12-16-2004 06:21 AM
I have the following situation: I have one internal network with one Class C subnet, and the whole Class C subnet is statically translated to the company's global WAN, from the inside interface to the WAN interface. Inside has a security level of 100, and WAN is 0. I newly created one more interface for VPN traffic, and the VPN pool uses a private Class C subnet. In order for VPN users to be able to enter the WAN, I have to translate them into the LAN's subnet. Therefore, I took one LAN IP for the PAT. However, the VPN pool IPs could not be translated to the LAN IP; the error message is "portmapped translation could not be created". When I use a static translation from one of the VPN pool IPs to the same LAN IP, it translates with no issue.
May I know the reason for this problem, and how I can resolve it? I definitely don't want to use static mappings from the VPN pool to LAN IPs. Can PAT be used for IPsec traffic?
Thanks for answering!
12-17-2004 11:31 PM
If I understand you right,
I think that you have the following in your config:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
If so, this is what is happening:
1 - A VPN user connects and (for example) tries to open a web session to an internal server (sends a TCP SYNchronization packet).
2 - The internal web server sends back an ACKnowledgement to this toward the firewall. Now, if everything that hits the firewall's inside interface to get out is destined to be NAT'd, then the firewall will complain, because it is receiving an ACK to an outside host when no translation slot was previously created (the internal web server did not start this session). The PIX, being the stateful firewall that it is, will not like this. If you put in some sort of NAT statement to adjust this behavior, it should fix this problem.
____________________________________________________
You really do not have to translate it to the LAN; you should be able to use another pool of IP addresses exclusively for the VPN users.
Let's say...
External Address: 3.3.3.3 (All internal hosts are translated to this)
VPN Pool: 2.2.2.0/24 (remote access hosts acquire an address from this pool)
Internal LAN: 1.1.1.0/24 (your internal LAN)
Then make sure that you do NOT NAT the response traffic coming back to the VPN users:
sysopt connection permit-ipsec
ip local pool VPN-USERS 2.2.2.1-2.2.2.254
access-list VPN-NO-NAT permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
nat (inside) 0 access-list VPN-NO-NAT
Also, just for completeness:
crypto dynamic-map RA-USERS 20 match address VPN-NO-NAT
P.S. Just make sure that your internal routing infrastructure has a route pointing to the firewall for your VPN pool.
I run PPTP and IPsec tunnels on our PIX in this fashion, using a different IP pool for each method.
Hope this helps.
12-18-2004 07:08 AM
Hi d-garnett, thanks a lot for your advice. Maybe I should explain it more clearly. My PIX firewall has 6 interfaces: one Internet DMZ, where the VPN concentrator connects; one internal DMZ, where the other side of the VPN concentrator connects; one Internet interface; one company global WAN interface; and the last one is the LAN interface.
I was using private Class C subnets for the different pools of VPN users, and they have no problem connecting to LAN servers, since the whole LAN is completely statically translated from the LAN interface to the VPN interface. However, when they need to enter the global WAN, their IP addresses have to be NAT'd to IPs that the global WAN recognizes.
Currently, the LAN servers and users are using those global-WAN-recognizable IPs assigned by HQ. Therefore, in order to allow VPN users to access servers in the global WAN, I have to use some of the LAN IPs that are currently not in use as the NAT pool for the VPN IPs. The error message occurs at this point, and no traffic can flow through the PIX firewall. The ACL has no restriction, so I can only suspect that it is either a NAT configuration issue or a PIX firewall bug.
Has anybody encountered this issue before?
12-18-2004 07:29 AM
Actually, I did two tests: one with PAT and the other with static NAT from the VPN interface to the WAN interface, using the same global IP. PAT failed; static NAT succeeded. I am not sure whether this is a problem with IPsec traffic and PAT. Is there any configuration that can avoid it?
Thanks for the experts' advice!
12-20-2004 04:56 AM
Finally, I found out the reason. The IP used for the global pool is included in the static translation of the subnets from the inside interface to the outside interface. Therefore, the PIX can't use this IP as the global IP for another interface, although configuration-wise it won't complain about it.
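The root cause found above (a `global` pool address that sits inside the mapped-side range of an existing `static` on the same interface, which the PIX accepts at configuration time but cannot allocate a PAT slot from) is exactly the kind of overlap a quick config lint can catch before deployment. The following Python script is an added example, not part of this thread and not Cisco code: it parses PIX 6.x-style `static` and `global` lines and reports any global address or range that overlaps a static's mapped block on the same interface. The two configuration fragments are constructed to mirror the thread (LAN 1.1.1.0/24 identity-translated from `inside` to `wan`, VPN pool 2.2.2.0/24 PAT'd to a LAN address); interface names and addresses are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed PIX 6.x-style fragments (hypothetical names and addresses).
# BROKEN: the PAT address 1.1.1.200 lies inside the identity static for the
# whole LAN on the wan interface, which is the situation from the thread.
BROKEN_CONFIG = """
static (inside,wan) 1.1.1.0 1.1.1.0 netmask 255.255.255.0 0 0
nat (vpn) 2 2.2.2.0 255.255.255.0 0 0
global (wan) 2 1.1.1.200
"""

# FIXED: the static is narrowed to the half of the block that hosts actually
# use, so the unused address 1.1.1.200 is free for the VPN pool's PAT.
FIXED_CONFIG = """
static (inside,wan) 1.1.1.0 1.1.1.0 netmask 255.255.255.128 0 0
nat (vpn) 2 2.2.2.0 255.255.255.0 0 0
global (wan) 2 1.1.1.200
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask] ...
# Port statics ("static (a,b) tcp ...") and the "interface" keyword form
# are deliberately not handled here.
STATIC_RE = re.compile(
    r"^static \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\)\s+"
    r"(?P<mapped_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<real_ip>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?"
)
# global (ifc) id start[-end] [netmask mask]; "global (ifc) id interface" is skipped.
GLOBAL_RE = re.compile(
    r"^global \((?P<iface>[\w-]+)\)\s+(?P<id>\d+)\s+"
    r"(?P<start>\d+\.\d+\.\d+\.\d+)(?:-(?P<end>\d+\.\d+\.\d+\.\d+))?"
)


@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped: ipaddress.IPv4Network  # addresses this static claims on mapped_ifc
    line: str


@dataclass
class Global:
    iface: str
    pool_id: int
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    line: str


def parse(config: str):
    """Extract static and global statements from a config fragment."""
    statics, pools = [], []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            mask = m.group("mask") or "255.255.255.255"  # host static by default
            net = ipaddress.IPv4Network((m.group("mapped_ip"), mask), strict=False)
            statics.append(Static(m.group("real"), m.group("mapped"), net, line))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            start = ipaddress.IPv4Address(m.group("start"))
            end = ipaddress.IPv4Address(m.group("end") or m.group("start"))
            pools.append(Global(m.group("iface"), int(m.group("id")), start, end, line))
    return statics, pools


def find_conflicts(config: str):
    """Return (global_line, static_line) pairs whose address ranges overlap
    on the same mapped interface; such a global cannot allocate PAT slots."""
    statics, pools = parse(config)
    conflicts = []
    for g in pools:
        for s in statics:
            if s.mapped_ifc != g.iface:
                continue
            # Ranges overlap when neither lies entirely before the other.
            if s.mapped[0] <= g.end and g.start <= s.mapped[-1]:
                conflicts.append((g.line, s.line))
    return conflicts


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {find_conflicts(cfg) or 'no overlap'}")
```

Run against the broken fragment the script pairs `global (wan) 2 1.1.1.200` with the /24 static; against the fixed fragment it reports nothing. The check is per mapped interface only, because the thread's failure is about the PIX already owning that address on the `wan` side; a global on a different interface reusing the same number is a separate question.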