01-17-2003 10:11 AM - edited 03-09-2019 01:43 AM
hello,
I've been dealing with a problem that finally turned out to be bigger than my abilities to solve:
I administer a PIX 535, ver. 6.2(2), and the problem is that my users behind it fail to establish ftp/telnet/web... any connection.
the syslog server shows this error:
<163>Jan 17 2003 11:03:54: %PIX-3-305006: portmap translation creation failed for tcp src inside:11.254.12.161/19010 dst outside:213.9.178.76/80
in 17-Jan 10:55:19.35 from 11.254.12.67
The problem is solved once I run "clear xlate" on the PIX, and my users can ftp, telnet and browse the web, but the problem reappears after a short period of time (20 min... 1 hour...), and I have to clear the translation tables again!!
I've tried to find out what this error means, but I can find nothing other than "this can be an internal error or an error in the configuration"...
any clues???
thank you in advance
01-17-2003 10:14 PM
We probably need to see your PIX configuration, but I'll give it a shot. Outbound connections are controlled by the nat/global statements in the PIX. The PIX is running out of IP addresses and ports to NAT your inside traffic to. You probably have something like:
> global (outside) 1 x.x.x.1 - x.x.x.254
> nat (inside) 1 0 0
or something similar. This says NAT all your inside addresses to IP addresses x.x.x.1 to x.x.x.254. Once these are all used, you'll get the port translation failed error, because the PIX has run out of IP addresses. Keep in mind that one internal user can use up 10 or so IP addresses just by going to one web site.
Change your above config (or whatever you have) to:
> global (outside) 1 x.x.x.1 - x.x.x.253
> global (outside) 1 x.x.x.254
> nat (inside) 1 0 0
This says use x.x.x.1 to x.x.x.253 for NAT'ing the inside IP addresses, and then when you run out start PAT'ing everything to the x.x.x.254 address. This will give you up to 65000 translations just with this one IP address, more than enough for a mid-size company.
If you're still not sure what to do, please post your config, make sure to xxxxxx out the global IP addresses and your passwords.
01-21-2003 07:33 AM
ok, here's the config:
: Saved
:
PIX Version 6.2(2)
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif gb-ethernet2 Failover_fw security55
nameif ethernet0 dmz security50
nameif ethernet1 intf4 security30
nameif ethernet2 intf5 security25
enable password xxXxxx encrypted
passwd XXXXXX encrypted
hostname PIX-IMSS-1
domain-name XXXX.XXX.mx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
object-group network XXXSERVERS
network-object host 216.15.255.131
network-object host 200.32.3.188
network-object host 216.15.243.145
network-object host 216.15.191.44
network-object host 216.148.213.149
network-object host 207.153.254.54
network-object host 204.176.10.176
network-object host 62.81.62.169
network-object host 200.53.64.230
network-object host 65.243.196.210
network-object host 207.153.226.209
network-object host 207.68.183.187
network-object host 209.163.234.172
network-object host 209.67.42.29
network-object host 207.153.254.58
network-object host 209.207.135.134
network-object host 63.241.16.56
network-object host 64.4.53.7
network-object host 64.4.52.7
network-object host 64.4.43.7
network-object host 64.4.44.7
network-object host 64.4.45.7
network-object host 66.163.171.128
network-object host 64.58.76.98
network-object host 64.58.76.99
network-object host 64.12.164.65
network-object host 64.12.164.193
network-object host 207.46.104.20
network-object host 66.119.67.254
network-object host 64.58.79.230
network-object host 205.188.179.233
network-object host 64.12.200.89
network-object host 66.163.172.116
network-object host 66.218.71.198
network-object host 216.127.33.92
network-object host 64.58.76.37
network-object host 212.19.149.26
object-group network COMPAS
network-object host 11.254.43.38
network-object host 11.254.13.59
access-list OUT permit tcp any host xxxxxx.143.4 eq www
access-list OUT permit tcp any host xxxxxx.143.4 eq https
access-list OUT permit tcp any host xxxxxx.143.6 eq www
access-list OUT permit tcp any host xxxxxx.143.7 eq www
access-list OUT permit tcp any host xxxxxx.143.8 eq www
access-list OUT permit tcp any host xxxxxx.143.9 eq smtp
access-list OUT permit tcp any host xxxxxx.143.10 eq 8080
access-list OUT permit tcp any host xxxxxx.143.10 eq www
access-list OUT permit tcp any host xxxxxx.143.11 eq www
access-list OUT permit tcp any host xxxxxx.143.12 eq www
access-list OUT permit tcp any host xxxxxx.143.12 eq 5100
access-list OUT permit tcp any host xxxxxx.143.20 eq domain
access-list OUT permit udp any host xxxxxx.143.20 eq domain
access-list DMZ permit tcp any host 11.254.12.21 eq domain
access-list DMZ permit udp any host 11.254.12.21 eq domain
access-list DMZ permit ip any host 11.254.12.36
access-list DMZ permit tcp host 71.10.23.10 11.0.0.0 255.0.0.0 eq 1525
access-list DMZ permit tcp host 71.10.23.34 host 11.254.12.234 eq smtp
access-list DMZ permit tcp host 71.10.23.34 any eq sqlnet
access-list DMZ permit tcp 71.10.23.0 255.255.255.0 11.254.12.0 255.255.255.0 eq 135
access-list DMZ permit udp 71.10.23.0 255.255.255.0 11.254.12.0 255.255.255.0 eq netbios-ns
access-list DMZ permit tcp 71.10.23.0 255.255.255.0 11.254.12.0 255.255.255.0 eq netbios-ssn
access-list DMZ permit udp 71.10.23.0 255.255.255.0 11.254.12.0 255.255.255.0 eq netbios-dgm
access-list DMZ permit tcp host 71.10.23.10 11.0.0.0 255.0.0.0 eq 1526
access-list DMZ permit tcp host 71.10.23.11 11.0.0.0 255.0.0.0 eq 1526
access-list DMZ permit tcp host 71.10.23.14 11.0.0.0 255.0.0.0 eq 1526
access-list DMZ permit tcp host 71.10.23.11 11.0.0.0 255.0.0.0 eq 1525
access-list DMZ permit tcp host 71.10.23.14 11.0.0.0 255.0.0.0 eq 1525
access-list DMZ permit tcp any host 148.207.38.1 eq domain
access-list DMZ permit udp any host 148.207.38.1 eq domain
access-list DMZ permit tcp any host 204.153.24.1 eq domain
access-list DMZ permit udp any host 204.153.24.1 eq domain
access-list IN deny udp any any eq netbios-ns
access-list IN permit ip object-group COMPAS any
access-list IN deny ip any object-group XXXSERVERS
access-list IN deny tcp any any eq 1863
access-list IN permit ip any any
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging trap warnings
logging host inside 11.254.43.38
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface gb-ethernet2 1000auto
interface ethernet0 100full
interface ethernet1 auto shutdown
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu Failover_fw 1500
mtu dmz 1500
mtu intf4 1500
mtu intf5 1500
ip address outside xxxxxx.143.15 255.255.255.0
ip address inside 11.254.12.67 255.255.255.0
ip address Failover_fw 72.10.24.30 255.255.255.0
ip address dmz 71.10.23.99 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 3
failover ip address outside xxxxxx.143.14
failover ip address inside 11.254.12.66
failover ip address Failover_fw 72.10.24.29
failover ip address dmz 71.10.23.98
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
failover link Failover_fw
failover lan unit primary
failover lan interface Failover_fw
failover lan key ********
failover lan enable
pdm history enable
arp timeout 14400
global (outside) 1 xxxxxx.143.16
global (outside) 1 xxxxxx.143.17
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (dmz) 71.10.23.34 xxxxxx.143.10 255.255.255.255
static (dmz,outside) xxxxxx.143.6 71.10.23.11 netmask 255.255.255.255 0 0
static (dmz,outside) xxxxxx.143.7 71.10.23.25 netmask 255.255.255.255 0 0
static (dmz,outside) xxxxxx.143.8 71.10.23.13 netmask 255.255.255.255 0 0
static (dmz,outside) xxxxxx.143.12 71.10.23.35 netmask 255.255.255.255 0 0
static (inside,outside) xxxxxx.143.4 11.254.12.233 netmask 255.255.255.255 0 0
static (inside,outside) xxxxxx.143.9 11.254.12.234 netmask 255.255.255.255 0 0
static (dmz,outside) xxxxxx.143.10 71.10.23.34 netmask 255.255.255.255 0 0
static (inside,outside) xxxxxx.143.20 11.254.12.21 netmask 255.255.255.255 0 0
static (inside,dmz) 11.0.0.0 11.0.0.0 netmask 255.0.0.0 0 0
access-group OUT in interface outside
access-group IN in interface inside
access-group DMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 xxxxxx.143.254 1
route inside 10.0.0.0 255.0.0.0 11.254.12.254 1
route inside 11.0.0.0 255.0.0.0 11.254.12.254 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:15 absolute
timeout xlate 0:01:00
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 11.254.43.40 255.255.255.255 inside
http 11.254.43.38 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto dynamic-map dyna 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map mymap 10 ipsec-isakmp dynamic dyna
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet timeout 1
ssh 11.254.43.40 255.255.255.255 inside
ssh 11.254.43.38 255.255.255.255 inside
ssh timeout 60
terminal width 100
Cryptochecksum:xxxxxx
: end
According to a Cisco document, if I see the portmap translation error message in my logs, I must decrease the xlate timeout, which I've done, to 1 min. And the problem disappeared all day; I thought that the problem was gone, but this morning when I looked at my syslog server, I found the portmap translation error again. It seems that we are consuming 65000 X 2 translations!!!!! It's unbelievable!!! Or do you think that I must add more IP addresses to my global pool???
thanks in advance for your advice
01-21-2003 06:27 PM
What does a "sho conn count" and "sho xlate" tell you as to how many sessions and translations you have going at the time of the message?
01-21-2003 06:42 PM
sh conn count:
11266 in use, 941228 most used
sh xlate:
12528 in use, 176263 most used
At the time I ran these commands I had the fewest users online, it's 9PM... and I added 3 more PAT addresses in the morning, and in the whole day I haven't seen the portmap error message. Do you think that with this number of connections I really need that many PAT addresses?? Or am I exaggerating?
Is there a rule of how many PAT addresses I need?
01-21-2003 07:45 PM
176,263 xlates? Any wonder you're running out of translations with only two addresses. How many users do you have inside this PIX? Are you sure you don't have a machine inside that is creating 1000's of connections to external hosts, maybe one that is infected with a virus/worm.
Check your xlate table next time you see the counter getting high and see if one machine is using up most of the xlates. Check the same thing in the connection table, then fix that machine if you find one.
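The check suggested above (find the inside host holding most of the xlates and connections) and the triage of the %PIX-3-305006 messages from the first post can be scripted. The following is an added example, not from the thread or from Cisco: it parses saved syslog lines, the text of "show xlate" and the text of "show conn", counts entries per inside host, and compares the "most used" peak against a rough PAT capacity. The %PIX-3-305006 pattern matches the line quoted in the thread; the row layouts assumed for "show xlate" and "show conn" follow PIX 6.x output as I recall it and are an assumption, as is the 64,512-ports-per-PAT-address figure. All sample data is constructed.

```python
import re
from collections import Counter

# %PIX-3-305006 as quoted in the thread:
# "... portmap translation creation failed for tcp src inside:A/p dst outside:B/q"
PORTMAP_FAIL = re.compile(
    r"%PIX-3-305006: portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
# Assumed PIX 6.x 'show xlate' rows: "PAT Global G(port) Local L(port)" for PAT,
# "Global G Local L" for one-to-one (static/dynamic NAT) translations.
XLATE_ROW = re.compile(
    r"^(?:PAT )?Global (?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))?"
    r" Local (?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?"
)
# Assumed PIX 6.x 'show conn' rows: "TCP out X:port in Y:port idle ... flags ..."
CONN_ROW = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<oip>[\d.]+):(?P<oport>\d+)"
    r" in (?P<iip>[\d.]+):(?P<iport>\d+)"
)


def portmap_failures_by_source(syslog_lines):
    """Count %PIX-3-305006 events per inside source address; other messages are ignored."""
    hits = Counter()
    for line in syslog_lines:
        m = PORTMAP_FAIL.search(line)
        if m:
            hits[m.group("src_ip")] += 1
    return hits


def xlates_by_local_host(show_xlate_output):
    """Count 'show xlate' rows per inside (Local) address, PAT and one-to-one rows alike."""
    per_host = Counter()
    for line in show_xlate_output.splitlines():
        m = XLATE_ROW.match(line.strip())
        if m:
            per_host[m.group("lip")] += 1
    return per_host


def conns_by_inside_host(show_conn_output):
    """Return (rows per inside host, rows per (inside host, proto, destination port))."""
    per_host, per_service = Counter(), Counter()
    for line in show_conn_output.splitlines():
        m = CONN_ROW.match(line.strip())
        if m:
            per_host[m.group("iip")] += 1
            per_service[(m.group("iip"), m.group("proto"), int(m.group("oport")))] += 1
    return per_host, per_service


def top_talkers(per_host, share=0.5):
    """Hosts holding more than `share` of all counted entries: scanner/worm candidates."""
    total = sum(per_host.values())
    return [] if total == 0 else [(h, n) for h, n in per_host.most_common() if n / total > share]


def pat_headroom(pat_addresses, peak_xlates, ports_per_address=64512):
    """(capacity, shortfall) for the peak; 64,512 = ports 1024-65535 per PAT address (assumption)."""
    capacity = pat_addresses * ports_per_address
    return capacity, peak_xlates - capacity


# Constructed sample input in the formats above (not real captures).
SYSLOG = [
    "<163>Jan 17 2003 11:03:54: %PIX-3-305006: portmap translation creation failed for tcp src inside:11.254.12.161/19010 dst outside:213.9.178.76/80",
    "<163>Jan 17 2003 11:03:55: %PIX-3-305006: portmap translation creation failed for udp src inside:11.254.12.161/19011 dst outside:198.51.100.7/1434",
    "<163>Jan 17 2003 11:03:55: %PIX-3-305006: portmap translation creation failed for tcp src inside:11.254.12.40/2048 dst outside:203.0.113.9/80",
    "<163>Jan 17 2003 11:03:56: %PIX-3-305006: portmap translation creation failed for udp src inside:11.254.12.161/19012 dst outside:198.51.100.8/1434",
    "<164>Jan 17 2003 11:03:57: %PIX-4-106023: Deny tcp src inside:11.254.12.40/2049 dst outside:203.0.113.9/25 by access-group IN",
]
SHOW_XLATE = """7 in use, 176263 most used
PAT Global 192.0.2.16(1024) Local 11.254.12.161(19010)
PAT Global 192.0.2.16(1025) Local 11.254.12.161(19011)
PAT Global 192.0.2.16(1026) Local 11.254.12.161(19012)
PAT Global 192.0.2.16(1027) Local 11.254.12.161(19013)
PAT Global 192.0.2.17(1024) Local 11.254.12.161(19014)
PAT Global 192.0.2.17(1025) Local 11.254.12.40(2048)
Global 192.0.2.4 Local 11.254.12.233
"""
SHOW_CONN = """UDP out 198.51.100.7:1434 in 11.254.12.161:19011 idle 0:00:01 flags -
UDP out 198.51.100.8:1434 in 11.254.12.161:19012 idle 0:00:01 flags -
UDP out 198.51.100.9:1434 in 11.254.12.161:19013 idle 0:00:01 flags -
TCP out 213.9.178.76:80 in 11.254.12.161:19010 idle 0:00:05 Bytes 1024 flags UIO
TCP out 203.0.113.9:80 in 11.254.12.40:2048 idle 0:00:12 Bytes 5120 flags UIO
"""

if __name__ == "__main__":
    print("305006 failures by source:", portmap_failures_by_source(SYSLOG).most_common())
    print("xlate top talkers:", top_talkers(xlates_by_local_host(SHOW_XLATE)))
    hosts, services = conns_by_inside_host(SHOW_CONN)
    print("conn top talkers:", top_talkers(hosts), "busiest services:", services.most_common(2))
    print("PAT capacity vs peak (2 addresses, 176263 most used):", pat_headroom(2, 176263))
```

Run it against a real capture by pasting the device output into the three inputs. A single host well over half of the xlate table, or many short UDP connections from one host to the same destination port across many destinations, is the pattern to chase down on that machine rather than paper over with more PAT addresses.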
01-25-2003 08:22 AM
Had this config been working earlier? If so, there's a worm running loose on the internet that is gobbling resources. Check http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html