cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1039
Views
3
Helpful
11
Replies

I can't ping ,but rather telnet.

xbw
Level 1
Level 1

show version:

pix525primary# show version

Cisco PIX Security Appliance Software Version 7.0(4)

Compiled on Thu 13-Oct-05 21:43 by builders

System image file is "flash:/image.bin"

Config file at boot was "startup-config"

pix525primary up 4 days 14 hours

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)

0: Ext: Ethernet0 : address is 0015.fa81.31a4, irq 10

1: Ext: Ethernet1 : address is 0015.fa81.31a5, irq 11

2: Ext: Ethernet2 : address is 0005.5d18.2de8, irq 11

3: Ext: Ethernet3 : address is 0005.5d18.2dea, irq 10

4: Ext: Ethernet4 : address is 0005.5d18.2de7, irq 9

5: Ext: Ethernet5 : address is 0005.5d18.2de9, irq 5

Licensed features for this platform:

Maximum Physical Interfaces : 10

Maximum VLANs : 100

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: 809255246

Running Activation Key: 0x21227a88 0x11164335 0x6365db57 0x6475487d

Configuration last modified by enable_15 at 11:44:46.043 beijin Mon Aug 28 2006

descripions:

configuratin as following:

static (reuter,inside) 168.2.2.246 192.168.1.2netmask 255.255.255.255

global (reuter) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0

nat (inside) 1 access-list reuterjy

access-list reuterjy extended permit icmp host 168.2.0.111 168.2.2.0 255.255.255.0

access-list reuterjy extended permit ip host 168.2.0.111 168.2.2.0 255.255.255.0

以168.2.0.111 ping 168.2.2.246 ,error report:

Aug 28 2006 13:44:13: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.0.111 dst reuter:168.2.2.246 (type 8, code 0)

11 Replies 11

Fernando_Meza
Level 7
Level 7

Hi .. it seems that your static instructions are not correct can you post the output of show run interface

168.2.0.111--------inside---pix-----reuter(outside)------192.168.1.100

168.2.0.111 ping 168.2.2.246 ,error report:

Aug 28 2006 13:44:13: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.0.111 dst reuter:168.2.2.246 (type 8, code 0)

but 168.2.0.111 can telnet 168.2.2.246 .

why!?

Hi,

If you could provide the complete config ( be sure to hide sensitive information,public ips in the config), and let us know what you would like to acheive, it would be very helpful to check it.

Where is 168.2.2.246 located? is in on the inside segment ?

Kindly clarify this.

If you want to NAT your inside ip 168.2.2.246 to outside ( reuter) ip 192.168.1.2, then the correct static command should be as follows

static ( inside, reuter) 192.168.1.2 168.2.2.246 netmask 255.255.255.255

-VJ

configuratin as following:

static (reuter,inside) 168.2.2.246 192.168.1.2netmask 255.255.255.255

global (reuter) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0

nat (inside) 1 access-list reuterjy

access-list reuterjy extended permit icmp host 168.2.0.111 168.2.2.0 255.255.255.0

access-list reuterjy extended permit ip host 168.2.0.111 168.2.2.0 255.255.255.0

As i have pointed out earlier, have you corrected the static statements for Natting 168.2.2.246 to 192.168.1.2 ?

Correct statement should be

"static ( inside, reuter) 192.168.1.2 168.2.2.246 netmask 255.255.255.255 ".

Presently your config is having the static nat configured as follows, which is not correct, hence please correct this.

static (reuter,inside) 168.2.2.246 192.168.1.2netmask 255.255.255.255 ( Not correct)

-VJ

thanks,the static statements that is static (reuter,inside) is an outside nat .that is to say : After outside NAT is configured, when a packet arrives at the outer (less secure) interface of the PIX, the PIX

attempts to locate an existing xlate (address translation entry) in the connections database. If no xlate exists, it

searches the NAT policy from the running configuration. If a NAT policy is located, an xlate is created and

inserted into the database. The PIX then rewrites the source address to the mapped or global address and

transmits the packet on the inside interface. Once the xlate is established, the addresses of any subsequent

packets can be quickly translated by consulting the entries in the connections database.

hence the static (reuter,inside) 168.2.2.246 192.168.1.2netmask 255.255.255.255 is correct.

Can you still help me!?

About the complete config ,please see the attachments:

When I ping the host(168.1.12.156) with the client (168.2.2.209),an error is reported.but I can telnet the host (168.1.12.156)with the client (168.2.2.209). please help me!

168.2.2.209(client)---inside----pix----ssn---server 168.1.12.156

Aug 30 2006 10:49:34: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.2.209 dst ssn:168.1.12.156 (type 8, code 0)

Hi,

Could you provide the complete statements of the ACL tofuzhou, I could see only the following lines in the config provided by you, which is incomplete.

access-list tofuzhou extended permit tcp 168.2.2.0 255.255.255.0 host 168.1.12.

access-list tofuzhou extended permit tcp 168.2.2.0 255.255.255.0 host 168.1.12.

Only TCP traffic is permitted in the ACL, if you want to allow ICMP also to be included in this, then you need to add them.

access-list tofuzhou extended permit icmp 168.2.2.0 255.255.255.0 168.2.33.0 255.255.255.0

access-list tofuzhou extended permit icmp 168.2.2.0 255.255.255.0 host 168.1.12.156

This ACL tofuzhou is tied to the NAT inside and global (ssn) as follows.

nat (inside) 6 access-list tofuzhou

global (ssn) 6 168.2.33.250 netmask 255.255.255.0

What is that you are trying to acheive by the above global command?

If you want to translate all the traffic originating from the inside interface ( matched by ACL "tofuzhou") destined to the DMZ SSN to get PAT'ed to the ip 168.2.33.250, then the command should be as follows

nat (inside) 6 access-list tofuzhou

global (ssn) 6 168.2.33.250

Kindly clarify on what you would like to acheive for the traffic going from inside interface to the DMZ ssn.

-VJ

configuratin as following:

static (reuter,inside) 168.2.2.246 192.168.1.2netmask 255.255.255.255

global (reuter) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0

nat (inside) 1 access-list reuterjy

access-list reuterjy extended permit icmp host 168.2.0.111 168.2.2.0 255.255.255.0

access-list reuterjy extended permit ip host 168.2.0.111 168.2.2.0 255.255.255.0

A inside(interface) client (168.2.0.111) ping a reuter(outside) server( 168.2.2.246 ),An error report as follows:

Aug 28 2006 13:44:13: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.0.111 dst reuter:168.2.2.246 (type 8, code 0)

but it can telnet the server( 168.2.2.246 ).

how can i solve this problem. i don't concerne about the ACL tofuzhou .

tht topology

168.2.0.111--------inside---pix-----reuter------192.168.1.100

My question :

A inside(interface) client (168.2.0.111) ping a reuter(outside) server( 168.2.2.246 ),An error report as follows: (as well as inside to ssn)

Aug 28 2006 13:44:13: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.0.111 dst reuter:168.2.2.246 (type 8, code 0)

but it can telnet the server( 168.2.2.246 ).

how can i solve this problem. i don't concerne about the ACL tofuzhou .

tht topology

168.2.0.111--------inside---pix-----reuter------192.168.1.100

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: