Problems Passing Traffic outside the PIX...incoming works fine

Discussion in 'Cisco' started by Eric Elliston, Dec 22, 2004.

  1. I am having an issue where all wanted traffic can get in (Webpages, DNS,
    SMTP, etc.) but no machine from the inside can get out....even with a ping.
    I attached my config...
    When I try to ping to the outside from inside, I get this error logged...

    305006: portmap translation creation failed for icmp src inside:192.168.4.22
    dst outside:63.243.97.154 (type 8, code 0)

    I also see this for UDP as well...

    I have tried to remove the ACL on the inside interface...still a no go. I
    think it's a PAT issue rather than an ACL issue...

    The devices on the inside (Windows servers) have 2 IPs on the interface. One
    is 192.168.4.x, the other is 192.168.64.x, 192.168.65.x or 192.168.68.x.

    I do a translation to that network (one to one)...which seems to work fine.


    The problem is when I try to surf outside....the machine's primary IP is on the
    192.168.4.x network, which has a one-to-many translation (PAT). I dunno
    why...the client wanted it this way for some reason.

    Maybe that will help figure out what's up.



    Any help would be great!

    Thanks


    Config

    PIX Version 6.2(1)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    enable password xxxxxxxxx. encrypted
    passwd xxxxx encrypted
    hostname xxxx
    domain-name msxxxxxxxx.com
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    fixup protocol ftp strict 21
    names
    object-group network ServerGroup01
    network-object host 216.82.64.61
    network-object host 216.82.64.62
    network-object host 216.82.64.63
    network-object 216.82.64.64 255.255.255.192
    network-object 216.82.64.128 255.255.255.128
    network-object 216.82.65.0 255.255.255.0
    network-object 66.230.68.0 255.255.255.192
    network-object 66.230.68.64 255.255.255.224
    network-object host 66.230.68.96
    network-object host 66.230.68.97
    network-object host 66.230.68.98
    network-object host 66.230.68.99
    network-object host 66.230.68.100
    object-group network ServerGroup02
    network-object host 66.230.68.100
    network-object host 66.230.68.101
    network-object host 66.230.68.103
    network-object host 66.230.68.102
    network-object 66.230.68.104 255.255.255.248
    network-object 66.230.68.112 255.255.255.240
    network-object 66.230.68.128 255.255.255.128
    object-group network DNS
    network-object host 216.82.64.20
    network-object host 216.82.64.21
    network-object host 216.82.64.22
    access-list LANIn permit tcp any object-group DNS eq domain
    access-list LANIn permit udp any object-group DNS eq domain
    access-list LANIn permit tcp any object-group ServerGroup01 eq www
    access-list LANIn permit tcp any object-group ServerGroup01 eq https
    access-list LANIn permit tcp any object-group ServerGroup01 eq ftp
    access-list LANIn permit tcp any object-group ServerGroup01 eq smtp
    access-list LANIn permit tcp any object-group ServerGroup02 eq www
    access-list LANIn permit tcp any object-group ServerGroup02 eq https
    access-list LANIn permit tcp any object-group ServerGroup02 eq ftp
    access-list LANIn permit tcp any object-group ServerGroup02 eq smtp
    access-list LANIn permit tcp any object-group ServerGroup02 eq pop3
    access-list LANIn permit icmp any any
    access-list LANOut permit ip any any
    access-list LANOut permit icmp any any
    access-list LANOut permit icmp any any echo-reply
    pager lines 24
    logging on
    logging buffered errors
    logging trap notifications
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 216.183.xxx.xxx 255.255.255.252
    ip address inside 192.168.0.1 255.255.0.0
    ip address DMZ 127.0.0.1 255.255.255.255
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 216.82.64.40
    global (outside) 2 216.82.64.41
    global (outside) 3 216.82.64.42
    global (outside) 4 216.82.64.1
    nat (inside) 4 192.168.0.0 255.255.255.0 0 0
    nat (inside) 1 192.168.2.0 255.255.255.0 0 0
    nat (inside) 2 192.168.3.0 255.255.255.0 0 0
    nat (inside) 3 192.168.4.0 255.255.255.0 0 0
    alias (inside) 192.168.64.0 216.82.64.0 255.255.255.0
    alias (inside) 192.168.65.0 216.82.65.0 255.255.255.0
    alias (inside) 192.168.68.0 66.230.68.0 255.255.255.0
    static (inside,outside) 216.82.64.0 192.168.64.0 netmask 255.255.255.0 0 0
    static (inside,outside) 216.82.65.0 192.168.65.0 netmask 255.255.255.0 0 0
    static (inside,outside) 66.230.68.0 192.168.68.0 netmask 255.255.255.0 0 0
    access-group LANIn in interface outside
    access-group LANOut in interface outside
    route outside 0.0.0.0 0.0.0.0 216.183.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet 192.168.0.0 255.255.0.0 inside
    telnet 192.168.0.0 255.255.0.0 DMZ
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    terminal width 80
    Cryptochecksum:3ab4b1db810e076fd357c7b626e3e029
     
    Eric Elliston, Dec 22, 2004
    #1

  2. :I am having an issue where all wanted traffic can get in (Webpages, DNS,
    :SMTP, etc.) but no machine from the inside can get out....even with a ping.
    :I attached my config...
    :When I try to ping to the outside from inside, I get this error logged...

    :305006: portmap translation creation failed for icmp src inside:192.168.4.22
    :dst outside:63.243.97.154 (type 8, code 0)

    :global (outside) 1 216.82.64.40
    :global (outside) 2 216.82.64.41
    :global (outside) 3 216.82.64.42
    :global (outside) 4 216.82.64.1
    :nat (inside) 4 192.168.0.0 255.255.255.0 0 0
    :nat (inside) 1 192.168.2.0 255.255.255.0 0 0
    :nat (inside) 2 192.168.3.0 255.255.255.0 0 0
    :nat (inside) 3 192.168.4.0 255.255.255.0 0 0

    :static (inside,outside) 216.82.64.0 192.168.64.0 netmask 255.255.255.0 0 0
    :static (inside,outside) 216.82.65.0 192.168.65.0 netmask 255.255.255.0 0 0
    :static (inside,outside) 66.230.68.0 192.168.68.0 netmask 255.255.255.0 0 0

    Your outside IPs in your global statements overlap with your first
    'static' statement. The static is overriding, leaving effectively
    no 'global' statements active.

    :PIX Version 6.2(1)

    You should get that updated; it has known security problems.
    Updates are free even without a support contract. Search Cisco's site
    for PIX security advisory 6.2 and look through the advisories for
    update information. See in particular

    http://www.cisco.com/warp/public/707/cisco-sa-20031215-pix.shtml
     
    Walter Roberson, Dec 22, 2004
    #2

  3. Wow...I should know better...

    thanks for spotting that out. I subnetted out that 1st static statement
    into a few separate statements that sit around those 3 global addresses
    (.40,.41,.42)

    static (inside,outside) 216.82.64.31 192.168.64.31 netmask 255.255.255.255 0 0
    static (inside,outside) 216.82.64.32 192.168.64.32 netmask 255.255.255.248 0 0
    static (inside,outside) 216.82.64.43 192.168.64.43 netmask 255.255.255.255 0 0
    static (inside,outside) 216.82.64.44 192.168.64.44 netmask 255.255.255.252 0 0
    static (inside,outside) 216.82.64.48 192.168.64.48 netmask 255.255.255.240 0 0
    static (inside,outside) 216.82.64.64 192.168.64.64 netmask 255.255.255.192 0 0
    static (inside,outside) 216.82.64.128 192.168.64.128 netmask 255.255.255.128 0 0



    Worked like a charm...

    once again...thank you!

    Eric
     
    Eric Elliston, Dec 23, 2004
    #3
  4. Eric Elliston


    Why did you apply two -2- ACL's to the -->outside<-- interface?
     
    Chad, Dec 23, 2004
    #4
    :thanks for spotting that out. I subnetted out that 1st static statement
    :into a few separate statements that sit around those 3 global addresses
    :(.40,.41,.42)

    :static (inside,outside) 216.82.64.31 192.168.64.31 netmask 255.255.255.255 0 0
    :static (inside,outside) 216.82.64.32 192.168.64.32 netmask 255.255.255.248 0 0

    Don't do that. When you static with a netmask other than 255.255.255.255
    then the PIX will believe that there really is a network with that
    number scheme, and will consider the first and last IP in the range
    to be reserved and will not allow traffic to be sourced from those IPs.

    Only use a netmask other than 255.255.255.255 on a static if the static
    covers the entire subnet... or if you don't care that the first and
    last IPs become unusable, and you document that thoroughly in the
    configuration!!
     
    Walter Roberson, Dec 23, 2004
    #5
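As an added example (not code from any poster in this thread), the following Python script applies the three points raised above as mechanical checks over the NAT lines of a PIX 6.x config: the global-pool address falling inside a static's mapped range (post #2), a static whose netmask is wider than 255.255.255.255 and the first and last addresses post #5 says become unusable, and more than one access-group bound to the same interface in the same direction (post #4). The config excerpts are constructed from post #1 and post #3; the function names and the report format are my own, and the first/last-address rule is applied exactly as post #5 states it, without separately verifying PIX behaviour.

```python
import ipaddress
import re

# Constructed excerpts of the NAT-related lines from post #1 (as originally
# posted) and post #3 (after the statics were split), so the checker runs offline.
ORIGINAL_CONFIG = """
global (outside) 1 216.82.64.40
global (outside) 2 216.82.64.41
global (outside) 3 216.82.64.42
global (outside) 4 216.82.64.1
static (inside,outside) 216.82.64.0 192.168.64.0 netmask 255.255.255.0 0 0
static (inside,outside) 216.82.65.0 192.168.65.0 netmask 255.255.255.0 0 0
static (inside,outside) 66.230.68.0 192.168.68.0 netmask 255.255.255.0 0 0
access-group LANIn in interface outside
access-group LANOut in interface outside
"""

REVISED_CONFIG = """
global (outside) 1 216.82.64.40
global (outside) 2 216.82.64.41
global (outside) 3 216.82.64.42
static (inside,outside) 216.82.64.31 192.168.64.31 netmask 255.255.255.255 0 0
static (inside,outside) 216.82.64.32 192.168.64.32 netmask 255.255.255.248 0 0
static (inside,outside) 216.82.64.43 192.168.64.43 netmask 255.255.255.255 0 0
static (inside,outside) 216.82.64.44 192.168.64.44 netmask 255.255.255.252 0 0
static (inside,outside) 216.82.64.48 192.168.64.48 netmask 255.255.255.240 0 0
static (inside,outside) 216.82.64.64 192.168.64.64 netmask 255.255.255.192 0 0
static (inside,outside) 216.82.64.128 192.168.64.128 netmask 255.255.255.128 0 0
access-group LANIn in interface outside
"""

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\w+)")


def parse_globals(text):
    """Return (pool_id, interface, address) for every address named by a
    'global' line; a pool may be one address or a hyphenated range a-b."""
    out = []
    for line in text.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if not m or m.group(3) == "interface":  # 'global ... interface' has no fixed IP
            continue
        iface, pool_id, spec = m.group(1), int(m.group(2)), m.group(3)
        if "-" in spec:
            lo, hi = (ipaddress.IPv4Address(x) for x in spec.split("-", 1))
            addrs = [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]
        else:
            addrs = [ipaddress.IPv4Address(spec)]
        out.extend((pool_id, iface, a) for a in addrs)
    return out


def parse_statics(text):
    """Return one dict per static with the mapped interface, the mapped and real
    addresses, and the mapped range as an IPv4Network (strict=False so an
    unaligned address/mask pair still parses and can be flagged)."""
    out = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        _real_if, mapped_if, mapped, real, mask = m.groups()
        out.append({"mapped_if": mapped_if,
                    "mapped": ipaddress.IPv4Address(mapped),
                    "real": ipaddress.IPv4Address(real),
                    "network": ipaddress.IPv4Network(f"{mapped}/{mask}", strict=False)})
    return out


def find_global_static_overlaps(text):
    """Each global address that lies inside a static's mapped range on the same
    interface (the collision post #2 points out), as (pool_id, address, network)."""
    statics = parse_statics(text)
    return [(pool_id, str(addr), str(s["network"]))
            for pool_id, iface, addr in parse_globals(text)
            for s in statics
            if s["mapped_if"] == iface and addr in s["network"]]


def find_wide_statics(text):
    """Statics whose netmask is not /32: the mapped network, whether the address
    is aligned to the mask, and the first/last addresses post #5 calls reserved."""
    out = []
    for s in parse_statics(text):
        net = s["network"]
        if net.prefixlen == 32:
            continue
        out.append({"network": str(net),
                    "aligned": net.network_address == s["mapped"],
                    "reserved": (str(net.network_address), str(net.broadcast_address))})
    return out


def find_duplicate_access_groups(text):
    """{interface: [acl, ...]} for interfaces with more than one access-group in
    the same direction (Chad's question in post #4)."""
    bound = {}
    for line in text.splitlines():
        m = ACCESS_GROUP_RE.match(line.strip())
        if m:
            bound.setdefault((m.group(3), m.group(2)), []).append(m.group(1))
    return {iface: acls for (iface, _d), acls in bound.items() if len(acls) > 1}


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("revised", REVISED_CONFIG)):
        print(f"== {name} ==")
        for hit in find_global_static_overlaps(cfg):
            print("global pool %d address %s lies inside static %s" % hit)
        for w in find_wide_statics(cfg):
            print("static %s: aligned=%s reserved=%s" % (w["network"], w["aligned"], w["reserved"]))
        for iface, acls in find_duplicate_access_groups(cfg).items():
            print("interface %s has %d ACLs bound in one direction: %s" % (iface, len(acls), acls))
```

Run against the original excerpt it reports all four global addresses (.40, .41, .42 and .1) sitting inside the 216.82.64.0/24 static and the doubled access-group on outside; against the revised excerpt the overlap list is empty, and the wide statics are listed with their edge addresses (for the /30 at .44 that is .44 and .47, so the host mapped at .44 is itself on an edge).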
