asked on CISCO ASA 5510 - Problem with accessing network on Interface Portmap translation failed.
I have enabled an interface on the ASA 5510 but cannot get it to pass traffice through from the inside interface to the backup interface.
Confirgertation
Inside network - Assume 210.0.0.0
Outisde 217.37.180.46
Backup 192.168.28.2
I am trying to device with the ip address 192.168.28.1
When I do it fails with the message
2010-02-17 11:43:53 Local4.Debug 210.0.0.100 %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:53 Local4.Error 210.0.0.100 %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:53 Local4.Debug 210.0.0.100 %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00
2010-02-17 11:43:54 Local4.Debug 210.0.0.100 %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:54 Local4.Error 210.0.0.100 %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:54 Local4.Debug 210.0.0.100 %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00
2010-02-17 11:43:54 Local4.Debug 210.0.0.100 %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:54 Local4.Error 210.0.0.100 %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:54 Local4.Debug 210.0.0.100 %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00
If I add a stati Nat I still am unable to contact deivces on the backup interface.
It fails with
2010-02-17 12:01:18 Local4.Info 210.0.0.100 %ASA-6-302013: Built outbound TCP connection 2043 for backup:192.168.28.1/80 (192.168.28.1/80) to inside:ThetTSserver/4204 (ThetTSserver/4204)
2010-02-17 12:01:19 Local4.Info 210.0.0.100 %ASA-6-302014: Teardown TCP connection 1683 for outside:209.46.39.130/443 to inside:210.0.0.10/56351 duration 0:10:20 bytes 5357 FIN Timeout
What is going on? How do I get my inside network to communicate with the devices on the "backup" interface.
From the above From the above
a. It knows the route to 192.168.28.1
b. It does not seems to be a NAT issue
Routing table is as follows:-
Gateway of last resort is 217.37.180.41 to network 0.0.0.0
C 192.168.28.0 255.255.255.0 is directly connected, backup
C 217.37.180.40 255.255.255.248 is directly connected, outside
S Sudbury_LAN 255.255.255.0 [1/0] via 217.37.180.41, outside
C Thetford_LAN 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 217.37.180.41, outside
Config file is as follows:- (I have delted items which I o not hink are revlavnt! I have also changed ip addresses)
: Saved
:
ASA Version 7.2(2)
!
name 210.0.0.1 Thetserver description Thetford File Server
name 210.0.0.2 ThetTSserver description Thetford TS Server
name 210.0.0.0 Thetford_LAN description Thetford Local Area Network
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 219.37.180.46 255.255.255.248
ospf cost 10
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 210.0.0.100 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
nameif backup
security-level 0
ip address 192.168.28.2 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name thet.staceys.co.uk
object-group service WebAccess tcp
description Allowed protocols to Outside world
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group network MAWHome
description MAWHome
network-object 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any object-group WebAccess
access-list inside_access_in extended permit tcp host Thetserver any eq domain
access-list inside_access_in extended permit udp host Thetserver any eq domain
access-list inside_access_in extended permit tcp host Thetserver any eq smtp
access-list inside_access_in extended permit tcp host Thetserver any eq pop3
access-list inside_access_in extended permit udp host Thetserver any eq ntp
access-list inside_access_in extended permit tcp host ThetTSserver any eq pop3
access-list inside_access_in extended permit tcp host ThetTSserver any eq smtp
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any eq 465
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any eq 995
access-list inside_access_in extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.21.0.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 192.168.28.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Bury_LAN 255.255.255.0
access-list outside_60_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Newmarket_LAN 255.255.255.0
access-list outside_80_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list outside_80_cryptomap_1 extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list http-list2 extended permit tcp any host 62.189.96.209
access-list http-list2 extended permit tcp any host 213.120.81.201
access-list outside_100_cryptomap extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
!
tcp-map mss-map
exceed-mss allow
!
pager lines 24
logging enable
logging trap alerts
logging asdm informational
logging host inside Thetserver
mtu outside 1500
mtu inside 1500
mtu backup 1500
ip local pool VPNUsers 172.21.0.1-172.21.0.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Thetford_LAN 255.255.255.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 217.37.180.41 1
!
router ospf 10
network Thetford_LAN 255.255.255.0 area 0
log-adj-changes
redistribute static subnets
!
!
!
class-map http-mapl
match access-list http-list2
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map http-mapl
class http-mapl
set connection advanced-options mss-map
policy-map http-map1
!
service-policy global_policy global
service-policy http-mapl interface outside
Confirgertation
Inside network - Assume 210.0.0.0
Outisde 217.37.180.46
Backup 192.168.28.2
I am trying to device with the ip address 192.168.28.1
When I do it fails with the message
2010-02-17 11:43:53 Local4.Debug 210.0.0.100 %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:53 Local4.Error 210.0.0.100 %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:53 Local4.Debug 210.0.0.100 %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00
2010-02-17 11:43:54 Local4.Debug 210.0.0.100 %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:54 Local4.Error 210.0.0.100 %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:54 Local4.Debug 210.0.0.100 %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00
2010-02-17 11:43:54 Local4.Debug 210.0.0.100 %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:54 Local4.Error 210.0.0.100 %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:54 Local4.Debug 210.0.0.100 %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00
If I add a stati Nat I still am unable to contact deivces on the backup interface.
It fails with
2010-02-17 12:01:18 Local4.Info 210.0.0.100 %ASA-6-302013: Built outbound TCP connection 2043 for backup:192.168.28.1/80 (192.168.28.1/80) to inside:ThetTSserver/4204 (ThetTSserver/4204)
2010-02-17 12:01:19 Local4.Info 210.0.0.100 %ASA-6-302014: Teardown TCP connection 1683 for outside:209.46.39.130/443 to inside:210.0.0.10/56351 duration 0:10:20 bytes 5357 FIN Timeout
What is going on? How do I get my inside network to communicate with the devices on the "backup" interface.
From the above From the above
a. It knows the route to 192.168.28.1
b. It does not seems to be a NAT issue
Routing table is as follows:-
Gateway of last resort is 217.37.180.41 to network 0.0.0.0
C 192.168.28.0 255.255.255.0 is directly connected, backup
C 217.37.180.40 255.255.255.248 is directly connected, outside
S Sudbury_LAN 255.255.255.0 [1/0] via 217.37.180.41, outside
C Thetford_LAN 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 217.37.180.41, outside
Config file is as follows:- (I have delted items which I o not hink are revlavnt! I have also changed ip addresses)
: Saved
:
ASA Version 7.2(2)
!
name 210.0.0.1 Thetserver description Thetford File Server
name 210.0.0.2 ThetTSserver description Thetford TS Server
name 210.0.0.0 Thetford_LAN description Thetford Local Area Network
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 219.37.180.46 255.255.255.248
ospf cost 10
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 210.0.0.100 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
nameif backup
security-level 0
ip address 192.168.28.2 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name thet.staceys.co.uk
object-group service WebAccess tcp
description Allowed protocols to Outside world
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group network MAWHome
description MAWHome
network-object 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any object-group WebAccess
access-list inside_access_in extended permit tcp host Thetserver any eq domain
access-list inside_access_in extended permit udp host Thetserver any eq domain
access-list inside_access_in extended permit tcp host Thetserver any eq smtp
access-list inside_access_in extended permit tcp host Thetserver any eq pop3
access-list inside_access_in extended permit udp host Thetserver any eq ntp
access-list inside_access_in extended permit tcp host ThetTSserver any eq pop3
access-list inside_access_in extended permit tcp host ThetTSserver any eq smtp
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any eq 465
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any eq 995
access-list inside_access_in extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.21.0.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 192.168.28.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Bury_LAN 255.255.255.0
access-list outside_60_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Newmarket_LAN 255.255.255.0
access-list outside_80_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list outside_80_cryptomap_1 extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list http-list2 extended permit tcp any host 62.189.96.209
access-list http-list2 extended permit tcp any host 213.120.81.201
access-list outside_100_cryptomap extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
!
tcp-map mss-map
exceed-mss allow
!
pager lines 24
logging enable
logging trap alerts
logging asdm informational
logging host inside Thetserver
mtu outside 1500
mtu inside 1500
mtu backup 1500
ip local pool VPNUsers 172.21.0.1-172.21.0.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Thetford_LAN 255.255.255.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 217.37.180.41 1
!
router ospf 10
network Thetford_LAN 255.255.255.0 area 0
log-adj-changes
redistribute static subnets
!
!
!
class-map http-mapl
match access-list http-list2
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map http-mapl
class http-mapl
set connection advanced-options mss-map
policy-map http-map1
!
service-policy global_policy global
service-policy http-mapl interface outside
Hardware FirewallsCisco
Last Comment
Mawallace
POssibly not making it a 0 would help, What type of traffic are you trying to send accross when you are recieveing these messages and from where is it traffic from a workstation or the ASA itself.
I can see port 80 on the traffic jsut making sure its web traffic is why I asked. And maybe I am missing it but I am not seeing a rule to allow traffic outgoing on your Backup interface to port 80.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
One thing you may need to do first is change the security levels on your interfaces. 0 is the lowest or most insecure, this should be on your outside interface. 100 is the most secure and should be on the inside. There are implicit rules in the ASA about traffic frlow from secure to insecure interfaces. You can read more about this at:
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/intparam.html
Regards,
StrifeJester