Solved

Cisco Pix 525: Message ID 305006 regular translation creation failed

Posted on 2008-10-23
4
968 Views
Last Modified: 2012-06-21
My Cisco Pix 525 firewall, version 6.3(3)  is letting certain computers out and blocking others. I cannot identify why. The logs show the message ID: 305006 "regular translation failed for tcp src inside:x.x.x.x/port dst outside:x.x.x.x port"

It was working about a week ago and all of a sudden it started to behave in this manner.

Is there a way to reset the firewall to factory defaults?
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
 
hostname XXXX
domain-name XXXX
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
 
name 10.0.0.6 SMTP
object-group service DNS udp
  description XXX DNS Servers
  port-object eq domain
access-list out_to_in remark banned Block #1 
access-list out_to_in deny ip host banned1 any log 
access-list out_to_in remark banned Block #2
access-list out_to_in deny ip host banned2 any log 
access-list inside_access_in remark Outgoing: BLOCKED abc.com
access-list inside_access_in deny ip any host abc.com log 
access-list inside_access_in remark Outgoing: BLOCKED abc.com
access-list inside_access_in deny ip any host abc.om log 
access-list inside_access_in permit ip any any 
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 12.xxx.yyy.146 255.255.255.240
ip address inside 10.0.0.5 255.0.0.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 10.1.6.9 255.255.255.255 inside
pdm location 10.3.1.100 255.255.255.255 inside
pdm location nortel 255.255.255.255 outside
pdm location ISPDNS1 255.255.255.255 outside
pdm location ISPDNS2 255.255.255.255 outside
pdm location 10.1.3.2 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.240 outside
pdm location 10.0.0.1 255.255.255.255 inside
pdm location 10.0.0.2 255.255.255.255 inside
pdm location 10.1.3.3 255.255.255.255 inside
pdm location SMTP 255.255.255.255 inside
pdm location 12.xxx.yyy.146 255.255.255.255 outside
pdm location 32.103.10.122 255.255.255.255 outside
pdm location 32.103.10.250 255.255.255.255 outside
pdm location 206.xxx.yyy.15 255.255.255.255 outside
pdm location abc.om 255.255.255.255 outside
pdm location abc.om255.255.255.255 outside
pdm location ntp2.xxx 255.255.255.255 outside
pdm location MetaFrameServer 255.255.255.255 outside
pdm location 10.0.0.11 255.255.255.255 inside
pdm location TheBox255.255.255.255 outside
pdm location banned2 255.255.255.255 outside
pdm location banned1 255.255.255.255 outside
pdm location abc.om255.255.255.255 outside
pdm location 10.0.0.15 255.255.255.255 inside
pdm location 10.0.0.9 255.255.255.255 inside
pdm location 10.0.0.8 255.255.255.255 inside
pdm location 12.xxx.yyy.149 255.255.255.255 outside
pdm location Mail 255.255.255.255 outside
pdm location 10.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 10.0.0.7 255.255.255.255 inside
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 12.xxx.yyy.145 255.255.255.255 outside
pdm location 10.1.3.6 255.255.255.255 inside
pdm location 10.1.3.16 255.255.255.255 inside
pdm location 10.1.1.1 255.255.255.255 inside
pdm location 10.1.3.4 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 10.1.3.55 255.255.255.255 inside
pdm location 10.1.3.52 255.255.255.255 inside
pdm location 10.1.3.60 255.255.255.255 inside
pdm location 10.1.3.1 255.255.255.255 inside
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 10 12.xxx.yyy.149-12.xxx.yyy.155 netmask 255.255.255.0
nat (inside) 10 10.0.0.0 255.0.0.0 0 0
access-group out_to_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 12.xxx.yyy.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
url-server (outside) vendor websense host abc.omtimeout 5 protocol TCP version 1
url-server (outside) vendor websense host abc.om timeout 5 protocol TCP version 1
ntp server ntp2.xxx source outside prefer
http server enable
http 10.1.6.9 255.255.255.255 inside
http 10.1.3.2 255.255.255.255 inside
http 10.0.0.1 255.255.255.255 inside
http 10.0.0.2 255.255.255.255 inside
http 10.1.3.1 255.255.255.255 inside
http 10.1.3.3 255.255.255.255 inside
http SMTP 255.255.255.255 inside
http 10.0.0.15 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 10.1.6.9 255.255.255.255 inside
ssh timeout 5
console timeout 0
vpdn enable outside
vpdn enable inside
: end

Open in new window

0
Comment
Question by:CompL-3
  • 3
4 Comments
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 22792871
how many clients are trying to communicate out. my guess is your out of public IPs.  by doing
global (outside) 10 12.xxx.yyy.149-12.xxx.yyy.155 netmask 255.255.255.0
nat (inside) 10 10.0.0.0 255.0.0.0 0 0

that means the first 6 clients get a public IP.  They are freed as the connections are closed.  see if this fixes it.  It adds a PAT to the list so that after the first 5 are used, the next clients do PAT with that address rather than a NAT with one of the first 5 addresses

no global (outside) 10 12.xxx.yyy.149-12.xxx.yyy.155 netmask 255.255.255.0
global (outside) 10 12.xxx.yyy.150-12.xxx.yyy.155 netmask 255.255.255.0
global (outside) 10 12.xxx.yyy.149 netmask 255.255.255.0

if it doesn't fix it use this to reverse it
no global (outside) 10 12.xxx.yyy.150-12.xxx.yyy.155 netmask 255.255.255.0
global (outside) 10 12.xxx.yyy.149-12.xxx.yyy.155 netmask 255.255.255.0
0
 

Author Comment

by:CompL-3
ID: 22794956
Currently I am accessing the Pix through the GUI. The CLI interface is still through the gui, is there a way I can access it via ssh or telnet to make this change?

Also is there a way to set it back to factory defaults?
0
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 500 total points
ID: 22797095
yes, but setting back to factory defaults should be a last effort; mainly because of restoring config and not really knowing what fixed it.  i'm reasonably confident that is the global/nat config though.

unfortunately, I don't use the gui ever so I have to look where you can add ssh/telnet access in there.  btw, are you on the inside side of the pix?  will look into where that option is; can pry actually just change the global/nat in there as well, but would have to look up where that is.
0
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 500 total points
ID: 22798386
look at this pic pdf:  http://www.netcraftsmen.net/welcher/papers/pdm-3.0-cap.pdf

It looks like go to Configuration button, Translation Rules tab

you're going to need to modify the current NAT range for the outside interface.  Then add the PAT.  Make sure its assigned to the 10 group.  If it doesn't allow you to modify, delete it, then add it with the proper range, and then the PAT.  Sorry can't be of more help, but since I've never used it, I'm going purely off of the pics which start on page 29 for what you need to do.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question