Cisco PIX %PIX-3-305006: Regular translation creation failed for protocol src int_name:IP_addr/port dst int_name:IP_addr/port, try to route to 2nd Internet IP Address

Hi All:

We have a pix that is connected to two internet providers.  One is security level 1 and one is security level 2.  The internal network is set at security level 100.  We are testing the setup and the security level 1 internet link works fine.  But when we put the static route in for the level 2 provider we get %PIX-3-305006.  Both interfaces are set up the same with interface PAT and I have tried to verify all of the information.  We can ping both providers' gateways fine from the pix.  Right now all access rules are default.  The exact message looks like this:

%PIX-3-305006: portmap translation creation failed for tcp src 1-<internalnetwork><workstation>/2219 dst 5-<internetprovider>:<outside ip address>/80

I have found this information, but I am not sure if it is 100% correct:

Dst IP is network/broadcast IP, translation creation failed

But this does not make sense.

Anyway, OS version is

Cisco PIX Security Appliance Software Version 7.1(1)
Device Manager Version 5.1(1)

Thanks in advance:

This message is harmless. See below for what it is:

%PIX-3-305006: {outbound static|identity|portmap|regular} translation creation failed for protocol src interface_name:source_address/source_port dst interface_name:dest_address/dest_port

A protocol (UDP, TCP, or ICMP) failed to create a translation through the security appliance. This message appears as a fix to caveat CSCdr0063 that requested that the security appliance not allow packets that are destined for network or broadcast addresses. The security appliance provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, the security appliance denies translations for a destination IP address identified as a network or broadcast address.

The security appliance does not apply PAT to all ICMP message types; it only applies PAT to ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT xlate. So, when the other ICMP message types are dropped, syslog message 305006 (on the security appliance) is generated.

The security appliance utilizes the global IP and mask from configured static command statements to distinguish regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the security appliance does not create a translation for network or broadcast IP addresses with inbound packets. For example:

static (inside,outside) netmask

Global address is responded to as a network address and is responded to as the broadcast address. Without an existing translation, the security appliance denies inbound packets destined for or, and logs this syslog message. When the suspected IP is a host IP, configure a separate static command statement with a host mask in front of the subnet static (first match rule for static command statements). The following static causes the security appliance to respond to as a host address:

static (inside,outside) netmask
static (inside,outside) netmask

The translation may be created by traffic started from the inside host with the questioned IP address. Because the security appliance views a network or broadcast IP address as a host IP address with an overlapped subnet static configuration, the network address translation for both static command statements must be the same.

Recommended Action: None required.

Related documents- No specific documents apply to this error message.


PS: This is taken right from Cisco 'error message decoder'.
If you are not familiar with Cisco Error Message Decoder, it is a tool at Cisco Site which will tell you what the error is. You need to have a CCO account to use this;
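The Cisco text above names two concrete conditions that produce 305006: a destination that is the network or broadcast address of a static's global range, and an ICMP type other than echo/echo-reply under PAT. The Python below is an added example, not code from the thread or from Cisco: it parses 305006 syslog lines and tests each against those two conditions, including the first-match rule where a host static listed before the subnet static makes the address a host again. The sample syslog lines, the interface names, and the 203.0.113.0/24 static global range are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Body of a 305006 message. TCP/UDP carry "addr/port"; ICMP carries the bare
# address followed by "(type N, code N)". The ASA reuses the same message ID.
MSG_RE = re.compile(
    r"%(?:PIX|ASA)-3-305006: "
    r"(?P<kind>outbound static|static|identity|portmap|regular) "
    r"translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>\d+\.\d+\.\d+\.\d+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>\d+\.\d+\.\d+\.\d+)(?:/(?P<dst_port>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
)


@dataclass
class Xlate305006:
    kind: str            # portmap / regular / static / identity / outbound static
    proto: str
    src_if: str
    src_ip: str
    src_port: Optional[int]
    dst_if: str
    dst_ip: str
    dst_port: Optional[int]
    icmp_type: Optional[int]


def parse_305006(line: str) -> Optional[Xlate305006]:
    """Return the parsed message, or None for any other syslog line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    opt = lambda v: int(v) if v is not None else None
    return Xlate305006(g["kind"], g["proto"].lower(), g["src_if"], g["src_ip"],
                       opt(g["src_port"]), g["dst_if"], g["dst_ip"],
                       opt(g["dst_port"]), opt(g["icmp_type"]))


def static_refuses_dst(dst: ipaddress.IPv4Address,
                       statics: List[ipaddress.IPv4Network]) -> bool:
    """Model the network/broadcast check described in the Cisco text.

    `statics` holds the *global* side of each static command, in config
    order. The first static whose range contains dst decides (first-match
    rule), so a host (/32) static placed before the subnet static makes the
    appliance treat that address as a host instead of refusing it.
    """
    for net in statics:
        if dst in net:
            if net.prefixlen >= 31:          # host mask: no network/broadcast notion
                return False
            return dst in (net.network_address, net.broadcast_address)
    return False


def classify(x: Xlate305006,
             statics: List[ipaddress.IPv4Network]) -> Tuple[str, str]:
    """Map one message onto the documented causes; returns (code, detail)."""
    dst = ipaddress.IPv4Address(x.dst_ip)
    if static_refuses_dst(dst, statics):
        return ("net-bcast",
                f"dst {dst} is the network/broadcast address of a static global range")
    if x.proto == "icmp" and x.icmp_type not in (0, 8):
        return ("icmp-type",
                f"icmp type {x.icmp_type}: only echo/echo-reply get a PAT xlate")
    return ("unexplained",
            f"{x.kind} {x.proto} {x.src_if}->{x.dst_if}: not one of the documented "
            "causes; check the nat/global pair and the route for the dst interface")


def analyze(log_text: str,
            statics: List[ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Run classify over every 305006 line in a syslog capture."""
    out = []
    for line in log_text.splitlines():
        x = parse_305006(line)
        if x is not None:
            out.append(classify(x, statics))
    return out


# Constructed sample lines (not from the thread); addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
%PIX-3-305006: portmap translation creation failed for tcp src inside:10.1.1.20/2219 dst outside:203.0.113.10/80
%PIX-3-305006: regular translation creation failed for udp src outside:198.51.100.7/1025 dst inside:203.0.113.255/53
%PIX-3-305006: portmap translation creation failed for icmp src inside:10.1.1.20 dst outside:203.0.113.10 (type 3, code 3)
%PIX-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.20/2220 (203.0.113.2/1024)
"""

# Assumed config: static (inside,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0
SUBNET_STATIC = [ipaddress.IPv4Network("203.0.113.0/24")]
# Same, with a host static for .255 placed in front of it (first-match rule).
HOST_FIRST = [ipaddress.IPv4Network("203.0.113.255/32")] + SUBNET_STATIC

if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_LOG, SUBNET_STATIC):
        print(f"{code:12} {detail}")
```

The first sample line mirrors the questioner's message (outbound portmap, tcp, destination port 80) and matches neither documented cause, which is why the classifier reports it as unexplained and points at the nat/global pair and the route for the destination interface rather than at the broadcast check.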

ort11Author Commented:
Thanks, here is what I am trying to do.  I would like an automatic failover if one of the internet providers goes down.  I have made two Policy Interface PATs, one from the inside network to vendor 1 and one from the inside network to vendor 2, with two static routes with different metrics.  What seems to be happening is that one vendor's PAT is used even if I change the metric on the static routes (to test the failover).

So how do I get automatic Internet failover if one of the outside vendors is having a problem?  Is this possible with the pix?


As far as I know, you can't do it with a PIX to have 2 outside parameters. But in 7.0, I'm not sure, since I've never worked on them yet.

>So how do I get automatic Internet failover if one of the outside vendors is having a problem?  Is this possible with the pix?
  Sorry, can't be done on a PIX, not even PIX 7.x.  You can't have more than 1 default gateway on a PIX.  A Cisco router will allow you to do what you want.


Okay, since Calvinetter now confirms it, you probably need to redesign your network to something like:


You can do the load balancing + failover on the router if you want.

ort11Author Commented:
Boo :-( sad face.  There is a manual workaround that is easy, but really wanted to set this up automatic.  


I am seeing that this holds true even if I bring up a static conduit to the other interface.  I thought for sure that if you set your default route to one internet provider and then bring up a static conduit to the other interface it would work, but NOOOO (at least as far as I can figure out).

This means that I have to surround the pixii with 4 routers for failover?  Two virtual routers in the front for failover, two pix for failover, and then two virtual routers on the outside for failover?  nothing like selling routers ;-)

Any other advice would be appreciated.
           |--Router--|                        | Pix master |                     |--Router 1--|                    |-- Internet provider 1 -----
Inside LAN-|          |--- Inside Pix VLAN ----|            |--- Outside VLAN ----|            |--- Internet VLAN ---|
           |--Router--|                        | Fail pix   |                     |--Router 2--|                    |-- Internet provider 2 -----

Not to mention the vlans for the DMZ and other vlans for other interfaces in the pix.
