Hi All,
I have two servers behind my PIX 501. One is a web server, the other a mail server. They can be accessed for web pages and email respectively. However, neither can see out -- all outbound requests (DNS, POP3, HTTP) are blocked, and the log shows the following error:
No translation group found for udp src inside:mailServer/1100 dst outside:69.xxx.xxx.xxx/53
Can anyone tell me what's happening?
Here is the config:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *************** encrypted
passwd *************** encrypted
hostname ******
domain-name ********************
fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol sip 5060
no fixup protocol skinny 2000
no fixup protocol sqlnet 1521
no fixup protocol rtsp 554
no fixup protocol h323 1720
no fixup protocol ftp 21
fixup protocol smtp 25
names
name 192.168.1.29 webServer
name 69.xxx.xxx.0 extRouteToRouter
name 192.168.1.36 mailServer
access-list ALLOWED_TRAFFIC permit tcp any host 69.xxx.xxx.xxx eq smtp
access-list ALLOWED_TRAFFIC permit tcp any host 69.xxx.xxx.xxx eq www
access-list ALLOWED_TRAFFIC permit udp any host 69.xxx.xxx.xxx eq domain
access-list ALLOWED_TRAFFIC permit tcp any host 69.xxx.xxx.xxx eq domain
access-list ALLOWED_TRAFFIC permit tcp any host 69.xxx.xxx.xxx eq pop3
pager lines 24
logging on
logging buffered warnings
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 69.xxx.xxx.xxx 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location webServer 255.255.255.255 inside
pdm location 192.168.55.36 255.255.255.255 inside
pdm location 192.168.55.0 255.255.255.0 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface smtp mailServer smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 mailServer pop3 netmask 255.255.255.255 0 0
access-group ALLOWED_TRAFFIC in interface outside
route outside 0.0.0.0 0.0.0.0 69.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt nodnsalias inbound
sysopt nodnsalias outbound
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.10-192.168.1.15 inside
dhcpd dns 69.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Thanks in advance!
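Added example (editor's note, not part of the original post): a small Python checker that reads a trimmed copy of the config above together with the logged message and reports why the PIX has no translation to apply. On PIX 6.x a `global (outside) <id>` only takes effect for hosts covered by a `nat (<iface>) <id> ...` statement with the same id; port-specific `static` entries translate only the port they name, so a DNS query from an ephemeral port on the mail server matches nothing and is dropped with "No translation group found". The config excerpt and log line are constructed from the post (the masked outside address is replaced with the documentation address 203.0.113.10); the suggested `nat (inside) 1 0.0.0.0 0.0.0.0` line is the standard pairing for that global and is an assumption about the desired policy (every inside host may go out), not something the post states.

```python
import re

# Constructed excerpt of the poster's config; only NAT-relevant lines kept,
# addresses as in the post except for masked values.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
name 192.168.1.29 webServer
name 192.168.1.36 mailServer
global (outside) 1 interface
static (inside,outside) tcp interface smtp mailServer smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 mailServer pop3 netmask 255.255.255.255 0 0
"""

# Constructed log line; 203.0.113.10 stands in for the masked DNS server.
SAMPLE_LOG = ("No translation group found for udp src inside:mailServer/1100 "
              "dst outside:203.0.113.10/53")

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+)\b")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+)\b")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\w+) ")
LOG_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<shost>[^/]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dhost>[^/]+)/(?P<dport>\d+)")


def nat_pools(config):
    """Return ({pool_id: [global ifaces]}, {pool_id: [nat ifaces]})."""
    globals_, nats = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            globals_.setdefault(int(m.group(2)), []).append(m.group(1))
        elif m := NAT_RE.match(line):
            nats.setdefault(int(m.group(2)), []).append(m.group(1))
    return globals_, nats


def port_statics(config):
    """List (real_if, mapped_if, proto) for port statics; these translate
    only the named port, so they never satisfy a general outbound flow."""
    found = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if m and m.group(3) in ("tcp", "udp"):
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def missing_nat(config):
    """Pool ids that have a global but no nat statement on any interface."""
    globals_, nats = nat_pools(config)
    return sorted(pid for pid in globals_ if pid not in nats)


def parse_log(line):
    """Split a %PIX-3-305005 message into protocol, interfaces, hosts, ports."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def diagnose(config, log_line):
    """Return the nat line that would pair the outbound global with the
    source interface of the logged packet, or None if one already exists
    (or the message is not a translation-group failure)."""
    hit = parse_log(log_line)
    if hit is None:
        return None
    globals_, nats = nat_pools(config)
    src_if = hit["sif"]
    if any(src_if in ifs for ifs in nats.values()):
        return None  # a nat already covers this interface
    for pid, ifs in globals_.items():
        if hit["dif"] in ifs:
            # Assumed policy: let every host on src_if use this global pool.
            return f"nat ({src_if}) {pid} 0.0.0.0 0.0.0.0"
    return None


if __name__ == "__main__":
    print("globals without nat:", missing_nat(SAMPLE_CONFIG))
    print("port statics (port-only, do not help outbound):", port_statics(SAMPLE_CONFIG))
    print("suggested line:", diagnose(SAMPLE_CONFIG, SAMPLE_LOG))
```

The check deliberately ignores the two port statics when deciding whether outbound traffic is covered: they let the outside reach the mail server on 25 and 110 and let replies flow back, but they do not give the server a translation for a new UDP/53 or TCP/80 connection it originates itself. Adding the reported `nat` line (and then `clear xlate`) is what pairs the existing `global (outside) 1 interface` with the inside network.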