  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 10444
  • Last Modified:

Cisco PIX %PIX-3-305006:Regular translation creation failed for protocol src int_name:IP_addr/port dst int_name:IP_addr/port try to route to 2nd Internet IP Address

Hi All:

We have a PIX that is connected to two internet providers.  One is security level 1 and one is security level 2.  The internal network is set at security level 100.  We are testing the setup and the security level 1 internet link works fine.  But when we put the static route in for the level 2 provider we get %PIX-3-305006.  Both interfaces are set up the same with interface PAT and I have tried to verify all of the information.  We can ping both providers' gateways fine from the PIX.  Right now all access rules are default.  The exact message looks like this:

%PIX-3-305006: portmap translation creation failed for tcp src 1-<internalnetwork><workstation>/2219 dst 5-<internetprovider>:<outside ip address>/80

I have found this information, not sure if it is 100% correct.

Dst IP is network/broadcast IP, translation creation failed

But this does not make sense.

Anyway, OS version is

-----------------
Cisco PIX Security Appliance Software Version 7.1(1)
Device Manager Version 5.1(1)

Thanks in advance:
0
ort11
2 Solutions
 
rsivanandanCommented:
This message is harmless. See below for what it is:

%PIX-3-305006: {outbound static|identity|portmap|regular} translation creation failed for protocol src interface_name:source_address/source_port dst interface_name:dest_address/dest_port

Explanation: A protocol (UDP, TCP, or ICMP) failed to create a translation through the security appliance. This message appears as a fix to caveat CSCdr0063, which requested that the security appliance not allow packets that are destined for network or broadcast addresses. The security appliance provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, the security appliance denies translations for a destination IP address identified as a network or broadcast address.

The security appliance does not apply PAT to all ICMP message types; it only applies PAT to ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT xlate, so when the other ICMP message types are dropped, syslog message 305006 is generated on the security appliance.

The security appliance uses the global IP and mask from configured static command statements to distinguish regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the security appliance does not create a translation for network or broadcast IP addresses with inbound packets. For example:

  static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128

Global address 10.2.2.128 is treated as a network address and 10.2.2.255 as the broadcast address. Without an existing translation, the security appliance denies inbound packets destined for 10.2.2.128 or 10.2.2.255 and logs this syslog message. When the suspected IP is a host IP, configure a separate static command statement with a host mask in front of the subnet static (first-match rule for static command statements). The following static causes the security appliance to respond to 10.2.2.128 as a host address:

  static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255
  static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128

The translation may also be created by traffic started by the inside host with the questioned IP address. Because the security appliance views a network or broadcast IP address as a host IP address with an overlapped subnet static configuration, the network address translation for both static command statements must be the same.

Recommended Action: None required.

Related documents- No specific documents apply to this error message.



Cheers,
Rajesh

PS: This is taken right from the Cisco Error Message Decoder.
0
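To make the network/broadcast rule in the decoder text concrete, here is an added example (not part of the original answer or of any Cisco tool) that parses 305006 lines and applies the same first-match check against a list of static statements. The syslog lines, interface names and addresses are constructed for the example; the `STATICS` list mirrors the decoder's 10.2.2.128/25 example, and the only assumption is that the global address and netmask of each static are what the appliance uses, as the decoder text states.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample syslog lines (not from the poster's device).
SAMPLE_LOGS = [
    "%PIX-3-305006: portmap translation creation failed for tcp "
    "src inside:10.1.1.20/2219 dst outside:10.2.2.255/80",
    "%PIX-3-305006: regular translation creation failed for icmp "
    "src outside:198.51.100.7/0 dst inside:10.2.2.128/0",
    "%PIX-3-305006: portmap translation creation failed for udp "
    "src inside:10.1.1.21/5000 dst outside:10.2.2.130/53",
]

# Constructed static statements as (global_ip, netmask), in configuration
# order, because the appliance applies the first matching static.
STATICS = [
    ("10.2.2.128", "255.255.255.128"),
]

LOG_RE = re.compile(
    r"%PIX-3-305006: (?P<kind>outbound static|identity|portmap|regular) "
    r"translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_305006(line):
    """Return the fields of a 305006 line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def matching_static(ip, statics):
    """First-match rule: the first static whose global subnet contains ip."""
    addr = IPv4Address(ip)
    for global_ip, mask in statics:
        net = IPv4Network(f"{global_ip}/{mask}", strict=False)
        if addr in net:
            return net
    return None


def classify_destination(ip, statics):
    """Say whether the appliance would treat ip as a host, network or broadcast
    address under the given statics. A host-mask static matched first makes the
    address a host, which is the decoder's recommended workaround."""
    net = matching_static(ip, statics)
    if net is None:
        return "no-static"
    if net.prefixlen == 32:
        return "host"
    addr = IPv4Address(ip)
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


def analyze(lines, statics):
    """Return (dst_ip, verdict) for every 305006 line in lines."""
    out = []
    for line in lines:
        rec = parse_305006(line)
        if rec is not None:
            out.append((rec["dst_ip"], classify_destination(rec["dst_ip"], statics)))
    return out


if __name__ == "__main__":
    for dst, verdict in analyze(SAMPLE_LOGS, STATICS):
        print(f"{dst}: {verdict}")
    # Same subnet static, but with a host-mask static placed in front of it.
    fixed = [("10.2.2.128", "255.255.255.255")] + STATICS
    print("10.2.2.128 with host static first:", classify_destination("10.2.2.128", fixed))
```

A "host" verdict for the destination in the poster's own line would mean this rule is not the cause, which is consistent with the poster's doubt: an interface PAT to a provider's unicast address is not a network or broadcast address under any /25-style static.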
 
rsivanandanCommented:
If you are not familiar with the Cisco Error Message Decoder, it is a tool on the Cisco site which will tell you what the error is. You need to have a CCO account to use it:

http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi

Cheers,
Rajesh
0
 
ort11Author Commented:
Thanks, here is what I am trying to do.  I would like an automatic failover if one of the internet providers goes down.  I have made two Policy Interface PATs, one from the inside network to vendor 1 and one from the inside network to vendor 2, with two static routes with different metrics.  What seems to be happening is that one vendor's PAT is used even if I change the metric on the static routes (to test the failover).

So how do I get automatic Internet failover if one of the outside vendors is having a problem?  Is this possible with the pix?

Thanks
0
 
rsivanandanCommented:
As far as I know, you can't do it with a PIX to have 2 outside parameters. But in 7.0, I'm not sure since I've never worked on them yet.

Cheers,
Rajesh
0
 
calvinetterCommented:
>So how do I get automatic Internet failover if one of the outside vendors is having a problem?  Is this possible with the pix?
  Sorry, can't be done on a PIX, not even PIX 7.x.  You can't have more than 1 default gateway on a PIX.  A Cisco router will allow you to do what you want.

cheers
0
 
rsivanandanCommented:
Okay, since Calvinetter now confirms it, you probably need to redesign your network to something like:

PIX---------Router-----------------Vendor1
              |
              -------------------Vendor2

You can do the loadbalancing + failover on the router if you want.

Cheers,
Rajesh
0
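As an added illustration of the "load balancing + failover on the router" design above (this is not configuration from the thread or from Cisco documentation), the following IOS fragment tracks vendor 1's gateway with an ICMP probe, withdraws the primary default route when the probe fails, and PATs to whichever vendor interface the packet leaves on. Interface names, the 192.168.100.0/24 transit net between the PIX and the router, and the documentation-range vendor addresses are all assumptions; it also assumes an IOS release with `ip sla` and object tracking (the older `ip sla monitor`/`track ... rtr` syntax differs).

```text
! Hypothetical router between the PIX outside interface and the two vendors.
interface GigabitEthernet0/0
 description To PIX outside (PIX default route points at 192.168.100.1)
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Vendor1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 description Vendor2
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Probe vendor 1's gateway every 10 seconds; the track object follows reachability.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary default route exists only while track 1 is up; the floating
! route (administrative distance 10) takes over when it is withdrawn.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! One PAT pool per vendor, selected by the egress interface.
access-list 10 permit 192.168.100.0 0.0.0.255
route-map VENDOR1 permit 10
 match ip address 10
 match interface GigabitEthernet0/1
route-map VENDOR2 permit 10
 match ip address 10
 match interface GigabitEthernet0/2
ip nat inside source route-map VENDOR1 interface GigabitEthernet0/1 overload
ip nat inside source route-map VENDOR2 interface GigabitEthernet0/2 overload
```

Two caveats a practitioner would check: probing only the directly connected gateway does not detect a vendor whose link is up but whose upstream is down, so probe something further out (or several targets) if that matters; and this is a second layer of NAT behind the PIX's interface PAT, so inbound statics on the PIX must be mirrored on the router, and existing router translations toward a failed vendor persist until they time out.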
 
ort11Author Commented:
Boo :-( sad face.  There is a manual workaround that is easy, but I really wanted to set this up automatically.

Also:

I am seeing that this holds true even if I bring up a static conduit to the other interface.  I thought for sure that if you set your default route to one internet provider and then bring up a static conduit to the other interface, it would work, but NOOOO (at least as far as I can figure out).

This means that I have to surround the pixii with 4 routers for failover?  Two virtual routers in front for failover, two PIXes for failover, and then two virtual routers on the outside for failover?  Nothing like selling routers ;-)

Any other advice would be appreciated.
 
            |--Router---|                         |-- PIX master --|                       |-- Router 1 --|                     |-- Internet provider 1 ----
Inside LAN--|           |--- Inside PIX VLAN -----|                |--- Outside VLAN ------|              |--- Internet VLAN ---|
            |--Router---|                         |-- Fail PIX ----|                       |-- Router 2 --|                     |-- Internet provider 2 ----

Not to mention the vlans for the DMZ and other vlans for other interfaces in the pix.


0
