Routing failures with portmap translation errors

This all started with an upgrade from a no-firewall situation to using a Cisco ASA 5505. Prior to the installation of the ASA, this network was using simple port forwarding from the ISP. When the ASA was installed, the perimeter router was put in a simple bridged mode by the ISP.

From day one the ASA displayed the attached error message about portmap translation failures for end-user devices at the remote office trying to reach the primary DNS server. Upon further investigation a general routing failure was found.

From within a network device (routers and ASA) I can get to all other network equipment. End-user equipment is visible from within their respective local network, but could not be seen across the private T-1. To make things even more interesting: the file and mail server is visible to end-user systems at the remote office but not the primary DNS server. The VoIP phones are also able to see the VoIP switch.

I just realized that the ASA config I attached doesn't show it, but I did recently upgrade from 7.2(4) to 8.0(4) in an effort to fix this issue.

Any thoughts why routing is selectively working??
Genesis-ASA-and-portmap-error--s.txt
Genesis-core.txt
Genesis-remote.txt
Basic-network-diagram.pdf
KeepSloanWeird Asked:
lrmoore Commented:
> portmap translation creation failed for udp src inside:192.168.2.5/53 dst inside:192.168.1.45/5353
It's real simple. Both source and destination are internal. The ASA simply can't do anything with it.

The answer is to use the router 192.168.2.253 as the default gateway for everything on the LAN and have *it* point to the ASA with a default route.


0
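A triage script for the log message quoted in the answer above, as an added example that is not part of the thread: it parses translation-failure lines and counts the source hosts whose packets entered the ASA on the same interface they would have to leave by, which are the hosts handing internal traffic to the firewall instead of the router. Only the first sample line comes from the thread; the other lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Message body as quoted in the thread; any syslog prefix before it is ignored.
FAIL_RE = re.compile(
    r"translation creation failed for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def parse_failure(line):
    """Return the fields of one translation-failure line, or None for other messages."""
    m = FAIL_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Same ingress and egress interface: the firewall was asked to turn traffic around.
    rec["same_interface"] = rec["src_if"] == rec["dst_if"]
    return rec

def same_interface_sources(lines):
    """Count same-interface failures per (interface, source host)."""
    counts = Counter()
    for line in lines:
        rec = parse_failure(line)
        if rec and rec["same_interface"]:
            counts[(rec["src_if"], rec["src_ip"])] += 1
    return counts

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = [
    "portmap translation creation failed for udp src inside:192.168.2.5/53 dst inside:192.168.1.45/5353",
    "portmap translation creation failed for udp src inside:192.168.2.5/53 dst inside:192.168.1.61/5353",
    "portmap translation creation failed for tcp src inside:192.168.2.40/49152 dst inside:192.168.1.45/445",
    "portmap translation creation failed for tcp src outside:203.0.113.10/40000 dst inside:192.168.2.5/25",
    "interface inside link state changed to up",  # constructed unrelated message
]

if __name__ == "__main__":
    for (iface, host), n in same_interface_sources(SAMPLE_LOG).most_common():
        print(f"{host}: {n} packet(s) arrived on '{iface}' for a host behind '{iface}'")
```

Each host the script reports is a candidate for the gateway change described in the answer.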

leonjs Commented:
The other answer, and what I have done in the past as a way around this (of course less commonly practiced), is to create an object group consisting of your network and do a static NAT from the inside to the inside.
0
KeepSloanWeird (Author) Commented:
So I would have DHCP hand out 192.168.2.253 as the gateway for the CORE LAN and then have that device use the ASA as its gateway? What about the remote office's gateway?
0
KeepSloanWeird (Author) Commented:
I can't say thank you enough for the input. Just a little more clarification would have been extremely helpful as I was initially hesitant to make the suggested changes without 100% understanding what was being suggested. But I took a leap of faith and it worked.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.