09-02-2010 11:17 AM - edited 03-11-2019 11:34 AM
Hi, Everyone,
Our PIX 515E, OS 8.0.4, has been working for a long time. Recently we needed to configure a new VLAN for the accounting group; PCs hooked to this VLAN must have full access to our existing internal LAN. I have scratched my head for several days to get it to work, so far with no luck. PCs on the VLAN can get outside (Internet), but there is no way they can access inside systems. The PIX logged error 305006 (or 305005), something like:
Sep 2 12:35:09 pix515e :Sep 02 12:37:46 EDT: %PIX-session-3-305006: portmap translation creation failed for udp src vlan10:192.168.100.100/54310 dst inside:10.1.1.7/53
Sep 2 12:21:49 pix515e :Sep 02 12:24:27 EDT: %PIX-session-3-305005: No translation group found for udp src vlan10:192.168.100.100/51015 dst inside:10.1.1.7/53
I have tried "crypto isakmp nat-traversal": no luck. I have tried all kinds of access rules: no luck... I really don't understand why the inter-LAN traffic is not allowed...
My shortened version of the config is listed below. We have a DMZ too, but it is unrelated here, because all I want to know is how to allow traffic from VLAN --> INSIDE. Any suggestions are greatly appreciated.
PIX Version 8.0(4)
!
hostname pix515E
!
interface Ethernet0
nameif outside
security-level 0
ip address 71.X.X.X 255.255.255.0
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.254 255.255.0.0
ospf cost 10
!
interface Ethernet1.10
description Vlan on inside
vlan 10
nameif vlan10
security-level 100
ip address 192.168.100.1 255.255.255.0
ospf cost 10
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit icmp pix-inside 255.255.0.0 any echo
access-list inside_access_in extended permit udp pix-inside 255.255.0.0 any object-group ntp-udp
access-list inside_access_in extended permit tcp pix-inside 255.255.0.0 any eq domain
access-list inside_access_in extended permit tcp host et2 any eq smtp
access-list inside_access_in extended permit udp host new-cis-router any
access-list vlan10_access_in extended permit ip any any
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 10.1.1.0 255.255.255.0
nat (inside) 10 10.1.2.0 255.255.255.0
nat (inside) 10 10.1.0.0 255.255.0.0
nat (vlan10) 10 192.168.100.0 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 71.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
threat-detection basic-threat
group-policy cnf-vpn-cls internal
group-policy cnf-vpn-cls attributes
wins-server value 10.1.1.7
dns-server value 10.1.1.7 10.1.1.205
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value *.com
tunnel-group cnf-vpn-cls type remote-access
tunnel-group cnf-vpn-cls general-attributes
address-pool cnf-8-ip
isakmp ikev1-user-authentication none
tunnel-group cnf-vpn-cls ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 768
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Solved! Go to Solution.
09-02-2010 01:06 PM
You have the same security level.
interface Ethernet1.10
description Vlan on inside
vlan 10
nameif vlan10
security-level 100 --------------------------------------> change that to a 90
ip address 192.168.100.1 255.255.255.0
ospf cost 10
change the security level to a 90
or add
static (vlan10,inside) 192.168.100.0 192.168.100.1 net 255.255.255.0
-KS
09-02-2010 12:38 PM
You need static translation from inside to vlan.
static (inside,vlan10) 10.1.0.0 10.1.0.0 net 255.255.0.0
That should take care of it.
-KS
09-02-2010 01:01 PM
Thank you KS, I really appreciate your help.
I ran the configuration you suggested, but unfortunately it did not make any difference; the log still shows error 305006:
Sep 2 15:56:28 pix515e :Sep 02 15:59:06 EDT: %PIX-session-3-305006: portmap translation creation failed for icmp src vlan10:192.168.100.100 dst inside:10.1.1.7 (type 8, code 0)
(The configuration command is accepted; I ran it on the PIX console and I can view it in ASDM.)
Thanks.
09-02-2010 01:16 PM
I typed it incorrectly.
The last octet was a .1; instead it should be a .0.
static (vlan10,inside) 192.168.100.0 192.168.100.0 net 255.255.255.0
-KS
09-02-2010 01:28 PM
Once again, thank you very much for the help. Unfortunately these changes did not work; I get the same 305006 error.
I know this is really hard. I had another systems guy try for 4 days, plus countless hours from myself, and we still could not make it work.
09-02-2010 02:36 PM
This is strange.
You are seeing both these messages?
Sep 2 12:35:09 pix515e :Sep 02 12:37:46 EDT: %PIX-session-3-305006: portmap translation creation failed for udp src vlan10:192.168.100.100/54310 dst inside:10.1.1.7/53
Sep 2 12:21:49 pix515e :Sep 02 12:24:27 EDT: %PIX-session-3-305005: No translation group found for udp src vlan10:192.168.100.100/51015 dst inside:10.1.1.7/53
The above two are different. One is:
portmap translation creation failed ------> means the global line is the problem
The other is:
no translation group found -----> this means the nat line is the problem.
Please post the output of:
sh nameif
sh ip
sh arp | i vlan10
-KS
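As an added example (not from this thread or from KS), here is a small Python triage script that parses the PIX syslog lines quoted above and maps each message ID to the configuration area KS describes (305005 -> nat line, 305006 -> global line, 106014 -> policy rather than NAT). The sample lines are constructed from the thread's own messages, and the hint wording is my own summary, not Cisco documentation.

```python
import re
from typing import Optional

# Constructed sample lines, modelled on the messages quoted in this thread.
SAMPLE_LOGS = [
    "Sep 2 12:35:09 pix515e :Sep 02 12:37:46 EDT: %PIX-session-3-305006: portmap translation "
    "creation failed for udp src vlan10:192.168.100.100/54310 dst inside:10.1.1.7/53",
    "Sep 2 12:21:49 pix515e :Sep 02 12:24:27 EDT: %PIX-session-3-305005: No translation group "
    "found for udp src vlan10:192.168.100.100/51015 dst inside:10.1.1.7/53",
    "Sep 7 10:25:33 pix515E:Sep 07 10:28:18 EDT: %PIX-session-3-106014: Deny inbound icmp "
    "src vlan10:192.168.100.100 dst inside:10.1.1.7 (type 8, code 0)",
    "Sep 7 11:23:03 pix515e:Sep 07 11:25:50 EDT: %PIX-session-3-305006: portmap translation "
    "creation failed for udp src inside:10.1.1.7/53 dst inside:10.8.1.103/51196 (type 0, code 0)",
]

# %PIX-<facility>-<severity>-<6-digit id>: <free text>
MSG_RE = re.compile(r"%PIX-(?P<facility>\w+)-(?P<severity>\d)-(?P<msgid>\d{6}): (?P<text>.*)")
# "<proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>]" as it appears in these messages
FLOW_RE = re.compile(
    r"(?P<proto>\w+) src (?P<src_if>[\w.-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))?"
    r" dst (?P<dst_if>[\w.-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

# Where to look first for each ID, following KS's reading in the thread (my wording).
HINTS = {
    "305005": "no nat/static rule matches this source on the ingress interface (check 'nat'/'static')",
    "305006": "a nat rule matched but no translation could be built toward the egress interface "
              "(check 'global'/'static' for that interface)",
    "106014": "dropped by policy, not NAT (check the inbound access-list and the security-level "
              "/ same-security-traffic settings)",
}

def parse_pix_line(line: str) -> Optional[dict]:
    """Return msgid, severity, text and (when present) the flow fields, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    event = {"msgid": m["msgid"], "severity": int(m["severity"]), "text": m["text"]}
    flow = FLOW_RE.search(m["text"])
    if flow:
        event.update(flow.groupdict())
    return event

def triage(event: dict) -> str:
    """Map a parsed event to the configuration area a practitioner should inspect."""
    hint = HINTS.get(event["msgid"], "unrecognised message ID; consult the syslog reference")
    src_if, dst_if = event.get("src_if"), event.get("dst_if")
    if src_if and src_if == dst_if:  # U-turn / hairpin flow as in the inside8 case above
        hint += "; flow enters and leaves the same interface (hairpin), which also needs "
        hint += "'same-security-traffic permit intra-interface'"
    return f"{event['msgid']} {src_if}->{dst_if} {event.get('proto')}: {hint}"

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse_pix_line(line)
        print(triage(ev) if ev else f"unparsed: {line}")
```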
09-07-2010 08:52 AM
Thank you very much, kusankar.
Great news, it actually works now!!! (I was off last Friday because of Earl, and Monday too.)
When I came to work this morning, it still did not work, but the log message showed this instead:
Sep 7 10:25:33 pix515E:Sep 07 10:28:18 EDT: %PIX-session-3-106014: Deny inbound icmp src vlan10:192.168.100.100 dst inside:10.1.1.7 (type 8, code 0
Then I remembered that I had changed the VLAN10 security level from 100 --> 90, and I checked this box (in ASDM): "Enable traffic between 2 or more interfaces which are configured with same security levels". So when I changed the VLAN10 security level back from 90 --> 100, traffic from VLAN10 --> inside worked perfectly.
Now I have a slightly different configuration (actually this was the original problem; I built a new VLAN for testing first, and I thought the problems were the same): our accounting dept IT guy wants his own control of a Cisco ROUTER. He already has 3 VLANs; for this PIX 515E he built a VLAN8 with IP 10.8.1.0/24, and he routes all VLAN8 traffic to another router connected directly to the PIX (10.1.2.222). His VLAN8 can go outside (Internet), but not inside; the log is almost identical:
Sep 7 11:23:03 pix515e:Sep 07 11:25:50 EDT: %PIX-session-3-305006: portmap translation creation failed for udp src inside:10.1.1.7/53 dst inside:10.8.1.103/51196 (type 0, code 0)
*****Note: I pinged from the 10.8.1.103 XP PC, but this log shows the return path failed*****
(config related to inside8)
#name 10.8.1.0 inside8 description routed-inside-network
#access-list inside_access_in extended permit ip inside8 255.255.255.0 any
#nat (inside) 10 inside8 255.255.255.0
#route inside inside8 255.255.255.0 10.1.2.222 1
When I try to do the same thing you suggested above, the PIX does not allow it:
pix515E(config)# static (inside,inside8) pix-inside pix-inside netmask 255.255.0.0
static (inside,inside8) pix-inside pix-inside netmask 255.255.0.0
^
ERROR: % Invalid input detected at '^' marker.
I work here as an Oracle DBA; we don't have complex networking here, so Cisco stuff is kind of my side job. Please excuse me for not being able to really grasp what you did that actually made the difference regarding error 305006. I know I'm too dumb, as I can't fix the same error with a somewhat different configuration.
Once again, I really appreciate your tremendous help.
09-10-2010 08:29 AM
I know I should probably start a new discussion because the problem is somewhat different, but the messages are the same 305006; just this time the traffic is routed to the PIX from another VLAN, and the destination is still U-turn access to the inside LAN. Any suggestions and advice are greatly appreciated.
----copied from previous posting
Now I have a slightly different configuration (actually this was the original problem; I built a new VLAN for testing first, and I thought the problems were the same): our accounting dept IT guy wants his own control of a Cisco ROUTER. He already has 3 VLANs; for this PIX 515E he built a VLAN8 with IP 10.8.1.0/24, and he routes all VLAN8 traffic to another router connected directly to the PIX (10.1.2.222). His VLAN8 can go outside (Internet), but not inside; the log is almost identical:
Sep 7 11:23:03 pix515e:Sep 07 11:25:50 EDT: %PIX-session-3-305006: portmap translation creation failed for udp src inside:10.1.1.7/53 dst inside:10.8.1.103/51196 (type 0, code 0)
*****Note: I pinged from the 10.8.1.103 XP PC, but this log shows the return path failed*****
(config related to inside8)
#name 10.8.1.0 inside8 description routed-inside-network
#access-list inside_access_in extended permit ip inside8 255.255.255.0 any
#nat (inside) 10 inside8 255.255.255.0
#route inside inside8 255.255.255.0 10.1.2.222 1
When I try to do the same thing you suggested above, the PIX does not allow it:
pix515E(config)# static (inside,inside8) pix-inside pix-inside netmask 255.255.0.0
static (inside,inside8) pix-inside pix-inside netmask 255.255.0.0
^
ERROR: % Invalid input detected at '^' marker.