portmap translation fails

mauro.elias
Level 1

hello,

I've been dealing with a problem that finally turned out to be bigger than my abilities to solve:

I administer a PIX 535, ver. 6.2(2), and the problem is that my users behind it fail to establish FTP/telnet/web... any connection.

the syslog server shows this error:

<163>Jan 17 2003 11:03:54: %PIX-3-305006: portmap translation creation failed for tcp src inside:11.254.12.161/19010 dst outside:213.9.178.76/80

in 17-Jan 10:55:19.35 from 11.254.12.67

The problem is solved once I run "clear xlate" in the PIX, and my users can FTP, telnet and browse the web, but the problem reappears after a short period of time (20 min... 1 hour...), and I have to clear the translation tables again!!

I've tried to find what this error means, but I can find nothing else than "this can be an internal error or an error in the configuration"...

any clues???

thank you in advance


gfullage
Cisco Employee

We probably need to see your PIX configuration, but I'll give it a shot. Outbound connections are controlled by the nat/global statements in the PIX. The PIX is running out of IP addresses and ports to NAT your inside traffic to. You probably have something like:

> global (outside) 1 x.x.x.1 - x.x.x.254

> nat (inside) 1 0 0

or something similar. This says NAT all your inside addresses to IP addresses x.x.x.1 to x.x.x.254. Once these are all used, you'll get the port translation failed error, because the PIX has run out of IP addresses. Keep in mind that one internal user can use up 10 or so IP addresses just by going to one web site.

Change your above config (or whatever you have) to:

> global (outside) 1 x.x.x.1 - x.x.x.253

> global (outside) 1 x.x.x.254

> nat (inside) 1 0 0

This says use x.x.x.1 to x.x.x.253 for NAT'ing the inside IP addresses, and then when you run out start PAT'ing everything to the x.x.x.254 address. This will give you up to 65000 translations just with this one IP address, more than enough for a mid-size company.

If you're still not sure what to do, please post your config, make sure to xxxxxx out the global IP addresses and your passwords.

ok, here's the config:

: Saved

:

PIX Version 6.2(2)

nameif gb-ethernet0 outside security0

nameif gb-ethernet1 inside security100

nameif gb-ethernet2 Failover_fw security55

nameif ethernet0 dmz security50

nameif ethernet1 intf4 security30

nameif ethernet2 intf5 security25

enable password xxXxxx encrypted

passwd XXXXXX encrypted

hostname PIX-IMSS-1

domain-name XXXX.XXX.mx

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

object-group network XXXSERVERS

network-object host 216.15.255.131

network-object host 200.32.3.188

network-object host 216.15.243.145

network-object host 216.15.191.44

network-object host 216.148.213.149

network-object host 207.153.254.54

network-object host 204.176.10.176

network-object host 62.81.62.169

network-object host 200.53.64.230

network-object host 65.243.196.210

network-object host 207.153.226.209

network-object host 207.68.183.187

network-object host 209.163.234.172

network-object host 209.67.42.29

network-object host 207.153.254.58

network-object host 209.207.135.134

network-object host 63.241.16.56

network-object host 64.4.53.7

network-object host 64.4.52.7

network-object host 64.4.43.7

network-object host 64.4.44.7

network-object host 64.4.45.7

network-object host 66.163.171.128

network-object host 64.58.76.98

network-object host 64.58.76.99

network-object host 64.12.164.65

network-object host 64.12.164.193

network-object host 207.46.104.20

network-object host 66.119.67.254

network-object host 64.58.79.230

network-object host 205.188.179.233

network-object host 64.12.200.89

network-object host 66.163.172.116

network-object host 66.218.71.198

network-object host 216.127.33.92

network-object host 64.58.76.37

network-object host 212.19.149.26

object-group network COMPAS

network-object host 11.254.43.38

network-object host 11.254.13.59

access-list OUT permit tcp any host xxxxxx.143.4 eq www

access-list OUT permit tcp any host xxxxxx.143.4 eq https

access-list OUT permit tcp any host xxxxxx.143.6 eq www

access-list OUT permit tcp any host xxxxxx.143.7 eq www

access-list OUT permit tcp any host xxxxxx.143.8 eq www

access-list OUT permit tcp any host xxxxxx.143.9 eq smtp

access-list OUT permit tcp any host xxxxxx.143.10 eq 8080

access-list OUT permit tcp any host xxxxxx.143.10 eq www

access-list OUT permit tcp any host xxxxxx.143.11 eq www

access-list OUT permit tcp any host xxxxxx.143.12 eq www

access-list OUT permit tcp any host xxxxxx.143.12 eq 5100

access-list OUT permit tcp any host xxxxxx.143.20 eq domain

access-list OUT permit udp any host xxxxxx.143.20 eq domain

access-list DMZ permit tcp any host 11.254.12.21 eq domain

access-list DMZ permit udp any host 11.254.12.21 eq domain

access-list DMZ permit ip any host 11.254.12.36

access-list DMZ permit tcp host 71.10.23.10 11.0.0.0 255.0.0.0 eq 1525

access-list DMZ permit tcp host 71.10.23.34 host 11.254.12.234 eq smtp

access-list DMZ permit tcp host 71.10.23.34 any eq sqlnet

access-list DMZ permit tcp 71.10.23.0 255.255.255.0 11.254.12.0 255.255.255.0 eq 135

access-list DMZ permit udp 71.10.23.0 255.255.255.0 11.254.12.0 255.255.255.0 eq netbios-ns

access-list DMZ permit tcp 71.10.23.0 255.255.255.0 11.254.12.0 255.255.255.0 eq netbios-ssn

access-list DMZ permit udp 71.10.23.0 255.255.255.0 11.254.12.0 255.255.255.0 eq netbios-dgm

access-list DMZ permit tcp host 71.10.23.10 11.0.0.0 255.0.0.0 eq 1526

access-list DMZ permit tcp host 71.10.23.11 11.0.0.0 255.0.0.0 eq 1526

access-list DMZ permit tcp host 71.10.23.14 11.0.0.0 255.0.0.0 eq 1526

access-list DMZ permit tcp host 71.10.23.11 11.0.0.0 255.0.0.0 eq 1525

access-list DMZ permit tcp host 71.10.23.14 11.0.0.0 255.0.0.0 eq 1525

access-list DMZ permit tcp any host 148.207.38.1 eq domain

access-list DMZ permit udp any host 148.207.38.1 eq domain

access-list DMZ permit tcp any host 204.153.24.1 eq domain

access-list DMZ permit udp any host 204.153.24.1 eq domain

access-list IN deny udp any any eq netbios-ns

access-list IN permit ip object-group COMPAS any

access-list IN deny ip any object-group XXXSERVERS

access-list IN deny tcp any any eq 1863

access-list IN permit ip any any

pager lines 24

logging on

logging timestamp

logging buffered warnings

logging trap warnings

logging host inside 11.254.43.38

interface gb-ethernet0 1000auto

interface gb-ethernet1 1000auto

interface gb-ethernet2 1000auto

interface ethernet0 100full

interface ethernet1 auto shutdown

interface ethernet2 auto shutdown

mtu outside 1500

mtu inside 1500

mtu Failover_fw 1500

mtu dmz 1500

mtu intf4 1500

mtu intf5 1500

ip address outside xxxxxx.143.15 255.255.255.0

ip address inside 11.254.12.67 255.255.255.0

ip address Failover_fw 72.10.24.30 255.255.255.0

ip address dmz 71.10.23.99 255.255.255.0

ip address intf4 127.0.0.1 255.255.255.255

ip address intf5 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

failover

failover timeout 0:00:00

failover poll 3

failover ip address outside xxxxxx.143.14

failover ip address inside 11.254.12.66

failover ip address Failover_fw 72.10.24.29

failover ip address dmz 71.10.23.98

failover ip address intf4 0.0.0.0

failover ip address intf5 0.0.0.0

failover link Failover_fw

failover lan unit primary

failover lan interface Failover_fw

failover lan key ********

failover lan enable

pdm history enable

arp timeout 14400

global (outside) 1 xxxxxx.143.16

global (outside) 1 xxxxxx.143.17

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

alias (dmz) 71.10.23.34 xxxxxx.143.10 255.255.255.255

static (dmz,outside) xxxxxx.143.6 71.10.23.11 netmask 255.255.255.255 0 0

static (dmz,outside) xxxxxx.143.7 71.10.23.25 netmask 255.255.255.255 0 0

static (dmz,outside) xxxxxx.143.8 71.10.23.13 netmask 255.255.255.255 0 0

static (dmz,outside) xxxxxx.143.12 71.10.23.35 netmask 255.255.255.255 0 0

static (inside,outside) xxxxxx.143.4 11.254.12.233 netmask 255.255.255.255 0 0

static (inside,outside) xxxxxx.143.9 11.254.12.234 netmask 255.255.255.255 0 0

static (dmz,outside) xxxxxx.143.10 71.10.23.34 netmask 255.255.255.255 0 0

static (inside,outside) xxxxxx.143.20 11.254.12.21 netmask 255.255.255.255 0 0

static (inside,dmz) 11.0.0.0 11.0.0.0 netmask 255.0.0.0 0 0

access-group OUT in interface outside

access-group IN in interface inside

access-group DMZ in interface dmz

route outside 0.0.0.0 0.0.0.0 xxxxxx.143.254 1

route inside 10.0.0.0 255.0.0.0 11.254.12.254 1

route inside 11.0.0.0 255.0.0.0 11.254.12.254 1

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:00:15 absolute

timeout xlate 0:01:00

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 11.254.43.40 255.255.255.255 inside

http 11.254.43.38 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

crypto dynamic-map dyna 20 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map mymap 10 ipsec-isakmp dynamic dyna

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

telnet timeout 1

ssh 11.254.43.40 255.255.255.255 inside

ssh 11.254.43.38 255.255.255.255 inside

ssh timeout 60

terminal width 100

Cryptochecksum:xxxxxx

: end

According to a Cisco document, if I see the portmap translation error message in my logs, I must decrease the xlate timeout, which I've done to 1 min. And the problem disappeared all day; I thought that the problem was gone, but this morning when I saw my syslog server, I found the portmap translation error again. It seems that we are consuming 65000 x 2 translations!!!!! It's unbelievable!!! Or do you think that I must add more IP addresses to my global pool???

thanks in advance for your advice

What does a "sho conn count" and "sho xlate" tell you as to how many sessions and translations you have going at the time of the message?

sh conn count:

11266 in use, 941228 most used

sh xlate:

12528 in use, 176263 most used

At the time I ran these commands I had the fewest users online, it's 9PM... and I added 3 more PAT addresses in the morning, and in the whole day I haven't seen the portmap error message. Do you think that with this number of connections I really need that many PAT addresses?? Or am I exaggerating?

Is there a rule of how many PAT addresses I need?

176,263 xlates? Any wonder you're running out of translations with only two addresses. How many users do you have inside this PIX? Are you sure you don't have a machine inside that is creating 1000's of connections to external hosts, maybe one that is infected with a virus/worm.

Check your xlate table next time you see the counter getting high and see if one machine is using up most of the xlates. Check the same thing in the connection table, then fix that machine if you find one.
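The check suggested above, as an added example that is not part of the thread: a small Python script that counts "show xlate" entries per inside host and %PIX-3-305006 failures per source, so the one machine holding most of the translations stands out. The "show xlate" sample is constructed in the PIX 6.x line layout (an assumption about the format), and the global addresses 203.0.113.x are constructed placeholders for the masked pool.

```python
import re
from collections import Counter

# Constructed sample in the PIX 6.x "show xlate" layout (not from the thread):
# one line per translation; 11.254.12.161 holds most of them.
SAMPLE_XLATE = """\
5 in use, 176263 most used
PAT Global 203.0.113.16(1024) Local 11.254.12.161(19010)
PAT Global 203.0.113.16(1025) Local 11.254.12.161(19011)
PAT Global 203.0.113.16(1026) Local 11.254.12.161(19012)
PAT Global 203.0.113.17(1024) Local 11.254.13.59(3301)
Global 203.0.113.20 Local 11.254.12.21
"""

# Constructed syslog lines in the %PIX-3-305006 format quoted in the thread.
SAMPLE_SYSLOG = """\
<163>Jan 17 2003 11:03:54: %PIX-3-305006: portmap translation creation failed for tcp src inside:11.254.12.161/19010 dst outside:213.9.178.76/80
<163>Jan 17 2003 11:03:55: %PIX-3-305006: portmap translation creation failed for tcp src inside:11.254.12.161/19011 dst outside:198.51.100.7/80
<163>Jan 17 2003 11:03:56: %PIX-3-305006: portmap translation creation failed for tcp src inside:11.254.13.59/3301 dst outside:198.51.100.5/21
"""

# "Local <ip>" is the inside address of each xlate entry (PAT or static).
XLATE_RE = re.compile(r"Local\s+(\d+\.\d+\.\d+\.\d+)")
# Source address of each failed portmap translation, whatever the interface name.
FAIL_RE = re.compile(r"%PIX-3-305006:.*?src\s+\w+:(\d+\.\d+\.\d+\.\d+)/\d+")


def xlates_per_host(show_xlate_output):
    """Count active translations per inside (Local) address."""
    return Counter(m.group(1) for m in XLATE_RE.finditer(show_xlate_output))


def failures_per_host(syslog_text):
    """Count 305006 translation failures per inside source address."""
    return Counter(m.group(1) for m in FAIL_RE.finditer(syslog_text))


def top_talkers(counts, share=0.5):
    """Hosts holding at least `share` of all entries, largest first."""
    total = sum(counts.values())
    return [(h, n) for h, n in counts.most_common() if total and n / total >= share]


if __name__ == "__main__":
    print("xlates per host:", xlates_per_host(SAMPLE_XLATE).most_common())
    print("305006 failures per host:", failures_per_host(SAMPLE_SYSLOG).most_common())
    print("suspects:", top_talkers(xlates_per_host(SAMPLE_XLATE)))
```

On a real box, feed it the captured "show xlate" output and the syslog file; a host that dominates both lists is the one to inspect before adding more PAT addresses.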

Had this config been working earlier? If so, there's a worm running loose on the internet that is gobbling resources. Check http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
