Static Translations from non-existent hosts

rosspbarnes
Level 1

This is probably just something else that I do not understand about the PIX, but I want to know what is going on. I am getting log message 305009 "Built static translation from inside: some-IP to outside: same-IP" from non-existent hosts and subnets. First assumption is that there might be some spoofing going on, but sniffing the link between our internal router and PIX shows no traffic from this host. Is this a scan? If so, why is the static translation from inside to outside?


gfullage
Cisco Employee

The "from" and "to" in this message don't indicate the direction the traffic was seen in (i.e., the PIX didn't have to actually see traffic FROM some-IP). All this message is telling you is that the PIX created a translation in its internal table because it saw traffic from OR to this address. The message is indicating a translation was created from one interface to another, and the message will always say FROM the higher security interface TO the lower security interface; it's not telling you that it actually saw traffic from one interface to the other.

You must have a static command set up translating this IP address to itself between the inside and outside interfaces, so if the PIX sees traffic going to this address from the outside, or coming from this address on the inside, it'll have to create a translation for it and this message will be displayed.

Again, it doesn't signify the traffic direction, just that traffic is seen.

As for what it might be, quite possibly a scan of all available hosts on that subnet, quite possibly something completely harmless also. If it's a scan I'd expect to see one of these messages for every host on the subnet, if you don't see this then it may be something entirely different.
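As an added example that is not part of this thread: a small Python check that applies the test gfullage describes, counting how many distinct inside hosts per subnet got a 305009 translation built. The syslog lines are constructed for the example; only the message id and its "Built static translation from if:ip to if:ip" wording come from the thread.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample syslog lines (hosts, timestamps and hostname are made up).
# 10.20.30.1-.6 all get a translation within seconds; 10.20.31.77 appears once.
SAMPLE_LOG = "\n".join(
    [f"Jan 10 10:00:0{i} pix %PIX-6-305009: Built static translation "
     f"from inside:10.20.30.{i} to outside:10.20.30.{i}" for i in range(1, 7)]
    + ["Jan 10 10:00:09 pix %PIX-6-305009: Built static translation "
       "from inside:10.20.31.77 to outside:10.20.31.77",
       "Jan 10 10:00:10 pix unrelated message that is not a 305009 event (constructed filler)"]
)

MSG_305009 = re.compile(
    r"%PIX-6-305009: Built static translation from "
    r"(?P<real_if>\w+):(?P<real_ip>[\d.]+) to (?P<mapped_if>\w+):(?P<mapped_ip>[\d.]+)"
)

def parse_305009(text):
    """Return (real_if, real_ip, mapped_if, mapped_ip) for 305009 lines; skip everything else."""
    matches = (MSG_305009.search(line) for line in text.splitlines())
    return [m.groups() for m in matches if m]

def identity_statics(text):
    """Addresses translated to themselves, the 'static to itself' case the reply describes."""
    return sorted({real for _, real, _, mapped in parse_305009(text) if real == mapped})

def hosts_per_subnet(text, prefix=29):
    """Distinct real (inside) hosts per /prefix; a sweep touches many, normal use touches few."""
    seen = defaultdict(set)
    for _, real_ip, _, _ in parse_305009(text):
        seen[str(ip_network(f"{real_ip}/{prefix}", strict=False))].add(real_ip)
    return {net: sorted(hosts) for net, hosts in seen.items()}

def suspected_sweeps(text, prefix=29, min_fraction=0.75):
    """Subnets where translations were built for most usable hosts: the pattern gfullage says to look for."""
    flagged = []
    for net, hosts in hosts_per_subnet(text, prefix).items():
        usable = max(ip_network(net).num_addresses - 2, 1)
        if len(hosts) / usable >= min_fraction:
            flagged.append(net)
    return sorted(flagged)

if __name__ == "__main__":
    print("identity statics:", identity_statics(SAMPLE_LOG))
    print("suspected sweeps:", suspected_sweeps(SAMPLE_LOG))
```

A single subnet where nearly every host triggers 305009 in a short window matches the "one message for every host" sign of a scan; a lone host does not, which is the harmless case the reply also allows for.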