Mawallace asked:

CISCO ASA 5510 - Problem with accessing network on Interface Portmap translation failed.

I have enabled an interface on the ASA 5510 but cannot get it to pass traffic through from the inside interface to the backup interface.

Configuration

Inside network - Assume 210.0.0.0

Outside 217.37.180.46

Backup 192.168.28.2

I am trying to contact a device with the IP address 192.168.28.1.

When I do, it fails with the message:
2010-02-17 11:43:53      Local4.Debug      210.0.0.100      %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:53      Local4.Error      210.0.0.100      %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:53      Local4.Debug      210.0.0.100      %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00
2010-02-17 11:43:54      Local4.Debug      210.0.0.100      %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:54      Local4.Error      210.0.0.100      %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:54      Local4.Debug      210.0.0.100      %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00
2010-02-17 11:43:54      Local4.Debug      210.0.0.100      %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:54      Local4.Error      210.0.0.100      %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:54      Local4.Debug      210.0.0.100      %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00

If I add a static NAT I am still unable to contact devices on the backup interface.

It fails with:
2010-02-17 12:01:18      Local4.Info      210.0.0.100      %ASA-6-302013: Built outbound TCP connection 2043 for backup:192.168.28.1/80 (192.168.28.1/80) to inside:ThetTSserver/4204 (ThetTSserver/4204)
2010-02-17 12:01:19      Local4.Info      210.0.0.100      %ASA-6-302014: Teardown TCP connection 1683 for outside:209.46.39.130/443 to inside:210.0.0.10/56351 duration 0:10:20 bytes 5357 FIN Timeout

What is going on? How do I get my inside network to communicate with the devices on the "backup" interface?

From the above:

a. It knows the route to 192.168.28.1
b. It does not seem to be a NAT issue

Routing table is as follows:

Gateway of last resort is 217.37.180.41 to network 0.0.0.0

C    192.168.28.0 255.255.255.0 is directly connected, backup
C    217.37.180.40 255.255.255.248 is directly connected, outside
S    Sudbury_LAN 255.255.255.0 [1/0] via 217.37.180.41, outside
C    Thetford_LAN 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 217.37.180.41, outside

Config file is as follows (I have deleted items which I do not think are relevant! I have also changed IP addresses):
: Saved
:
ASA Version 7.2(2)
!

name 210.0.0.1 Thetserver description Thetford File Server
name 210.0.0.2 ThetTSserver description Thetford TS Server
name 210.0.0.0 Thetford_LAN description Thetford Local Area Network
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 219.37.180.46 255.255.255.248
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 210.0.0.100 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 nameif backup
 security-level 0
 ip address 192.168.28.2 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!

ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name thet.staceys.co.uk
object-group service WebAccess tcp
 description Allowed protocols to Outside world
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group network MAWHome
 description MAWHome
 network-object 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any object-group WebAccess
access-list inside_access_in extended permit tcp host Thetserver any eq domain
access-list inside_access_in extended permit udp host Thetserver any eq domain
access-list inside_access_in extended permit tcp host Thetserver any eq smtp
access-list inside_access_in extended permit tcp host Thetserver any eq pop3
access-list inside_access_in extended permit udp host Thetserver any eq ntp
access-list inside_access_in extended permit tcp host ThetTSserver any eq pop3
access-list inside_access_in extended permit tcp host ThetTSserver any eq smtp
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any eq 465
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any eq 995
access-list inside_access_in extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.21.0.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 192.168.28.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Bury_LAN 255.255.255.0
access-list outside_60_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Newmarket_LAN 255.255.255.0
access-list outside_80_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list outside_80_cryptomap_1 extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list http-list2 extended permit tcp any host 62.189.96.209
access-list http-list2 extended permit tcp any host 213.120.81.201
access-list outside_100_cryptomap extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
!
tcp-map mss-map
  exceed-mss allow
!
pager lines 24
logging enable
logging trap alerts
logging asdm informational
logging host inside Thetserver
mtu outside 1500
mtu inside 1500
mtu backup 1500
ip local pool VPNUsers 172.21.0.1-172.21.0.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Thetford_LAN 255.255.255.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 217.37.180.41 1
!
router ospf 10
 network Thetford_LAN 255.255.255.0 area 0
 log-adj-changes
 redistribute static subnets
!
!
!
class-map http-mapl
 match access-list http-list2
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map http-mapl
 class http-mapl
  set connection advanced-options mss-map
policy-map http-map1
!
service-policy global_policy global
service-policy http-mapl interface outside
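As an added diagnostic aid (not code from the question or from Cisco), the following script parses %ASA-3-305006 syslog lines like the ones above and cross-checks them against the nat/global statements of the posted config: for the source interface named in the message it lists every dynamic nat id (id 0 is NAT exemption and needs no global) that has no matching global on the destination interface, which is the first thing to verify when a portmap translation fails. The sample log lines and config excerpt are constructed from the post; static statements and the contents of nat-exempt access lists are not parsed, so the check is a starting point, not a full NAT audit.

```python
import re

# Constructed sample: two syslog lines in the same shape as those in the question.
SAMPLE_LOGS = [
    "2010-02-17 11:43:53      Local4.Error      210.0.0.100      %ASA-3-305006: portmap translation "
    "creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80",
    "2010-02-17 12:01:18      Local4.Info      210.0.0.100      %ASA-6-302013: Built outbound TCP "
    "connection 2043 for backup:192.168.28.1/80 (192.168.28.1/80) to inside:ThetTSserver/4204 (ThetTSserver/4204)",
]

# Constructed excerpt: only the nat/global lines from the posted config.
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Thetford_LAN 255.255.255.0
"""

PORTMAP_RE = re.compile(
    r"%ASA-3-305006: portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[^/]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[^/]+)/(?P<dport>\d+)"
)
NAT_RE = re.compile(r"^nat \((?P<if>[\w-]+)\) (?P<id>\d+) ")
GLOBAL_RE = re.compile(r"^global \((?P<if>[\w-]+)\) (?P<id>\d+) ")


def parse_nat_config(text):
    """Return ({interface: nat ids}, {interface: global ids}) from nat/global lines."""
    nat, glob = {}, {}
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            nat.setdefault(m["if"], set()).add(int(m["id"]))
        m = GLOBAL_RE.match(line.strip())
        if m:
            glob.setdefault(m["if"], set()).add(int(m["id"]))
    return nat, glob


def check_portmap_failures(logs, config_text):
    """For each 305006 line, list the dynamic nat ids on the source interface
    that have no matching global on the destination interface."""
    nat, glob = parse_nat_config(config_text)
    findings = []
    for line in logs:
        m = PORTMAP_RE.search(line)
        if not m:
            continue  # other message ids (e.g. 302013) are not NAT failures
        src_if, dst_if = m["src_if"], m["dst_if"]
        dyn_ids = {i for i in nat.get(src_if, set()) if i != 0}  # id 0 = exemption
        missing = sorted(dyn_ids - glob.get(dst_if, set()))
        findings.append({"src_if": src_if, "dst_if": dst_if, "dst": m["dst"],
                         "dport": int(m["dport"]), "missing_global_ids": missing})
    return findings


if __name__ == "__main__":
    for f in check_portmap_failures(SAMPLE_LOGS, SAMPLE_CONFIG):
        print(f)
```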
Last comment: Mawallace,

8/22/2022 - Mon
Justin Ellenbecker

Hello Mawallace,

One thing you may need to do first is change the security levels on your interfaces.  0 is the lowest or most insecure; this should be on your outside interface.  100 is the most secure and should be on the inside.  There are implicit rules in the ASA about traffic flow from secure to insecure interfaces.  You can read more about this at:

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/intparam.html

Regards,

StrifeJester
Justin Ellenbecker

Possibly not making it a 0 would help. What type of traffic are you trying to send across when you are receiving these messages, and from where: is it traffic from a workstation or the ASA itself?
Justin Ellenbecker

I can see port 80 on the traffic; just making sure it's web traffic is why I asked.  And maybe I am missing it, but I am not seeing a rule to allow traffic outgoing on your Backup interface to port 80.
ASKER CERTIFIED SOLUTION
Mawallace