Re: Problem passing traffic outside the pix

eelliston · ‎12-21-2004

I am having an issue where all wanted traffic can get in (Webpages, DNS, SMTP, etc.) but no machine from the inside can get out....even with a ping.

I attached my config,

When I try to ping to the outside from inside, I get this error logged...

305006: portmap translation creation failed for icmp src inside:192.168.4.22 dst outside:63.243.97.154 (type 8, code 0)

I also see this for UDP as well...

Any help would be great!

Thanks

jmia · ‎12-22-2004

Eric,

I had a quick look at your config and one thing I noticed is that you dont't seem to have any access-group LANOut in interface inside applied, also for your reference check out the following URL on how to handle icmp traffic through the pix.

http://www.cisco.com/warp/public/110/31.html

Also, remember to issue clear xlate after any modifications to ACLs or statics and save with write mem.

Hope this helps,

Jay

eelliston · ‎12-22-2004

Humm, in with the acl applied (access-group LANOut in interface inside) and clearing the xlate...same problem.

Can't ping...can't surf...humm..

thanks!

eelliston · ‎12-22-2004

Oh, and another thing...

The devices on the inside (windows servers) have 2 IPs on the interface. One is 192.168.4.x the other is 192.168.64.x,192.168.65.x or 192.168.68.x.

I do a translation to that network (one to one)...which seems to work fine.

The problem is when I try to surf outside....the machines primary ip is the 192.168.4.x network, which has a one to many translation (PAT). I dunno why...the client wanted it this way for some reason.

Maybe that will help figure out whats up.

Thanks!