Syslog Error - portmap translation creation failed

[sohtnax]

Can anyone tell me what if anything I should do about the following error I am receiving in my syslog from my PIX Firewall:

%PIX-3-305006: portmap translation creation failed for udp src inside:10.5.X.X/137 dst public:172.16.X.X/137

The 10.5.X.X addres represents my PDC and 172.16.X.X is an IIS server in my DMZ zone.

 

[routerman]

I had a look at the Cisco error message decoder for this one, they state the following:

1. %PIX-3-305006: Regular translation creation failed for protocol src int_name:IP_addr/port dst int_name:IP_addr/port
A protocol (UDP, TCP, or ICMP) failed to create a translation through the PIX Firewall. This message appears as a fix to caveat CSCdr0063 that requested that PIX Firewall not allow packets destined to network or broadcast addresse s. PIX Firewall provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, PIX Firewall denies translations for a destined IP address identified as a netw ork or broadcast address.

The addresses in question, is the inside address a broadcast? I see its to port 137 which is the NetBIos name server port.

 

[N0ktar]

I've also seen this happen when you run out of licences on pix.

 

[sohtnax]

What kind of licenses? PLease explain

 

[yizhar]

HI.

> The 10.5.X.X addres represents my PDC and 172.16.X.X is an IIS server in my DMZ zone
Does the IIS server in DMZ have access to the PDC?
Is the IIS server using the PDC as WINS server?
Please provide more details, and the rules (nat, global, static and access-list) for DMZ-inside traffic.

Anyway - I can also report that I see some strange UDP 137 packets dropped on firewalls, without knowing the exact reason.

Bye


Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar