  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2815

"Portmap Translation Creation Failed" on Cisco ASA Firewall

Hi,

I'm configuring a new Cisco ASA firewall and I'm receiving the following error: "Portmap translation creation failed for icmp src inside:xxx:xxx:xxx:xxx dst outside:yyy:yyy:yyy:yyy (type 8 code 0)".

The ACLs are configured to permit any-to-any traffic on both the inside and outside interfaces for the time being. The inside interface has a security level of 100 and a mask of 255.255.255.0; the outside interface has a 255.255.255.240 mask and a security level of 0.

I currently can't see through to the far side at all. I think it may be the NAT configuration, but I'm not sure what way to set it up.

Anybody have any ideas on this?
Asked by rigneydolphin
1 Solution
 
heiko commented:
Please show us your actual config. Yes, it seems to be a wrong NAT setup, but there are too many possible reasons.
0
 
rigneydolphin (Author) commented:
Hi heiko,

I've removed all NATs and I'm getting an ACL error now instead when I try to do a packet trace. It seems to drop the packet due to an implicit ACL denying any-to-any traffic on the incoming interface.

What is this implicit rule?

Here is the config, cleaned up a bit:

Saved
:
ASA Version 7.2(4)
!

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.XXX.XXX 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.2.yyy.yyy 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
 port-object eq ssh
access-list outside_access_in extended permit ip any any
access-list outside_access_in
access-list outside_access_in extended permit tcp host 10.2.yyy.yyy any object-group DM_INLINE_TCP_1
access-list outside_access_in
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any eq www
access-list outside_access_in
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any object-group DM_INLINE_TCP_4
access-list outside_access_in extended permit ip host 10.2.xyz.xyz any
access-list outside_access_in extended permit ip host 10.2.xyz.xyz any
access-list outside_access_in extended permit tcp host 10.0.xyz.xyz host 10.0.xyz.xyz object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 any
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route inside 10.0.xxx.yyy 255.255.255.0 10.0.xxx.yyy 1
route outside 0.0.0.0 0.0.0.0 10.0.xxx.yyy 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.yyy.yyy 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.0.yyy.yyy 255.255.255.0 inside
telnet timeout 5
ssh 10.0.yyy.yyy 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
asdm image disk0:/asdm-524.bin
no asdm history enable

Thanks
0
 
heiko commented:
Hi, your access-list section is a bit confused ;o)

!! permits any to any ip on outside interface
access-list outside_access_in extended permit ip any any
!! what should it do?
access-list outside_access_in
!! has no meaning because of the 1st line
access-list outside_access_in extended permit tcp host 10.2.yyy.yyy any object-group DM_INLINE_TCP_1
access-list outside_access_in
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any eq www
access-list outside_access_in
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp host 10.2.xyz.xyz any object-group DM_INLINE_TCP_4
access-list outside_access_in extended permit ip host 10.2.xyz.xyz any
access-list outside_access_in extended permit ip host 10.2.xyz.xyz any

!! starting from here I assume you wanted to write inside_access_in.
!! source 10.0.x.y is on inside, not on outside

access-list outside_access_in extended permit tcp host 10.0.xyz.xyz host 10.0.xyz.xyz object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 any
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz
access-list outside_access_in extended permit ip 10.0.xyz.xyz 255.255.255.0 host 10.0.xyz.xyz

!! this line enables all traffic from inside. That's why I don't understand a deny any any message on inside
access-list inside_access_in extended permit ip any any

Please check your running access-lists!

At the end of each access-list is an invisible entry which denies all other traffic. This is an implicit rule.
If you don't set up any access-lists, traffic will always pass from trusted (secure) interfaces to unsecure (outside) interfaces, and the required answers back. This is also implicit.

If you would like to access inside hosts from outside, then you need to create an access-list on outside (outside_access_in) for this. If you would like to restrict outgoing traffic from inside as well, then you need an access-list on inside (inside_access_in).
0
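As an added illustration of heiko's two points (an "ip any any" entry makes every later entry in that access-list dead, and entries whose source is an inside network belong on the inside interface's ACL), here is a small Python lint for the access-list and access-group part of an ASA config; it also flags exact duplicate entries like the ones in the posted config. This is not code from the thread: the sample config is constructed with made-up addresses, and the checks are an assumption about what a reviewer would want flagged.

```python
import ipaddress
import re
# Constructed sample in the shape of the posted config; addresses are made up.
SAMPLE_CONFIG = """\
 nameif inside
 ip address 10.0.5.1 255.255.255.0
 nameif outside
 ip address 10.2.9.2 255.255.255.240
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp host 10.2.9.3 any eq www
access-list outside_access_in extended permit ip 10.0.5.0 255.255.255.0 any
access-list outside_access_in extended permit ip 10.0.5.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
"""
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) "
                    r"(any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)")

def to_net(spec):  # 'any' -> None, 'host A' -> A/32, 'A MASK' -> A/MASK
    if spec == "any":
        return None
    a, b = spec.split()
    return ipaddress.ip_network(f"{b}/32" if a == "host" else f"{a}/{b}", strict=False)

def lint_acls(config):
    ifaces, groups, acls, findings, nameif = {}, {}, {}, [], None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("ip address ") and nameif:
            ifaces[nameif] = ipaddress.ip_network("/".join(s.split()[2:]), strict=False)
        elif s.startswith("access-group "):
            groups[s.split()[1]] = s.split()[4]  # ACL name -> interface it is applied to
        elif m := ACE_RE.match(s):
            acls.setdefault(m.group(1), []).append((s, m.groups()))
    for name, aces in acls.items():
        bound, blanket = groups.get(name), None
        for i, (s, (_, _, proto, src, dst)) in enumerate(aces):
            if s in [a[0] for a in aces[:i]]:
                findings.append(f"{name}: duplicate entry: {s}")
            if blanket:  # nothing after an 'ip any any' entry can ever match
                findings.append(f"{name}: never matched, shadowed by '{blanket}': {s}")
            elif proto == "ip" and src == "any" and dst == "any":
                blanket = s
            src_net = to_net(src)
            for iface, net in ifaces.items():  # source sits behind another interface
                if src_net and bound and iface != bound and src_net.subnet_of(net):
                    findings.append(f"{name} (inbound on {bound}): source {src} is on {iface}: {s}")
    return findings
```

Calling lint_acls(SAMPLE_CONFIG) reports the shadowed entries, the duplicate, and the two inside-sourced entries that were attached to the outside interface.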