Cisco PIX 501 - Can't remove Translation Rule

Discussion in 'Cisco' started by sam.mattern, Jan 11, 2010.

    So here's the story. We got a new server and I need to change 3 or 4 access rules to point to the new server instead of to the old one. Simple enough, just delete the access rules and translation rules for the old server, and create new ones pointing to the new server. However, after I deleted the access rules, when I try to delete the corresponding translation rules I get: "PDM has found that this operation will result in some security rules getting nullified. Please review your translation/security rules, before retrying this operation." Here is my running configuration:

    Building configuration...
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password o2i7ZKHQ5m9Eky7Q encrypted
    passwd o2i7ZKHQ5m9Eky7Q encrypted
    hostname SPR-PIX
    domain-name spectrumreporting.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.10.121 AVID
    name 199.89.0.0 MailRoute
    name 192.168.10.113 DELLSERVER
    name 98.129.77.90 RBWEB
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit tcp any interface outside eq ftp
    access-list outside_access_in permit tcp any interface outside eq ftp-data
    access-list outside_access_in permit tcp any interface outside eq ssh
    access-list outside_access_in remark Passive Mode for FTP
    access-list outside_access_in permit tcp any interface outside range 23580 23584
    access-list outside_access_in permit tcp any interface outside eq www
    access-list outside_access_in remark For webmail
    access-list outside_access_in permit tcp any interface outside eq imap4
    access-list outside_access_in remark OWA
    access-list outside_access_in permit tcp any interface outside eq https
    access-list outside_access_in remark Intranet
    access-list outside_access_in permit tcp any interface outside eq 444
    access-list outside_access_in remark RWW
    access-list outside_access_in permit tcp any interface outside eq 4125
    access-list outside_access_in remark PPTP (VPN)
    access-list outside_access_in permit tcp any interface outside eq pptp
    access-list outside_access_in remark Incoming mail
    access-list outside_access_in permit tcp MailRoute 255.255.248.0 interface outside eq smtp
    access-list outside_access_in permit tcp any interface outside eq 17575
    access-list sp3ctrum_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
    access-list inside_outbound_nat0_acl permit ip any 172.16.1.0 255.255.255.240
    access-list outside_cryptomap_dyn_20 permit ip any 172.16.1.0 255.255.255.240
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 99.129.111.113 255.255.255.0
    ip address inside 192.168.10.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 172.16.1.1-172.16.1.10
    pdm location 192.168.10.5 255.255.255.255 inside
    pdm location 192.168.10.53 255.255.255.255 inside
    pdm location 64.129.190.0 255.255.255.128 outside
    pdm location 192.168.10.1 255.255.255.255 inside
    pdm location 192.168.10.102 255.255.255.255 inside
    pdm location AVID 255.255.255.255 inside
    pdm location 99.129.111.113 255.255.255.255 inside
    pdm location DELLSERVER 255.255.255.255 inside
    pdm location MailRoute 255.255.248.0 outside
    pdm location 0.0.0.0 255.255.255.255 inside
    pdm location 0.0.0.0 255.255.255.255 outside
    pdm location RBWEB 255.255.255.255 outside
    pdm location 192.168.10.115 255.255.255.255 inside
    pdm location 192.168.10.16 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface imap4 DELLSERVER imap4 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 26919 DELLSERVER 26919 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp AVID ftp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp-data AVID ftp-data netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 23580 AVID 23580 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 23581 AVID 23581 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ssh AVID ssh netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 23582 AVID 23582 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 23583 AVID 23583 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 23584 AVID 23584 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 43958 AVID 43958 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www DELLSERVER www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp DELLSERVER smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https DELLSERVER https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 4125 DELLSERVER 4125 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 444 DELLSERVER 444 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pptp DELLSERVER pptp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5010 DELLSERVER 5010 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 1433 DELLSERVER 1433 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5011 DELLSERVER 5011 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 85 DELLSERVER 85 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 17575 192.168.10.115 17575 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 99.129.111.118 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    ntp server 216.29.107.2 source outside
    http server enable
    http 172.16.1.0 255.255.255.240 outside
    http 64.129.190.0 255.255.255.128 outside
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup sp3ctrum address-pool vpnpool
    vpngroup sp3ctrum dns-server 192.168.10.1 216.29.107.5
    vpngroup sp3ctrum default-domain spectrumreporting.com
    vpngroup sp3ctrum split-tunnel sp3ctrum_splitTunnelAcl
    vpngroup sp3ctrum idle-time 1800
    vpngroup sp3ctrum password ********
    telnet 172.16.1.0 255.255.255.240 outside
    telnet 192.168.10.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.10.3-192.168.10.130 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:f47803ec555fde2e5dbbedc8c7c43ee2
    : end
    [OK]


    I'm trying to remove 5010, 5011, and 1433, or change them to point to the new server. I tried re-adding the access rules, deleted them again, saved to flash, no change. Please help! Thanks in advance.
     
    sam.mattern, Jan 11, 2010
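Added example, not part of the original post: a Python check that cross-references the `static` port forwards in a PIX 6.3 running configuration with the permits in the ACL bound inbound to the outside interface. It lists forwards that no permit covers (the state ports 5010, 5011 and 1433 are in after their access rules were deleted) and permitted ports that have no forward. The sample is a constructed excerpt of lines from the configuration above; the function names and the port-keyword table are assumptions of this example.

```python
import re

# Constructed excerpt: a subset of lines from the running configuration posted above.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp MailRoute 255.255.248.0 interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq 17575
static (inside,outside) tcp interface www DELLSERVER www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp DELLSERVER smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5010 DELLSERVER 5010 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1433 DELLSERVER 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5011 DELLSERVER 5011 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 17575 192.168.10.115 17575 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Port keywords that appear in the posted configuration (assumed table, extend as needed).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25, "www": 80,
              "imap4": 143, "https": 443, "pptp": 1723}

GROUP_RE = re.compile(r"access-group (\S+) in interface outside$")
ACL_RE = re.compile(r"access-list (\S+) permit tcp (?:any|\S+ \S+) interface outside "
                    r"(?:eq (\S+)|range (\S+) (\S+))$")
STATIC_RE = re.compile(r"static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) ")

def port(token):
    """Translate a PIX port keyword or decimal string to an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token]

def audit_port_forwards(config):
    """Return (forwards with no inbound permit, permitted ports with no forward)."""
    lines = [line.strip() for line in config.splitlines()]
    # Only the ACL applied inbound on the outside interface filters forwarded traffic.
    bound = {m.group(1) for line in lines if (m := GROUP_RE.match(line))}
    permits, forwards = [], []
    for line in lines:
        if (m := ACL_RE.match(line)) and m.group(1) in bound:
            lo, hi = m.group(2) or m.group(3), m.group(2) or m.group(4)
            permits.append((port(lo), port(hi)))
        elif m := STATIC_RE.match(line):
            # (outside port, inside host, inside port)
            forwards.append((port(m.group(1)), m.group(2), port(m.group(3))))
    uncovered = [f for f in forwards
                 if not any(lo <= f[0] <= hi for lo, hi in permits)]
    mapped = {f[0] for f in forwards}
    unbacked = sorted({p for lo, hi in permits
                       for p in range(lo, hi + 1) if p not in mapped})
    return uncovered, unbacked
```

Running `audit_port_forwards` on the full saved configuration rather than the excerpt gives the complete list of forwards that the outside ACL no longer permits.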