Cisco Support Community
New Member

Static Translations from non-existent hosts

This is probably just something else that I do not understand about the PIX, but I want to know what is going on. I am getting log message 305009 "Built static translation from inside: some-IP to outside: same-IP" from non-existent hosts and subnets. My first assumption is that there might be some spoofing going on, but sniffing the link between our internal router and the PIX shows no traffic from this host. Is this a scan? If so, why is the static translation from inside to outside?

  • Other Security Subjects
1 REPLY
Cisco Employee

Re: Static Translations from non-existent hosts

The "from" and "to" in this message don't indicate the direction the traffic was seen in (i.e., the PIX didn't have to actually see traffic FROM some-IP). All this message is telling you is that the PIX created a translation in its internal table because it saw traffic from OR to this address. The message is indicating a translation was created from one interface to another, and the message will always say FROM the higher security interface TO the lower security interface; it's not telling you that it actually saw traffic from one interface to the other.

You must have a static command set up translating this IP address to itself between the inside and outside interfaces, so if the PIX sees traffic going to this address from the outside, or coming from this address on the inside, it'll have to create a translation for it and this message will be displayed.

Again, it doesn't signify the traffic direction, just that traffic is seen.

As for what it might be, quite possibly a scan of all available hosts on that subnet, quite possibly something completely harmless also. If it's a scan I'd expect to see one of these messages for every host on the subnet, if you don't see this then it may be something entirely different.

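As an added example (not part of the thread, and not Cisco's code), here is a small Python script that applies the reply's advice to a syslog feed: it pulls the 305009 messages out, groups the translated inside addresses by subnet, and flags any subnet where many distinct hosts received a static translation, which is the pattern the reply says a scan of the subnet would leave, while a handful of scattered hits is reported as nothing. The log lines are constructed for the example, and the /24 grouping and the eight-host threshold are assumptions to tune for your own address plan.

```python
"""Flag subnet sweeps from PIX/ASA syslog 305009 ("Built static translation") messages.

Added example, not from the thread. The log lines below are constructed; the
/24 grouping and the eight-host threshold are assumptions to tune per network.
"""
import ipaddress
import re
from collections import defaultdict

# Match from the message ID onward; the "%PIX-6-" / "%ASA-6-" prefix and any
# syslog timestamp or hostname vary by platform and relay, so they are ignored.
PATTERN = re.compile(
    r"305009: Built static translation from "
    r"(?P<src_if>[\w-]+):(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample feed: a 10-host sweep of 10.20.30.0/24 (one host repeated,
# as a retried probe would be), two stray hits on 192.168.5.0/24, and an
# unrelated 302013 connection message that must be ignored.
SAMPLE_LOG = [
    f"Jan 12 10:04:{i:02d} fw %PIX-6-305009: Built static translation "
    f"from inside:10.20.30.{i} to outside:10.20.30.{i}"
    for i in range(1, 11)
] + [
    "Jan 12 10:04:30 fw %PIX-6-305009: Built static translation from inside:10.20.30.3 to outside:10.20.30.3",
    "Jan 12 10:05:00 fw %PIX-6-305009: Built static translation from inside:192.168.5.40 to outside:192.168.5.40",
    "Jan 12 10:05:01 fw %PIX-6-305009: Built static translation from inside:192.168.5.41 to outside:192.168.5.41",
    "Jan 12 10:05:02 fw %PIX-6-302013: Built inbound TCP connection 12345 for "
    "outside:203.0.113.9/4421 (203.0.113.9/4421) to inside:192.168.5.40/80 (192.168.5.40/80)",
]


def parse_305009(line):
    """Return the interfaces and addresses from a 305009 line, or None for any other message."""
    m = PATTERN.search(line)
    if not m:
        return None
    return {
        "src_if": m.group("src_if"),
        "src_ip": ipaddress.ip_address(m.group("src_ip")),
        "dst_if": m.group("dst_if"),
        "dst_ip": ipaddress.ip_address(m.group("dst_ip")),
    }


def is_identity_static(rec):
    """True when the address translates to itself, i.e. a 'static (inside,outside) X X' entry as in the question."""
    return rec["src_ip"] == rec["dst_ip"]


def hosts_by_subnet(lines, prefixlen=24):
    """Group the distinct translated inside addresses by their enclosing subnet.

    The message does not say which way the packet travelled (the reply's point),
    so only the set of addresses touched is counted, never a direction.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_305009(line)
        if rec is None:
            continue
        net = ipaddress.ip_network(f"{rec['src_ip']}/{prefixlen}", strict=False)
        seen[net].add(rec["src_ip"])
    return seen


def find_sweeps(lines, prefixlen=24, min_hosts=8):
    """Return {subnet: sorted hosts} for subnets where at least min_hosts distinct
    addresses received a translation; a few scattered hits are left alone."""
    return {
        net: sorted(hosts)
        for net, hosts in hosts_by_subnet(lines, prefixlen).items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for net, hosts in find_sweeps(SAMPLE_LOG).items():
        print(f"possible sweep of {net}: {len(hosts)} hosts, first {hosts[0]} last {hosts[-1]}")
```

Run against the constructed feed it reports only 10.20.30.0/24 (ten distinct hosts, the repeated .3 counted once); the two hits on 192.168.5.0/24 stay below the threshold, which is the "something entirely different" case the reply distinguishes from a sweep. Because the message carries no packet direction, a hit on an address with no real host behind it is the interesting signal, not the interface named after "from".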