
CISCO ASA 5510 - Problem with accessing network on Interface Portmap translation failed.

Mawallace asked:
Last Modified: 2012-08-13
I have enabled an interface on the ASA 5510 but cannot get it to pass traffic through from the inside interface to the backup interface.

Configuration

Inside network - Assume 210.0.0.0

Outside 217.37.180.46

Backup 192.168.28.2

I am trying to contact the device with the IP address 192.168.28.1

When I do, it fails with the message:
2010-02-17 11:43:53      Local4.Debug      210.0.0.100      %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:53      Local4.Error      210.0.0.100      %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:53      Local4.Debug      210.0.0.100      %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00
2010-02-17 11:43:54      Local4.Debug      210.0.0.100      %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:54      Local4.Error      210.0.0.100      %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:54      Local4.Debug      210.0.0.100      %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00
2010-02-17 11:43:54      Local4.Debug      210.0.0.100      %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:54      Local4.Error      210.0.0.100      %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:54      Local4.Debug      210.0.0.100      %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00

If I add a static NAT I am still unable to contact devices on the backup interface.

It fails with:
2010-02-17 12:01:18      Local4.Info      210.0.0.100      %ASA-6-302013: Built outbound TCP connection 2043 for backup:192.168.28.1/80 (192.168.28.1/80) to inside:ThetTSserver/4204 (ThetTSserver/4204)
2010-02-17 12:01:19      Local4.Info      210.0.0.100      %ASA-6-302014: Teardown TCP connection 1683 for outside:209.46.39.130/443 to inside:210.0.0.10/56351 duration 0:10:20 bytes 5357 FIN Timeout

What is going on? How do I get my inside network to communicate with the devices on the "backup" interface?

From the above:

a. It knows the route to 192.168.28.1
b. It does not seem to be a NAT issue

Routing table is as follows:-

Gateway of last resort is 217.37.180.41 to network 0.0.0.0

C    192.168.28.0 255.255.255.0 is directly connected, backup
C    217.37.180.40 255.255.255.248 is directly connected, outside
S    Sudbury_LAN 255.255.255.0 [1/0] via 217.37.180.41, outside
C    Thetford_LAN 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 217.37.180.41, outside

Config file is as follows:- (I have deleted items which I do not think are relevant! I have also changed IP addresses)
: Saved
:
ASA Version 7.2(2)
!

name 210.0.0.1 Thetserver description Thetford File Server
name 210.0.0.2 ThetTSserver description Thetford TS Server
name 210.0.0.0 Thetford_LAN description Thetford Local Area Network
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 219.37.180.46 255.255.255.248
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 210.0.0.100 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 nameif backup
 security-level 0
 ip address 192.168.28.2 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!

ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name thet.staceys.co.uk
object-group service WebAccess tcp
 description Allowed protocols to Outside world
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group network MAWHome
 description MAWHome
 network-object 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any object-group WebAccess
access-list inside_access_in extended permit tcp host Thetserver any eq domain
access-list inside_access_in extended permit udp host Thetserver any eq domain
access-list inside_access_in extended permit tcp host Thetserver any eq smtp
access-list inside_access_in extended permit tcp host Thetserver any eq pop3
access-list inside_access_in extended permit udp host Thetserver any eq ntp
access-list inside_access_in extended permit tcp host ThetTSserver any eq pop3
access-list inside_access_in extended permit tcp host ThetTSserver any eq smtp
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any eq 465
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any eq 995
access-list inside_access_in extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.21.0.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 192.168.28.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Bury_LAN 255.255.255.0
access-list outside_60_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Newmarket_LAN 255.255.255.0
access-list outside_80_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list outside_80_cryptomap_1 extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list http-list2 extended permit tcp any host 62.189.96.209
access-list http-list2 extended permit tcp any host 213.120.81.201
access-list outside_100_cryptomap extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
!
tcp-map mss-map
  exceed-mss allow
!
pager lines 24
logging enable
logging trap alerts
logging asdm informational
logging host inside Thetserver
mtu outside 1500
mtu inside 1500
mtu backup 1500
ip local pool VPNUsers 172.21.0.1-172.21.0.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Thetford_LAN 255.255.255.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 217.37.180.41 1
!
router ospf 10
 network Thetford_LAN 255.255.255.0 area 0
 log-adj-changes
 redistribute static subnets
!




 

 
 


!
!
class-map http-mapl
 match access-list http-list2
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map http-mapl
 class http-mapl
  set connection advanced-options mss-map
policy-map http-map1
!
service-policy global_policy global
service-policy http-mapl interface outside
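
A log-triage sketch for the syslog excerpts in the question, added here as an example and not part of the original post: it counts %ASA-3-305006 failures per interface pair and pairs 302013/302014 records by connection id, which shows that the Teardown quoted after the static NAT test (connection 1683, on outside) is not the teardown of the Built connection 2043 to backup. The function name `triage` and the regular expressions are this example's own.

```python
import re
from collections import Counter

# Syslog lines copied from the post above (whitespace collapsed, 305006 burst shortened).
SAMPLE = """\
2010-02-17 11:43:53 Local4.Error 210.0.0.100 %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:54 Local4.Error 210.0.0.100 %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 12:01:18 Local4.Info 210.0.0.100 %ASA-6-302013: Built outbound TCP connection 2043 for backup:192.168.28.1/80 (192.168.28.1/80) to inside:ThetTSserver/4204 (ThetTSserver/4204)
2010-02-17 12:01:19 Local4.Info 210.0.0.100 %ASA-6-302014: Teardown TCP connection 1683 for outside:209.46.39.130/443 to inside:210.0.0.10/56351 duration 0:10:20 bytes 5357 FIN Timeout
"""

# Patterns written for this example against the message shapes shown in the post.
MSG = re.compile(r"%ASA-(\d)-(\d{6}): (.*)$")
XLATE_FAIL = re.compile(r"portmap translation creation failed for (\w+) src (\w+):(\S+)/(\d+) dst (\w+):(\S+)/(\d+)")
BUILT = re.compile(r"Built (?:inbound|outbound) TCP connection (\d+) for (\w+):(\S+)/(\d+)")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for (\w+):(\S+)/(\d+) .* duration (\S+) bytes (\d+) (.*)$")

def triage(text):
    """Summarise translation failures and pair Built/Teardown records by connection id."""
    failures = Counter()  # (src_if, dst_if, dst_host, dst_port) -> count
    built, torn = {}, {}  # connection id -> details
    for line in text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg_id, body = m.group(2), m.group(3)
        if msg_id == "305006" and (f := XLATE_FAIL.search(body)):
            failures[(f[2], f[5], f[6], int(f[7]))] += 1
        elif msg_id == "302013" and (b := BUILT.search(body)):
            built[int(b[1])] = (b[2], b[3], int(b[4]))
        elif msg_id == "302014" and (t := TEARDOWN.search(body)):
            torn[int(t[1])] = {"peer": (t[2], t[3], int(t[4])), "bytes": int(t[6]), "reason": t[7]}
    return {
        "xlate_failures": dict(failures),
        # A Built with no Teardown in the capture means the log does not show how it ended.
        "built_without_teardown": sorted(set(built) - set(torn)),
        # A Teardown with no Built in the capture belongs to some earlier, unrelated flow.
        "teardown_without_built": sorted(set(torn) - set(built)),
        "built": built,
        "torn": torn,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
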







