
I can't ping, but rather telnet.

Unanswered Question
Aug 28th, 2006

show version:

pix525primary# show version


Cisco PIX Security Appliance Software Version 7.0(4)


Compiled on Thu 13-Oct-05 21:43 by builders

System image file is "flash:/image.bin"

Config file at boot was "startup-config"


pix525primary up 4 days 14 hours


Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB


Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)

0: Ext: Ethernet0 : address is 0015.fa81.31a4, irq 10

1: Ext: Ethernet1 : address is 0015.fa81.31a5, irq 11

2: Ext: Ethernet2 : address is 0005.5d18.2de8, irq 11

3: Ext: Ethernet3 : address is 0005.5d18.2dea, irq 10

4: Ext: Ethernet4 : address is 0005.5d18.2de7, irq 9

5: Ext: Ethernet5 : address is 0005.5d18.2de9, irq 5


Licensed features for this platform:

Maximum Physical Interfaces : 10

Maximum VLANs : 100

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : Unlimited


This platform has an Unrestricted (UR) license.


Serial Number: 809255246

Running Activation Key: 0x21227a88 0x11164335 0x6365db57 0x6475487d

Configuration last modified by enable_15 at 11:44:46.043 beijin Mon Aug 28 2006


Description:

Configuration as follows:

static (reuter,inside) 168.2.2.246 192.168.1.2 netmask 255.255.255.255

global (reuter) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0

nat (inside) 1 access-list reuterjy

access-list reuterjy extended permit icmp host 168.2.0.111 168.2.2.0 255.255.255.0

access-list reuterjy extended permit ip host 168.2.0.111 168.2.2.0 255.255.255.0

Ping from 168.2.0.111 to 168.2.2.246, error report:

Aug 28 2006 13:44:13: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.0.111 dst reuter:168.2.2.246 (type 8, code 0)

Fernando_Meza Mon, 08/28/2006 - 19:58

Hi, it seems that your static instructions are not correct. Can you post the output of show run interface?





xbw Mon, 08/28/2006 - 23:30

168.2.0.111--------inside---pix-----reuter(outside)------192.168.1.100


168.2.0.111 ping 168.2.2.246, error report:

Aug 28 2006 13:44:13: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.0.111 dst reuter:168.2.2.246 (type 8, code 0)

But 168.2.0.111 can telnet to 168.2.2.246.

Why!?

vijayasankar Tue, 08/29/2006 - 01:03

Hi,


If you could provide the complete config (be sure to hide sensitive information and public IPs in the config), and let us know what you would like to achieve, it would be very helpful to check it.


Where is 168.2.2.246 located? Is it on the inside segment?

Kindly clarify this.


If you want to NAT your inside IP 168.2.2.246 to outside (reuter) IP 192.168.1.2, then the correct static command should be as follows:


static (inside,reuter) 192.168.1.2 168.2.2.246 netmask 255.255.255.255



-VJ




xbw Tue, 08/29/2006 - 16:55

Configuration as follows:

static (reuter,inside) 168.2.2.246 192.168.1.2 netmask 255.255.255.255

global (reuter) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0

nat (inside) 1 access-list reuterjy

access-list reuterjy extended permit icmp host 168.2.0.111 168.2.2.0 255.255.255.0

access-list reuterjy extended permit ip host 168.2.0.111 168.2.2.0 255.255.255.0


vijayasankar Tue, 08/29/2006 - 20:47

As I have pointed out earlier, have you corrected the static statements for NATting 168.2.2.246 to 192.168.1.2?

The correct statement should be

"static (inside,reuter) 192.168.1.2 168.2.2.246 netmask 255.255.255.255".


Presently your config has the static NAT configured as follows, which is not correct; please correct this.

static (reuter,inside) 168.2.2.246 192.168.1.2 netmask 255.255.255.255 (Not correct)


-VJ




xbw Wed, 08/30/2006 - 17:37

Thanks. The static statement, that is, static (reuter,inside), is an outside NAT. That is to say: after outside NAT is configured, when a packet arrives at the outer (less secure) interface of the PIX, the PIX attempts to locate an existing xlate (address translation entry) in the connections database. If no xlate exists, it searches the NAT policy from the running configuration. If a NAT policy is located, an xlate is created and inserted into the database. The PIX then rewrites the source address to the mapped or global address and transmits the packet on the inside interface. Once the xlate is established, the addresses of any subsequent packets can be quickly translated by consulting the entries in the connections database.

Hence the static (reuter,inside) 168.2.2.246 192.168.1.2 netmask 255.255.255.255 is correct.


xbw Thu, 08/31/2006 - 16:36

Can you still help me!?

xbw Tue, 08/29/2006 - 19:12

About the complete config, please see the attachments:

When I ping the host (168.1.12.156) with the client (168.2.2.209), an error is reported, but I can telnet to the host (168.1.12.156) with the client (168.2.2.209). Please help me!

168.2.2.209(client)---inside----pix----ssn---server 168.1.12.156

Aug 30 2006 10:49:34: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.2.209 dst ssn:168.1.12.156 (type 8, code 0)



vijayasankar Tue, 08/29/2006 - 21:03

Hi,


Could you provide the complete statements of the ACL tofuzhou? I could see only the following lines in the config provided by you, which are incomplete.


access-list tofuzhou extended permit tcp 168.2.2.0 255.255.255.0 host 168.1.12.

access-list tofuzhou extended permit tcp 168.2.2.0 255.255.255.0 host 168.1.12.


Only TCP traffic is permitted in the ACL. If you want ICMP to be included in this as well, then you need to add it:

access-list tofuzhou extended permit icmp 168.2.2.0 255.255.255.0 168.2.33.0 255.255.255.0

access-list tofuzhou extended permit icmp 168.2.2.0 255.255.255.0 host 168.1.12.156



This ACL tofuzhou is tied to the NAT inside and global (ssn) as follows.


nat (inside) 6 access-list tofuzhou

global (ssn) 6 168.2.33.250 netmask 255.255.255.0


What is it that you are trying to achieve by the above global command?


If you want to translate all the traffic originating from the inside interface (matched by ACL "tofuzhou") destined to the DMZ SSN to get PAT'ed to the IP 168.2.33.250, then the command should be as follows:


nat (inside) 6 access-list tofuzhou

global (ssn) 6 168.2.33.250


Kindly clarify what you would like to achieve for the traffic going from the inside interface to the DMZ ssn.



-VJ


xbw Wed, 08/30/2006 - 00:26

Configuration as follows:

static (reuter,inside) 168.2.2.246 192.168.1.2 netmask 255.255.255.255

global (reuter) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0

nat (inside) 1 access-list reuterjy

access-list reuterjy extended permit icmp host 168.2.0.111 168.2.2.0 255.255.255.0

access-list reuterjy extended permit ip host 168.2.0.111 168.2.2.0 255.255.255.0

An inside (interface) client (168.2.0.111) pings a reuter (outside) server (168.2.2.246), and an error is reported as follows:

Aug 28 2006 13:44:13: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.0.111 dst reuter:168.2.2.246 (type 8, code 0)

But it can telnet to the server (168.2.2.246).

How can I solve this problem? I am not concerned about the ACL tofuzhou.

The topology:

168.2.0.111--------inside---pix-----reuter------192.168.1.100

xbw Wed, 08/30/2006 - 00:44

My question:

An inside (interface) client (168.2.0.111) pings a reuter (outside) server (168.2.2.246), and an error is reported as follows (as well as inside to ssn):

Aug 28 2006 13:44:13: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.0.111 dst reuter:168.2.2.246 (type 8, code 0)

But it can telnet to the server (168.2.2.246).

How can I solve this problem? I am not concerned about the ACL tofuzhou.

The topology:

168.2.0.111--------inside---pix-----reuter------192.168.1.100
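
Added example (not part of the original thread and not Cisco code): a small parser that groups the %PIX-3-305006 messages quoted above by interface pair and protocol, so it is clear which inside-to-reuter and inside-to-ssn flows are failing translation. The function names parse_305006 and summarize are hypothetical, and the "/port" suffix for TCP/UDP lines is an assumption, since the thread only shows the ICMP form.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the two 305006 lines quoted in the thread, plus one
# constructed line that is not a 305006 message and must be skipped.
SAMPLE_LOG = """\
Aug 28 2006 13:44:13: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.0.111 dst reuter:168.2.2.246 (type 8, code 0)
Aug 30 2006 10:49:34: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.2.209 dst ssn:168.1.12.156 (type 8, code 0)
Aug 30 2006 10:49:40: constructed line that is not a 305006 message
"""

# Assumption: TCP/UDP variants append "/port" to each address; the thread only
# shows the ICMP form, which ends in "(type N, code N)" instead.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-3-305006: "
    r"portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<dst_port>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
)

ICMP_TYPES = {"0": "echo-reply", "3": "unreachable", "8": "echo-request", "11": "time-exceeded"}

def parse_305006(line):
    """Return the fields of one 305006 message, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["src_ip"] = ipaddress.IPv4Address(rec["src_ip"])
        rec["dst_ip"] = ipaddress.IPv4Address(rec["dst_ip"])
    except ipaddress.AddressValueError:
        return None  # octet out of range: treat as a malformed line
    if rec["icmp_type"] is not None:
        rec["detail"] = ICMP_TYPES.get(rec["icmp_type"], "type-" + rec["icmp_type"])
    else:
        rec["detail"] = rec["dst_port"] or "-"  # destination port for TCP/UDP
    return rec

def summarize(log_text):
    """Count failures per (source interface, destination interface, protocol, detail)."""
    recs = filter(None, map(parse_305006, log_text.splitlines()))
    return Counter((r["src_if"], r["dst_if"], r["proto"], r["detail"]) for r in recs)

if __name__ == "__main__":
    for (src_if, dst_if, proto, detail), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src_if} -> {dst_if}  {proto}/{detail}")
```
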
