Solved

Portmap translation creation failed

Posted on 2005-03-14
9
Medium Priority
17,137 Views
Last Modified: 2011-08-18
Dear all,

I currently have the above error message and I know it is a conflict between the newly created nat 2 and a static (probably the FTP one), but I don't know what the best way is to resolve it.

Normally I would test until it worked, but I cannot have any downtime in the next 2 weeks and need to solve this problem yesterday.

The config is posted below, so any tips or advice about the above problem, or in general about the config, would be much appreciated.

thanks

alex t

*****************************************************************
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full shutdown
interface ethernet4 100full
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 ftp security50
nameif ethernet3 int3 security6
nameif ethernet4 dmz security8
nameif ethernet5 fo security55
enable password ******************* encrypted
passwd ******************** encrypted
hostname POXYPIX
domain-name corp.*****.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.11.240 ACS_Server
name 192.168.11.4 TFTP_Server
name 192.168.10.0 HAG_Office
name 10.45.7.0 Counter_Parties
name 192.168.5.0 Failover
name 193.177.103.152 MCI
name 143.7.97.238 Statoil
name 10.4.10.1 Huberator
name 10.20.19.53 GTS
name 171.16.100.185 Electrabel
name 10.4.12.1 Essent
name 10.1.99.13 Viavera
name 192.168.222.48 EWE
name 10.165.23.13 Ruhrgas
name 192.168.10.8 HAGSRV08
access-list inside_outbound_nat0_acl permit ip HAG_Office 255.255.254.0 192.16
211.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip HAG_Office 255.255.254.0 192.16
214.0 255.255.254.0
access-list inside_outbound_nat0_acl permit ip HAG_Office 255.255.254.0 192.16
211.192 255.255.255.248
access-list inside_outbound_nat0_acl permit icmp any any
access-list outside_cryptomap_40 permit ip HAG_Office 255.255.254.0 192.168.21
0 255.255.254.0
access-list *******RemoteVPN_splitTunnelAcl permit ip HAG_Office 255.255.254.0 an
access-list ftp_access_in permit ip Counter_Parties 255.255.255.0 HAG_Office 2
.255.254.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.11.192 255.255.255
48
access-list outside_access_in permit tcp any host 193.177.103.155 eq smtp
access-list dmz_cryptomap_dyn_20 permit ip any 192.168.11.192 255.255.255.248
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.155.0.0 255.255.25
0
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.155.0.0 255.255.0.
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.156.0.0 255.255.0.
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.157.0.0 255.255.0.
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.158.0.0 255.255.0.
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.46.7.0 255.255.255

pager lines 24
logging on
logging timestamp
logging trap errors
logging host inside 192.168.11.1 format emblem
mtu outside 1500
mtu inside 1500
mtu ftp 1500
mtu int3 1500
mtu dmz 1500
mtu fo 1500
ip address outside 193.177.103.154 255.255.255.248
ip address inside 192.168.11.254 255.255.254.0
ip address ftp 10.45.7.254 255.255.255.0
ip address int3 10.11.0.254 255.255.255.0
ip address dmz 10.46.7.240 255.255.255.0
ip address fo 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool *******VPN 192.168.11.193-192.168.11.199
failover
failover timeout 0:00:00
failover poll 8
failover ip address outside 193.177.103.156
failover ip address inside 192.168.11.253
failover ip address ftp 10.45.7.253
failover ip address int3 10.11.0.253
failover ip address dmz 10.46.7.21
failover ip address fo 192.168.5.2
failover link fo
failover lan unit primary
failover lan interface fo
failover lan key ********
failover lan enable
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (dmz) 2 10.199.87.0-10.199.87.250
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list parentvpn 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,ftp) HAG_Office HAG_Office netmask 255.255.254.0 0 0
static (inside,outside) 193.177.103.155 HAGSRV08 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group ftp_access_in in interface ftp
route outside 0.0.0.0 0.0.0.0 193.177.103.153 1
route ftp Huberator 255.255.255.255 10.45.7.230 1
route ftp Essent 255.255.255.255 10.45.7.240 1
route ftp Viavera 255.255.255.255 10.45.7.240 1
route ftp GTS 255.255.255.255 10.45.7.230 1
route dmz 10.155.0.0 255.255.255.0 10.46.7.240 1
route ftp Statoil 255.255.255.255 10.45.7.230 1
route ftp Electrabel 255.255.255.255 10.45.7.240 1
route ftp 192.168.222.0 255.255.255.0 10.45.7.240 1
route ftp 212.212.212.106 255.255.255.255 10.45.7.240 1
route ftp 212.212.212.122 255.255.255.255 10.45.7.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host ACS_Server *************** timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host ACS_Server ************** timeout 5
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication http console TACACS+
aaa authentication serial console TACACS+
aaa authentication ssh console TACACS+
http server enable
http HAG_Office 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.11.1 /hagfw01
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map dmz_dyn_map 20 match address dmz_cryptomap_dyn_20
crypto dynamic-map dmz_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 217.46.166.129
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication TACACS+
crypto map outside_map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic dmz_dyn_map
crypto map dmz_map interface dmz
isakmp enable outside
isakmp key ******** address 213.213.213.213 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup *******RemoteVPN address-pool *******VPN
vpngroup *******RemoteVPN dns-server 192.168.10.1 192.168.10.2
vpngroup *******RemoteVPN wins-server 192.168.10.1 192.168.10.2
vpngroup *******RemoteVPN default-domain corp.*******.com
vpngroup *******RemoteVPN split-tunnel *******RemoteVPN_splitTunnelAcl
vpngroup *******RemoteVPN idle-time 1800
vpngroup *******RemoteVPN password ********
telnet HAG_Office 255.255.254.0 inside
telnet 212.212.212.106 255.255.255.255 inside
telnet 212.212.212.106 255.255.255.255 ftp
telnet 212.212.212.106 255.255.255.255 int3
telnet 212.212.212.106 255.255.255.255 dmz
telnet 212.212.212.106 255.255.255.255 fo
telnet timeout 5
ssh TFTP_Server 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 10.46.7.156-10.46.7.158 dmz
dhcpd dns 192.168.10.39
dhcpd wins 192.168.10.39
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain corp.*******.com
dhcpd auto_config outside
dhcpd enable dmz
terminal width 80
***********************************************************************
Question by:kingging
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 13534397
Can you post the complete error message? It should list the source and destination for the request that failed. We need that information.
0
 

Author Comment

by:kingging
ID: 13534703
hi lrmoore,

I thought I would make this a new case instead of posting to the one you helped with yesterday.

The complete error message is:

portmap translation creation failed for icmp src inside 192.168.11.213 dst dmz:Ruhrgas (type 8, code 0)

I hope this helps.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 13534836
Here are the issues. I've listed all the relevant config lines so you can see the problem more easily.

>nat (inside) 2 access-list parentvpn 0 0
>global (dmz) 2 10.199.87.0-10.199.87.250
>name 10.165.23.13 Ruhrgas
>ip address dmz 10.46.7.240 255.255.255.0
>route outside 0.0.0.0 0.0.0.0 193.177.103.153 1
>route dmz 10.155.0.0 255.255.255.0 10.46.7.240 1

1- Nat #2 acl "parentvpn" does not include source 192.168.11.213 and/or host Ruhrgas
 try adding
    access-list parentvpn permit ip 192.168.11.0 255.255.255.0 host Ruhrgas
2- Route dmz does not include host Ruhrgas as a destination.
 add:
    route dmz 10.165.23.0 255.255.255.0 10.46.76.xx <-- where xx = next hop pix fw
3- Pix does not know to route this destination out the dmz interface.
4- The "route dmz" statement points to yourself, not the next hop. It must point to the next hop.


0
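To see why the flow in the log line fails under the posted config and succeeds with the ACL line suggested above, here is an added Python model (not PIX code and not from the thread) of the lines lrmoore quoted. It assumes a simplified NAT order (policy nat is tried before regular nat, and the matched nat id needs a global on the egress interface), takes the egress interface from the log line rather than from the routes, and assumes /16 masks where the 80-column wrap cut the parentvpn lines off.

```python
import ipaddress

# Constructed model of the PIX 6.3 lines quoted in the accepted answer.
# Masks for the parentvpn /16 entries are assumed; the wrap cut them off.
IFACE_ADDR = {"outside": "193.177.103.154", "dmz": "10.46.7.240"}
ROUTES = [  # (interface, network, next hop) as posted
    ("outside", "0.0.0.0/0", "193.177.103.153"),
    ("dmz", "10.155.0.0/24", "10.46.7.240"),
]
HAG_OFFICE = "192.168.10.0/23"
PARENTVPN = [(HAG_OFFICE, d) for d in
             ("10.155.0.0/16", "10.156.0.0/16", "10.157.0.0/16", "10.158.0.0/16")]
# Same ACL with the line the answer suggests adding (host Ruhrgas = 10.165.23.13)
PARENTVPN_FIXED = PARENTVPN + [("192.168.11.0/24", "10.165.23.13/32")]
NAT_ORDER = [(2, "parentvpn"), (10, None)]   # nat id -> policy ACL, None = regular nat
GLOBALS = {("outside", 10): "interface", ("dmz", 2): "10.199.87.0-10.199.87.250"}

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def egress_interface(dst):
    """Longest-prefix route lookup; anything unmatched goes out the default route."""
    best = max((r for r in ROUTES if in_net(dst, r[1])),
               key=lambda r: ipaddress.ip_network(r[1]).prefixlen)
    return best[0]

def self_pointing_routes():
    """Point 4 of the answer: a route whose next hop is the PIX's own interface address."""
    return [r for r in ROUTES if r[2] == IFACE_ADDR.get(r[0])]

def nat_outcome(src, dst, egress, acls):
    """Return (status, nat id, detail) for a flow leaving via `egress` (assumed order)."""
    for nat_id, acl_name in NAT_ORDER:
        if acl_name and not any(in_net(src, s) and in_net(dst, d)
                                for s, d in acls[acl_name]):
            continue                          # policy nat ACL did not match this flow
        pool = GLOBALS.get((egress, nat_id))
        if pool is None:
            return ("failed", nat_id, f"no global ({egress}) {nat_id}")
        return ("ok", nat_id, pool)
    return ("failed", None, "no nat rule matched")

if __name__ == "__main__":
    # The log line in the question: src inside 192.168.11.213 -> dst dmz:Ruhrgas
    print(nat_outcome("192.168.11.213", "10.165.23.13", "dmz", {"parentvpn": PARENTVPN}))
    print(nat_outcome("192.168.11.213", "10.165.23.13", "dmz", {"parentvpn": PARENTVPN_FIXED}))
    print(egress_interface("10.165.23.13"), self_pointing_routes())
```

As posted, the ping falls through to nat 10, which has no global on dmz; with the extra ACL line it is handled by nat 2 and the dmz pool, and the route check flags the dmz route pointing at the PIX's own address.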
 
LVL 79

Expert Comment

by:lrmoore
ID: 13534839
I'll be out of touch the next few hours. Don't think I've given up on you....
0
 

Author Comment

by:kingging
ID: 13536746
Looks like that error has gone, but I'm still unable to ping their firewall at our side, which I can from our firewall, and also unable to ping their server.

So in other words I'm unable to ping anything in the DMZ. I get a deny inbound icmp src dmz, which I can resolve, but I was hoping you could have a look at what I do have now and see if you can see anything that is really wrong.

************************************
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 ftp security50
nameif ethernet3 int3 security6
nameif ethernet4 dmz security8
nameif ethernet5 fo security55

names
name 192.168.211.240 ACS_Server
name 192.168.211.4 TFTP_Server
name 192.168.210.0 HAG_Office
name 10.21.0.0 Counter_Parties
name 192.168.75.0 Failover
name 193.173.101.152 MCI
name 10.239.11.13 Parentcorp
name 192.168.210.8 HAGSRV08

access-list inside_outbound_nat0_acl permit ip HAG_Office 255.255.254.0 192.168.211.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip HAG_Office 255.255.254.0 192.168.214.0 255.255.254.0
access-list inside_outbound_nat0_acl permit ip HAG_Office 255.255.254.0 192.168.211.192 255.255.255.248
access-list inside_outbound_nat0_acl permit icmp any any
access-list outside_cryptomap_40 permit ip HAG_Office 255.255.254.0 192.168.214.0 255.255.254.0
access-list CorpRemoteVPN_splitTunnelAcl permit ip HAG_Office 255.255.254.0 any
access-list ftp_access_in permit ip Counter_Parties 255.255.255.0 HAG_Office 255.255.254.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.211.192 255.255.255.248
access-list outside_access_in permit tcp any host 193.173.101.155 eq smtp
access-list dmz_cryptomap_dyn_20 permit ip any 192.168.211.192 255.255.255.248
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.239.11.0 255.255.255.0 log
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.239.0.0 255.255.0.0 log
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.241.0.0 255.255.0.0 log
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.243.0.0 255.255.0.0 log
access-list parentvpn permit ip HAG_Office 255.255.254.0 10.19.0.0 255.255.255.0 log
ip address outside 193.173.101.154 255.255.255.248
ip address inside 192.168.211.254 255.255.254.0
ip address ftp 10.21.0.254 255.255.255.0
ip address int3 10.11.0.254 255.255.255.0
ip address dmz 10.19.0.240 255.255.255.0
ip address fo 192.168.75.1 255.255.255.0

global (outside) 10 interface
global (dmz) 2 10.199.87.6

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list parentvpn 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 193.173.101.155 HAGSRV08 netmask 255.255.255.255 0 0
static (inside,ftp) HAG_Office HAG_Office netmask 255.255.254.0 0 0

access-group outside_access_in in interface outside
access-group ftp_access_in in interface ftp

route outside 0.0.0.0 0.0.0.0 193.173.101.153 1
route dmz 10.239.0.0 255.255.0.0 10.19.0.213 1
*******************************************************

PS: what time zone are you in, lrmoore? You always seem to be on here ;-)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13537330
>unable to ping their firewall at our side which i can from our firewall
You have to allow ICMP in on the dmz interface with an ACL.

>and also unable to ping their server
What is the IP address of their server? This part could very well be their issue, not yours.

>what time zone are you in
Central TZ, US
0
 

Author Comment

by:kingging
ID: 13542290
Morning lrmoore,

On the routers you can view or debug the IP NAT translations; are you able to on the firewall, to see if the NAT is working? That could be a reason why I can ping the firewall but not their server.

thanks
0
 

Author Comment

by:kingging
ID: 13542789
lrmoore,

I had a brainwave: the ping should not work, as we have an ISDN line as a link now and the reply is being sent back over that, so we will make the changes at their end today and test it.

They could see my pings go through their firewall with the correct NATted address.

So for now I would like to thank you.

alex t
0
 

Author Comment

by:kingging
ID: 13545471
Things get interesting now.

Without an access-list I get a deny icmp from pinging their server; with one, nothing happens :'(
0
