rigneydolphin
asked on
"Portmap Translation Creation Failed" on Cisco ASA Firewall
Hi,
I'm configuring a new Cisco ASA firewall and i'm receiving the following error "Portmap translation creation failed for icmp src inside:xxx:xxx:xxx:xxx dst outside:yyy:yyy:yyy:yyy (type 8 code 0)"
The ACL's are configured to permit any to any traffic on both the inside and outside interfaces for the time being. The inside interface has a security level of 100 and a mask of 255.255.255.0, outside interface has 255.255.255.240 mask and security level of 0.
I currently cant get see through to the far side at all. I think it maybe the NAT configuration but im not sure what way to set it up.
Any body have any ideas on this.
I'm configuring a new Cisco ASA firewall and i'm receiving the following error "Portmap translation creation failed for icmp src inside:xxx:xxx:xxx:xxx dst outside:yyy:yyy:yyy:yyy (type 8 code 0)"
The ACL's are configured to permit any to any traffic on both the inside and outside interfaces for the time being. The inside interface has a security level of 100 and a mask of 255.255.255.0, outside interface has 255.255.255.240 mask and security level of 0.
I currently cant get see through to the far side at all. I think it maybe the NAT configuration but im not sure what way to set it up.
Any body have any ideas on this.
Heiko Bialozyt
pls show us your actual config. yes it seems a wrong NAT-setup, but there are too much possible reason.
ASKER
Hi heiko,
I've removed all NATs and getting an ACL error now instead when I try to do a packet trace. It seems to drop the packet due to an implicit ACL Denying Any to Any traffic on the incoming interface.
What is this implicit rule?
Here is the config cleaned up a bit:
Saved
:
ASA Version 7.2(4)
!
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.XXX.XXX 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.2.yyy.yyy 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
port-object eq ssh
access-list outside_access_in extended permit ip any any
access-list outside_access_in
access-list outside_access_in extended permit tcp host 10.2.yyy.yyy any object-group DM_INLINE_TCP_1
access-list outside_access_in
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any eq www
access-list outside_access_in
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any object-group DM_INLINE_TCP_4
access-list outside_access_in extended permit ip host 10.2.xyz.xyz any
access-list outside_access_in extended permit ip host 10.2.xyz.xyz any
access-list outside_access_in extended permit tcp host 10.0.xyz.xyz host 10.0.xyz.xyz object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 any
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route outside 0.0.0.0 0.0.0.0 10.0.xxx.yyy 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.yyy.yyy 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.0.yyy.yyy 255.255.255.0 inside
telnet timeout 5
ssh 10.0.yyy.yyy 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
asdm image disk0:/asdm-524.bin
no asdm history enable
Thanks
I've removed all NATs and getting an ACL error now instead when I try to do a packet trace. It seems to drop the packet due to an implicit ACL Denying Any to Any traffic on the incoming interface.
What is this implicit rule?
Here is the config cleaned up a bit:
Saved
:
ASA Version 7.2(4)
!
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.XXX.XXX 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.2.yyy.yyy 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
port-object eq ssh
access-list outside_access_in extended permit ip any any
access-list outside_access_in
access-list outside_access_in extended permit tcp host 10.2.yyy.yyy any object-group DM_INLINE_TCP_1
access-list outside_access_in
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any eq www
access-list outside_access_in
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any object-group DM_INLINE_TCP_4
access-list outside_access_in extended permit ip host 10.2.xyz.xyz any
access-list outside_access_in extended permit ip host 10.2.xyz.xyz any
access-list outside_access_in extended permit tcp host 10.0.xyz.xyz host 10.0.xyz.xyz object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 any
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route outside 0.0.0.0 0.0.0.0 10.0.xxx.yyy 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.yyy.yyy 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.0.yyy.yyy 255.255.255.0 inside
telnet timeout 5
ssh 10.0.yyy.yyy 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
asdm image disk0:/asdm-524.bin
no asdm history enable
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.