Problems Passing Traffic outside the PIX...incoming works fine

I am having an issue where all wanted traffic can get in (Webpages, DNS,
SMTP, etc.) but no machine from the inside can get out....even with a ping.
I attached my config...
When I try to ping to the outside from inside, I get this error logged...

305006: portmap translation creation failed for icmp src inside:192.168.4.22
dst outside:63.243.97.154 (type 8, code 0)

I also see this for UDP as well...

I have tried to remove the ACL on the inside interface...still a no go. I
think its a PAT issue rather than an ACL issue...

The devices on the inside (windows servers) have 2 IPs on the interface. One
is 192.168.4.x the other is 192.168.64.x,192.168.65.x or 192.168.68.x.

I do a translation to that network (one to one)...which seems to work fine.


The problem is when I try to surf outside....the machines primary ip is the
192.168.4.x network, which has a one to many translation (PAT). I dunno
why...the client wanted it this way for some reason.

Maybe that will help figure out whats up.



Any help would be great!

Thanks


Config

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password xxxxxxxxx. encrypted
passwd xxxxx encrypted
hostname xxxx
domain-name msxxxxxxxx.com
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp strict 21
names
object-group network ServerGroup01
network-object host 216.82.64.61
network-object host 216.82.64.62
network-object host 216.82.64.63
network-object 216.82.64.64 255.255.255.192
network-object 216.82.64.128 255.255.255.128
network-object 216.82.65.0 255.255.255.0
network-object 66.230.68.0 255.255.255.192
network-object 66.230.68.64 255.255.255.224
network-object host 66.230.68.96
network-object host 66.230.68.97
network-object host 66.230.68.98
network-object host 66.230.68.99
network-object host 66.230.68.100
object-group network ServerGroup02
network-object host 66.230.68.100
network-object host 66.230.68.101
network-object host 66.230.68.103
network-object host 66.230.68.102
network-object 66.230.68.104 255.255.255.248
network-object 66.230.68.112 255.255.255.240
network-object 66.230.68.128 255.255.255.128
object-group network DNS
network-object host 216.82.64.20
network-object host 216.82.64.21
network-object host 216.82.64.22
access-list LANIn permit tcp any object-group DNS eq domain
access-list LANIn permit udp any object-group DNS eq domain
access-list LANIn permit tcp any object-group ServerGroup01 eq www
access-list LANIn permit tcp any object-group ServerGroup01 eq https
access-list LANIn permit tcp any object-group ServerGroup01 eq ftp
access-list LANIn permit tcp any object-group ServerGroup01 eq smtp
access-list LANIn permit tcp any object-group ServerGroup02 eq www
access-list LANIn permit tcp any object-group ServerGroup02 eq https
access-list LANIn permit tcp any object-group ServerGroup02 eq ftp
access-list LANIn permit tcp any object-group ServerGroup02 eq smtp
access-list LANIn permit tcp any object-group ServerGroup02 eq pop3
access-list LANIn permit icmp any any
access-list LANOut permit ip any any
access-list LANOut permit icmp any any
access-list LANOut permit icmp any any echo-reply
pager lines 24
logging on
logging buffered errors
logging trap notifications
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 216.183.xxx.xxx 255.255.255.252
ip address inside 192.168.0.1 255.255.0.0
ip address DMZ 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 216.82.64.40
global (outside) 2 216.82.64.41
global (outside) 3 216.82.64.42
global (outside) 4 216.82.64.1
nat (inside) 4 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
nat (inside) 2 192.168.3.0 255.255.255.0 0 0
nat (inside) 3 192.168.4.0 255.255.255.0 0 0
alias (inside) 192.168.64.0 216.82.64.0 255.255.255.0
alias (inside) 192.168.65.0 216.82.65.0 255.255.255.0
alias (inside) 192.168.68.0 66.230.68.0 255.255.255.0
static (inside,outside) 216.82.64.0 192.168.64.0 netmask 255.255.255.0 0 0
static (inside,outside) 216.82.65.0 192.168.65.0 netmask 255.255.255.0 0 0
static (inside,outside) 66.230.68.0 192.168.68.0 netmask 255.255.255.0 0 0
access-group LANIn in interface outside
access-group LANOut in interface outside
route outside 0.0.0.0 0.0.0.0 216.183.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.0.0 255.255.0.0 DMZ
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
terminal width 80
Cryptochecksum:3ab4b1db810e076fd357c7b626e3e029

 

:I am having an issue where all wanted traffic can get in (Webpages, DNS,
:SMTP, etc.) but no machine from the inside can get out....even with a ping.
:I attached my config...
:When I try to ping to the outside from inside, I get this error logged...

:305006: portmap translation creation failed for icmp src inside:192.168.4.22
:dst outside:63.243.97.154 (type 8, code 0)

:global (outside) 1 216.82.64.40
:global (outside) 2 216.82.64.41
:global (outside) 3 216.82.64.42
:global (outside) 4 216.82.64.1
:nat (inside) 4 192.168.0.0 255.255.255.0 0 0
:nat (inside) 1 192.168.2.0 255.255.255.0 0 0
:nat (inside) 2 192.168.3.0 255.255.255.0 0 0
:nat (inside) 3 192.168.4.0 255.255.255.0 0 0

:static (inside,outside) 216.82.64.0 192.168.64.0 netmask 255.255.255.0 0 0
:static (inside,outside) 216.82.65.0 192.168.65.0 netmask 255.255.255.0 0 0
:static (inside,outside) 66.230.68.0 192.168.68.0 netmask 255.255.255.0 0 0

Your outside IPs in your global statements overlap with your first
'static' statement. The static is overriding, leaving effectively
no 'global' statements active.

IX Version 6.2(1)

You should get that updated; it has known security problems.
Updates are free even without a support contract. Search cisco's site
for PIX security advisory 6.2 and look through the advisories for
update information. See in particular

http://www.cisco.com/warp/public/707/cisco-sa-20031215-pix.shtml

 

Wow...I should no better...

thanks for spotting that out. I subnetted out that 1st static statement
into a few seprate statements that sit around those 3 global addresses
(.40,.41,.42)

static (inside,outside) 216.82.64.31 192.168.64.31 netmask 255.255.255.255 0
0
static (inside,outside) 216.82.64.32 192.168.64.32 netmask 255.255.255.248 0
0
static (inside,outside) 216.82.64.43 192.168.64.43 netmask 255.255.255.255 0
0
static (inside,outside) 216.82.64.44 192.168.64.44 netmask 255.255.255.252 0
0
static (inside,outside) 216.82.64.48 192.168.64.48 netmask 255.255.255.240 0
0
static (inside,outside) 216.82.64.64 192.168.64.64 netmask 255.255.255.192 0
0
static (inside,outside) 216.82.64.128 192.168.64.128 netmask 255.255.255.128
0 0



Worked like a charm...

once again...thank you!

Eric

 

Why did you apply two -2- ACL's to the -->outside<-- interface?

 

:thanks for spotting that out. I subnetted out that 1st static statement
:into a few seprate statements that sit around those 3 global addresses
.40,.41,.42)

:static (inside,outside) 216.82.64.31 192.168.64.31 netmask 255.255.255.255 0 0
:static (inside,outside) 216.82.64.32 192.168.64.32 netmask 255.255.255.248 0 0

Don't do that. When you static with a netmask other than 255.255.255.255
then the PIX will believe that there really is a network with that
number scheme, and will consider the first and last IP in the range
to be reserved and will not allow traffic to be sourced from those IPs.

Only use a netmask other than 255.255.255.255 on a static if the static
covers the entire subnet... or if you don't care that the first and
last IPs become unusable, and you document that thoroughly in the
configuration!!