Solved

Cisco ASA - Port Translation Error

Posted on 2009-05-15
219 Views
Last Modified: 2012-05-07
Hi All,

Not quite sure what I am doing wrong here, but clearly something.

We have had a new service installed which I have set up on a new DMZ called DMZ50.

Connected to the DMZ50 interface is a switch that has two routers attached.

This service is to be used by a server on the inside interface, so I have set up the appropriate NAT exempt rules so this server can communicate with the routers on DMZ50.

The servers will then send traffic to a public address on a 3rd-party network. This will route via the routers on DMZ50, so I have set up static routes for the destination IPs to go via the routers on DMZ50.

So far so good.

But when we try and test from the server that will use this, it doesn't work and I get errors in the ASDM log, which are:

portmap translation creation failed for tcp src inside:server01/2273 dst dmz50:xxx.xxx.xxx.xxx/23083

I am completely stumped as to what is going on here.

Can anybody please help?

Thanks

Paul
Question by:essexboy80
4 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24402088
Hello Paul,
    Most probably, something is wrong with the NAT statements. Another static statement may be overwriting your exempt, or your exempt NAT direction is wrong. Try this:

access-list inside_nat0_dmz permit ip server01subnet server01subnetmask dmzroutersubnet dmzrouternetmask
nat (inside) 0 access-list inside_nat0_dmz

Regards
 
LVL 1

Author Comment

by:essexboy80
ID: 24409576
Hi,

Can you just explain what this access list is doing?

I already have some entries, as below. Are these wrong?

access-list inside_outbound_nat0_acl extended permit ip LAN 255.255.252.0 DMZ 255.255.255.0
access-list inside_nat0_outbound extended permit ip LAN 255.255.252.0 DMZ 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound

Thanks
 
LVL 1

Author Comment

by:essexboy80
ID: 24410878
Okay, I have fixed it now. I had to change quite a bit, but the main issue was the lack of

static (inside,dmz) LAN LAN netmask 255.255.252.0
 
LVL 29

Accepted Solution

by:Alan Huseyin Kayahan (earned 500 total points)
ID: 24413541
static (inside,dmz) LAN LAN netmask 255.255.252.0 does the same job as my previous suggestion: it exempts the specified traffic from NAT.

Regards
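For reference, here is a complete pre-8.3 ASA configuration fragment for the inside-to-DMZ50 case discussed in this thread, written out as an added illustration (it is not the poster's running config or the expert's own text). The interface name dmz50, the LAN subnet 10.1.0.0/22, the DMZ50 router subnet 192.168.50.0/24 and the host addresses in the packet-tracer line are assumed placeholders. Two things are worth noting about the lines the poster shared: the two inside exempt ACLs are defined but the only nat 0 statement shown binds a third, different name (dmz_nat0_outbound) on the dmz interface, with no nat (inside) 0 line at all; and a nat 0 ACL is written from the perspective of the interface it is bound to, so for inside-sourced traffic the source must be the LAN and the destination the DMZ50 subnet. The ASDM message in the question says the ASA tried to build a PAT (portmap) xlate for the flow and could not; exempting the flow from NAT with either form below means no such xlate is needed.

```cisco
! Pre-8.3 ASA syntax, as used in this thread.
! Placeholders (assumed, not from the original post):
!   inside  = 10.1.0.0/22   (the LAN object in the thread)
!   dmz50   = 192.168.50.0/24 (subnet holding the two routers)

! Form 1: policy NAT exemption. Source = hosts behind "inside",
! destination = DMZ50 router subnet. The ACL name must match the
! name in the nat 0 statement exactly.
access-list inside_nat0_dmz50 extended permit ip 10.1.0.0 255.255.252.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_dmz50

! Form 2: identity static, the fix the poster ended up with.
! Maps the LAN to itself between inside and dmz50, so the same
! addresses are seen on both sides and no PAT xlate is built.
! Use one form or the other for a given subnet pair, not both.
static (inside,dmz50) 10.1.0.0 10.1.0.0 netmask 255.255.252.0

! Verification after changing NAT rules. Existing xlates are not
! rebuilt automatically, so clear them before re-testing.
clear xlate
show running-config nat
show running-config static
show xlate
! Simulate the failing flow from the log line (host and ports assumed)
! and read the NAT phase of the output to see which rule matched.
packet-tracer input inside tcp 10.1.0.10 2273 192.168.50.1 23083
```

The packet-tracer output is the quickest way to tell the two failure modes apart: a NAT phase that shows no rule matched points at a missing or mis-bound nat 0 line, while a rule that matches but in the wrong direction points at the ACL being written from the wrong interface's perspective.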
