| Message Code | PIX-3-305006 |
| Severity | Error |
| Description | "{outbound static|identity|portmap|regular) translation creation failed for protocol src interface_name:source_address/source_port dst interface_name:dest_address/dest_port" |
| Explanation | "A protocol (UDP, TCP, or ICMP) failed to create a translation through the Cisco ASA . This message appears as a fix to caveat CSCdr0063 that requested that Cisco ASA not allow packets that are destined for network or broadcast addresses. The Cisco ASA provides this checking for
addresses that are explicitly identified with static command statements. With the change, for inbound traffic, the Cisco ASA denies translations for a destined IP address identified as a network or broadcast address. The Cisco ASA does not apply PAT to all ICMP message types; it only applies PAT ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT xlate. So, when the other ICMP messages types are dropped, system log message 305006 (on the Cisco ASA ) is generated. The Cisco ASA utilizes the global IP and mask from configured static command statements to differ regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the Cisco ASA does not create a translation for network or broadcast IP addresses with inbound packets. For example: static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128 Global address 10.2.2.128 is responded to as a network address and 10.2.2.255 is responded to as the broadcast address. Without an existing translation, Cisco ASA denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and logs this system log message. When the suspected IP is a host IP, configure a separated static command statement with a host mask in front of the subnet static (first match rule for static command statements). The following static causes the Cisco ASA to respond to 10.2.2.128 as a host address: static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255 static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128 The translation may be created by traffic started with the inside host with the questioned IP address. Because the Cisco ASA views a network or broadcast IP address as a host IP address with overlapped subnet static configuration, the network address translation for both static command statements must be the same." |
| User Action | None required. |
| Reference Links |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.