08-28-2006 07:23 PM - edited 03-09-2019 04:02 PM
show version:
pix525primary# show version
Cisco PIX Security Appliance Software Version 7.0(4)
Compiled on Thu 13-Oct-05 21:43 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"
pix525primary up 4 days 14 hours
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
0: Ext: Ethernet0 : address is 0015.fa81.31a4, irq 10
1: Ext: Ethernet1 : address is 0015.fa81.31a5, irq 11
2: Ext: Ethernet2 : address is 0005.5d18.2de8, irq 11
3: Ext: Ethernet3 : address is 0005.5d18.2dea, irq 10
4: Ext: Ethernet4 : address is 0005.5d18.2de7, irq 9
5: Ext: Ethernet5 : address is 0005.5d18.2de9, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
Serial Number: 809255246
Running Activation Key: 0x21227a88 0x11164335 0x6365db57 0x6475487d
Configuration last modified by enable_15 at 11:44:46.043 beijin Mon Aug 28 2006
description:
configuration as follows:
static (reuter,inside) 168.2.2.246 192.168.1.2 netmask 255.255.255.255
global (reuter) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0
nat (inside) 1 access-list reuterjy
access-list reuterjy extended permit icmp host 168.2.0.111 168.2.2.0 255.255.255.0
access-list reuterjy extended permit ip host 168.2.0.111 168.2.2.0 255.255.255.0
Ping 168.2.2.246 from 168.2.0.111; error report:
Aug 28 2006 13:44:13: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.0.111 dst reuter:168.2.2.246 (type 8, code 0)
08-28-2006 07:58 PM
Hi.. it seems that your static instructions are not correct. Can you post the output of show run interface?
08-28-2006 11:30 PM
168.2.0.111--------inside---pix-----reuter(outside)------192.168.1.100
168.2.0.111 pings 168.2.2.246, error report:
Aug 28 2006 13:44:13: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.0.111 dst reuter:168.2.2.246 (type 8, code 0)
but 168.2.0.111 can telnet to 168.2.2.246.
why!?
08-29-2006 01:03 AM
Hi,
If you could provide the complete config (be sure to hide sensitive information and public IPs in the config), and let us know what you would like to achieve, it would be very helpful to check it.
Where is 168.2.2.246 located? Is it on the inside segment?
Kindly clarify this.
If you want to NAT your inside IP 168.2.2.246 to the outside (reuter) IP 192.168.1.2, then the correct static command should be as follows:
static (inside,reuter) 192.168.1.2 168.2.2.246 netmask 255.255.255.255
-VJ
08-29-2006 04:55 PM
configuration as follows:
static (reuter,inside) 168.2.2.246 192.168.1.2 netmask 255.255.255.255
global (reuter) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0
nat (inside) 1 access-list reuterjy
access-list reuterjy extended permit icmp host 168.2.0.111 168.2.2.0 255.255.255.0
access-list reuterjy extended permit ip host 168.2.0.111 168.2.2.0 255.255.255.0
08-29-2006 08:47 PM
As I have pointed out earlier, have you corrected the static statements for NATting 168.2.2.246 to 192.168.1.2?
The correct statement should be
"static (inside,reuter) 192.168.1.2 168.2.2.246 netmask 255.255.255.255".
Presently your config has the static NAT configured as follows, which is not correct; please correct this.
static (reuter,inside) 168.2.2.246 192.168.1.2 netmask 255.255.255.255 (Not correct)
-VJ
08-30-2006 05:37 PM
Thanks. The static statement, that is static (reuter,inside), is an outside NAT. That is to say: after outside NAT is configured, when a packet arrives at the outer (less secure) interface of the PIX, the PIX attempts to locate an existing xlate (address translation entry) in the connections database. If no xlate exists, it searches the NAT policy from the running configuration. If a NAT policy is located, an xlate is created and inserted into the database. The PIX then rewrites the source address to the mapped or global address and transmits the packet on the inside interface. Once the xlate is established, the addresses of any subsequent packets can be quickly translated by consulting the entries in the connections database.
Hence the static (reuter,inside) 168.2.2.246 192.168.1.2 netmask 255.255.255.255 is correct.
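The two static forms quoted in this thread place 168.2.2.246 on different sides of the PIX, because the PIX syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip. This added Python model (not from the thread, not Cisco code) walks the thread's ping through each form; it models only the static, not the nat/global pool that would translate the other address.

```python
import ipaddress
import re

# Constructed from the two static forms quoted in this thread (not a live config).
STATIC_OP = "static (reuter,inside) 168.2.2.246 192.168.1.2 netmask 255.255.255.255"
STATIC_VJ = "static (inside,reuter) 192.168.1.2 168.2.2.246 netmask 255.255.255.255"

# PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"static\s+\(\s*(\w+),\s*(\w+)\s*\)\s+([\d.]+)\s+([\d.]+)\s+netmask\s+([\d.]+)")


def parse_static(line):
    """Return the parts of a static line: interface names plus real and mapped networks."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static line: {line!r}")
    real_ifc, mapped_ifc, mapped_ip, real_ip, mask = m.groups()
    return {
        "real_ifc": real_ifc,
        "mapped_ifc": mapped_ifc,
        # strict=False so a netmask shorter than /32 describes a whole-network static
        "mapped": ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False),
        "real": ipaddress.ip_network(f"{real_ip}/{mask}", strict=False),
    }


def _shift(addr, from_net, to_net):
    """Move addr from one network into the other, keeping its host offset."""
    offset = int(ipaddress.ip_address(addr)) - int(from_net.network_address)
    return str(to_net.network_address + offset)


def apply_static(static, in_ifc, src, dst):
    """Apply one static to a packet; return (out_ifc, src, dst), or None if it does not match.

    A static is bidirectional: real_ip -> mapped_ip for a packet entering the real
    interface, mapped_ip -> real_ip for a packet entering the mapped interface and
    addressed to the mapped address. The nat/global source translation is not modelled.
    """
    if in_ifc == static["real_ifc"] and ipaddress.ip_address(src) in static["real"]:
        return static["mapped_ifc"], _shift(src, static["real"], static["mapped"]), dst
    if in_ifc == static["mapped_ifc"] and ipaddress.ip_address(dst) in static["mapped"]:
        return static["real_ifc"], src, _shift(dst, static["mapped"], static["real"])
    return None


if __name__ == "__main__":
    # The thread's flow: inside host 168.2.0.111 sends an echo request to 168.2.2.246
    for line in (STATIC_OP, STATIC_VJ):
        print(line, "->", apply_static(parse_static(line), "inside", "168.2.0.111", "168.2.2.246"))
```

With the (reuter,inside) form the ping is forwarded to 192.168.1.2 on reuter; with the (inside,reuter) form it matches nothing, because that form describes an inside host 168.2.2.246 appearing as 192.168.1.2 on reuter.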
08-31-2006 04:36 PM
Can you still help me!?
08-29-2006 07:12 PM
About the complete config, please see the attachments:
When I ping the host (168.1.12.156) from the client (168.2.2.209), an error is reported, but I can telnet to the host (168.1.12.156) from the client (168.2.2.209). Please help me!
168.2.2.209(client)---inside----pix----ssn---server 168.1.12.156
Aug 30 2006 10:49:34: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.2.209 dst ssn:168.1.12.156 (type 8, code 0)
08-29-2006 09:03 PM
Hi,
Could you provide the complete statements of the ACL tofuzhou? I could see only the following lines in the config you provided, which is incomplete.
access-list tofuzhou extended permit tcp 168.2.2.0 255.255.255.0 host 168.1.12.
access-list tofuzhou extended permit tcp 168.2.2.0 255.255.255.0 host 168.1.12.
Only TCP traffic is permitted in the ACL; if you want ICMP to be included as well, then you need to add it.
access-list tofuzhou extended permit icmp 168.2.2.0 255.255.255.0 168.2.33.0 255.255.255.0
access-list tofuzhou extended permit icmp 168.2.2.0 255.255.255.0 host 168.1.12.156
This ACL tofuzhou is tied to the NAT inside and global (ssn) as follows.
nat (inside) 6 access-list tofuzhou
global (ssn) 6 168.2.33.250 netmask 255.255.255.0
What is it that you are trying to achieve with the above global command?
If you want to translate all the traffic originating from the inside interface (matched by ACL "tofuzhou") destined to the DMZ SSN to get PAT'ed to the IP 168.2.33.250, then the command should be as follows:
nat (inside) 6 access-list tofuzhou
global (ssn) 6 168.2.33.250
Kindly clarify what you would like to achieve for the traffic going from the inside interface to the DMZ ssn.
-VJ
08-30-2006 12:26 AM
configuration as follows:
static (reuter,inside) 168.2.2.246 192.168.1.2 netmask 255.255.255.255
global (reuter) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0
nat (inside) 1 access-list reuterjy
access-list reuterjy extended permit icmp host 168.2.0.111 168.2.2.0 255.255.255.0
access-list reuterjy extended permit ip host 168.2.0.111 168.2.2.0 255.255.255.0
An inside (interface) client (168.2.0.111) pings a reuter (outside) server (168.2.2.246); an error is reported as follows:
Aug 28 2006 13:44:13: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.0.111 dst reuter:168.2.2.246 (type 8, code 0)
but it can telnet to the server (168.2.2.246).
How can I solve this problem? I am not concerned about the ACL tofuzhou.
The topology:
168.2.0.111--------inside---pix-----reuter------192.168.1.100
08-30-2006 12:44 AM
My question :
An inside (interface) client (168.2.0.111) pings a reuter (outside) server (168.2.2.246); an error is reported as follows (as well as inside to ssn):
Aug 28 2006 13:44:13: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.0.111 dst reuter:168.2.2.246 (type 8, code 0)
but it can telnet to the server (168.2.2.246).
How can I solve this problem? I am not concerned about the ACL tofuzhou.
The topology:
168.2.0.111--------inside---pix-----reuter------192.168.1.100