
Cisco PIX 515e

13 years 1 month ago #36533 by betress
Cisco PIX 515e was created by betress
I am new to the firewall and switch world; my background mainly lies in process control. But in the past month everyone who knew anything about our network system has quit.

I tried to console into our process-control network firewall and this is what I get. I can't do anything because these error messages continuously scroll. Please help.
I can't post the running config because I can't get to it.

305005: No translation group found for tcp src inside:167.147.147.211/1380 dst outside:147.23.228.18/445
305005: No translation group found for tcp src inside:167.147.147.211/1382 dst outside:68.90.1.60/445
305005: No translation group found for tcp src inside:167.147.147.211/1381 dst outside:102.20.131.112/445
305005: No translation group found for tcp src inside:167.147.147.211/1417 dst outside:58.110.8.119/445
110001: No route to 167.147.147.254 from 167.147.146.1
305005: No translation group found for tcp src inside:167.147.147.68/1849 dst outside:33.84.120.54/445
305005: No translation group found for tcp src inside:167.147.147.68/1850 dst outside:50.79.115.13/445
305005: No translation group found for tcp src inside:167.147.147.68/1851 dst outside:63.82.250.119/445
305005: No translation group found for tcp src inside:167.147.147.68/1852 dst outside:186.107.18.101/445
313001: Denied ICMP type=5, code=0 from 167.147.146.3 on interface 1
305005: No translation group found for tcp src inside:167.147.147.211/1468 dst outside:103.52.186.41/445
305005: No translation group found for tcp src inside:167.147.147.211/1466 dst outside:50.3.200.33/445
305005: No translation group found for tcp src inside:167.147.147.211/1441 dst outside:38.5.92.60/445
305005: No translation group found for tcp src inside:167.147.147.211/1442 dst outside:41.88.144.57/445
305005: No translation group found for tcp src inside:167.147.147.211/1468 dst outside:103.52.186.41/445
305005: No translation group found for tcp src inside:167.147.147.211/1483 dst outside:56.86.215.35/445
305005: No translation group found for tcp src inside:167.147.147.211/1466 dst outside:50.3.200.33/445
305005: No translation group found for tcp src inside:167.147.147.211/1482 dst outside:113.17.199.4/445
305005: No translation group found for tcp src inside:167.147.147.211/1484 dst outside:109.37.48.124/445
313001: Denied ICMP type=5, code=0 from 167.147.146.3 on interface 1

Does anyone have any idea how to get past this? I tried to telnet into the firewall and it won't connect. I tried via the DMZ and it gives a message that the host rejected the connection.
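The messages above all come from two inside hosts (167.147.147.211 and 167.147.147.68) opening connections to many unrelated outside addresses on tcp/445. Before anyone adds a NAT rule that gives that traffic a way out, it is worth knowing exactly which hosts are generating it and how many distinct destinations each is hitting; that is also what tells you which "traffic generating units" to disconnect to get a usable console. The script below is an added example, not from the thread or from Cisco: it parses PIX 305005 lines (with or without the `%PIX-6-` prefix), groups them by source host and destination port, and flags sources that touch many different destinations on one port. The sample lines are re-joined copies of the ones posted above; the threshold of three distinct destinations is an assumed value, not a Cisco default.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the post above, re-joined
# because the console wrapped them mid-word.
SAMPLE_LOG = """\
305005: No translation group found for tcp src inside:167.147.147.211/1380 dst outside:147.23.228.18/445
305005: No translation group found for tcp src inside:167.147.147.211/1382 dst outside:68.90.1.60/445
305005: No translation group found for tcp src inside:167.147.147.211/1381 dst outside:102.20.131.112/445
110001: No route to 167.147.147.254 from 167.147.146.1
305005: No translation group found for tcp src inside:167.147.147.68/1849 dst outside:33.84.120.54/445
305005: No translation group found for tcp src inside:167.147.147.68/1850 dst outside:50.79.115.13/445
313001: Denied ICMP type=5, code=0 from 167.147.146.3 on interface 1
305005: No translation group found for tcp src inside:167.147.147.211/1468 dst outside:103.52.186.41/445
305005: No translation group found for tcp src inside:167.147.147.211/1468 dst outside:103.52.186.41/445
"""

# Syslog-delivered PIX messages carry a "%PIX-<sev>-305005:" prefix; the raw
# console output in the post does not. The optional group accepts both.
PAT_305005 = re.compile(
    r"(?:%PIX-\d-)?305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_305005(text):
    """Yield one record per 305005 line; other message IDs are skipped."""
    for line in text.splitlines():
        m = PAT_305005.search(line)
        if m:
            rec = m.groupdict()
            rec["src_port"] = int(rec["src_port"])
            rec["dst_port"] = int(rec["dst_port"])
            yield rec


def summarize(text):
    """Per (source host, protocol, destination port): attempts and distinct destinations."""
    stats = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for rec in parse_305005(text):
        key = (rec["src_ip"], rec["proto"], rec["dst_port"])
        stats[key]["attempts"] += 1
        stats[key]["destinations"].add(rec["dst_ip"])
    return {
        key: {"attempts": v["attempts"], "distinct_dst": len(v["destinations"])}
        for key, v in stats.items()
    }


def suspicious_sources(text, min_distinct=3):
    """Source hosts that reach at least min_distinct different addresses on one port.

    min_distinct is an assumed threshold for this example; tune it to the network.
    """
    return sorted(
        {src for (src, _proto, _port), v in summarize(text).items()
         if v["distinct_dst"] >= min_distinct}
    )


if __name__ == "__main__":
    for (src, proto, port), v in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} {proto}/{port:<5} attempts={v['attempts']:3} "
              f"distinct destinations={v['distinct_dst']}")
    print("check these hosts before giving them a path out:",
          suspicious_sources(SAMPLE_LOG))
```

Run it against the full console capture (or a syslog file) rather than the sample, and disconnect or check the hosts it lists first; those are the ones producing the scroll.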
13 years 1 month ago #36534 by Nevins
Replied by Nevins on topic Re: Cisco PIX 515e
If you have SSH set up, the messages should not appear unless the terminal monitor command has been used. If you know the passwords for the SSH connections, use those. Then input the no logging command.


www.cisco.com/en/US/docs/security/pix/pi...emint.html#wp1022084

Good luck.

Also try Ctrl+Z and Ctrl+Shift+6.

Honestly, my firewall troubleshooting knowledge is a bit less than many of the people here, but I've been in that spot before, so I'm giving you the advice that I would attempt.


Edit: upon further review it appears you do not have NAT/PAT set up correctly, and you're getting that spam because hosts on your network error out when trying to get out of the network. When everyone goes home, unplug the traffic-generating units from the security device; it should knock the number of error messages down to zero and you should be able to work with a prompt. If the network you're working with is a highly important network with crucial uptime, I suggest looking to a local firm to consult. The disadvantage is that the consultant is likely to charge an arm and a leg; the advantages, however, are that you will likely make the difference up in the cost of the rest of the staff who are being paid to do nothing, in the difference in downtime spent by you versus the consultant, and you will likely take less stress from your manager for something that has more or less been thrown into your lap. Additionally, check around and see if there are any backup config files for the ASA. It's quite possible the ex-employee intentionally removed the NAT configuration or changed it. If there is a backup lying around or on a TFTP server somewhere, use it, but only after copying the current startup and running configs to a TFTP server.


EDIT Summary: get someone from outside to do it; you don't want to take shit for someone else's mess.
Try to copy the current running and startup configs to a TFTP server.
If possible, try to work on it when nobody else is there (assuming you can't get a consultant) and remove sources of traffic.

Note: more than likely you won't have to disconnect any wires; just shut off the device that connects the hosts to the ASA.

Useful Threads
================================
www.firewall.cx/forum/2-basic-concepts/3...e-resource-page.html
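The steps in the post above (silence the console, back up both configs, then look at the NAT/PAT state) as a PIX CLI session. This is an added example, not from the thread or from Cisco's documentation, and it assumes PIX OS 6.3 or 7.x; the prompt name, the TFTP server 192.0.2.10 and the file names are placeholders. Note that `no logging console` only stops messages on the console line, which is what you want here, whereas `no logging on` disables all logging and would also stop buffered and syslog copies you may want later.

```text
! 1. Stop the console scroll without losing the log itself.
pixfirewall> enable
pixfirewall# configure terminal
pixfirewall(config)# no logging console
pixfirewall(config)# logging buffered warnings
pixfirewall(config)# exit
! "show logging" confirms the logging settings; "terminal monitor" is what
! would echo these messages on a telnet/SSH session, so leave it off.
pixfirewall# show logging
pixfirewall# show version

! 2. Copy both configs off-box before changing anything.
! "write net" works on 6.x and 7.x; the copy form is PIX 7.x syntax.
pixfirewall# write net 192.0.2.10:pix-running.cfg
pixfirewall# copy running-config tftp://192.0.2.10/pix-running.cfg
pixfirewall# copy startup-config tftp://192.0.2.10/pix-startup.cfg

! 3. Look at what NAT the box actually has. 305005 means a packet matched
! no nat/global (or static) pair, so expect these to be empty or wrong.
pixfirewall# show nat
pixfirewall# show global
pixfirewall# show xlate

! 4. Only if the backup shows a plain outbound PAT was what used to be there:
pixfirewall# configure terminal
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 interface
pixfirewall(config)# exit
pixfirewall# write memory
```

Compare the restored nat/global/static lines against the backup line by line before writing memory, and check the inside hosts named in the 305005 messages before giving them a path out: two hosts hitting dozens of unrelated outside addresses on tcp/445 is something to explain, not just to translate.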
13 years 1 month ago #36536 by betress
Replied by betress on topic Re: Cisco PIX 515e
Thanks for the replies. I have tried all suggestions to no avail. Looks like the best advice I can use is to wait till there's a downtime and unplug the DMZ from the firewall so I can get a command prompt.
13 years 1 month ago #36540 by rizin
Replied by rizin on topic Re: Cisco PIX 515e
Ctrl+Z is the best option looking at your current scenario. Or go to telnet and try your luck from there.

Known is a drop, unknown is an Ocean