Strange PIX problem

j.khandia · ‎08-26-2003

I have a Cisco PIX 506e securing a small network. It has been working fine allowing internet access for my users and VPN traffic apart from a very strange fault has occured over the last couple of days whereby some users on the network have internet access while others do not. Settings on users PC's are identicle apart from the static ip address which is unique for each PC.

When looking at syslog error messages I see the following error for users who can't connect

%PIX-3-305006: regular translation creation failed for udp src inside:192.168.0.21/1052 dst outside:192.168.78.29/53

any ideas anyone on how I can fix this?

The baffling thing is some users have internet access while others do not.

jmia · ‎08-26-2003

Hello Jamal,

The PIX error message '%PIX-3-305006' means the following :

%PIX-3-305006: type translation creation failed for protocol

Explanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the PIX Firewall. The type can be static, portmapped (PAT), or regular.

Action This message can be either an internal error or an error in the configuration

So, in saying this can you post your configuration either here on the forum or if you like direct to myself at: noc1@vodafone.net - PLEASE REMEMBER TO CHANGE PASSWORDS AND REAL IP's.

Thanks --

j.khandia · ‎08-26-2003

Hi,

Thanks for getting back to me. I have seen the interpretation of the error message on the cisco website but it doesn't give me any clues as to how to cure the error. Attached is the config ay help would be realy appreciated. This config has been running on the PIX for 3 months without problems. Only now has it developed this issue.

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable

passwd

hostname pixfirewall

domain-name

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list acl_in permit tcp any any eq www

access-list acl_in permit tcp any any eq domain

access-list acl_in permit udp any any eq domain

access-list acl_in permit tcp any any eq https

access-list acl_in permit udp any any range netbios-ns 139

access-list acl_in permit tcp any any range 137 netbios-ssn

access-list acl_in permit icmp any any

access-list acl_in deny tcp any any eq 4444

access-list acl_in deny tcp any any eq 69

access-list acl_in deny tcp any any eq 135

access-list no_nat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0

access-list vpn permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0

pager lines 24

logging on

logging monitor warnings

logging trap debugging

logging host inside x.x.x.x

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x x.x.x.x

ip address inside x.x.x.x 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 x.x.x.x-x.x.x.x

nat (inside) 0 access-list no_nat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_in in interface inside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map newmap 10 ipsec-isakmp

crypto map newmap 10 match address

crypto map newmap 10 set peer x.x.x.x

crypto map newmap 10 set transform-set myset

crypto map newmap interface outside

isakmp enable outside

isakmp key ******** address x.x.x.x netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

telnet x.x.x.x 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:

pixfirewall#

jmia · ‎08-26-2003

Hi -

Can you take out the following ACL :

access-list vpn permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0

access-list acl_in deny tcp any any eq 69

access-list acl_in deny tcp any any eq 135

Remember to save to config with command 'write memory' and also do command 'clear xlate' after your change.

and see if you get the error.

Thanks -

j.khandia · ‎08-26-2003

Hi,

access-list vpn permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0

Relates to a VPN I have setup and so I can't remove this.

access-list acl_in deny tcp any any eq 69

access-list acl_in deny tcp any any eq 135

Both relate to the blaster worm that hit PC's last week and prevents the blaster from hitting any of the PC's on the inside interface.

jmia · ‎08-27-2003

Hi Jamal,

The reason I was asking for removal of the above two access-list is your original error is stating that a inside client(IP) failed to build a UDP connection to the outside IP, As TCP/UDP use port 135 and you are denying port 135 with the access-list then you are likely to see the formentioned error. I'm aware of the 'blaster worm virus' and the port it uses to attack clients. You could test your firewall to see if there are any 'holes' visible from the outside (Internet) by going to the following site: www.grc.com and use 'Shields UP' (This is a secure site).

Also, looking at the error message, the inside client (IP) is trying to connect to a outside DNS client (port 53 for UDP). Another thing is, you say that the VPN access-list can't be removed, But you have no command 'nat(inside)0 access-list VPN' for the mentioned access-list ??

Let me know your thoughts -

Thanks - Jay

j.khandia · ‎08-27-2003

Hi Jay,

Many thanks for your help and time on this issue.

The VPN access list does actually have a

nat(inside)0 access-list VPN command in the config.

I sent across a slightly older config which did work as I wasn't at the office when I sent it through.

I looked at the config again this morning and found that if I issued the following command

clear xlate

this allowed machines to connect however as I went round to each machine I found that if I connected more than 4 machines then the same problem would occur again.

The deny tcp access list statements were actually added after this problem occured and having just removed them after your posting this seem to have no effect.

Jamal

j.khandia · ‎08-27-2003

Repeated message

jmia · ‎08-27-2003

Hi Jamal,

OK, Can you post your current config and also what sort of licence have you got for the PIX i.e. Ristricted, Unristricted etc.. a 'show version' Will tell you this. MAKESURE TO CHANGE REAL IP's and PASSWORDS. Or if you like post direct to me at noc1@vodafone.net

Thanks - Jay

j.khandia · ‎08-27-2003

Hi Jay,

The PIX has a restricted licence. Since my last I have fixed the issue. I setup PAT on the PIX and this allowed all users to connect and I have had no problems reported so far.

Many thanks for your help.

Jamal

cpalayoor · ‎08-27-2003

Hi,

I had a similar problem with a Pix a few months back.

The problem was diagnosed as a buffer overflow.

and was fixed with a patch from Cisco.

You may try a clear xlate and see if that temporarily solves your problem.

If it does you may need to get a patch from Cisco.

Regards

CP

j.khandia · ‎08-28-2003

Hi,

Many thanks I will take this up with Cisco and try and get a patch from them. I tried the clear xlate a few days back and it does clear down the translations however I get the same problem after more than 4 machines try to connect to the internet.

I entered a single global port address translation address and this seems to have fixed the issue for now.

Regards

Jamal