FWSM-3-305006: portmap translation creation failed

albert_coll
Level 1

Hello,

I have just installed a pair of FWSM in two different Catalyst 6509 in HA mode.

I left every access-list completely opened for test purposes. The stations connected to any inside interface can communicate with any other inside or outside station.

The problem is that from any station located outside it is not possible to ping any FWSM inside interface. Every time a ping fails, the FWSM log is appended with a message like this:

Oct 09 2008 12:26:21: %FWSM-3-305006: portmap translation creation failed for icmp src outside:10.23.212.113 dst Subnet198:10.23.212.254 (type 8, code 0)

Unlike FWSM interfaces, when the outside station pings any inside station, it works.

I think that I have all these items well defined:

- Static routing at both the FWSM and the Catalysts.

- Icmp permit any for every interface.

- The command same-security-traffic permit inter-interface is present.

- Access-lists completely opened and applied to every interface.

The documentation states that 305006 could be related to some static translations, but I was unable to overcome the problem by modifying the translations repeatedly.

I would be very grateful to anyone that could give any clue about this.

3 Replies

albert_coll
Level 1

I post a sample of the configuration (names and IP numbers are different for privacy):

FWSM-SF/FWSM-1023# show run
: Saved
:
FWSM Version 3.2(5)
!
hostname FWSM-1023
enable password xxxxxxxxxxxxxx encrypted
names
!
interface Vlan225
 shutdown
 nameif Subnet197
 security-level 95
 ip address 10.23.197.254 255.255.255.0 standby 10.23.197.253
!
interface Vlan405
 nameif Subnet201
 security-level 95
 ip address 10.23.201.254 255.255.255.0 standby 10.23.201.253
!
interface Vlan445
 nameif outside
 security-level 0
 ip address 10.23.212.117 255.255.255.248 standby 10.23.212.116
!
passwd xxxxxxxxxxxxxxx encrypted
same-security-traffic permit inter-interface
access-list Subnet197_in extended permit icmp any any
access-list Subnet197_in extended permit ip any any
access-list Subnet201_in extended permit icmp any any
access-list Subnet201_in extended permit ip any any
access-list outside_in extended permit icmp any any
access-list outside_in extended permit ip any any
no pager
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging history warnings
logging asdm debugging
mtu Subnet197 1500
mtu Subnet201 1500
mtu outside 1500
icmp permit any Subnet197
icmp permit any Subnet201
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
static (Subnet197,outside) 10.23.197.0 10.23.197.0 netmask 255.255.255.0
static (Subnet201,outside) 10.23.201.0 10.23.201.0 netmask 255.255.255.0
access-group Subnet197_in in interface Subnet197
access-group Subnet201_in in interface Subnet201
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.23.212.115 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
snmp-server location
snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
: end

What you are trying to achieve (to ping the inside interface for an FWSM context from the outside) is not possible by design.

You can use the management-access command and ping the inside interface from the outside only if you are coming across an IPSEC tunnel.

Syed Iftekhar Ahmed
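As an added example, not part of the original thread, the following Python script turns the explanation above into a triage check an operator can run against a pile of 305006 messages: it reads the addresses the FWSM itself owns out of a running-config, parses the %FWSM-3-305006 lines, and separates a ping aimed at the firewall's own far-side interface address (not answered by design, no static will fix it) from a genuine missing translation for a host behind the firewall. The config and syslog lines embedded below are constructed: the interface names Subnet201 and outside and their addresses are copied from the anonymised config posted above, while the log lines and the function names (parse_interfaces, parse_305006, classify, triage) are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample input (not from the original post): a trimmed FWSM
# running-config modelled on the one posted above, plus three syslog lines
# made up to match it. Only the 305006 message format itself is real.
SAMPLE_CONFIG = """\
interface Vlan405
 nameif Subnet201
 security-level 95
 ip address 10.23.201.254 255.255.255.0 standby 10.23.201.253
!
interface Vlan445
 nameif outside
 security-level 0
 ip address 10.23.212.117 255.255.255.248 standby 10.23.212.116
!
"""

SAMPLE_LOGS = [
    # outside host pings the far-side (Subnet201) interface address itself
    "Oct 09 2008 12:26:21: %FWSM-3-305006: portmap translation creation failed "
    "for icmp src outside:10.23.212.113 dst Subnet201:10.23.201.254 (type 8, code 0)",
    # outside host pings a host behind Subnet201 (through-the-box traffic)
    "Oct 09 2008 12:27:03: %FWSM-3-305006: portmap translation creation failed "
    "for icmp src outside:10.23.212.113 dst Subnet201:10.23.201.10 (type 8, code 0)",
    # unrelated message that the parser must ignore
    "Oct 09 2008 12:27:40: %FWSM-6-302020: Built ICMP connection ...",
]

IFACE_RE = re.compile(r"^interface\s+(\S+)")
NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
IPADDR_RE = re.compile(
    r"^\s+ip address\s+(\d+\.\d+\.\d+\.\d+)\s+\S+(?:\s+standby\s+(\d+\.\d+\.\d+\.\d+))?"
)
MSG_RE = re.compile(
    r"%FWSM-3-305006: portmap translation creation failed for (?P<proto>\S+) "
    r"src (?P<src_if>[^:]+):(?P<src_ip>\S+) dst (?P<dst_if>[^:]+):(?P<dst_ip>\S+)"
)


def parse_interfaces(config_text: str) -> Dict[str, Set[str]]:
    """Map each nameif to the addresses the FWSM answers on (active and standby),
    walking the 'interface' blocks of a running-config."""
    result: Dict[str, Set[str]] = {}
    nameif: Optional[str] = None
    addrs: Set[str] = set()
    for line in config_text.splitlines():
        if IFACE_RE.match(line) or line.strip() == "!":
            # a new block or a block terminator: flush the one we were reading
            if nameif:
                result.setdefault(nameif, set()).update(addrs)
            nameif, addrs = None, set()
            continue
        m = NAMEIF_RE.match(line)
        if m:
            nameif = m.group(1)
            continue
        m = IPADDR_RE.match(line)
        if m:
            addrs.add(m.group(1))
            if m.group(2):
                addrs.add(m.group(2))
    if nameif:
        result.setdefault(nameif, set()).update(addrs)
    return result


def parse_305006(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a %FWSM-3-305006 message, or None for any other message."""
    m = MSG_RE.search(line)
    return m.groupdict() if m else None


def classify(msg: Dict[str, str], interfaces: Dict[str, Set[str]]) -> str:
    """Explain one 305006 event using the interface table.

    far-side-interface: destination is an address the FWSM owns on an interface
        other than the ingress one; not answered by design, no NAT rule fixes it.
    self-interface: destination is the FWSM's own address on the ingress
        interface; that is governed by 'icmp permit', not by translations.
    through-the-box: destination is a host behind the FWSM; with nat-control on,
        check that a static/nat covers the destination network.
    """
    dst_ip = msg["dst_ip"]
    owner = next((name for name, addrs in interfaces.items() if dst_ip in addrs), None)
    if owner is None:
        return "through-the-box"
    if owner == msg["src_if"]:
        return "self-interface"
    return "far-side-interface"


def triage(config_text: str, log_lines: List[str]) -> List[Dict[str, str]]:
    """Parse and classify every 305006 line; other messages are skipped."""
    interfaces = parse_interfaces(config_text)
    findings = []
    for line in log_lines:
        msg = parse_305006(line)
        if msg is None:
            continue
        msg["verdict"] = classify(msg, interfaces)
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CONFIG, SAMPLE_LOGS):
        print(f"{f['proto']} {f['src_if']}:{f['src_ip']} -> "
              f"{f['dst_if']}:{f['dst_ip']}: {f['verdict']}")
```

Run against the constructed input, the first line is reported as far-side-interface (the situation in this thread) and the second as through-the-box, which is the only class of 305006 where editing static or nat statements is the right next step.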

Thank you for your reply.

I was not aware of the inability to ping from an outside station to any inside FWSM interface, even with the access-lists completely opened.

Kind regards.
