Re: Pix - portmap translation creation failed

[Joe Ippolito <joe () joesnet com>]

This question is somewhat related but, on a different 
scale.  I was reading "CCSP Self-Study: Cisco Secure PIX 
Firewall Advanced (CSPFA) 2nd ed." and found this 
under "FWSM and PIX Firewall Feature Comparison" (P792):

"Virtual private network (VPN) functionality (IPSec, Point-
to-Point Tunneling Protocol [PPTP] and Layer 2 Tunneling 
Protocol [L2TP]) packets flowing across the firewall is not 
supported."

I questioned a Cisco SE about it prior to our implementation 
of the FWSM and he claimed that it was only for management 
of another PIX through the FWSM.  This morning after last 
Friday's implementation someone complained about not being 
able to do PPTP in through the FWSM.

Anyone have any experience trying to get RAS VPN tunnels 
through a Cisco FWSM?

Thanks,

---- Original message ----
> Date: Mon, 02 Feb 2004 17:50:21 +0100
> From: Javier Sanchez Llera <jsanchez () myalert com>  
> Subject: Re: [fw-wiz] Pix - portmap translation creation 
failed  
> To: "Crissup, John (MBNP is)" 
<John.Crissup () us millwardbrown com>
> Cc: "'firewall-wizards () honor icsalabs com'" <firewall-
wizards () honor icsalabs com>
> Hi,
>
> you should use the option "sysopt connection permit-ipsec" 
on your
> config to let ipsec traffic pass through the pix. You 
should take car of
> the nat-travsersal options that your vpn-client should have.
>
>
> Cheers
>
> Javier Sanchez Llera
> jsanchez () myalert com
> Systems Administrator
> MyAlert.com
>
>
>
> El lun, 02-02-2004 a las 16:38, Crissup, John (MBNP is) 
escribió:
> > OK, folks, need your help. We have a user trying to VPN 
out of our network
> > using a Netscreen or SafeNet (??) client (Sorry, got that 
second hand and am
> > not up on Netscreen products). I'm seeing a syslog entry 
being generated by
> > the PIX for message %PIX-3-305006. The exact error 
follows (appropriately
> > scrubbed)...
> >
> > %PIX-3-305006: portmap translation creation failed for 
protocol 50 src
> > inside:172.20.1.1 dst outside:A.B.C.D
> >
> > My PIX 520 (Ver 6.3.1) is configured to use PAT for all 
Internet bound
> > traffic. A search of Cisco's site turns up nothing about 
this particular
> > error except a bug report that the documentation needs to 
be updated to show
> > this error. Can anyone offer some direction on how to 
resolve this?
> > As always, thanks in advance for any assistance you can 
offer. 
> > --
> >
> > John M. Crissup
> > Network Systems Engineer
> > Global Network Services
> >
> > Millward Brown
> > 535 E. Diehl Rd.
> > Naperville, IL 60563
> >
> > ==================================================== 
> > This email is confidential and intended solely for the 
use of the 
> > individual or organisation to whom it is addressed. Any 
opinions or 
> > advice presented are solely those of the author and do 
not necessarily 
> > represent those of the Millward Brown Group of 
Companies.  If you are 
> > not the intended recipient of this email, you should not 
copy, modify, 
> > distribute or take any action in reliance on it. If you 
have received 
> > this email in error please notify the sender and delete 
this email 
> > from your system. Although this email has been checked 
for viruses 
> >  and other defects, no responsibility can be accepted for 
any loss or 
> > damage arising from its receipt or use. 
> > ==================================================== 
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () honor icsalabs com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-
wizards
> >
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards