Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Strange PIX problem

I have a Cisco PIX 506e securing a small network. It has been working fine allowing internet access for my users and VPN traffic apart from a very strange fault has occured over the last couple of days whereby some users on the network have internet access while others do not. Settings on users PC's are identicle apart from the static ip address which is unique for each PC.

When looking at syslog error messages I see the following error for users who can't connect

%PIX-3-305006: regular translation creation failed for udp src inside:192.168.0.21/1052 dst outside:192.168.78.29/53

any ideas anyone on how I can fix this?

The baffling thing is some users have internet access while others do not.

  • Other Security Subjects
11 REPLIES
Gold

Re: Strange PIX problem

Hello Jamal,

The PIX error message '%PIX-3-305006' means the following :

%PIX-3-305006: type translation creation failed for protocol

Explanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the PIX Firewall. The type can be static, portmapped (PAT), or regular.

Action This message can be either an internal error or an error in the configuration

So, in saying this can you post your configuration either here on the forum or if you like direct to myself at: noc1@vodafone.net - PLEASE REMEMBER TO CHANGE PASSWORDS AND REAL IP's.

Thanks --

New Member

Re: Strange PIX problem

Hi,

Thanks for getting back to me. I have seen the interpretation of the error message on the cisco website but it doesn't give me any clues as to how to cure the error. Attached is the config ay help would be realy appreciated. This config has been running on the PIX for 3 months without problems. Only now has it developed this issue.

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable

passwd

hostname pixfirewall

domain-name

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list acl_in permit tcp any any eq www

access-list acl_in permit tcp any any eq domain

access-list acl_in permit udp any any eq domain

access-list acl_in permit tcp any any eq https

access-list acl_in permit udp any any range netbios-ns 139

access-list acl_in permit tcp any any range 137 netbios-ssn

access-list acl_in permit icmp any any

access-list acl_in deny tcp any any eq 4444

access-list acl_in deny tcp any any eq 69

access-list acl_in deny tcp any any eq 135

access-list no_nat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0

access-list vpn permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0

pager lines 24

logging on

logging monitor warnings

logging trap debugging

logging host inside x.x.x.x

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x x.x.x.x

ip address inside x.x.x.x 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 x.x.x.x-x.x.x.x

nat (inside) 0 access-list no_nat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_in in interface inside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map newmap 10 ipsec-isakmp

crypto map newmap 10 match address

crypto map newmap 10 set peer x.x.x.x

crypto map newmap 10 set transform-set myset

crypto map newmap interface outside

isakmp enable outside

isakmp key ******** address x.x.x.x netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

telnet x.x.x.x 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:

pixfirewall#

Gold

Re: Strange PIX problem

Hi -

Can you take out the following ACL :

access-list vpn permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0

access-list acl_in deny tcp any any eq 69

access-list acl_in deny tcp any any eq 135

Remember to save to config with command 'write memory' and also do command 'clear xlate' after your change.

and see if you get the error.

Thanks -

New Member

Re: Strange PIX problem

Hi,

access-list vpn permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0

Relates to a VPN I have setup and so I can't remove this.

access-list acl_in deny tcp any any eq 69

access-list acl_in deny tcp any any eq 135

Both relate to the blaster worm that hit PC's last week and prevents the blaster from hitting any of the PC's on the inside interface.

Gold

Re: Strange PIX problem

Hi Jamal,

The reason I was asking for removal of the above two access-list is your original error is stating that a inside client(IP) failed to build a UDP connection to the outside IP, As TCP/UDP use port 135 and you are denying port 135 with the access-list then you are likely to see the formentioned error. I'm aware of the 'blaster worm virus' and the port it uses to attack clients. You could test your firewall to see if there are any 'holes' visible from the outside (Internet) by going to the following site: www.grc.com and use 'Shields UP' (This is a secure site).

Also, looking at the error message, the inside client (IP) is trying to connect to a outside DNS client (port 53 for UDP). Another thing is, you say that the VPN access-list can't be removed, But you have no command 'nat(inside)0 access-list VPN' for the mentioned access-list ??

Let me know your thoughts -

Thanks - Jay

New Member

Re: Strange PIX problem

Hi Jay,

Many thanks for your help and time on this issue.

The VPN access list does actually have a

nat(inside)0 access-list VPN command in the config.

I sent across a slightly older config which did work as I wasn't at the office when I sent it through.

I looked at the config again this morning and found that if I issued the following command

clear xlate

this allowed machines to connect however as I went round to each machine I found that if I connected more than 4 machines then the same problem would occur again.

The deny tcp access list statements were actually added after this problem occured and having just removed them after your posting this seem to have no effect.

Jamal

New Member

Re: Strange PIX problem

Repeated message

Gold

Re: Strange PIX problem

Hi Jamal,

OK, Can you post your current config and also what sort of licence have you got for the PIX i.e. Ristricted, Unristricted etc.. a 'show version' Will tell you this. MAKESURE TO CHANGE REAL IP's and PASSWORDS. Or if you like post direct to me at noc1@vodafone.net

Thanks - Jay

New Member

Re: Strange PIX problem

Hi Jay,

The PIX has a restricted licence. Since my last I have fixed the issue. I setup PAT on the PIX and this allowed all users to connect and I have had no problems reported so far.

Many thanks for your help.

Jamal

142
Views
0
Helpful
11
Replies
This widget could not be displayed.