  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 17145

Portmap translation creation failed

Dear all,

I have currently got the above error message and I know it is a conflict between the newly created nat 2 and a static (probably the ftp one), but I don't know what the best way is to resolve it.

Normally I would test until it worked, but I cannot have any downtime in the next 2 weeks and need to solve this problem yesterday.

The config is posted below, so any tips or advice about the above problem, or about the config in general, would be much appreciated.

Thanks,

Alex T

*****************************************************************
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full shutdown
interface ethernet4 100full
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 ftp security50
nameif ethernet3 int3 security6
nameif ethernet4 dmz security8
nameif ethernet5 fo security55
enable password ******************* encrypted
passwd ******************** encrypted
hostname POXYPIX
domain-name corp.*****.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.11.240 ACS_Server
name 192.168.11.4 TFTP_Server
name 192.168.10.0 HAG_Office
name 10.45.7.0 Counter_Parties
name 192.168.5.0 Failover
name 193.177.103.152 MCI
name 143.7.97.238 Statoil
name 10.4.10.1 Huberator
name 10.20.19.53 GTS
name 171.16.100.185 Electrabel
name 10.4.12.1 Essent
name 10.1.99.13 Viavera
name 192.168.222.48 EWE
name 10.165.23.13 Ruhrgas
name 192.168.10.8 HAGSRV08
access-list inside_outbound_nat0_acl permit ip HAG_Office 255.255.254.0 192.16
211.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip HAG_Office 255.255.254.0 192.16
214.0 255.255.254.0
access-list inside_outbound_nat0_acl permit ip HAG_Office 255.255.254.0 192.16
211.192 255.255.255.248
access-list inside_outbound_nat0_acl permit icmp any any
access-list outside_cryptomap_40 permit ip HAG_Office 255.255.254.0 192.168.21
0 255.255.254.0
access-list *******RemoteVPN_splitTunnelAcl permit ip HAG_Office 255.255.254.0 an
access-list ftp_access_in permit ip Counter_Parties 255.255.255.0 HAG_Office 2
.255.254.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.11.192 255.255.255
48
access-list outside_access_in permit tcp any host 193.177.103.155 eq smtp
access-list dmz_cryptomap_dyn_20 permit ip any 192.168.11.192 255.255.255.248
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.155.0.0 255.255.25
0
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.155.0.0 255.255.0.
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.156.0.0 255.255.0.
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.157.0.0 255.255.0.
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.158.0.0 255.255.0.
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.46.7.0 255.255.255

pager lines 24
logging on
logging timestamp
logging trap errors
logging host inside 192.168.11.1 format emblem
mtu outside 1500
mtu inside 1500
mtu ftp 1500
mtu int3 1500
mtu dmz 1500
mtu fo 1500
ip address outside 193.177.103.154 255.255.255.248
ip address inside 192.168.11.254 255.255.254.0
ip address ftp 10.45.7.254 255.255.255.0
ip address int3 10.11.0.254 255.255.255.0
ip address dmz 10.46.7.240 255.255.255.0
ip address fo 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool *******VPN 192.168.11.193-192.168.11.199
failover
failover timeout 0:00:00
failover poll 8
failover ip address outside 193.177.103.156
failover ip address inside 192.168.11.253
failover ip address ftp 10.45.7.253
failover ip address int3 10.11.0.253
failover ip address dmz 10.46.7.21
failover ip address fo 192.168.5.2
failover link fo
failover lan unit primary
failover lan interface fo
failover lan key ********
failover lan enable
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (dmz) 2 10.199.87.0-10.199.87.250
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list parentvpn 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,ftp) HAG_Office HAG_Office netmask 255.255.254.0 0 0
static (inside,outside) 193.177.103.155 HAGSRV08 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group ftp_access_in in interface ftp
route outside 0.0.0.0 0.0.0.0 193.177.103.153 1
route ftp Huberator 255.255.255.255 10.45.7.230 1
route ftp Essent 255.255.255.255 10.45.7.240 1
route ftp Viavera 255.255.255.255 10.45.7.240 1
route ftp GTS 255.255.255.255 10.45.7.230 1
route dmz 10.155.0.0 255.255.255.0 10.46.7.240 1
route ftp Statoil 255.255.255.255 10.45.7.230 1
route ftp Electrabel 255.255.255.255 10.45.7.240 1
route ftp 192.168.222.0 255.255.255.0 10.45.7.240 1
route ftp 212.212.212.106 255.255.255.255 10.45.7.240 1
route ftp 212.212.212.122 255.255.255.255 10.45.7.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host ACS_Server *************** timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host ACS_Server ************** timeout 5
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication http console TACACS+
aaa authentication serial console TACACS+
aaa authentication ssh console TACACS+
http server enable
http HAG_Office 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.11.1 /hagfw01
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map dmz_dyn_map 20 match address dmz_cryptomap_dyn_20
crypto dynamic-map dmz_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 217.46.166.129
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication TACACS+
crypto map outside_map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic dmz_dyn_map
crypto map dmz_map interface dmz
isakmp enable outside
isakmp key ******** address 213.213.213.213 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup *******RemoteVPN address-pool *******VPN
vpngroup *******RemoteVPN dns-server 192.168.10.1 192.168.10.2
vpngroup *******RemoteVPN wins-server 192.168.10.1 192.168.10.2
vpngroup *******RemoteVPN default-domain corp.*******.com
vpngroup *******RemoteVPN split-tunnel *******RemoteVPN_splitTunnelAcl
vpngroup *******RemoteVPN idle-time 1800
vpngroup *******RemoteVPN password ********
telnet HAG_Office 255.255.254.0 inside
telnet 212.212.212.106 255.255.255.255 inside
telnet 212.212.212.106 255.255.255.255 ftp
telnet 212.212.212.106 255.255.255.255 int3
telnet 212.212.212.106 255.255.255.255 dmz
telnet 212.212.212.106 255.255.255.255 fo
telnet timeout 5
ssh TFTP_Server 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 10.46.7.156-10.46.7.158 dmz
dhcpd dns 192.168.10.39
dhcpd wins 192.168.10.39
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain corp.*******.com
dhcpd auto_config outside
dhcpd enable dmz
terminal width 80
***********************************************************************
Asked by: kingging
 
lrmoore commented:
Can you post the complete error message? It should list the source and destination for the request that failed. We need that information.
 
kingging (Author) commented:
Hi lrmoore,

I thought I would make this a new case instead of posting to the one you helped with yesterday.

The complete error message is:

portmap translation creation failed for icmp src inside 192.168.11.213 dst dmz:Ruhrgas (type 8, code 0)

I hope this helps.
 
lrmoore commented:
Here are the issues. I've listed all the relevant config lines so you can see the problem more easily.

>nat (inside) 2 access-list parentvpn 0 0
>global (dmz) 2 10.199.87.0-10.199.87.250
>name 10.165.23.13 Ruhrgas
>ip address dmz 10.46.7.240 255.255.255.0
>route outside 0.0.0.0 0.0.0.0 193.177.103.153 1
>route dmz 10.155.0.0 255.255.255.0 10.46.7.240 1

1- NAT #2 ACL "parentvpn" does not include source 192.168.11.213 and/or host Ruhrgas.
   Try adding:
     access-list parentvpn permit ip 192.168.11.0 255.255.255.0 host Ruhrgas
2- Route dmz does not include host Ruhrgas as a destination.
   Add:
     route dmz 10.165.23.0 255.255.255.0 10.46.76.xx <-- where xx = next hop pix fw
3- PIX does not know to route this destination out the dmz interface.
4- "route dmz" statement points to yourself, not the next hop. It must point to the next hop.
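The four points above can be checked mechanically. The script below is an added example (not lrmoore's or Cisco's code): it parses a constructed excerpt of the posted config and, for the flow in the error message (inside 192.168.11.213 to dmz:Ruhrgas), reports whether any `nat (inside) N access-list` entry paired with a `global (dmz) N` matches the flow, whether a route sends the destination out the dmz interface, and whether any route's gateway is the PIX's own interface address. It assumes the PIX 6.3 syntax shown in the thread and accepts only `addr mask` ACL endpoints, so `host X` must be written as `X 255.255.255.255`.

```python
import ipaddress

# Constructed excerpt of the config posted above, limited to the lines the checker reads.
CONFIG = """
name 10.165.23.13 Ruhrgas
name 192.168.10.0 HAG_Office
ip address inside 192.168.11.254 255.255.254.0
ip address dmz 10.46.7.240 255.255.255.0
global (dmz) 2 10.199.87.0-10.199.87.250
nat (inside) 2 access-list parentvpn 0 0
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.155.0.0 255.255.255.0
route dmz 10.155.0.0 255.255.255.0 10.46.7.240 1
"""

def net(addr, mask, names):
    """Resolve a PIX 'name' alias and build a network from address + dotted netmask."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

def diagnose(config, src_if, src, dst_if, dst):
    """List why a src_if -> dst_if flow gets no policy-NAT xlate (PIX 6.x 'nat N access-list')."""
    names, ifaces, acls, nats, globals_, routes = {}, {}, {}, [], set(), []
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:
            ifaces[t[2]] = ipaddress.ip_address(t[3])
        elif t[0] == "access-list" and t[2] == "permit":  # 'addr mask' endpoints only
            acls.setdefault(t[1], []).append((net(t[4], t[5], names), net(t[6], t[7], names)))
        elif t[0] == "nat" and t[3] == "access-list":
            nats.append((t[1].strip("()"), t[2], t[4]))
        elif t[0] == "global":
            globals_.add((t[1].strip("()"), t[2]))
        elif t[0] == "route":
            routes.append((t[1], net(t[2], t[3], names), ipaddress.ip_address(t[4])))
    src, dst = (ipaddress.ip_address(names.get(a, a)) for a in (src, dst))
    findings = []
    # 1: some nat (src_if) N whose ACL matches the flow must pair with a global (dst_if) N.
    if not any(n[0] == src_if and (dst_if, n[1]) in globals_
               and any(src in s and dst in d for s, d in acls.get(n[2], [])) for n in nats):
        findings.append(f"no nat ({src_if}) acl matches {src} -> {dst} with a global ({dst_if})")
    # 2/3: the longest-match route for dst must leave via dst_if.
    best = max((r for r in routes if dst in r[1]), key=lambda r: r[1].prefixlen, default=None)
    if best is None or best[0] != dst_if:
        findings.append(f"no route sends {dst} out interface {dst_if}")
    # 4: a route's gateway must be a next hop, never the PIX's own interface address.
    for iface, network, gw in routes:
        if gw == ifaces.get(iface):
            findings.append(f"route {iface} {network} via {gw} points at the PIX's own interface address")
    return findings
```

Calling `diagnose(CONFIG, "inside", "192.168.11.213", "dmz", "Ruhrgas")` returns three findings corresponding to points 1, 2/3 and 4 above; after adding the parentvpn entry for Ruhrgas and a dmz route whose gateway is a real next hop it returns an empty list.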
 
lrmoore commented:
I'll be out of touch the next few hours. Don't think I've given up on you....
 
kingging (Author) commented:
Looks like that error has gone, but I am still unable to ping their firewall at our side, which I can from our firewall, and also unable to ping their server.

So in other words I am unable to ping anything in the DMZ. I get a deny inbound icmp src dmz, which I can resolve, but I was hoping you could have a look at what I do have now and see if you can see anything that is really wrong.

************************************
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 ftp security50
nameif ethernet3 int3 security6
nameif ethernet4 dmz security8
nameif ethernet5 fo security55

names
name 192.168.211.240 ACS_Server
name 192.168.211.4 TFTP_Server
name 192.168.210.0 HAG_Office
name 10.21.0.0 Counter_Parties
name 192.168.75.0 Failover
name 193.173.101.152 MCI
name 10.239.11.13 Parentcorp
name 192.168.210.8 HAGSRV08

access-list inside_outbound_nat0_acl permit ip HAG_Office 255.255.254.0 192.168.211.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip HAG_Office 255.255.254.0 192.168.214.0 255.255.254.0
access-list inside_outbound_nat0_acl permit ip HAG_Office 255.255.254.0 192.168.211.192 255.255.255.248
access-list inside_outbound_nat0_acl permit icmp any any
access-list outside_cryptomap_40 permit ip HAG_Office 255.255.254.0 192.168.214.0 255.255.254.0
access-list CorpRemoteVPN_splitTunnelAcl permit ip HAG_Office 255.255.254.0 any
access-list ftp_access_in permit ip Counter_Parties 255.255.255.0 HAG_Office 255.255.254.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.211.192 255.255.255.248
access-list outside_access_in permit tcp any host 193.173.101.155 eq smtp
access-list dmz_cryptomap_dyn_20 permit ip any 192.168.211.192 255.255.255.248
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.239.11.0 255.255.255.0 log
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.239.0.0 255.255.0.0 log
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.241.0.0 255.255.0.0 log
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.243.0.0 255.255.0.0 log
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.19.0.0 255.255.255.0 log
ip address outside 193.173.101.154 255.255.255.248
ip address inside 192.168.211.254 255.255.254.0
ip address ftp 10.21.0.254 255.255.255.0
ip address int3 10.11.0.254 255.255.255.0
ip address dmz 10.19.0.240 255.255.255.0
ip address fo 192.168.75.1 255.255.255.0

global (outside) 10 interface
global (dmz) 2 10.199.87.6

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list parentvpn 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 193.173.101.155 HAGSRV08 netmask 255.255.255.255 0 0
static (inside,ftp) HAG_Office HAG_Office netmask 255.255.254.0 0 0

access-group outside_access_in in interface outside
access-group ftp_access_in in interface ftp

route outside 0.0.0.0 0.0.0.0 193.173.101.153 1
route dmz 10.239.0.0 255.255.0.0 10.19.0.213 1
*******************************************************

PS: what time zone are you in, lrmoore? You always seem to be on here ;-)
 
lrmoore commented:
>unable to ping their firewall at our side which i can from our firewall
You have to allow icmp in on the dmz interface with an ACL.

>and also unable to ping their server
What is the IP address of their server? This part could very well be their issue, not yours.

>what time zone are you in
Central TZ, US
 
kingging (Author) commented:
Morning lrmoore,

On the routers you can view or debug the IP NAT translations. Are you able to on the firewall, to see if the NAT is working? That could be a reason why I can ping the firewall but not their server.

Thanks
 
kingging (Author) commented:
lrmoore,

I had a brainwave: the ping should not work, as we have an ISDN line as a link now and the reply is being sent back over that, so we will make the changes at their end today and test it.

They could see my pings go through their firewall with the correct NATted address.

So for now I would like to thank you.

Alex T
 
kingging (Author) commented:
Things get interesting now.

Without an access-list I get a deny icmp from pinging their server; with one, nothing happens :'(