[c-nsp] FWSM v2.3.3 NAT issue

Brett Looney brett at looney.id.au
Thu Dec 29 18:58:42 EST 2005


Josh,

At 03:16 30/12/2005, you wrote:
> > As a side note, one of the most annoying things about the
> > PIX/FWSM is that cisco *recommends* that you do a "clear
> > xlate" after changing any NAT rules or anything associated
> > with them. That's just crazy - it drops all of the user
> > sessions running through the box - and in this case the
> > customer is a 24x7x365 operation - getting a window to do a
> > "clear xlate" is next to impossible. Surely the software can
> > be smart enough to figure out what to clear without dropping
> > all the sessions. Bah! ;-)
>
>Just to check, are you aware of and using the 'clear xlate local <ip>'
>or 'clear xlate global <ip>' syntax?  If there are existing translations
>and you make a NAT change you do need to clear that translation, but not
>all of them.

Yeah - I do know about that and it is handy in a lot of situations, 
except where we've got a few hundred hosts running through the box. 
But you're right, it does solve some of the problems. Still, it would 
be nice for the software to figure it out for you...

Thanks!

B. 
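
[Added example, not part of the thread above and not code from either poster or from Cisco. It shows the targeted approach Josh describes, automated for the "few hundred hosts" case: given the "static" lines before and after a NAT change and the output of "show xlate", it emits "clear xlate local <ip>" only for hosts whose mapping changed AND that currently hold a translation, instead of a blanket "clear xlate". All addresses and both config snippets are constructed; the "show xlate" line format follows the PIX 6.x / FWSM 2.x style from memory and is treated as an assumption, so adjust the regex if your box prints it differently.]

```python
import re
from typing import Dict, List

# Constructed sample data (not captured from a real FWSM). PIX 6.x / FWSM 2.x
# syntax: static (inside,outside) <global> <local> netmask <mask> ...
OLD_STATICS = """\
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255 0 0
"""
NEW_STATICS = """\
static (inside,outside) 203.0.113.20 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.50 10.1.1.50 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.99 10.1.1.99 netmask 255.255.255.255 0 0
"""
# Constructed "show xlate" output in the PIX 6.x style (assumed format):
# one line per translation, PAT entries carry the port in parentheses.
SHOW_XLATE = """\
4 in use, 12 most used
Global 203.0.113.10 Local 10.1.1.10
Global 203.0.113.11 Local 10.1.1.11
PAT Global 203.0.113.1(1024) Local 10.1.1.50(3000)
PAT Global 203.0.113.1(1025) Local 10.1.1.51(3001)
"""

STATIC_RE = re.compile(r"^static\s+\([^)]+\)\s+(\S+)\s+(\S+)")
XLATE_RE = re.compile(
    r"^(?:PAT\s+)?Global\s+(\S+?)(?:\(\d+\))?\s+Local\s+(\S+?)(?:\(\d+\))?\s*$"
)


def parse_statics(config: str) -> Dict[str, str]:
    """Map local IP -> global IP from the 'static' lines of a config."""
    mapping: Dict[str, str] = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            mapping[m.group(2)] = m.group(1)  # group 1 = global, 2 = local
    return mapping


def parse_xlates(show_xlate: str) -> Dict[str, str]:
    """Map each local IP holding an active translation to its global IP.

    A host with several PAT entries collapses to one dict entry; only the
    set of local IPs matters for deciding what to clear.
    """
    active: Dict[str, str] = {}
    for line in show_xlate.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            active[m.group(2)] = m.group(1)
    return active


def stale_hosts(old_cfg: str, new_cfg: str, show_xlate: str) -> List[str]:
    """Local IPs whose static mapping was added, removed or changed and
    that still hold a translation built under the old rules."""
    old, new = parse_statics(old_cfg), parse_statics(new_cfg)
    active = parse_xlates(show_xlate)
    changed = {ip for ip in set(old) | set(new) if old.get(ip) != new.get(ip)}
    return sorted(ip for ip in changed if ip in active)


def clear_commands(old_cfg: str, new_cfg: str, show_xlate: str) -> List[str]:
    """The targeted 'clear xlate local' commands to paste into the FWSM."""
    return ["clear xlate local %s" % ip
            for ip in stale_hosts(old_cfg, new_cfg, show_xlate)]


if __name__ == "__main__":
    for cmd in clear_commands(OLD_STATICS, NEW_STATICS, SHOW_XLATE):
        print(cmd)
```

With the constructed data this prints only two commands (for 10.1.1.10, whose global address changed, and 10.1.1.50, which moves from PAT to a static); 10.1.1.11 is untouched because its mapping is unchanged, and 10.1.1.99 gets nothing because it has no translation yet. The per-host clear still drops that host's sessions through the box, so the saving is in scope, not in zero impact.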
