PIX 525 is disallowing new connections

noc
Level 1

I am using a PIX 525 running 6.2 to protect the inside and DMZ networks. I am using static NAT. The PIX is denying outbound connections from the DMZ as well as the inside interfaces, though the implicit permit is already there. The log messages are:

201008: The PIX is disallowing new connections.

305006: outbound static translation creation failed for tcp src ................

Please Help to resolve the issue.

5 Replies

tvanginneken
Level 4

Hi,

Have a look at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/syslog/pixemsgs.htm#xtocid5

and you will find this info:

%PIX-3-201008: The PIX is disallowing new connections.

Explanation

This message occurs when you have enabled TCP syslogging and the syslog server cannot be reached, or when using PFSS (PIX Firewall Syslog Server) and the disk on the Windows NT system is full.

Action

Disable TCP syslogging. If using PFSS, free up space on the Windows NT system where PFSS resides. Also make sure that the syslog host is up and you can ping the host from the PIX Firewall console. Then restart TCP syslogging to allow traffic.

%PIX-3-305006: type translation creation failed for protocol

Explanation

A protocol (UDP, TCP, or ICMP) failed to create a translation through the PIX Firewall. The type can be static, portmapped (PAT), or regular.

Action

This message can be either an internal error or an error in the configuration.

Kind Regards,

Tom
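As an added example that is not from this thread: a small Python checker that recognises both message shapes quoted above (the bare "201008: ..." lines from the original post and the "%PIX-3-..." form from the docs), flags the two error IDs Tom explains, and groups 305006 translation failures by endpoint so a recurring static/NAT problem stands out. The sample log lines and the src/dst field layout assumed for 305006 are constructed, not taken from the poster's device.

```python
import re
from collections import Counter
# Both shapes seen in the thread: the bare "ID: text" form the original poster
# pasted and the "%PIX-<severity>-<ID>: text" form quoted from the docs.
LINE_RE = re.compile(r"^(?:%PIX-(?P<sev>\d)-)?(?P<id>\d{6}):\s*(?P<text>.*)$")
# Endpoint detail after "for <proto> src ... dst ..." in 305006 (layout assumed).
XLATE_RE = re.compile(r"for (?P<proto>\w+) src (?P<sif>[\w-]+):[\d.]+/\d+"
                      r" dst (?P<dif>[\w-]+):[\d.]+/(?P<dport>\d+)")

# The two error IDs explained in Tom's reply, with the cause/action he quotes.
ERRORS = {
    "201008": "TCP syslogging on and syslog host unreachable (or PFSS disk full); "
              "disable TCP syslogging or restore the host, then re-enable",
    "305006": "translation creation failed; check the static/nat/global config",
}

def parse_line(line):
    """Return {severity, id, text} for one PIX syslog line, or None if not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"severity": int(m["sev"]) if m["sev"] else None,
            "id": m["id"], "text": m["text"]}

def summarize(log_text):
    """Count IDs, flag the thread's two errors, group 305006 by endpoint."""
    counts, xlate_fail, alerts = Counter(), Counter(), []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        counts[rec["id"]] += 1
        if rec["id"] in ERRORS and ERRORS[rec["id"]] not in alerts:
            alerts.append(ERRORS[rec["id"]])
        if rec["id"] == "305006":
            x = XLATE_RE.search(rec["text"])
            key = (x["proto"], x["sif"], x["dif"], int(x["dport"])) if x else ("unparsed",)
            xlate_fail[key] += 1
    return {"counts": dict(counts),
            "syslog_blocking": counts["201008"] > 0,  # 201008: every new connection is refused
            "xlate_failures": dict(xlate_fail),
            "alerts": alerts}

# Constructed sample lines, not taken from the poster's device.
SAMPLE_LOG = """\
%PIX-3-201008: The PIX is disallowing new connections.
%PIX-3-305006: outbound static translation creation failed for tcp src inside:192.168.2.2/1043 dst DMZ:192.168.1.2/80
305006:outbound static translation creation failed for tcp src inside:192.168.2.2/1044 dst DMZ:192.168.1.2/80
302013:built outbound tcp connection 7 for DMZ
"""
```

Running `summarize(SAMPLE_LOG)` reports that 201008 is present (so the box is refusing all new connections until TCP syslogging is fixed) and that both translation failures share one tcp inside-to-DMZ/80 endpoint.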

Both problems have been resolved. Thanks for your help.

Another issue is that I am able to ping from inside to the DMZ but have not been able to access other services like web/ftp etc. The log shows the following message:

302013:built outbound tcp connection 7 for DMZ

Where am I wrong?

Hi,

Is it possible to post:

- the translation commands from the inside to the dmz

- the access-lists applied to the inside interface and the dmz interface

Thanks!

Kind Regards,

Tom

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet3 DMZ security60
static (DMZ,outside) 192.168.1.2 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.2.2 192.168.2.2 netmask 255.255.255.255 0 0
static (inside, DMZ) 192.168.2.2 192.168.2.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ

thong.do
Level 1

Check your NAT configuration; it might be related to the subnet mask.

And you should check your logging host, or temporarily disable forwarding Cisco logs to the logging host.

Thong Do
