I cannot connect my private network across the PIX.

admin_2
Level 3

Hi,

I am trying to connect my private network (192.168.1.0/255.255.255.0) to the Internet across a PIX 515E (inside 192.168.1.150/255.255.255.0, outside a.b.c.d/255.255.255.252)

access-list inside01 permit tcp 192.168.1.0 255.255.255.0 any eq www

access-list inside01 permit tcp 192.168.1.0 255.255.255.0 any eq 53

access-list inside01 permit udp 192.168.1.0 255.255.255.0 any eq 53

access-group inside01 in interface inside

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

route outside 0 0 a.b.c.e 1

but when I try to connect to the Internet from 192.168.1.163, I see this:

305006 portmap translation creation failed for udp src inside: 192.168.1.160/1031 dst outside <AddressOfOurDnsServer>/53

I've no static (inside,outside).

Can you help me, please?

Thanks, Milan (milan@lanex.cz)

P.S.: when I type:

static (inside,outside) a.b.c.d 192.168.1.163 netmask 255.255.255.255 0 0

I'm connected to the Internet, but only from the PC with IP 192.168.1.163 :-(


mostiguy
Level 6

You are using the same netblock in two places. You are also trying to use RFC 1918 IP address space across the Internet, which will not work. You cannot route those IP addresses across the Internet.

Not applicable

Hi,

I have re-typed my message; now I have written out all my IP addresses. Can you tell me, please, where I am trying to use the same netblock?

************

I am trying to connect my private network (192.168.1.0/255.255.255.0) to the Internet across a PIX 515E (inside 192.168.1.150/255.255.255.0, outside 194.228.117.86/255.255.255.252)

access-list inside01 permit tcp 192.168.1.0 255.255.255.0 any eq www

access-list inside01 permit tcp 192.168.1.0 255.255.255.0 any eq 53

access-list inside01 permit udp 192.168.1.0 255.255.255.0 any eq 53

access-group inside01 in interface inside

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

route outside 0 0 194.228.117.85 1

but when I try to connect to the Internet from the PC with IP 192.168.1.163, I see this:

305006 portmap translation creation failed for udp src inside: 192.168.1.163/1031 dst outside <194.228.2.1>/53

I've no static (inside,outside).

Can you help me, please?

Thanks, Milan (milan@lanex.cz)

P.S.: when I type:

static (inside,outside) 194.228.117.86 192.168.1.163 netmask 255.255.255.255 0 0

I'm connected to the Internet, but only from the PC with IP 192.168.1.163 :-(

********************

If it works when you have static (inside,outside) 194.228.117.86 192.168.1.163 netmask 255.255.255.255 but not when you don't, then after removing the static, do a clear xlate command to flush out the PIX xlate cache.

If you still get the portmap failure after removing the static and running clear xlate, try this command on a PC: telnet 194.228.2.1 53, to attempt a connection on TCP port 53 of the DNS server, and see if you are able to make a connection. The easiest way to tell is to run the show xlate command on the PIX to see if an xlate exists.

Let me know how it goes.

Not applicable

Of course I use clear xlate after I make any changes.

I tried your tip, and this is the result:

305006: portmap translation creation failed for tcp src inside:192.168.1.163/1044 dst outside:194.228.2.1/53

It's only my idea, but.... I use access-group inside01 in interface inside... is that right?

Milan,

Can you add on your inside ACL (inside01) the following and let me know what happens:

access-list inside01 permit ip any any

and issue write mem to save and also issue clear xlate

Let me know..

Jay

Not applicable

Hi,

the same situation...

305006: portmap translation creation failed for icmp src inside:192.168.1.163 dst outside:81.31.5.5 (type 8, code 0)....

Do a show nameif and post the results here.

Also, as another test, remove the access-list from the inside interface and retry the telnet to port 53, and see if you get the same results. Yes, if you want to limit what crosses the PIX from the inside, you do apply the ACL to the inside interface, but for this test, remove it just to eliminate the ACL somehow being corrupt.

Not applicable

nameif ethernet0 outside security0

nameif ethernet1 inside security100

When I retry the telnet, the result is the same.

now I have acl:

access-list inside01 permit ip any any

access-list inbound permit ip any any

The first is used on interface inside, the second on interface outside. The result is the same.

when I use:

static (inside,outside) 194.228.117.86 192.168.1.163 netmask 255.255.255.255 0 0

I can connect to the Internet from PC 192.168.1.163, but only from this PC.

Can you post your config? Scrub out sensitive data, and also let me know what version of the PIX code you are running.

Thanks, Ed

Not applicable

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password xxxxx

passwd xxxx

hostname pix

domain-name lanex.cz

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list inside01 permit ip any any

access-list inbound permit ip any any

pager lines 24

logging console debugging

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 194.x.x.x.x.255.252

ip address inside 192.168.1.150 255.255.255.0

no ip address dmz

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

access-group inbound in interface outside

access-group inside01 in interface inside

route outside 0.0.0.0 0.0.0.0 194.228.117.85 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxxx

milan

Your config looks to be correct. There may be a bug in the PIX processing. Try this test:

Instead of nat (inside) 1 192.168.1.0 255.255.255.0 0 0, code nat (inside) 1 0 0 0 0 (note the four 0's) and see if the xlate occurs properly. In every example that uses global (xxx) id interface, the nat had 0 as the source and mask.
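The nat/global pair discussed here and the 305006 messages quoted through this thread can be checked mechanically before blaming software state. The following Python script is an added example, not code from the thread or from Cisco. It parses the three message layouts the poster pasted (with and without the colon after the message ID, with and without angle brackets around the destination) plus one constructed line for a host outside the nat range, and classifies each failing source host against the posted nat/global statements, assuming PIX 6.x syntax as shown in the config above. A status of "covered" means the config is not the obvious cause, which is where this thread ends up.

```python
import ipaddress
import re

# Constructed sample input: the three 305006 syslog lines quoted in the thread, in the
# slightly different layouts the poster pasted them, plus one constructed line for a
# host that is NOT covered by the nat statement, to show the mismatch case.
SAMPLE_LOG = """\
305006 portmap translation creation failed for udp src inside: 192.168.1.163/1031 dst outside <194.228.2.1>/53
305006: portmap translation creation failed for tcp src inside:192.168.1.163/1044 dst outside:194.228.2.1/53
305006: portmap translation creation failed for icmp src inside:192.168.1.163 dst outside:81.31.5.5 (type 8, code 0)....
305006: portmap translation creation failed for tcp src inside:192.168.2.20/1050 dst outside:194.228.2.1/80
"""

# Constructed sample config: the NAT-relevant lines from the posted PIX 6.3 config.
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 194.228.117.85 1
"""

# Tolerant pattern for the 305006 message; ports are optional because ICMP has none.
MSG_RE = re.compile(
    r"305006:?\s+portmap translation creation failed for (?P<proto>\w+)\s+"
    r"src (?P<src_if>\w+):\s*(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))?\s+"
    r"dst (?P<dst_if>\w+):?\s*<?(?P<dst_ip>[\d.]+)>?(?:/(?P<dst_port>\d+))?"
)
NAT_RE = re.compile(r"^nat \((?P<ifc>\w+)\) (?P<nid>\d+) (?P<net>[\d.]+) (?P<mask>[\d.]+)")
GLOBAL_RE = re.compile(r"^global \((?P<ifc>\w+)\) (?P<nid>\d+) (?P<pool>.+)$")


def parse_events(log_text):
    """Extract the fields of every 305006 line; unrelated lines are skipped."""
    return [m.groupdict() for m in (MSG_RE.search(l) for l in log_text.splitlines()) if m]


def parse_nat_rules(config_text):
    """Return ([(nat_if, nat_id, network)], {(global_if, nat_id): [pool, ...]})."""
    nats, pools = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            net, mask = m.group("net"), m.group("mask")
            # 'nat (inside) 1 0 0' (or 0.0.0.0 0.0.0.0) means "every host on that interface"
            if net in ("0", "0.0.0.0"):
                network = ipaddress.ip_network("0.0.0.0/0")
            else:
                network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            nats.append((m.group("ifc"), int(m.group("nid")), network))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            pools.setdefault((m.group("ifc"), int(m.group("nid"))), []).append(m.group("pool"))
    return nats, pools


def triage(log_text, config_text):
    """Group 305006 events by source host and classify each host against the config:
    'no_nat'    - no nat statement on the source interface covers the host
    'no_global' - a nat id matches but no global with that id exists on the destination interface
    'covered'   - nat and global line up, so the failure is not a simple config gap"""
    nats, pools = parse_nat_rules(config_text)
    report = {}
    for ev in parse_events(log_text):
        key = (ev["src_if"], ev["src_ip"])
        if key in report:
            report[key]["count"] += 1
            continue
        host = ipaddress.ip_address(ev["src_ip"])
        matched = [nid for (ifc, nid, net) in nats if ifc == ev["src_if"] and host in net]
        if not matched:
            status = "no_nat"
        elif (ev["dst_if"], matched[0]) not in pools:
            status = "no_global"
        else:
            status = "covered"
        report[key] = {"count": 1, "status": status, "nat_ids": matched}
    return report


if __name__ == "__main__":
    for (ifc, ip), info in triage(SAMPLE_LOG, SAMPLE_CONFIG).items():
        print(f"{ifc}:{ip}  failures={info['count']}  status={info['status']}")
```

Run it against the real output of `show logging` and the nat/global lines of `show run`; a host reported as "no_nat" or "no_global" is a configuration gap to fix, while repeated "covered" failures point at stale xlates or device state, the kind of thing clear xlate or, as happened here, a reload resolves.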

Not applicable

Oh my god..., I had to restart the PIX and now I can connect from every PC...

The configuration of the PIX is the same.

Is it possible?
