I had a similar 'self-inflicted wound' a while back.  Seems some dope (that
would be me) had retired some public IP ranges on the inside and needed to
(temporarily) route those to null from his inside router.  Otherwise, the
hapless administrator saw these udps denied with the dreaded 'xlate' error,
as his router was cheerfully sending the packets out the default gateway ---
the PIX inside interface.  Note the PIX does not, as aforementioned, route.

Sooo, I'd look at that outside router, and maybe any inside route tables you
might have.

Best, G.
VP OGC

 
> -----Original Message-----
> From: Wilton White [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 25, 2002 8:14 PM
> To: [EMAIL PROTECTED]
> Subject: RE: how to deal with this message on pix? [7:39497]
> 
> 
> PIX should not see that traffic in the first place. PIX only routes
> traffic between interfaces and can't make "u-turns" - only routes
> traffic from inside to outside or from outside to inside, but not from
> inside to inside or outside to outside. PIX considers this a security
> violation.
> I would check the outside router and see why it is forwarding this traffic
> to the PIX.
> 
> -- Lidiya White
> CCIE #8155
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roy
> Sent: Monday, March 25, 2002 8:20 PM
> To: [EMAIL PROTECTED]
> Subject: how to deal with this message on pix? [7:39497]
> 
> 
> hi all
> 
> I notice the message shown below on my PIX, and how can I deal with it?
> 
> 106011: Deny inbound (No xlate) udp src outside:61.156.7.187/16372 dst outside:202.96.137.40/6970
> 106011: Deny inbound (No xlate) udp src outside:61.156.7.187/16372 dst outside:202.96.137.40/6970
> 106011: Deny inbound (No xlate) udp src outside:61.156.7.187/16372 dst outside:202.96.137.40/6970
> 106011: Deny inbound (No xlate) tcp src outside:202.109.106.130/8893 dst outside:202.96.137.40/59478
> 106011: Deny inbound (No xlate) udp src outside:202.96.136.201/49202 dst outside:202.96.137.40/53
> 106011: Deny inbound (No xlate) tcp src outside:162.105.69.121/21 dst outside:202.96.137.40/60090




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39577&t=39497
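
Added example, not part of the original thread or written by any of its participants: a small Python triage script for the 106011 messages quoted above. It rejoins entries that a mail client wrapped, then counts the denies whose source and destination are on the same interface, which is the "u-turn" case both replies attribute to routing around the PIX. The function names are hypothetical, and the last sample line (192.0.2.x addresses) is constructed to show a non-matching entry.

```python
import re
from collections import Counter

# PIX syslog 106011 in the form quoted in the thread:
#   106011: Deny inbound (No xlate) <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
LINE_RE = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

def unwrap(text):
    """Strip mail quoting ('> ') and rejoin entries the mailer wrapped."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        # A six-digit message ID starts a new entry; anything else continues one.
        if re.match(r"\d{6}: ", line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def hairpins(text):
    """Count denies whose source and destination sit on the same interface,
    keyed by (interface, destination IP, protocol, destination port)."""
    hits = Counter()
    for entry in unwrap(text):
        m = LINE_RE.search(entry)
        if m and m["sif"] == m["dif"]:
            hits[(m["dif"], m["dip"], m["proto"], int(m["dport"]))] += 1
    return hits

# Sample input: the first three entries are from the thread (still mail-wrapped);
# the last one is constructed and crosses interfaces, so it is not counted.
SAMPLE = """\
> 106011: Deny inbound (No xlate) udp src outside:61.156.7.187/16372 dst
> outside:202.96.137.40/6970
> 106011: Deny inbound (No xlate) udp src outside:61.156.7.187/16372 dst
> outside:202.96.137.40/6970
> 106011: Deny inbound (No xlate) tcp src 
> outside:202.109.106.130/8893 dst
> outside:202.96.137.40/59478
> 106011: Deny inbound (No xlate) udp src outside:192.0.2.10/40000 dst inside:192.0.2.20/53
"""

if __name__ == "__main__":
    for (ifc, dip, proto, dport), n in hairpins(SAMPLE).most_common():
        print(f"{n:3d}  {ifc} -> {ifc}  {dip} {proto}/{dport}")
```

A destination that dominates the output is the address to look up in the neighbouring router's route table, since that router is handing the PIX traffic on the interface the traffic should leave by.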