PIX 515E unable to translate internal IP addresses

Unanswered Question
Apr 26th, 2007

For some reason that I can't figure out, a PIX 515E is unable to translate internal IP addresses. I get the following errors:

Apr 25 2007 18:38:54: %PIX-3-305006: portmap translation creation failed for tcp src inside:10.1.1.112/2865 dst outside:198.207.140.31
Apr 25 2007 18:38:54: %PIX-7-609002: Teardown local-host inside:10.1.1.112 duration 0:00:00

Apr 25 2007 18:38:54: %PIX-7-609002: Teardown local-host outside:198.207.140.31 duration 0:00:00

Apr 25 2007 18:38:54: %PIX-7-609001: Built local-host inside:10.1.1.112

Apr 25 2007 18:38:54: %PIX-7-609001: Built local-host outside:63.160.214.20

Apr 25 2007 18:38:54: %PIX-3-305006: portmap translation creation failed for tcp src inside:10.1.1.112/2866 dst outside:63.160.214

Apr 25 2007 18:38:54: %PIX-7-609002: Teardown local-host inside:10.1.1.112 duration 0:00:00

Apr 25 2007 18:38:54: %PIX-7-609002: Teardown local-host outside:63.160.214.20 duration 0:00:00

I am not even able to reach it from the internal router when trying to traceroute an external IP address using the internal PIX address as the next hop.

Attached is the config.

sachinraja Thu, 04/26/2007 - 05:12

Hello mbuyi,


On the nat statements I see the network 10.1.1.0/24 given a nat ID 3, but there are no global statements corresponding to NAT ID 3. Can you change the nat ID of this network to 1 and try this? Or else give a separate global statement for nat ID 3:


global (outside) 3 208.58.x.6


Try this and let us know if this solves your issue.. hope this helps.. all the best.. rate replies if found useful..


Raj

Tshi M Thu, 04/26/2007 - 05:18

Raj,


You have a good point, but I had the same problem when I was using:

global (outside) 1 208.58.x.4-208.58.x.6

global (outside) 1 208.58.x.7


nat (inside) 1 10.0.0.0 255.0.0.0

sachinraja Thu, 04/26/2007 - 05:25

Hello myubi


Try some simple commands.. did you try the following:


nat (inside) 1 10.1.1.0 255.255.255.0

global (outside) 1 208.58.x.7 or

global (outside) 1 interface


This should work for sure... I think in your case, you have a lot of subnets in the main supernet 10.0.0.0/8.. do not give this on the nat inside directly.. give it as specific subnets, which is a good way of configuring...


Try this and let us know if it works.. all the best..


Raj

Tshi M Tue, 05/01/2007 - 07:18

Well, here is what I opted to use:

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0

static (inside,outside) 208.58.x.7 10.1.1.4 netmask 255.255.255.255

static (inside,outside) 208.58.x.8 10.1.1.92 netmask 255.255.255.255


This seems to work fine only for NON-STATIC internal IPs. Both internal IP addresses that are statically NATed are not able to access the Internet or be accessed from the Internet. Everything else works fine.

acomiskey Tue, 05/01/2007 - 10:14

You used a 10.1.1.x address for dmz host in your new static.


static (dmz,outside) 208.58.x.3 10.1.1.92 netmask 255.255.255.255


Your dmz network is 172.16.253.x. You would need something like...


static (dmz,outside) 208.58.x.3 172.16.253.x netmask 255.255.255.255

Tshi M Tue, 05/01/2007 - 10:18

My fault, that is a typo. Here it is:


names

name 172.16.253.200 Polycom description Video conferencing placed in DMZ


static (dmz,outside) 208.58.x.3 Polycom netmask 255.255.255.255

acomiskey Tue, 05/01/2007 - 10:23

Too many x's to know if you allowed traffic in your ACL from-Internet-In.

Tshi M Tue, 05/01/2007 - 10:39

access-list from-Internet-In extended permit tcp any host 208.58.x.2 eq https

access-list from-Internet-In extended permit tcp any host 208.58.x.2 eq www

access-list from-Internet-In extended permit object-group TCP_UDP any host 208.58.x.3 object-group VIDEO

Tshi M Tue, 05/01/2007 - 10:54

This is looking more and more like a bug. I added a second server to the DMZ and I assigned a static IP. Well, once I did that, the server is no longer able to access the Internet.

Global 208.58.x.2 Local 10.1.1.4

Global 208.58.x.3 Local Polycom

Global 208.58.x.4 Local 172.16.253.201


So it does not matter if it is inside or in the DMZ.

Tshi M Tue, 05/01/2007 - 11:34

Well, it was not a bug after all. All I had to do was to enable proxy ARP.

sysopt noproxyarp outside

no sysopt noproxyarp outside


I will do the same thing for the inside:

sysopt noproxyarp inside

no sysopt noproxyarp inside
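The two root causes this thread walks through (a nat ID with no matching global statement, which produces the %PIX-3-305006 "portmap translation creation failed" message, and static translations that stop answering once proxy ARP is disabled on the mapped interface) can both be caught by a quick config audit. The following is an added example written for this page, not code from the thread or from Cisco; it assumes PIX 7.x nat/global/static syntax and uses a constructed config fragment with documentation-range addresses in place of the 208.58.x.x values in the thread.

```python
import re

# Constructed sample PIX config, modelled on the thread: nat ID 3 has no
# global, and proxy ARP is disabled on "outside" while statics map there.
SAMPLE_CONFIG = """\
nat (inside) 1 10.0.0.0 255.0.0.0
nat (inside) 3 10.1.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.7 10.1.1.4 netmask 255.255.255.255
static (dmz,outside) 203.0.113.3 172.16.253.200 netmask 255.255.255.255
sysopt noproxyarp outside
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) ")
NOPROXY_RE = re.compile(r"^sysopt noproxyarp (\S+)$")


def audit_pix_nat(config):
    """Return findings for nat IDs lacking a global and for static
    translations whose mapped interface has proxy ARP disabled."""
    nat_ids, global_ids, statics, noproxy = set(), set(), [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            nat_ids.add(m.group(2))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(m.group(2))
        elif m := STATIC_RE.match(line):
            statics.append((m.group(1), m.group(2), line))
        elif m := NOPROXY_RE.match(line):
            noproxy.add(m.group(1))

    findings = []
    # nat ID 0 is identity NAT / NAT exemption and never needs a global.
    for nid in sorted(nat_ids - global_ids - {"0"}):
        findings.append(f"nat id {nid} has no matching global statement")
    for _real_if, mapped_if, line in statics:
        if mapped_if in noproxy:
            findings.append(
                f"proxy ARP disabled on {mapped_if}; "
                f"static may not answer ARP for its mapped address: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit_pix_nat(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` to spot both mistakes before the portmap failures show up in syslog.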
