Still need help: Pix515E hairpin access to inter-LAN error: %PIX-session-3-305006

Answered Question
Sep 2nd, 2010

Hi, Everyone,


Our Pix515E, OS 8.0.4, has been working for a long time. Recently we needed to configure a new VLAN for the accounting group; PCs hooked to this VLAN must have full access to our existing internal LAN. I have scratched my head for several days to get it to work, so far no luck. PCs on the VLAN can get outside (Internet), but there is no way they can access inside systems. The PIX logged error 305006 (or 305005), something like:

Sep  2 12:35:09 pix515e :Sep 02 12:37:46 EDT: %PIX-session-3-305006: portmap translation creation failed for udp src vlan10:192.168.100.100/54310 dst inside:10.1.1.7/53

Sep  2 12:21:49 pix515e :Sep 02 12:24:27 EDT: %PIX-session-3-305005: No translation group found for udp src vlan10:192.168.100.100/51015 dst inside:10.1.1.7/53

I have tried "crypto isakmp nat-traversal", no luck; I have tried all kinds of access rules, no luck... I really don't understand why the inter-LAN traffic is not allowed...

My shortened version of the config is listed in the following. We have a DMZ too, but it is unrelated here, because all I want to know is how to allow traffic from VLAN-->INSIDE. Any suggestions are greatly appreciated.

PIX Version 8.0(4)
!
hostname pix515E



!
interface Ethernet0
nameif outside
security-level 0
ip address 71.X.X.X 255.255.255.0
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.254 255.255.0.0
ospf cost 10
!
interface Ethernet1.10
description Vlan on inside
vlan 10
nameif vlan10
security-level 100
ip address 192.168.100.1 255.255.255.0
ospf cost 10



same-security-traffic permit inter-interface
same-security-traffic permit intra-interface



access-list inside_access_in extended permit icmp pix-inside 255.255.0.0 any echo
access-list inside_access_in extended permit udp pix-inside 255.255.0.0 any object-group ntp-udp
access-list inside_access_in extended permit tcp pix-inside 255.255.0.0 any eq domain


access-list inside_access_in extended permit tcp host et2 any eq smtp



access-list inside_access_in extended permit udp host new-cis-router any


access-list vlan10_access_in extended permit ip any any


arp timeout 14400
nat-control
global (outside) 10 interface


nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 10.1.1.0 255.255.255.0
nat (inside) 10 10.1.2.0 255.255.255.0
nat (inside) 10 10.1.0.0 255.255.0.0
nat (vlan10) 10 192.168.100.0 255.255.255.0


access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 71.X.X.X 1


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02


crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000


crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside


crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal


threat-detection basic-threat


group-policy cnf-vpn-cls internal
group-policy cnf-vpn-cls attributes
wins-server value 10.1.1.7
dns-server value 10.1.1.7 10.1.1.205
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value *.com


tunnel-group cnf-vpn-cls type remote-access
tunnel-group cnf-vpn-cls general-attributes
address-pool cnf-8-ip

isakmp ikev1-user-authentication none
tunnel-group cnf-vpn-cls ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 768
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context


Kureli Sankar (Cisco Employee) Thu, 09/02/2010 - 12:38

You need a static translation from inside to the VLAN.


static (inside,vlan10) 10.1.0.0 10.1.0.0 net 255.255.0.0


That should take care of it.


-KS

sean chang Thu, 09/02/2010 - 13:01

Thank you KS, I really appreciate your help.



I run the configuration you suggested, but unfortunately it did not make any difference, the log still shows error 305006:


Sep  2 15:56:28 pix515e :Sep 02 15:59:06 EDT: %PIX-session-3-305006: portmap translation creation failed for icmp src vlan10:192.168.100.100 dst inside:10.1.1.7 (type 8, code 0)


(The configuration command was accepted; I ran it on the PIX console, and I can view it in ASDM.)


thanks.

Correct Answer
Kureli Sankar (Cisco Employee) Thu, 09/02/2010 - 13:06

You have the same security level.


interface Ethernet1.10
description Vlan on inside
vlan 10
nameif vlan10
security-level 100 --------------------------------------> change that to a 90
ip address 192.168.100.1 255.255.255.0
ospf cost 10


change the security level to a 90

or add

static (vlan10,inside) 192.168.100.0 192.168.100.1 net 255.255.255.0


-KS

sean chang Thu, 09/02/2010 - 13:16

I typed it incorrectly.

The last octet was a .1; instead it should be a 0.


static (vlan10,inside) 192.168.100.0 192.168.100.0 net 255.255.255.0


-KS

sean chang Thu, 09/02/2010 - 13:28

Once again, thank you very much for the help. Unfortunately these changes did not work; it is the same 305006 error.

I know this is really hard. I had another system guy try for 4 days, plus countless hours from myself, and we could not make it work.


I know this is really hard, I got another system guy tried  for  4 days  plus countless hours from myself did not make it work

Kureli Sankar (Cisco Employee) Thu, 09/02/2010 - 14:36

This is strange.

You are seeing both of these messages?

Sep  2 12:35:09 pix515e :Sep 02 12:37:46 EDT: %PIX-session-3-305006: portmap translation creation failed for udp src vlan10:192.168.100.100/54310 dst inside:10.1.1.7/53

Sep  2 12:21:49 pix515e :Sep 02 12:24:27 EDT: %PIX-session-3-305005: No translation group found for udp src vlan10:192.168.100.100/51015 dst inside:10.1.1.7/53

The above two are different. One is

portmap translation creation failed  ------> means the global line is the problem

the other is

no translation group found  -----> this means the nat line is the problem.

Please post the output of

sh nameif

sh ip

sh arp | i vlan10

-KS

sean chang Tue, 09/07/2010 - 08:52

Thank you very much, kusankar.


Great news, it actually works now!!! (I was off last Friday because of Earl, and Monday too.)

When I came to work this morning, it still did not work, but the log message showed this:

Sep  7 10:25:33 pix515E:Sep 07 10:28:18 EDT: %PIX-session-3-106014: Deny inbound icmp src vlan10:192.168.100.100 dst inside:10.1.1.7 (type 8, code 0)

Then I remembered I had changed the VLAN10 security level from 100-->90 and had checked this box (in ASDM): "Enable traffic between 2 or more interfaces which are configured with same security levels". So when I changed the VLAN10 security level back from 90--->100, traffic from VLAN10-->inside worked perfectly.

Now I have a slightly different configuration (actually this was the original problem; I built a new VLAN for testing first and I thought the problems were the same): our accounting dept IT guy wants his own control of a Cisco ROUTER. He has 3 VLANs already; for this PIX515E, he built a VLAN8 with IP 10.8.1.0/24 and routes all VLAN8 traffic to another router connected directly to the PIX (10.1.2.222). His VLAN8 can go outside (Internet), but not inside. The log is almost identical:


Sep  7 11:23:03 pix515e:Sep 07 11:25:50 EDT: %PIX-session-3-305006: portmap translation creation failed for udp src inside:10.1.1.7/53 dst inside:10.8.1.103/51196 (type 0, code 0)

*****Note: I pinged from the 10.8.1.103 XP PC, but this log shows the return path failed*****


( config related to inside8)

#name 10.8.1.0 inside8 description routed-inside-network

#access-list inside_access_in extended permit ip inside8 255.255.255.0 any

#nat (inside) 10 inside8 255.255.255.0
#route inside inside8 255.255.255.0 10.1.2.222 1


When I try to do the same thing you suggested above, the PIX does not allow me:


pix515E(config)# static (inside,inside8) pix-inside pix-inside netmask 255.255.0.0


static (inside,inside8) pix-inside pix-inside netmask 255.255.0.0
                     ^
ERROR: % Invalid input detected at '^' marker.


I work here as an ORACLE DBA; we don't have complex networking here, so Cisco stuff is kind of my side job. Please excuse me for not being able to really grasp what you did that actually made the difference regarding error 305006. I know I'm too dumb; I can't fix the same error with a somewhat different configuration.


Once again,  I really appreciate your tremendous help.

sean chang Fri, 09/10/2010 - 08:29

I know I might do better to start a new discussion because the problem is somewhat different, but the messages are the same 305006; just this time the traffic is routed to the PIX from another VLAN, and the destination is still U-turn access to the inside LAN. Any suggestions and advice are greatly appreciated.


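Added example (not from the thread, and not Cisco's code): a small Python triage script for the %PIX syslog lines quoted in this discussion. It parses the message ID and the src/dst interface:address/port 5-tuple, then maps each ID to the configuration element KS points at above (305005 -> the nat line on the source interface, 305006 -> the global/static for that interface pair, 106014 -> the access-group applied inbound on the source interface), and flags flows whose source and destination interface are the same, which is the U-turn case in the VLAN8 post (inside:10.1.1.7 -> inside:10.8.1.103). The sample log lines are copied from the thread as constructed input; the field names, the diagnosis wording and the `summarize` grouping are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the PIX syslog lines quoted in this thread, one per string.
SAMPLE_LOGS = [
    "Sep  2 12:35:09 pix515e :Sep 02 12:37:46 EDT: %PIX-session-3-305006: portmap translation creation failed for udp src vlan10:192.168.100.100/54310 dst inside:10.1.1.7/53",
    "Sep  2 12:21:49 pix515e :Sep 02 12:24:27 EDT: %PIX-session-3-305005: No translation group found for udp src vlan10:192.168.100.100/51015 dst inside:10.1.1.7/53",
    "Sep  2 15:56:28 pix515e :Sep 02 15:59:06 EDT: %PIX-session-3-305006: portmap translation creation failed for icmp src vlan10:192.168.100.100 dst inside:10.1.1.7 (type 8, code 0)",
    "Sep  7 10:25:33 pix515E:Sep 07 10:28:18 EDT: %PIX-session-3-106014: Deny inbound icmp src vlan10:192.168.100.100 dst inside:10.1.1.7 (type 8, code 0)",
    "Sep  7 11:23:03 pix515e:Sep 07 11:25:50 EDT: %PIX-session-3-305006: portmap translation creation failed for udp src inside:10.1.1.7/53 dst inside:10.8.1.103/51196 (type 0, code 0)",
]

# "%PIX-<facility>-<severity>-<6-digit id>: <text>"
HEADER_RE = re.compile(r"%PIX-(?P<facility>\w+)-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
# "<proto> src <nameif>:<ip>[/<port>] dst <nameif>:<ip>[/<port>]"; ICMP lines carry no port.
FLOW_RE = re.compile(
    r"\b(?P<proto>tcp|udp|icmp)\s+src\s+(?P<sif>[\w.-]+):(?P<sip>\d+(?:\.\d+){3})(?:/(?P<sport>\d+))?"
    r"\s+dst\s+(?P<dif>[\w.-]+):(?P<dip>\d+(?:\.\d+){3})(?:/(?P<dport>\d+))?"
)


@dataclass(frozen=True)
class PixEvent:
    msgid: str
    severity: int
    proto: str
    src_if: str
    src_ip: str
    src_port: Optional[int]
    dst_if: str
    dst_ip: str
    dst_port: Optional[int]
    text: str


def parse_pix_line(line: str) -> Optional[PixEvent]:
    """Return a PixEvent for a %PIX message that carries a src/dst flow, else None."""
    h = HEADER_RE.search(line)
    if not h:
        return None
    f = FLOW_RE.search(h.group("text"))
    if not f:
        return None

    def port(s: Optional[str]) -> Optional[int]:
        return int(s) if s is not None else None

    return PixEvent(
        msgid=h.group("msgid"), severity=int(h.group("sev")), proto=f.group("proto"),
        src_if=f.group("sif"), src_ip=f.group("sip"), src_port=port(f.group("sport")),
        dst_if=f.group("dif"), dst_ip=f.group("dip"), dst_port=port(f.group("dport")),
        text=h.group("text"),
    )


def diagnose(ev: PixEvent) -> Dict[str, object]:
    """Map the message ID to the config element to inspect, following KS's reading of the two IDs."""
    pair = f"({ev.src_if},{ev.dst_if})"          # the (src,dst) pair a static/global would be keyed on
    hairpin = ev.src_if == ev.dst_if             # packet enters and leaves the same interface (U-turn)
    if ev.msgid == "305005":                     # "No translation group found"
        component = "nat"
        why = f"no 'nat ({ev.src_if}) ...' statement covers source {ev.src_ip}"
    elif ev.msgid == "305006":                   # "portmap translation creation failed"
        component = "global"
        why = f"a nat rule matched but no global/static serves interface pair {pair}"
    elif ev.msgid == "106014":                   # "Deny inbound icmp"
        component = "acl"
        why = f"the access-group applied inbound on {ev.src_if} denies {ev.proto} to {ev.dst_ip}"
    else:
        component = "unknown"
        why = ev.text
    if hairpin:
        why += "; hairpin flow, also needs 'same-security-traffic permit intra-interface'"
    return {"msgid": ev.msgid, "component": component, "pair": pair, "hairpin": hairpin, "why": why}


def summarize(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count events by (config component, interface pair) so the noisiest gap stands out."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_pix_line(line)
        if ev is not None:
            d = diagnose(ev)
            counts[(d["component"], d["pair"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse_pix_line(line)
        if ev is not None:
            d = diagnose(ev)
            print(f"{d['msgid']} {d['pair']:<18} {d['component']:<7} {d['why']}")
    print(summarize(SAMPLE_LOGS))
```

The pair the script reports comes from the interface names in the log, not from `name` aliases in the config: in the VLAN8 post the 305006 line names `inside` on both sides, and the rejected command `static (inside,inside8)` fails at the second argument because `inside8` is a `name` for 10.8.1.0 (see the `name 10.8.1.0 inside8` line), not a `nameif`. `static` takes two interface names there, so the pair to work with for that flow is the one the log shows.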
