Solved

Cisco ASA - Port Translation Error

Posted on 2009-05-15
4
217 Views
Last Modified: 2012-05-07
Hi All,

Not quite sure what I am doing wrong here, but clearly something.

We have had a new service installed which I have setup on a new DMZ called DMZ50.

Connected to the DMZ50 Interface is a Switch that has got Two Routers attached.

This service is to be used by a Server on the Inside Interface So I have setup the appropriate NAT Exempt Rules so this server can communicate with the Routers on DMZ50.

The servers will then send traffic to a public address on a 3rd Party Network, these will route via the Routers on DMZ50, so I have setup Static Routes for the Destination IP's to go via the Routers on DMZ50.

So far so good.

But when we try and test from the Server that will use this it doesnt work and I get errors in the ASDM Log which are:

portmap translation creation failed for tcp src inside:server01/2273 dst dmz50:xxx.xxx.xxx.xxx/23083

I am completely stumped as to what is going on here.

Can anybody please help?

Thanks

Paul
0
Comment
Question by:essexboy80
  • 2
  • 2
4 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24402088
Hello Paul,
    Most probably, something is wrong with NAT statements. Another static statement may be overwriting your exempt, or your exempt NAT direction is wrong. Try this

access-list inside_nat0_dmz permit ip server01subnet server01subnetmask dmzroutersubnet dmzrouternetmask
nat (inside) 0 access-list inside_nat0_dmz

Regards
0
 
LVL 1

Author Comment

by:essexboy80
ID: 24409576
Hi,

Can you just explain what this access llist is doing?

I have already got some entries as per below are these wrong? :

access-list inside_outbound_nat0_acl extended permit ip LAN 255.255.252.0 DMZ 255.255.255.0
access-list inside_nat0_outbound extended permit ip LAN 255.255.252.0 DMZ 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound

Thanks
0
 
LVL 1

Author Comment

by:essexboy80
ID: 24410878
okay I have fixed it now, had to change quite a bit, but the main issue was the lack of

static (inside,dmz) LAN LAN netmask 255.255.252.0
0
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 24413541
static (inside,dmz) LAN LAN netmask 255.255.252.0  does the same job as my previous suggestion. It exempts specified traffic from NAT

Regards
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now