Troubleshooting

If you change an access list, change NAT, or do anything else that can alter what packets are allowed to flow through the firewall, you may not see the results until you execute the clear xlate command.

Xlate is short for translation. A translation is created for every conversation that is active on the PIX. To see what xlates are active on your PIX, use the show xlate command:

PIX#sho xlate
10 in use, 114 most used
PAT Global 10.0.0.5(9364) Local 192.168.1.110(1141)
PAT Global 10.0.0.5(1211) Local 192.168.1.100(3090)
PAT Global 10.0.0.5(1210) Local 192.168.1.100(3089)
PAT Global 10.0.0.5(1209) Local 192.168.1.100(3088)
PAT Global 10.0.0.5(1215) Local 192.168.1.100(3094)
PAT Global 10.0.0.5(1213) Local 192.168.1.100(3092)
PAT Global 10.0.0.5(1212) Local 192.168.1.100(3091)
PAT Global 10.0.0.5(9324) Local 192.168.1.110(1127)
PAT Global 10.0.0.5(1047) Local 192.168.1.100(2958)
Global 10.0.0.11 Local 192.168.1.11

The PAT Global entries are live connections from my PC to the Web. I had a download running through a web browser, plus a few web pages open. The last entry is a static translation resulting from the static configuration entered earlier.

To clear xlates, use the clear xlate command:

PIX#clear xlate

Warning

When you clear xlates, every session on the firewall will be broken, and will need to be rebuilt. If your PIX is protecting an e-commerce web site, transactions will be broken, and customers may become unhappy. Clearing xlates should not be done unless there is ...
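Because clear xlate tears down every translation at once, it helps to know beforehand which inside hosts are carrying live sessions. The following is an added example, not code from the book: a small parser for the show xlate listing above (the sample text is a constructed copy of that listing) that counts PAT sessions per inside host and cross-checks the "in use" header against the entries actually listed.

```python
import re
from collections import Counter

# Constructed sample, copied from the `show xlate` listing in this section.
SAMPLE_XLATE = """\
10 in use, 114 most used
PAT Global 10.0.0.5(9364) Local 192.168.1.110(1141)
PAT Global 10.0.0.5(1211) Local 192.168.1.100(3090)
PAT Global 10.0.0.5(1210) Local 192.168.1.100(3089)
PAT Global 10.0.0.5(1209) Local 192.168.1.100(3088)
PAT Global 10.0.0.5(1215) Local 192.168.1.100(3094)
PAT Global 10.0.0.5(1213) Local 192.168.1.100(3092)
PAT Global 10.0.0.5(1212) Local 192.168.1.100(3091)
PAT Global 10.0.0.5(9324) Local 192.168.1.110(1127)
PAT Global 10.0.0.5(1047) Local 192.168.1.100(2958)
Global 10.0.0.11 Local 192.168.1.11
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
HEADER_RE = re.compile(r"^(\d+) in use, (\d+) most used$")
PAT_RE = re.compile(r"^PAT Global %s\((\d+)\) Local %s\((\d+)\)$" % (IP, IP))
NAT_RE = re.compile(r"^Global %s Local %s$" % (IP, IP))  # one-to-one, no ports


def parse_xlate(text):
    """Return (in_use, most_used, entries) parsed from `show xlate` output."""
    in_use = most_used = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            in_use, most_used = int(m.group(1)), int(m.group(2))
        elif m := PAT_RE.match(line):  # port-level translation: one live session
            entries.append({"type": "PAT", "global": m.group(1), "gport": int(m.group(2)),
                            "local": m.group(3), "lport": int(m.group(4))})
        elif m := NAT_RE.match(line):  # address-level entry (the static xlate above)
            entries.append({"type": "static", "global": m.group(1), "gport": None,
                            "local": m.group(2), "lport": None})
        else:
            raise ValueError("unrecognised xlate line: %r" % line)
    if in_use is not None and in_use != len(entries):
        raise ValueError("header says %d in use, parsed %d" % (in_use, len(entries)))
    return in_use, most_used, entries


def clear_impact(text):
    """Per inside host: live PAT sessions a `clear xlate` would tear down."""
    _, _, entries = parse_xlate(text)
    return dict(Counter(e["local"] for e in entries if e["type"] == "PAT"))
```

Feed it the captured output of show xlate; an empty result means only static entries are present and clearing will not interrupt any active session.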
