PIX 515E unable to translate internal IP addresses

Tshi M
Level 5

For some reason that I can't figure out, a PIX 515E is unable to translate internal IP addresses. I get the following errors:

Apr 25 2007 18:38:54: %PIX-3-305006: portmap translation creation failed for tcp src inside:10.1.1.112/2865 dst outside:198.207.140.31

Apr 25 2007 18:38:54: %PIX-7-609002: Teardown local-host inside:10.1.1.112 duration 0:00:00

Apr 25 2007 18:38:54: %PIX-7-609002: Teardown local-host outside:198.207.140.31 duration 0:00:00

Apr 25 2007 18:38:54: %PIX-7-609001: Built local-host inside:10.1.1.112

Apr 25 2007 18:38:54: %PIX-7-609001: Built local-host outside:63.160.214.20

Apr 25 2007 18:38:54: %PIX-3-305006: portmap translation creation failed for tcp src inside:10.1.1.112/2866 dst outside:63.160.214

Apr 25 2007 18:38:54: %PIX-7-609002: Teardown local-host inside:10.1.1.112 duration 0:00:00

Apr 25 2007 18:38:54: %PIX-7-609002: Teardown local-host outside:63.160.214.20 duration 0:00:00

I am not even able to reach it from the internal router when trying to traceroute an external IP address and using the internal PIX address as the next hop.

Attached is the config.

11 Replies

sachinraja
Level 9

Hello mbuyi,

On the nat statements I see the network 10.1.1.0/24 given a nat ID 3, but there are no global statements corresponding to NAT ID 3. Can you change the nat ID of this network to 1 and try this? Or else give a separate global statement for nat ID 3:

global (outside) 3 208.58.x.6

Try this and let us know if this solves your issue. Hope this helps. All the best. Rate replies if found useful.

Raj

Raj,

You have a good point, but I had the same problem when I was using:

global (outside) 1 208.58.x.4-208.58.x.6

global (outside) 1 208.58.x.7

nat (inside) 1 10.0.0.0 255.0.0.0

Hello myubi

Try some simple commands. Did you try the following:

nat (inside) 1 10.1.1.0 255.255.255.0

global (outside) 1 208.58.x.7 or

global (outside) 1 interface

This should work for sure. I think in your case you have a lot of subnets in the main supernet 10.0.0.0/8. Do not give this on the nat inside directly; give it as specific subnets, which is a good way of configuring.

Try this and let us know if it works. All the best.

Raj

Well, here is what I opted to use:

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0

static (inside,outside) 208.58.x.7 10.1.1.4 netmask 255.255.255.255

static (inside,outside) 208.58.x.8 10.1.1.92 netmask 255.255.255.255

This seems to work fine only for NON-STATIC internal IPs. Both internal IP addresses that are statically NATted are not able to access the Internet or be accessed from the Internet. Everything else works fine.

Just to rule out the inside network, I created a DMZ. However, I am still having a problem with the static NAT. I am unable to access the NATted IP address. Attached is the new config.

Thanks

You used a 10.1.1.x address for dmz host in your new static.

static (dmz,outside) 208.58.x.3 10.1.1.92 netmask 255.255.255.255

Your dmz network is 172.16.253.x. You would need something like:

static (dmz,outside) 208.58.x.3 172.16.253.x netmask 255.255.255.255
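Two misconfigurations surface in this thread: a nat ID with no matching global (Raj's first reply) and a static whose local address is not in the real interface's subnet (the dmz static above). The checker below is an added example, not from the thread or from Cisco; it parses PIX-style nat/global/static lines from a constructed config and reports both problems. The interface subnets and the `208.58.0.x` addresses (standing in for the thread's `208.58.x.*`) are assumptions.

```python
import ipaddress
import re

# Constructed sample mirroring the thread's lines; 'x' octets replaced with 0 so they parse.
SAMPLE_CONFIG = """
nat (inside) 1 10.0.0.0 255.0.0.0
nat (inside) 3 10.1.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 208.58.0.7 10.1.1.4 netmask 255.255.255.255
static (dmz,outside) 208.58.0.3 10.1.1.92 netmask 255.255.255.255
"""

# Assumed subnets behind each real interface (the thread says the dmz is 172.16.253.x).
IFACE_NETS = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("172.16.253.0/24"),
}

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def audit_nat(config: str, iface_nets=IFACE_NETS) -> list:
    """Return findings: nat IDs lacking a global (ID 0 is NAT exemption and
    needs none) and statics whose local address is outside the real-interface subnet."""
    nat_lines, global_ids, findings = {}, set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nat_lines.setdefault(m.group(2), []).append(line)
        elif m := GLOBAL_RE.match(line):
            global_ids.add(m.group(2))
        elif m := STATIC_RE.match(line):
            real_if, local = m.group(1), ipaddress.ip_address(m.group(4))
            net = iface_nets.get(real_if)
            if net is not None and local not in net:
                findings.append(f"static on {real_if}: local {local} not in {net}")
    for nat_id, lines in nat_lines.items():
        if nat_id != "0" and nat_id not in global_ids:
            for line in lines:
                findings.append(f"no global for nat id {nat_id}: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print(finding)
```

A `%PIX-3-305006 portmap translation creation failed` for a source in a nat'd subnet is the symptom the first finding predicts; the second matches the typo Raj caught in the dmz static.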

My fault, that is a typo. Here it is:

names

name 172.16.253.200 Polycom description Video conferencing placed in DMZ

static (dmz,outside) 208.58.x.3 Polycom netmask 255.255.255.255

Too many x's to know if you allowed traffic in your ACL from-Internet-In:

access-list from-Internet-In extended permit tcp any host 208.58.x.2 eq https

access-list from-Internet-In extended permit tcp any host 208.58.x.2 eq www

access-list from-Internet-In extended permit object-group TCP_UDP any host 208.58.x.3 object-group VIDEO

This is looking more and more like a bug. I added a second server to the DMZ and assigned it a static IP. Well, once I did that, the server is no longer able to access the Internet.

Global 208.58.x.2 Local 10.1.1.4

Global 208.58.x.3 Local Polycom

Global 208.58.x.4 Local 172.16.253.201

So it does not matter if it is inside or in the DMZ.

Well, it was not a bug after all. All I had to do was enable ARP:

sysopt noproxyarp outside

no sysopt noproxyarp outside

I will do the same thing for the inside:

sysopt noproxyarp inside

no sysopt noproxyarp inside
