Re: [fw-wiz] Pix - portmap translation creation failed

From: Joe Ippolito (joe_at_joesnet.com)
Date: 02/02/04

  • Next message: Paul Robertson: "[fw-wiz] Botnets, IRC servers and firewalls?"
    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 2 Feb 2004 12:09:23 -0800

    This question is somewhat related but, on a different
    scale. I was reading "CCSP Self-Study: Cisco Secure PIX
    Firewall Advanced (CSPFA) 2nd ed." and found this
    under "FWSM and PIX Firewall Feature Comparison" (P792):

    "Virtual private network (VPN) functionality (IPSec, Point-
    to-Point Tunneling Protocol [PPTP] and Layer 2 Tunneling
    Protocol [L2TP]) packets flowing across the firewall is not
    supported."

    I questioned a Cisco SE about it prior to our implementation
    of the FWSM and he claimed that it was only for management
    of another PIX through the FWSM. This morning after last
    Friday's implementation someone complained about not being
    able to do PPTP in through the FWSM.

    Anyone have any experience trying to get RAS VPN tunnels
    through a Cisco FWSM?

    Thanks,

    ---- Original message ----
    >Date: Mon, 02 Feb 2004 17:50:21 +0100
    >From: Javier Sanchez Llera <jsanchez@myalert.com>
    >Subject: Re: [fw-wiz] Pix - portmap translation creation failed
    >To: "Crissup, John (MBNP is)" <John.Crissup@us.millwardbrown.com>
    >Cc: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
    >
    >Hi,
    >
    >you should use the option "sysopt connection permit-ipsec" on your
    >config to let ipsec traffic pass through the pix. You should take care of
    >the nat-traversal options that your vpn-client should have.
    >
    >
    >Cheers
    >
    >Javier Sanchez Llera
    >jsanchez@myalert.com
    >Systems Administrator
    >MyAlert.com
    >
    >
    >
    >On Mon, 02-02-2004 at 16:38, Crissup, John (MBNP is) wrote:
    >> OK, folks, need your help. We have a user trying to VPN out of our network
    >> using a Netscreen or SafeNet (??) client (Sorry, got that second hand and am
    >> not up on Netscreen products). I'm seeing a syslog entry being generated by
    >> the PIX for message %PIX-3-305006. The exact error follows (appropriately
    >> scrubbed)...
    >>
    >> %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:172.20.1.1 dst outside:A.B.C.D
    >>
    >> My PIX 520 (Ver 6.3.1) is configured to use PAT for all Internet bound
    >> traffic. A search of Cisco's site turns up nothing about this particular
    >> error except a bug report that the documentation needs to be updated to show
    >> this error. Can anyone offer some direction on how to resolve this?
    >>
    >> As always, thanks in advance for any assistance you can offer.
    >>
    >> --
    >>
    >> John M. Crissup
    >> Network Systems Engineer
    >> Global Network Services
    >>
    >> Millward Brown
    >> 535 E. Diehl Rd.
    >> Naperville, IL 60563
    >>
    >> ====================================================
    >> This email is confidential and intended solely for the use of the
    >> individual or organisation to whom it is addressed. Any opinions or
    >> advice presented are solely those of the author and do not necessarily
    >> represent those of the Millward Brown Group of Companies. If you are
    >> not the intended recipient of this email, you should not copy, modify,
    >> distribute or take any action in reliance on it. If you have received
    >> this email in error please notify the sender and delete this email
    >> from your system. Although this email has been checked for viruses
    >> and other defects, no responsibility can be accepted for any loss or
    >> damage arising from its receipt or use.
    >> ====================================================
    >>
    >> _______________________________________________
    >> firewall-wizards mailing list
    >> firewall-wizards@honor.icsalabs.com
    >> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >>
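
The syslog entry quoted in the thread is easier to act on when a script sorts
the port-less cases from the ordinary ones. The Python below is an added
illustration, not code from this thread, from Cisco or from any of the posters:
it parses %PIX-3-305006 "portmap translation creation failed" lines, flags the IP
protocols that carry no transport port (ESP 50, AH 51 and GRE 47, the last being
PPTP's data channel, which is what the FWSM/PPTP question above turns on) and for
which PAT therefore has nothing to rewrite, and separates them from TCP/UDP
failures that need a different look. The sample log, the protocol table and all
function names are constructed for the example; the first sample line is the
scrubbed message from John's post, the other addresses are documentation ranges.

```python
"""Triage %PIX-3-305006 "portmap translation creation failed" syslog lines.

Added example for the thread above; not Cisco's code. The sample log, the
protocol table and the function names are this example's own constructions.
"""
import re
from collections import Counter

# IP protocols with no transport-layer port field. PAT multiplexes many inside
# hosts behind one outside address by rewriting a port, so it cannot build a
# portmap xlate for these at all. GRE (47) is also PPTP's data channel.
PORTLESS_PROTOCOLS = {
    47: "GRE (PPTP data channel)",
    50: "ESP (IPsec)",
    51: "AH (IPsec)",
}

# Constructed sample syslog extract. Line 1 mirrors the scrubbed entry quoted in
# the thread; the rest use documentation address ranges and are made up.
SAMPLE_LOG = """\
%PIX-3-305006: portmap translation creation failed for protocol 50 src inside:172.20.1.1 dst outside:A.B.C.D
%PIX-3-305006: portmap translation creation failed for protocol 47 src inside:172.20.1.9 dst outside:203.0.113.5
%PIX-3-305006: portmap translation creation failed for udp src inside:172.20.1.12/500 dst outside:203.0.113.5/500
%PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:172.20.1.1/51234 (172.20.1.1/51234)
"""

# Accepts both shapes of the message: "protocol N" for a raw IP protocol, or a
# transport name ("tcp"/"udp") with /port suffixes on the addresses.
PORTMAP_RE = re.compile(
    r"%PIX-3-305006: portmap translation creation failed for "
    r"(?:protocol (?P<proto_num>\d+)|(?P<proto_name>[a-z]+)) "
    r"src (?P<src_if>\w+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?"
)


def parse_portmap_failure(line):
    """Return a dict describing a 305006 event, or None for any other line."""
    m = PORTMAP_RE.search(line)
    if not m:
        return None
    proto_num = int(m["proto_num"]) if m["proto_num"] else None
    return {
        "proto_num": proto_num,
        "proto_name": m["proto_name"],
        "src_if": m["src_if"], "src": m["src"],
        "dst_if": m["dst_if"], "dst": m["dst"],
        "portless": proto_num in PORTLESS_PROTOCOLS,
    }


def explain(event):
    """One-line triage note for an event returned by parse_portmap_failure."""
    if event["portless"]:
        label = PORTLESS_PROTOCOLS[event["proto_num"]]
        return (f"{event['src']} -> {event['dst']}: {label} has no port for PAT to "
                "rewrite; the client needs NAT traversal (UDP encapsulation) or "
                "a one-to-one translation for this host.")
    proto = event["proto_name"] or f"protocol {event['proto_num']}"
    return (f"{event['src']} -> {event['dst']}: {proto} failure is not the "
            "no-port case; check the NAT/xlate configuration for this flow.")


def scan(log_text):
    """Parse every 305006 line in a syslog blob, preserving order."""
    events = []
    for line in log_text.splitlines():
        ev = parse_portmap_failure(line)
        if ev:
            events.append(ev)
    return events


def summarize(events):
    """Count failures per (inside host, protocol label) so repeat offenders stand out."""
    counts = Counter()
    for ev in events:
        label = PORTLESS_PROTOCOLS.get(ev["proto_num"],
                                       ev["proto_name"] or str(ev["proto_num"]))
        counts[(ev["src"], label)] += 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ev in found:
        print(explain(ev))
    for (host, label), n in summarize(found).items():
        print(f"{host:16} {label:28} {n}")
```

Feed it a real syslog capture instead of SAMPLE_LOG and the summary gives you,
per inside host, whether the failures are the structural ESP/GRE-through-PAT
case (fix on the client or with a one-to-one translation) or something else
worth a look at the translation configuration.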

