it shuts down, fearing the worst. You could liken the
disabling of syslog to a burglar disabling a video camera before doing
the deed.
Dave
Alfred Chin wrote:
> Brian,
>
> I did have a syslog server set up on the PIX. Once I removed the syslog
> settings, the PIX started to do NAT again.
>
> Why can the syslog function on the PIX affect NAT/PAT? Is this a bug?
>
> It's working as of now. But I still wish to set up the syslog function. Any
> recommendations?
>
> Thanks for the help.
>
> Alfred Chin
>
>
>
> ----- Original Message -----
> From: "Brian T. Albert" <brian.albert@worldnet.att.net>
> To: "Sabertech Cisco Training" <haskins@sabertech.net>; "Alfred Chin"
> <chinalfr@attbi.com>; <security@groupstudy.com>
> Sent: Monday, December 23, 2002 1:49 PM
> Subject: RE: PIX Question/Help?
>
>
>
>>Alfred,
>>
>>I have seen this error if you have a syslog server set up in your config
>>using TCP instead of UDP to communicate with it, and you lose connectivity
>>to the syslog server. Such as with:
>>
>>logging on
>>logging host (inside) 192.168.0.100 tcp/1468
>>
>>HTH
>>
>>Brian T. Albert
>>CCIE #9682
>>brian.albert@worldnet.att.net
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>Sabertech Cisco Training
>>Sent: Monday, December 23, 2002 10:49 AM
>>To: Alfred Chin; security@groupstudy.com
>>Subject: RE: PIX Question/Help?
>>
>>
>>Can you supply the entire config?
>>
>>
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>Alfred Chin
>>Sent: Monday, December 23, 2002 8:25 AM
>>To: security@groupstudy.com
>>Subject: PIX Question/Help?
>>
>>
>>I ran into a weird problem while setting up a new PIX. I hope
>>someone might have some idea what is wrong with my settings or just the
>>hardware.
>>
>>Basically, I am trying to use NAT from my inside interface to the outside interface.
>>Here is a sample config.
>>
>>ip address outside 216.3.99.2 255.255.255.128
>>ip address inside 192.168.0.1 255.255.255.0
>>global (outside) 1 216.3.99.3 netmask 255.255.255.128
>>nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>>route outside 0.0.0.0 0.0.0.0 216.3.99.1 1
>>
>>Here is the problem: the PIX can't perform any NAT/PAT function. Traffic is
>>not being NAT/PAT'd from inside to outside. I turned on debugging on the PIX.
>>Here is a log from the debugging.
>>
>>111008: User 'enable_15' executed the 'clear logging' command.
>>111009: User 'enable_15' executed cmd: show logging
>>609001: Built local-host inside:192.168.0.226
>>201008: The PIX is disallowing new connections.
>>305006: portmap translation creation failed for tcp src
>>inside:192.168.0.226/2265 dst outside:64.58.76.178/80
>>201008: The PIX is disallowing new connections.
>>305006: portmap translation creation failed for tcp src
>>inside:192.168.0.226/2265 dst outside:64.58.76.178/80
>>201008: The PIX is disallowing new connections.
>>305006: portmap translation creation failed for tcp src
>>inside:192.168.0.226/2265 dst outside:64.58.76.178/80
>>201008: The PIX is disallowing new connections.
>>305006: portmap translation creation failed for tcp src
>>inside:192.168.0.226/2266 dst outside:64.58.76.222/80
>>201008: The PIX is disallowing new connections.
>>305006: portmap translation creation failed for tcp src
>>inside:192.168.0.226/2266 dst outside:64.58.76.222/80
>>201008: The PIX is disallowing new connections.
>>305006: portmap translation creation failed for tcp src
>>inside:192.168.0.226/2266 dst outside:64.58.76.222/80
>>201008: The PIX is disallowing new connections.
>>305006: portmap translation creation failed for tcp src
>>inside:192.168.0.226/2267 dst outside:64.58.76.224/80
>>201008: The PIX is disallowing new connections.
>>305006: portmap translation creation failed for tcp src
>>inside:192.168.0.226/2267 dst outside:64.58.76.224/80
>>201008: The PIX is disallowing new connections.
>>
>>This is a PIX 515UR running PIX ver 6.2.2.
>>
>>Thanks in advance.
>>
>>Merry Christmas & Happy New Year to all
>>
>>
>>Alfred Chin
--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"You don't make the poor richer by making the rich poorer." --Winston Churchill
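As an added example (not part of the original thread and not Cisco code): a Python triage script that checks a PIX config for a TCP `logging host` and correlates it with the 201008/305006 messages quoted above, re-joining log lines that the mail client wrapped. The function names are hypothetical and the sample input is constructed from the config and log lines shown in the thread.

```python
import re

# Constructed sample input, modelled on the config and log quoted in the thread.
SAMPLE_CONFIG = """\
logging on
logging host (inside) 192.168.0.100 tcp/1468
"""
SAMPLE_LOG = """\
609001: Built local-host inside:192.168.0.226
201008: The PIX is disallowing new connections.
305006: portmap translation creation failed for tcp src
inside:192.168.0.226/2265 dst outside:64.58.76.178/80
201008: The PIX is disallowing new connections.
305006: portmap translation creation failed for tcp src
inside:192.168.0.226/2266 dst outside:64.58.76.222/80
"""

TCP_HOST = re.compile(r"^logging host \((\S+)\) (\S+) tcp/(\d+)", re.M)
MSG_START = re.compile(r"^(\d{6}): (.*)$")
FLOW = re.compile(r"src (\S+) dst (\S+)")

def tcp_syslog_hosts(config):
    """Return (interface, ip, port) for every TCP logging host in the config."""
    return [(i, ip, int(p)) for i, ip, p in TCP_HOST.findall(config)]

def parse_messages(log):
    """Yield (msg_id, text), re-joining lines that were wrapped in transit."""
    current = None
    for line in log.splitlines():
        line = line.lstrip("> ").rstrip()  # tolerate quoted-mail prefixes
        m = MSG_START.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2)]
        elif current and line:
            current[1] += " " + line  # continuation of the previous message
    if current:
        yield tuple(current)

def diagnose(config, log):
    """Correlate a TCP syslog config with the fail-closed symptoms in the log."""
    msgs = list(parse_messages(log))
    blocked = sum(1 for mid, _ in msgs if mid == "201008")
    flows = sorted({FLOW.search(t).groups() for mid, t in msgs
                    if mid == "305006" and FLOW.search(t)})
    hosts = tcp_syslog_hosts(config)
    return {"tcp_hosts": hosts, "blocked_events": blocked, "failed_flows": flows,
            "likely_syslog_fail_closed": bool(hosts) and blocked > 0}
```

A `True` result for `likely_syslog_fail_closed` only says the two conditions from the thread coincide; reachability of the syslog server on the configured TCP port still has to be checked separately.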
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:51 GMT-3