Solved

Cisco ASA - Port Translation Error

Posted on 2009-05-15
Last Modified: 2012-05-07
Hi All,

Not quite sure what I am doing wrong here, but clearly something.

We have had a new service installed which I have set up on a new DMZ called DMZ50.

Connected to the DMZ50 Interface is a Switch that has got Two Routers attached.

This service is to be used by a Server on the Inside Interface, so I have set up the appropriate NAT Exempt Rules so this server can communicate with the Routers on DMZ50.

The servers will then send traffic to a public address on a 3rd Party Network; these will route via the Routers on DMZ50, so I have set up Static Routes for the Destination IPs to go via the Routers on DMZ50.

So far so good.

But when we try and test from the Server that will use this it doesn't work and I get errors in the ASDM Log which are:

portmap translation creation failed for tcp src inside:server01/2273 dst dmz50:xxx.xxx.xxx.xxx/23083

I am completely stumped as to what is going on here.

Can anybody please help?

Thanks

Paul
Question by:essexboy80
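As an added example (not part of the original thread): a small Python parser for the ASA "translation creation failed" message quoted in the question, which the ASA emits under syslog ID 305006. The sample log lines are constructed, and the host names and addresses in them are placeholders; grouping the failures by interface pair shows which NAT path has no rule, exemption or identity static covering it.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post). Addresses and
# host names are placeholders; one unrelated 302013 line is included so the
# parser has something to skip.
SAMPLE_LOG = """\
%ASA-3-305006: portmap translation creation failed for tcp src inside:server01/2273 dst dmz50:198.51.100.10/23083
%ASA-3-305006: portmap translation creation failed for tcp src inside:server01/2274 dst dmz50:198.51.100.10/23083
%ASA-3-305006: portmap translation creation failed for udp src inside:10.0.0.12/50012 dst dmz50:198.51.100.11/500
%ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.12/51000 (192.0.2.1/51000)
%ASA-3-305006: regular translation creation failed for icmp src inside:10.0.0.12/0 dst outside:203.0.113.9/0
"""

# Matches "<kind> translation creation failed for <proto> src <if>:<host>/<port> dst <if>:<host>/<port>"
XLATE_FAIL_RE = re.compile(
    r"%ASA-\d-305006: (?P<kind>\w+) translation creation failed for "
    r"(?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[^/\s]+)/(?P<dport>\d+)"
)


def parse_xlate_failures(text):
    """Return one dict per translation-failure line; other messages are skipped."""
    events = []
    for line in text.splitlines():
        m = XLATE_FAIL_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_interface_pair(events):
    """Count failures per (src_if, dst_if). A pair that keeps appearing is a
    path whose traffic no nat/static/exemption statement covers."""
    return Counter((e["src_if"], e["dst_if"]) for e in events)


def affected_sources(events, src_if, dst_if):
    """Sorted source hosts hitting the gap on one interface pair, i.e. the
    hosts the nat 0 ACL or identity static needs to cover."""
    return sorted({e["src"] for e in events if (e["src_if"], e["dst_if"]) == (src_if, dst_if)})


if __name__ == "__main__":
    evs = parse_xlate_failures(SAMPLE_LOG)
    for pair, n in failures_by_interface_pair(evs).most_common():
        print(f"{pair[0]} -> {pair[1]}: {n} failed translations, sources {affected_sources(evs, *pair)}")
```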
4 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24402088
Hello Paul,
    Most probably, something is wrong with NAT statements. Another static statement may be overwriting your exempt, or your exempt NAT direction is wrong. Try this:

access-list inside_nat0_dmz permit ip server01subnet server01subnetmask dmzroutersubnet dmzrouternetmask
nat (inside) 0 access-list inside_nat0_dmz

Regards
 
LVL 1

Author Comment

by:essexboy80
ID: 24409576
Hi,

Can you just explain what this access list is doing?

I have already got some entries as per below; are these wrong?

access-list inside_outbound_nat0_acl extended permit ip LAN 255.255.252.0 DMZ 255.255.255.0
access-list inside_nat0_outbound extended permit ip LAN 255.255.252.0 DMZ 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound

Thanks
 
LVL 1

Author Comment

by:essexboy80
ID: 24410878
Okay, I have fixed it now. I had to change quite a bit, but the main issue was the lack of

static (inside,dmz) LAN LAN netmask 255.255.252.0
 
LVL 29

Accepted Solution

by:Alan Huseyin Kayahan (earned 2000 total points)
ID: 24413541
static (inside,dmz) LAN LAN netmask 255.255.252.0 does the same job as my previous suggestion. It exempts the specified traffic from NAT.

Regards
