Solved

Routing failures with portmap translation errors

Posted on 2008-10-20
Last Modified: 2012-05-05
This all started with an upgrade from a no firewall situation to using a Cisco ASA 5505. Prior to the installation of the ASA this network was using simple port forwarding from the ISP. When the ASA was installed the perimeter router was put in a simple bridged mode by the ISP.

From day one the ASA displayed the attached error message about portmap translation failures for end-user devices at the remote office trying to reach the primary DNS server. Upon further investigation a general routing failure was found.

From within a network device (routers and ASA) I can get to all other network equipment. End-user equipment is visible from within their respective local network, but could not be seen across the private T-1. To make things even more interesting: the file and mail server is visible to end-user systems at the remote office but not the primary DNS server. The VoIP phones are also able to see the VoIP switch.

I just realized that the ASA config I attached doesn't show it, but I did recently upgrade from 7.2(4) to 8.0(4) in an effort to fix this issue.

Any thoughts why routing is selectively working??
Genesis-ASA-and-portmap-error--s.txt
Genesis-core.txt
Genesis-remote.txt
Basic-network-diagram.pdf
Question by:KeepSloanWeird
4 Comments
 
Accepted Solution

by:
lrmoore earned 500 total points
ID: 22763084
> portmap translation creation failed for udp src inside:192.168.2.5/53 dst inside:192.168.1.45/5353
It's real simple. Both source and destination are internal. The ASA simply can't do anything with it.

The answer is to use the router 192.168.2.253 as the default gateway for everything on the LAN and have *it* point to the ASA with a default route.
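
The diagnosis above (source and destination both on the `inside` interface) can be checked across a whole log rather than one line. This is an added example, not part of the original thread; the /24 masks, the `%ASA-...` syslog prefixes and every sample line except the one quoted above are assumptions constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches the message body quoted in the thread; any syslog prefix before it is ignored.
XLATE_FAIL = re.compile(
    r"translation creation failed for (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

# Assumption: both LANs are /24; the thread only shows individual addresses.
LANS = ["192.168.2.0/24", "192.168.1.0/24"]

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE = [
    "portmap translation creation failed for udp src inside:192.168.2.5/53 dst inside:192.168.1.45/5353",
    "%ASA-3-305006: portmap translation creation failed for udp src inside:192.168.2.5/53 dst inside:192.168.1.46/1029",
    "%ASA-3-305006: regular translation creation failed for tcp src inside:192.168.2.40/3301 dst outside:203.0.113.10/80",
    "%ASA-6-302016: Teardown UDP connection 4123 for outside:203.0.113.53/53 to inside:192.168.2.40/1030",
]


def hairpin_flows(lines, subnets):
    """Count translation failures whose src and dst interface are the same,
    grouped by (interface, source subnet, destination subnet)."""
    nets = [ip_network(s) for s in subnets]

    def subnet_of(addr):
        ip = ip_address(addr)
        return next((str(n) for n in nets if ip in n), "unknown")

    flows = Counter()
    for line in lines:
        m = XLATE_FAIL.search(line)
        if not m or m["sif"] != m["dif"]:
            continue  # unrelated message, or traffic that really crosses the firewall
        flows[(m["sif"], subnet_of(m["sip"]), subnet_of(m["dip"]))] += 1
    return flows


if __name__ == "__main__":
    for (iface, src, dst), n in hairpin_flows(SAMPLE, LANS).most_common():
        print(f"{n} failure(s): {src} -> {dst}, both via '{iface}' (LAN-to-LAN traffic sent to the ASA)")
```

Each group it reports is LAN-to-LAN traffic that hosts are handing to the ASA, which is the traffic the suggested gateway change moves onto the router.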


Expert Comment

by:leonjs
ID: 22763245
The other answer, and what I have done in the past as a way around this (of course a less common practice), is to create an object group consisting of your network and do a static NAT from the inside to the inside.
Author Comment

by:KeepSloanWeird
ID: 22763931
So I would have DHCP hand out 192.168.2.253 as the gateway for the CORE LAN and then have that device use the ASA as its gateway? What about the remote office's gateway?
Author Closing Comment

by:KeepSloanWeird
ID: 31508801
I can't say thank you enough for the input. Just a little more clarification would have been extremely helpful as I was initially hesitant to make the suggested changes without 100% understanding what was being suggested. But I took a leap of faith and it worked.
Question has a verified solution.
