Solved

Cisco ASA - Port Translation Error

Posted on 2009-05-15
Last Modified: 2012-05-07
Hi All,

Not quite sure what I am doing wrong here, but clearly something.

We have had a new service installed which I have setup on a new DMZ called DMZ50.

Connected to the DMZ50 Interface is a Switch that has got Two Routers attached.

This service is to be used by a server on the Inside interface, so I have set up the appropriate NAT exempt rules so this server can communicate with the routers on DMZ50.

The servers will then send traffic to a public address on a 3rd party network; these will route via the routers on DMZ50, so I have set up static routes for the destination IPs to go via the routers on DMZ50.

So far so good.

But when we try and test from the server that will use this, it doesn't work and I get errors in the ASDM log, which are:

portmap translation creation failed for tcp src inside:server01/2273 dst dmz50:xxx.xxx.xxx.xxx/23083

I am completely stumped as to what is going on here.

Can anybody please help?

Thanks

Paul
Question by:essexboy80
4 Comments
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24402088
Hello Paul,
Most probably, something is wrong with NAT statements. Another static statement may be overwriting your exempt, or your exempt NAT direction is wrong. Try this:

access-list inside_nat0_dmz permit ip server01subnet server01subnetmask dmzroutersubnet dmzrouternetmask
nat (inside) 0 access-list inside_nat0_dmz

Regards
LVL 1

Author Comment

by:essexboy80
ID: 24409576
Hi,

Can you just explain what this access list is doing?

I have already got some entries as per below; are these wrong?

access-list inside_outbound_nat0_acl extended permit ip LAN 255.255.252.0 DMZ 255.255.255.0
access-list inside_nat0_outbound extended permit ip LAN 255.255.252.0 DMZ 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound

Thanks
LVL 1

Author Comment

by:essexboy80
ID: 24410878
Okay, I have fixed it now. I had to change quite a bit, but the main issue was the lack of

static (inside,dmz) LAN LAN netmask 255.255.252.0
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 24413541
static (inside,dmz) LAN LAN netmask 255.255.252.0 does the same job as my previous suggestion. It exempts the specified traffic from NAT.

Regards
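As an added example (not code from the thread or from Cisco), a small Python checker that parses the three pre-8.3 ASA statement shapes quoted above and reports which one, if any, exempts a given flow from NAT. It shows why the author's original fragments gave no exemption for inside-to-DMZ traffic (the only nat 0 statement points at an access-list that is never defined), and why either the identity static or the expert's nat (inside) 0 binding fixes it. The LAN, DMZ and server01 addresses are constructed placeholders, since the thread never gives them; Python 3.8 or later is assumed.

```python
import ipaddress
import re
# Constructed addresses for the object names quoted in the thread (assumed values).
NAMES = {"LAN": "10.1.0.0", "DMZ": "172.16.50.0", "server01": "10.1.1.5"}
# Only the three statement shapes that appear in the thread are parsed.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
# The author's original fragments, then the same plus the fix they reported,
# then the expert's alternative of binding an existing ACL to nat (inside) 0.
BEFORE = """
access-list inside_outbound_nat0_acl extended permit ip LAN 255.255.252.0 DMZ 255.255.255.0
access-list inside_nat0_outbound extended permit ip LAN 255.255.252.0 DMZ 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
"""
AFTER = BEFORE + "static (inside,dmz) LAN LAN netmask 255.255.252.0\n"
ALT = BEFORE + "nat (inside) 0 access-list inside_nat0_outbound\n"

def net(addr, mask):
    """Resolve a name or literal address plus netmask to a network."""
    return ipaddress.ip_network(f"{NAMES.get(addr, addr)}/{mask}", strict=False)

def parse(config):
    """Collect ACL entries, nat 0 bindings and static translations."""
    acls, nat0, statics = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := NAT0_RE.match(line):
            nat0[m[1]] = m[2]
        elif m := STATIC_RE.match(line):
            statics.append((m[1], m[2], net(m[3], m[5]), net(m[4], m[5])))
    return acls, nat0, statics

def exemption(config, src_if, dst_if, src_host, dst_host):
    """Explain which statement exempts the flow, or report that none does."""
    acls, nat0, statics = parse(config)
    src, dst = (ipaddress.ip_address(NAMES.get(h, h)) for h in (src_host, dst_host))
    if src_if in nat0:
        acl = nat0[src_if]
        if acl not in acls:  # the dangling reference in the author's config
            return f"nat ({src_if}) 0 references undefined access-list {acl}"
        if any(src in s and dst in d for s, d in acls[acl]):
            return f"exempt by nat ({src_if}) 0 access-list {acl}"
    for in_if, out_if, real, mapped in statics:
        if (in_if, out_if) == (src_if, dst_if) and real == mapped and src in real:
            return f"exempt by identity static ({in_if},{out_if})"
    return "no NAT exemption matches this flow"
```

Call exemption(AFTER, "inside", "dmz", "server01", "172.16.50.10") to see the identity static match; swap in BEFORE to see that nothing covers the flow.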