08-29-2006 07:51 PM - edited 03-09-2019 04:03 PM
About the complete config, please see the attachments:
When I ping the host (168.1.12.156) from the client (168.2.2.209), an error is reported, but I can telnet to the host (168.1.12.156) from the client (168.2.2.209). Please help me!
168.2.2.209(client)---inside----pix----ssn---server 168.1.12.156
Aug 30 2006 10:49:34: %PIX-3-305006: portmap translation creation failed for icmp src inside:168.2.2.209 dst ssn:168.1.12.156 (type 8, code 0)
08-29-2006 09:32 PM
Hi,
This is the same problem that we are discussing in this post.
Could you provide the complete statements of the ACL tofuzhou? I could see only the following lines in the config provided by you, which are incomplete.
access-list tofuzhou extended permit tcp 168.2.2.0 255.255.255.0 host 168.1.12.
access-list tofuzhou extended permit tcp 168.2.2.0 255.255.255.0 host 168.1.12.
Only TCP traffic is permitted in the ACL. If you want ICMP to be included in it as well, then you need to add it:
access-list tofuzhou extended permit icmp 168.2.2.0 255.255.255.0 168.2.33.0 255.255.255.0
access-list tofuzhou extended permit icmp 168.2.2.0 255.255.255.0 host 168.1.12.156
This ACL tofuzhou is tied to the NAT inside and global (ssn) as follows.
nat (inside) 6 access-list tofuzhou
global (ssn) 6 168.2.33.250 netmask 255.255.255.0
What is it that you are trying to achieve with the above global command?
If you want all the traffic originating from the inside interface (matched by ACL "tofuzhou") and destined to the DMZ SSN to get PAT'ed to the IP 168.2.33.250, then the commands should be as follows:
nat (inside) 6 access-list tofuzhou
global (ssn) 6 168.2.33.250
Kindly clarify what you would like to achieve for the traffic going from the inside interface to the DMZ ssn.
-VJ
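Added example, not part of the original posts: a small Python check of the point made in the answer above, namely whether the flow named in the %PIX-3-305006 message is matched by the ACL that drives the policy NAT. The function names are hypothetical, and the tcp ACL entry is a constructed stand-in because the tcp entries quoted in the thread are truncated.

```python
import ipaddress
import re

# The icmp entry is the one suggested in the answer; the tcp entry is a
# constructed stand-in, because the tcp entries quoted on the page are truncated.
ACL_TCP_ONLY = (
    "access-list tofuzhou extended permit tcp 168.2.2.0 255.255.255.0 host 168.1.12.156\n")
ACL_WITH_ICMP = ACL_TCP_ONLY + (
    "access-list tofuzhou extended permit icmp 168.2.2.0 255.255.255.0 host 168.1.12.156\n")
# Syslog line as posted in the question.
LOG = ("Aug 30 2006 10:49:34: %PIX-3-305006: portmap translation creation failed "
       "for icmp src inside:168.2.2.209 dst ssn:168.1.12.156 (type 8, code 0)")
LOG_RE = re.compile(
    r"%PIX-3-305006: .* for (\w+) src \w+:([\d.]+)(?:/\d+)? dst \w+:([\d.]+)")

def take_addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acl(text, name):
    """Return (proto, src_net, dst_net) per 'extended permit' entry of ACL `name`.
    Port operators after the source address are not handled."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:4] != ["access-list", name, "extended", "permit"]:
            continue
        src, rest = take_addr(tok[5:])
        dst, _ = take_addr(rest)
        entries.append((tok[4], src, dst))
    return entries

def nat_acl_matches(log_line, entries):
    """True if the protocol/src/dst in a 305006 message hits any ACL entry."""
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not a %PIX-3-305006 message")
    proto = m.group(1)
    src, dst = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
    return any(p in (proto, "ip") and src in s and dst in d for p, s, d in entries)

if __name__ == "__main__":
    for label, acl in (("tcp only", ACL_TCP_ONLY), ("with icmp entry", ACL_WITH_ICMP)):
        hit = nat_acl_matches(LOG, parse_acl(acl, "tofuzhou"))
        print(f"{label}: flow in the log {'matches' if hit else 'does not match'} tofuzhou")
```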
08-31-2006 05:10 PM
Can you still help me?