04-26-2007 05:04 AM - edited 03-11-2019 03:04 AM
For some reason that I can't figure out, a PIX 515E is unable to translate internal IP addresses. I get the following errors:
Apr 25 2007 18:38:54: %PIX-3-305006: portmap translation creation failed for tcp src inside:10.1.1.112/2865 dst outside:198.207.140.31
Apr 25 2007 18:38:54: %PIX-7-609002: Teardown local-host inside:10.1.1.112 duration 0:00:00
Apr 25 2007 18:38:54: %PIX-7-609002: Teardown local-host outside:198.207.140.31 duration 0:00:00
Apr 25 2007 18:38:54: %PIX-7-609001: Built local-host inside:10.1.1.112
Apr 25 2007 18:38:54: %PIX-7-609001: Built local-host outside:63.160.214.20
Apr 25 2007 18:38:54: %PIX-3-305006: portmap translation creation failed for tcp src inside:10.1.1.112/2866 dst outside:63.160.214
Apr 25 2007 18:38:54: %PIX-7-609002: Teardown local-host inside:10.1.1.112 duration 0:00:00
Apr 25 2007 18:38:54: %PIX-7-609002: Teardown local-host outside:63.160.214.20 duration 0:00:00
I am not even able to reach it from the internal router when trying to traceroute an external IP address and using the internal PIX address as the next hop.
Attached is the config.
04-26-2007 05:12 AM
Hello mbuyi,
On the nat statements I see the network 10.1.1.0/24 given a nat ID 3, but there are no global statements corresponding to NAT ID 3. Can you change the nat ID of this network to 1 and try this? Or else give a separate global statement for nat ID 3:
global (outside) 3 208.58.x.6
Try this and let us know if this solves your issue.. hope this helps.. all the best.. rate replies if found useful..
Raj
04-26-2007 05:18 AM
Raj,
You have a good point, but I had the same problem when I was using:
global (outside) 1 208.58.x.4-208.58.x.6
global (outside) 1 208.58.x.7
nat (inside) 1 10.0.0.0 255.0.0.0
04-26-2007 05:25 AM
Hello mbuyi,
Try some simple commands.. did you try the following:
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 208.58.x.7 or
global (outside) 1 interface
This should work for sure... I think in your case, you have a lot of subnets in the main supernet 10.0.0.0/8.. do not give this on the nat inside directly.. give it as specific subnets, which is a good way of configuring...
try this and let us know if it works.. all the best..
Raj
05-01-2007 07:18 AM
Well, here is what I opted to use:
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
static (inside,outside) 208.58.x.7 10.1.1.4 netmask 255.255.255.255
static (inside,outside) 208.58.x.8 10.1.1.92 netmask 255.255.255.255
This seems to work fine only for NON-STATIC internal IPs. Both internal IP addresses that are statically NATed are not able to access the Internet or be accessed from the Internet. Everything else works fine.
05-01-2007 10:07 AM
05-01-2007 10:14 AM
You used a 10.1.1.x address for dmz host in your new static.
static (dmz,outside) 208.58.x.3 10.1.1.92 netmask 255.255.255.255
Your dmz network is 172.16.253.x. You would need something like...
static (dmz,outside) 208.58.x.3 172.16.253.x netmask 255.255.255.255
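A small checker, added here as an example and not part of this thread or of any Cisco tool, for the two configuration mistakes raised in it: a nat ID with no corresponding global statement (Raj's first reply) and a static whose local address does not sit on the named interface's subnet (the dmz static above). The sample config and the interface subnets are constructed from the thread's statements; the documentation range 203.0.113.x stands in for the thread's masked 208.58.x.x addresses.

```python
import ipaddress
import re

# Constructed sample config modelled on the statements posted in this thread.
SAMPLE_CONFIG = """\
nat (inside) 1 10.0.0.0 255.0.0.0
nat (inside) 3 10.1.1.0 255.255.255.0
global (outside) 1 interface
static (dmz,outside) 203.0.113.3 10.1.1.92 netmask 255.255.255.255
static (inside,outside) 203.0.113.7 10.1.1.4 netmask 255.255.255.255
"""

# Assumed per-interface subnets (the thread says the dmz is 172.16.253.x).
INTERFACE_SUBNETS = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("172.16.253.0/24"),
}

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")


def check_pix_nat(config, subnets=INTERFACE_SUBNETS):
    """Return a list of findings for the nat/global/static statements in a PIX config."""
    nat_ids, global_ids, findings = {}, set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            nat_ids.setdefault(m.group(2), []).append(m.group(1))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(m.group(2))
        elif m := STATIC_RE.match(line):
            real_if, local = m.group(1), m.group(4)
            try:
                local_ip = ipaddress.ip_address(local)
            except ValueError:
                continue  # a 'names' entry such as Polycom; cannot check without the names table
            subnet = subnets.get(real_if)
            if subnet and local_ip not in subnet:
                findings.append(f"static on ({real_if}) maps local {local}, which is not in {subnet}")
    # nat ID 0 is identity NAT and needs no global; every other ID needs one.
    for nat_id, ifaces in nat_ids.items():
        if nat_id != "0" and nat_id not in global_ids:
            findings.append(f"nat ID {nat_id} on {','.join(ifaces)} has no matching global statement")
    return findings
```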
05-01-2007 10:18 AM
My fault, that is a typo. Here it is:
names
name 172.16.253.200 Polycom description Video conferencing placed in DMZ
static (dmz,outside) 208.58.x.3 Polycom netmask 255.255.255.255
05-01-2007 10:23 AM
Too many x's to know if you allowed traffic in your acl from-Internet-In
05-01-2007 10:39 AM
access-list from-Internet-In extended permit tcp any host 208.58.x.2 eq https
access-list from-Internet-In extended permit tcp any host 208.58.x.2 eq www
access-list from-Internet-In extended permit object-group TCP_UDP any host 208.58.x.3 object-group VIDEO
05-01-2007 10:54 AM
This is looking more and more like a bug. I added a second server to the DMZ and I assigned a static IP. Well, once I did that, the server is no longer able to access the Internet.
Global 208.58.x.2 Local 10.1.1.4
Global 208.58.x.3 Local Polycom
Global 208.58.x.4 Local 172.16.253.201
So it does not matter if it is inside or in the DMZ.
05-01-2007 11:34 AM
Well, it was not a bug after all. All I had to do was to enable ARP.
sysopt noproxyarp outside
no sysopt noproxyarp outside
I will do the same thing for the inside:
sysopt noproxyarp inside
no sysopt noproxyarp inside