Solved

Cisco ASA - Port Translation Error

Posted on 2009-05-15
216 Views
Last Modified: 2012-05-07
Hi All,

Not quite sure what I am doing wrong here, but clearly something.

We have had a new service installed which I have setup on a new DMZ called DMZ50.

Connected to the DMZ50 Interface is a Switch that has got Two Routers attached.

This service is to be used by a server on the Inside interface, so I have set up the appropriate NAT Exempt rules so this server can communicate with the Routers on DMZ50.

The servers will then send traffic to a public address on a 3rd-party network; these will route via the Routers on DMZ50, so I have set up static routes for the destination IPs to go via the Routers on DMZ50.

So far so good.

But when we try and test from the server that will use this, it doesn't work and I get errors in the ASDM log, which are:

portmap translation creation failed for tcp src inside:server01/2273 dst dmz50:xxx.xxx.xxx.xxx/23083

I am completely stumped as to what is going on here.

Can anybody please help?

Thanks

Paul
0
Question by:essexboy80
4 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24402088
Hello Paul,

Most probably, something is wrong with the NAT statements. Another static statement may be overriding your exempt, or your exempt NAT direction is wrong. Try this:

access-list inside_nat0_dmz permit ip server01subnet server01subnetmask dmzroutersubnet dmzrouternetmask
nat (inside) 0 access-list inside_nat0_dmz

Regards
0
 
LVL 1

Author Comment

by:essexboy80
ID: 24409576
Hi,

Can you just explain what this access list is doing?

I have already got some entries as per below; are these wrong?

access-list inside_outbound_nat0_acl extended permit ip LAN 255.255.252.0 DMZ 255.255.255.0
access-list inside_nat0_outbound extended permit ip LAN 255.255.252.0 DMZ 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound

Thanks
0
 
LVL 1

Author Comment

by:essexboy80
ID: 24410878
Okay, I have fixed it now; I had to change quite a bit, but the main issue was the lack of

static (inside,dmz) LAN LAN netmask 255.255.252.0
0
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 24413541
static (inside,dmz) LAN LAN netmask 255.255.252.0 does the same job as my previous suggestion. It exempts the specified traffic from NAT.

Regards
0
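As an added example (not the poster's or the expert's configuration), this is how the NAT exemption, the identity static and the route fit together in pre-8.3 ASA syntax, including the check that the log line in the question suggests: the server's packets leave through dmz50 toward the 3rd-party address, so the exempt must cover that destination and not only the router subnet. The subnets 10.1.0.0/22, 10.50.0.0/24 and 203.0.113.0/24, the interface name dmz50, the next hop 10.50.0.2 and the host/port values are assumptions.

```cisco
! Added example, not from the thread. Pre-8.3 syntax, as used by the poster.
! Assumed addressing:
!   LAN       = 10.1.0.0/22   (inside server subnet, mask 255.255.252.0)
!   DMZ50_NET = 10.50.0.0/24  (router subnet behind interface dmz50)
!   203.0.113.0/24 = 3rd-party destination (documentation range)
names
name 10.1.0.0 LAN
name 10.50.0.0 DMZ50_NET
!
interface Ethernet0/2
 nameif dmz50
 security-level 50
 ip address 10.50.0.1 255.255.255.0
!
! NAT exemption. The log line shows dst dmz50:<public IP>, i.e. the flow
! egresses dmz50 with the 3rd-party address as destination. An exempt ACL
! that only names the router subnet does not match that flow; the ASA then
! looks for a dynamic/PAT rule for (inside,dmz50), finds none, and logs
! "portmap translation creation failed". So exempt both destinations.
access-list inside_nat0_outbound extended permit ip LAN 255.255.252.0 DMZ50_NET 255.255.255.0
access-list inside_nat0_outbound extended permit ip LAN 255.255.252.0 203.0.113.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Equivalent alternative (what the poster ended up using): an identity
! static for the whole LAN toward dmz50, which covers every destination
! reached through that interface. Use one approach or the other, not both.
! static (inside,dmz50) LAN LAN netmask 255.255.252.0
!
! Route the 3rd-party prefix via the DMZ50 router
route dmz50 203.0.113.0 255.255.255.0 10.50.0.2 1
!
! Existing translations are not re-evaluated after a NAT change; clear them
! clear xlate
!
! Verification: walk a synthetic packet through the route/ACL/NAT phases
! and confirm no translation is attempted for the exempted flow
! packet-tracer input inside tcp 10.1.0.10 2273 203.0.113.5 23083
! show nat
! show xlate
```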
