Friday, 14 November 2008

Monday, 3 November 2008

Is the PIX glitching?

After a voltage sag in one of the server rooms the PIX started "glitching". Don't ask where the UPS was. It broke and, as usual, is out for repair.
First, and strangest of all, the PIX did not reboot along with the rest of the equipment but kept running. Uptime confidently showed 18 days. Second, for some reason known only to itself, it periodically dropped packets, summarizing with

Nov 03 2008 09:50:54: %PIX-3-305006: portmap translation creation failed for udp src adsl_inet:192.168.249.10/50149 dst internet:193.xxx.248.2/53
Problem description and recommendations from cisco.com:

305006
Error Message %PIX|ASA-3-305006: {outbound | static | identity | portmap | regular} translation creation failed for protocol src interface_name:source_address/source_port dst interface_name:dest_address/dest_port

Explanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the security appliance. This message appears as a fix to caveat CSCdr00663 that requested that the security appliance not allow packets that are destined for network or broadcast addresses. The security appliance provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, the security appliance denies translations for a destination IP address identified as a network or broadcast address.

The security appliance does not apply PAT to all ICMP message types; it only applies PAT to ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT xlate. So, when the other ICMP message types are dropped, system log message 305006 (on the security appliance) is generated.

The security appliance uses the global IP and mask from configured static command statements to distinguish regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the security appliance does not create a translation for network or broadcast IP addresses with inbound packets.

For example:

static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128


Global address 10.2.2.128 is treated as a network address and 10.2.2.255 is treated as the broadcast address. Without an existing translation, the security appliance denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and logs this system log message.

When the suspected IP is a host IP, configure a separate static command statement with a host mask in front of the subnet static (first-match rule for static command statements). The following static causes the security appliance to treat 10.2.2.128 as a host address:

static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255
static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128


The translation may be created by traffic started from the inside host with the questioned IP address. Because the security appliance views a network or broadcast IP address as a host IP address with an overlapped subnet static configuration, the network address translation for both static command statements must be the same.

Recommended Action None.
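The two mechanisms in the Cisco text above, the 305006 message format and the first-match network/broadcast check over static statements, are small enough to model. The following is an added example, not code from the post or from Cisco: a parser that pulls the protocol, interfaces, addresses and ports out of a 305006 syslog line, and a classifier that walks a list of static statements first-match, exactly as the documentation describes, and reports whether a given global address would be seen as a network, broadcast or host address. The sample log line and the Static dataclass are constructed for this example; the 10.2.2.x addresses and masks come from the Cisco example, and the destination address in the sample line is from a documentation range rather than the author's redacted one.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Message shape as quoted from cisco.com above. The leading timestamp is
# whatever the syslog receiver prepends, so the regex simply searches for
# the message id and ignores anything before it.
MSG_RE = re.compile(
    r"%(?:PIX|ASA)-3-305006: "
    r"(?:(?P<kind>outbound|static|identity|portmap|regular) )?"
    r"translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[^\s:]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^\s:]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)


def parse_305006(line: str) -> Optional[dict]:
    """Return the fields of a 305006 message, or None if the line is not one."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # Ports are absent for ICMP, so keep None rather than failing on int().
    for key in ("src_port", "dst_port"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


@dataclass
class Static:
    """One 'static (in,out) global local netmask mask' statement (hypothetical type)."""
    global_ip: str
    local_ip: str
    netmask: str


def classify_global(statics: List[Static], ip: str) -> Optional[str]:
    """First-match walk over static statements, as the documentation describes.

    Returns 'host', 'network' or 'broadcast' according to the first static
    whose global subnet contains ip, or None when no static covers it.
    """
    addr = ipaddress.IPv4Address(ip)
    for s in statics:
        net = ipaddress.IPv4Network((s.global_ip, s.netmask), strict=False)
        if addr not in net:
            continue
        if net.prefixlen == 32:  # a host mask always makes it a host address
            return "host"
        if addr == net.network_address:
            return "network"
        if addr == net.broadcast_address:
            return "broadcast"
        return "host"
    return None


# Constructed sample line modelled on the one in the post; 198.51.100.2 is a
# documentation address standing in for the author's redacted destination.
SAMPLE_LINE = (
    "Nov 03 2008 09:50:54: %PIX-3-305006: portmap translation creation failed "
    "for udp src adsl_inet:192.168.249.10/50149 dst internet:198.51.100.2/53"
)

# The Cisco example: a subnet static alone, and the same subnet with the
# host static placed in front of it (same translation on both, as required).
SUBNET_ONLY = [Static("10.2.2.128", "10.1.1.128", "255.255.255.128")]
WITH_HOST_FIRST = [
    Static("10.2.2.128", "10.2.2.128", "255.255.255.255"),
    Static("10.2.2.128", "10.2.2.128", "255.255.255.128"),
]


if __name__ == "__main__":
    print(parse_305006(SAMPLE_LINE))
    for ip in ("10.2.2.128", "10.2.2.200", "10.2.2.255"):
        print(ip, classify_global(SUBNET_ONLY, ip), classify_global(WITH_HOST_FIRST, ip))
```

Feeding the dst_ip from a parsed 305006 line into classify_global with your own static statements tells you whether the documented network/broadcast case can apply to that drop at all; with SUBNET_ONLY the example returns network for 10.2.2.128 and broadcast for 10.2.2.255, and WITH_HOST_FIRST turns 10.2.2.128 into host while leaving 10.2.2.255 as broadcast.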
What helped me was recreating the NAT rule from scratch:

no nat (adsl_inet) 5 192.168.249.0 255.255.255.0
no global (adsl_inet) 5 interface
global (adsl_inet) 5 interface
nat (adsl_inet) 5 192.168.249.0 255.255.255.0

After that everything worked as it should and no messages were spewed into syslog. And how should this be understood? A hardware glitch? It is also notable that the PIX survived a serious voltage sag during the ATS switchover and did not reboot. Cisco, after all...