pix error No translation group found for udp src outside

Hello, I am getting that error on port 137 for an external host and an internal host.

I believe it could be related to my inside access list

this is my inside access-list

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Is this totally wrong? Should I have only 101 with all my hosts behind NAT? Thanks.

Reply to
jcharth

Hi,

Can you post an example of your access-list 101 so that we can see what you are choosing not to NAT.

Thanks,

Martin

Reply to
Nick Ersdown

In article , wrote:
:Hello, I am getting that error on port 137 for an external host and an
:internal host.

:I believe it could be related to my inside access list

:this is my inside access-list

:nat (inside) 0 access-list 101
:nat (inside) 1 0.0.0.0 0.0.0.0 0 0

:Is this totally wrong? Should I have only 101 with all my hosts behind
:NAT?

The message you are seeing is normal for the situation in which someone addresses a UDP packet to your PIX (other than snmp or one of the VPN protocols), and you do not have an IP address translation set up that would allow the packet inside.

If you do not -want- those packets to come inside (i.e., all the random attack packets), then you do not need to do anything.

If you -do- want the packets to come inside, then if you are using private IP addressing inside, you would

static (inside,outside) udp interface 137 INTERNALIPADDRESS 137 netmask 255.255.255.255
access-list outside2inside permit udp any interface outside eq 137
access-group outside2inside in interface outside

OR

static (inside,outside) udp PUBLICIP 137 INTERNALIPADDRESS 137 netmask 255.255.255.255
access-list outside2inside permit udp any host PUBLICIP eq 137
access-group outside2inside in interface outside

Chances are that you should not be using nat 0 access-list unless you have a VPN -- and if you do, then you must ensure that you do not use the same access list name for your nat 0 access-list statement as you use for your ACL that is applied via the access-group command. Duplicate the contents of the ACL if you need to, but you cannot use the same ACL for both of these purposes.

There are some other ways to proceed depending on your exact needs, but I won't go into those unless you expand on your situation.

One more thing: if for some reason you do NOT want the packets to get inside, but you want a standard Deny error message to be generated instead of the "No translation group" message, then create the static as described above, but do not add the port to the access-list that is being applied to the outside interface through the access-group.

Reply to
Walter Roberson
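The reply above boils down to a triage rule: an untranslated inbound UDP packet only needs a static and an access-list entry if you actually publish that service; otherwise the message is the expected outcome and the count is just a measure of background probing. The following script is an added example (not part of this thread, nor Cisco's own tooling) that applies that rule to PIX syslog output. It assumes the message carries syslog ID 305005 with the field layout "for PROTO src IF:IP/PORT dst IF:IP/PORT" as in the thread title; the log lines are constructed, using RFC 5737 documentation addresses on the outside.

```python
"""Triage PIX 'No translation group found' syslog messages.

Counts untranslated packets per protocol/destination port and per source, then
applies the rule from the reply above: services you do not publish inside need
no action, services you do publish need a static plus an access-list entry.
"""
import re
from collections import Counter

# Assumed: syslog ID 305005 carries the "No translation group found" message
# with this field layout (matches the thread title's "for udp src outside").
PATTERN = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>[a-z]+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[0-9.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[0-9.]+)/(?P<dst_port>\d+)"
)

# Constructed sample log, not from the original post. The non-305005 line is
# there to show that unrelated messages are skipped.
SAMPLE_LOG = """\
Nov 10 08:00:01 pix %PIX-3-305005: No translation group found for udp src outside:203.0.113.5/137 dst inside:192.168.1.10/137
Nov 10 08:00:02 pix %PIX-3-305005: No translation group found for udp src outside:198.51.100.7/137 dst inside:192.168.1.10/137
Nov 10 08:00:03 pix %PIX-3-305005: No translation group found for udp src outside:203.0.113.9/1026 dst inside:192.168.1.10/137
Nov 10 08:00:04 pix %PIX-6-302010: 3 in use, 5 most used
Nov 10 08:00:05 pix %PIX-3-305005: No translation group found for udp src outside:203.0.113.5/137 dst inside:192.168.1.11/137
Nov 10 08:00:06 pix %PIX-3-305005: No translation group found for tcp src outside:198.51.100.8/40000 dst inside:192.168.1.10/445
"""


def parse_line(line):
    """Return the fields of one 305005 message as a dict, or None for any other line."""
    m = PATTERN.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def summarize(log_text):
    """Aggregate 305005 messages: total, per (proto, dst_port), per source IP, inside targets."""
    by_service = Counter()
    by_source = Counter()
    targets = set()
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        by_service[(rec["proto"], rec["dst_port"])] += 1
        by_source[rec["src_ip"]] += 1
        targets.add(rec["dst_ip"])
    return {
        "total": total,
        "by_service": by_service,
        "by_source": by_source,
        "targets": sorted(targets),
    }


def triage(summary, published=frozenset()):
    """Map each (proto, port) bucket to (count, action).

    `published` is the set of (proto, port) services you intend to expose.
    Everything else is the normal drop the reply describes and gets 'ignore'.
    """
    verdicts = {}
    for svc, count in summary["by_service"].most_common():
        action = "needs static and access-list" if svc in published else "ignore"
        verdicts[svc] = (count, action)
    return verdicts


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} untranslated packets toward {len(s['targets'])} inside hosts")
    # Nothing published, as in this thread: every bucket comes back as 'ignore'.
    for (proto, port), (count, action) in triage(s).items():
        print(f"  {proto}/{port}: {count} -> {action}")
    for ip, n in s["by_source"].most_common(3):
        print(f"  top source {ip}: {n}")
```

Run it against a syslog export instead of SAMPLE_LOG to see whether the 10,000/day are spread across many sources on UDP/137 (routine NetBIOS probing, nothing to do) or concentrated on a port you are supposed to be serving, which is the case where the static and access-list above are the fix.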

That is totally awesome, thanks. I was worried because I am getting 10,000/day, but I am not going to worry about it anymore.
Reply to
jcharth
