Solved

Cisco Pix 525: Message ID 305006 regular translation creation failed

Posted on 2008-10-23
4
960 Views
Last Modified: 2012-06-21
My Cisco Pix 525 firewall, version 6.3(3)  is letting certain computers out and blocking others. I cannot identify why. The logs show the message ID: 305006 "regular translation failed for tcp src inside:x.x.x.x/port dst outside:x.x.x.x port"

It was working about a week ago and all of a sudden it started to behave in this manner.

Is there a way to reset the firewall to factory defaults?
PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

 

hostname XXXX

domain-name XXXX

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

 

name 10.0.0.6 SMTP

object-group service DNS udp

  description XXX DNS Servers

  port-object eq domain

access-list out_to_in remark banned Block #1 

access-list out_to_in deny ip host banned1 any log 

access-list out_to_in remark banned Block #2

access-list out_to_in deny ip host banned2 any log 

access-list inside_access_in remark Outgoing: BLOCKED abc.com

access-list inside_access_in deny ip any host abc.com log 

access-list inside_access_in remark Outgoing: BLOCKED abc.com

access-list inside_access_in deny ip any host abc.om log 

access-list inside_access_in permit ip any any 

pager lines 24

logging on

mtu outside 1500

mtu inside 1500

ip address outside 12.xxx.yyy.146 255.255.255.240

ip address inside 10.0.0.5 255.0.0.0

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

pdm location 10.1.6.9 255.255.255.255 inside

pdm location 10.3.1.100 255.255.255.255 inside

pdm location nortel 255.255.255.255 outside

pdm location ISPDNS1 255.255.255.255 outside

pdm location ISPDNS2 255.255.255.255 outside

pdm location 10.1.3.2 255.255.255.255 inside

pdm location 0.0.0.0 255.255.255.240 outside

pdm location 10.0.0.1 255.255.255.255 inside

pdm location 10.0.0.2 255.255.255.255 inside

pdm location 10.1.3.3 255.255.255.255 inside

pdm location SMTP 255.255.255.255 inside

pdm location 12.xxx.yyy.146 255.255.255.255 outside

pdm location 32.103.10.122 255.255.255.255 outside

pdm location 32.103.10.250 255.255.255.255 outside

pdm location 206.xxx.yyy.15 255.255.255.255 outside

pdm location abc.om 255.255.255.255 outside

pdm location abc.om255.255.255.255 outside

pdm location ntp2.xxx 255.255.255.255 outside

pdm location MetaFrameServer 255.255.255.255 outside

pdm location 10.0.0.11 255.255.255.255 inside

pdm location TheBox255.255.255.255 outside

pdm location banned2 255.255.255.255 outside

pdm location banned1 255.255.255.255 outside

pdm location abc.om255.255.255.255 outside

pdm location 10.0.0.15 255.255.255.255 inside

pdm location 10.0.0.9 255.255.255.255 inside

pdm location 10.0.0.8 255.255.255.255 inside

pdm location 12.xxx.yyy.149 255.255.255.255 outside

pdm location Mail 255.255.255.255 outside

pdm location 10.0.0.0 255.255.255.255 inside

pdm location 0.0.0.0 255.255.255.255 outside

pdm location 10.0.0.7 255.255.255.255 inside

pdm location 10.0.0.0 255.255.255.0 inside

pdm location 12.xxx.yyy.145 255.255.255.255 outside

pdm location 10.1.3.6 255.255.255.255 inside

pdm location 10.1.3.16 255.255.255.255 inside

pdm location 10.1.1.1 255.255.255.255 inside

pdm location 10.1.3.4 255.255.255.255 inside

pdm location 10.0.0.0 255.0.0.0 outside

pdm location 0.0.0.0 255.255.255.255 inside

pdm location 10.1.3.55 255.255.255.255 inside

pdm location 10.1.3.52 255.255.255.255 inside

pdm location 10.1.3.60 255.255.255.255 inside

pdm location 10.1.3.1 255.255.255.255 inside

pdm logging informational 512

pdm history enable

arp timeout 14400

global (outside) 10 12.xxx.yyy.149-12.xxx.yyy.155 netmask 255.255.255.0

nat (inside) 10 10.0.0.0 255.0.0.0 0 0

access-group out_to_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 12.xxx.yyy.145 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+ 

aaa-server RADIUS protocol radius 

aaa-server LOCAL protocol local 

url-server (outside) vendor websense host abc.omtimeout 5 protocol TCP version 1

url-server (outside) vendor websense host abc.om timeout 5 protocol TCP version 1

ntp server ntp2.xxx source outside prefer

http server enable

http 10.1.6.9 255.255.255.255 inside

http 10.1.3.2 255.255.255.255 inside

http 10.0.0.1 255.255.255.255 inside

http 10.0.0.2 255.255.255.255 inside

http 10.1.3.1 255.255.255.255 inside

http 10.1.3.3 255.255.255.255 inside

http SMTP 255.255.255.255 inside

http 10.0.0.15 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh 10.1.6.9 255.255.255.255 inside

ssh timeout 5

console timeout 0

vpdn enable outside

vpdn enable inside

: end

Open in new window

0
Comment
Question by:CompL-3
  • 3
4 Comments
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
Comment Utility
how many clients are trying to communicate out. my guess is your out of public IPs.  by doing
global (outside) 10 12.xxx.yyy.149-12.xxx.yyy.155 netmask 255.255.255.0
nat (inside) 10 10.0.0.0 255.0.0.0 0 0

that means the first 6 clients get a public IP.  They are freed as the connections are closed.  see if this fixes it.  It adds a PAT to the list so that after the first 5 are used, the next clients do PAT with that address rather than a NAT with one of the first 5 addresses

no global (outside) 10 12.xxx.yyy.149-12.xxx.yyy.155 netmask 255.255.255.0
global (outside) 10 12.xxx.yyy.150-12.xxx.yyy.155 netmask 255.255.255.0
global (outside) 10 12.xxx.yyy.149 netmask 255.255.255.0

if it doesn't fix it use this to reverse it
no global (outside) 10 12.xxx.yyy.150-12.xxx.yyy.155 netmask 255.255.255.0
global (outside) 10 12.xxx.yyy.149-12.xxx.yyy.155 netmask 255.255.255.0
0
 

Author Comment

by:CompL-3
Comment Utility
Currently I am accessing the Pix through the GUI. The CLI interface is still through the gui, is there a way I can access it via ssh or telnet to make this change?

Also is there a way to set it back to factory defaults?
0
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 500 total points
Comment Utility
yes, but setting back to factory defaults should be a last effort; mainly because of restoring config and not really knowing what fixed it.  i'm reasonably confident that is the global/nat config though.

unfortunately, I don't use the gui ever so I have to look where you can add ssh/telnet access in there.  btw, are you on the inside side of the pix?  will look into where that option is; can pry actually just change the global/nat in there as well, but would have to look up where that is.
0
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 500 total points
Comment Utility
look at this pic pdf:  http://www.netcraftsmen.net/welcher/papers/pdm-3.0-cap.pdf

It looks like go to Configuration button, Translation Rules tab

you're going to need to modify the current NAT range for the outside interface.  Then add the PAT.  Make sure its assigned to the 10 group.  If it doesn't allow you to modify, delete it, then add it with the proper range, and then the PAT.  Sorry can't be of more help, but since I've never used it, I'm going purely off of the pics which start on page 29 for what you need to do.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Cisco ASA 5500 Series Site-to-Site Azure 6 43
Hardening ScreenOS 8 64
redistribute default route to EIGRP? 2 26
Cisco iWAN 8 45
Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now