
Solved

Portmap translation error/PAT pool exhausted.

Posted on 2013-01-29
4,657 Views
Last Modified: 2016-04-30
I keep getting the following errors in the ASA firewall.

PAT pool exhausted. Unable to create TCP connection
portmap translation creation failed for tcp src Outside (public source) dst DMZ(ASA public IP address)
I suspect this is related to my existing NAT configuration.

What I want to achieve is for external connections to either Outside interface ('Outside' and 'Outside2') to be translated to the DMZ interface in a secure way.

How can I achieve this?
asaconfig2.txt
Question by:ashdennis
9 Comments
LVL 37

Expert Comment

by:ArneLovius
ID: 38834802
As you have removed critical parts from the config rather than sanitizing it, it is difficult to suggest specific improvements, however you appear to be using dynamic NAT to go from outside and outside2 to DMZ, usually this would be done with static NAT.

To reduce the issue of NAT exhaustion and presuming that you have more than one public IP address on your external interfaces, I would suggest not using the interface address for all rules, but rather to specify an address for the inbound rules (after converting them to static rules), and split the outbound rules up to also use different addresses.
Author Comment

by:ashdennis
ID: 38835354
OK, I will re-upload the configs; mostly the domain name was removed.
I will re-upload the configs for further review. At this point this is blocking or preventing external connections.
LVL 37

Expert Comment

by:ArneLovius
ID: 38835405
Run "clear xlate" as a temporary fix, but how long it lasts will depend on how much traffic you have.

Author Comment

by:ashdennis
ID: 38837546
New file uploaded. The clear xlate command is executed by default every time NAT is updated or changed.

What is the static NAT we can use?
asaconfig2.txt
LVL 37

Accepted Solution

by: ArneLovius (earned 945 total points)
ID: 38837750
On Outside, you have the range 72.252.249.241 to 72.252.249.246; .241 is the next hop, which leaves you with .242 to .246; .246 is the interface, which leaves you with .242 to .245 as unused addresses.

On Outside2, you have the range 208.131.168.81 to 208.131.168.86; 208.131.168.81 is the next hop, which leaves you with .82 to .86; .82 is the router, which leaves you with .83 to .86 as unused addresses.


To change the two inbound dynamic NAT rules to static rules and move them from the interface to an unused IP address:

Create the two objects for the external addresses:

object network AEG-Outside
 host 72.252.249.245
object network AEJ-Outside2
 host 208.131.168.85


Deactivate the dynamic NAT rules:

nat (Outside2,DMZ) source dynamic any interface destination static interface AEJ inactive
nat (Outside,DMZ) source dynamic any interface destination static interface AEJ service AEJ_10000 AEJ_10000 inactive description AEJ DMZ Pharmacy project


Create the new NAT rules:

nat (DMZ,Outside2) source static AEJ AEJ-Outside2
nat (DMZ,outside) source static AEJ AEG-Outside service AEJ_10000 AEJ_10000 description AEJ DMZ Pharmacy project


You might need to change the service description:

object service AEJ_10000
 service tcp destination eq 10000
 tcp/10000/Default Range


You will need to modify your external "clients" to connect to the new addresses, presumably as you have two addresses you are using failover DNS, so you could modify one interface at a time and failover the DNS as required.
Author Comment

by:ashdennis
ID: 38838237
1.  nat (DMZ,Outside2) source static AEJ AEJ-Outside2
ERROR: Address 208.131.168.85 overlaps with Outside2 interface address.
ERROR: NAT Policy is not downloaded

Similar error for the (DMZ,Outside)


2. nat (DMZ,outside) source static AEJ AEG-Outside service AEJ_10000 AEJ_10000 description AEJ DMZ Pharmacy project

nat (DMZ,outside) source static AEJ AEJ-Outside service AEJ_$
ERROR: Address 72.252.249.245 overlaps with Outside interface address.
ERROR: NAT Policy is not downloaded

3. Switched it around:
nat (Outside2,DMZ) source static AEJ AEJ-Outside2
NAT was created, but I am unable to access the device via port 10000.

4. What's the full command for
mo service tcp destination eq 10000
 tcp/10000/Default Range
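The two "overlaps with ... interface address" errors above can be caught before a NAT policy is pushed by checking each candidate host object against the interface it will be published on, the same bookkeeping ArneLovius did by hand. This is an added Python example, not code from the thread, the asker's config or Cisco: the config fragment is constructed (interface addresses set to the ones the ASA's overlap errors name, next hops as described in the thread, everything else assumed), and the checker parses it, flags an object that collides with the interface or the next hop, and lists the addresses still unused on each interface.

```python
import ipaddress
import re

# Constructed ASA config fragment (not the thread's attachment): interface
# addresses as named in the ASA's overlap errors, next hops per the thread.
SAMPLE_CONFIG = """\
 nameif Outside
 ip address 72.252.249.245 255.255.255.248
 nameif Outside2
 ip address 208.131.168.85 255.255.255.248
route Outside 0.0.0.0 0.0.0.0 72.252.249.241 1
route Outside2 0.0.0.0 0.0.0.0 208.131.168.81 2
object network AEG-Outside
 host 72.252.249.245
object network AEJ-Outside2
 host 208.131.168.85
"""

def parse_config(text):
    # Collect interface IPs, default-route next hops and network host objects
    ifaces, gateways, objects, name, obj = {}, {}, {}, None, None
    for line in text.splitlines():
        if m := re.match(r" nameif (\S+)", line):
            name = m[1]
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            ifaces[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            gateways[m[1]] = ipaddress.ip_address(m[2])
        elif m := re.match(r"object network (\S+)", line):
            obj = m[1]
        elif m := re.match(r" host (\S+)", line):
            objects[obj] = ipaddress.ip_address(m[1])
    return ifaces, gateways, objects

def check_static_nat(config, obj_name, iface_name):
    """Problems with 'nat (DMZ,<iface_name>) source static <real> <obj_name>'."""
    ifaces, gateways, objects = parse_config(config)
    addr, iface = objects[obj_name], ifaces[iface_name]
    problems = []
    if addr == iface.ip:  # the error the ASA returned in the thread
        problems.append(f"{addr} overlaps with {iface_name} interface address")
    if gateways.get(iface_name) == addr:
        problems.append(f"{addr} is the next hop on {iface_name}")
    return problems

def unused_addresses(config, iface_name):
    # Hosts on the interface subnet that are neither the ASA nor the next hop
    ifaces, gateways, _ = parse_config(config)
    taken = {ifaces[iface_name].ip, gateways.get(iface_name)}
    return [str(h) for h in ifaces[iface_name].network.hosts() if h not in taken]
```

Run against a real config export, the unused list is the set of candidates for the mapped address in the static rule, and an empty problems list is the go-ahead to push it.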
Author Comment

by:ashdennis
ID: 38838782
The attached file actually works.

I want to tweak it with the static; somehow something is missing for the static.

Also take a look at access lists outside_in and outside2_in.
asaconfig2.txt
LVL 37

Expert Comment

by:ArneLovius
ID: 38838926
There is no ACL outside_in.

You might find it useful to use the packet tracer in ASDM for "debugging" the problem that you experienced with the static NAT.
Author Comment

by:ashdennis
ID: 41572988
Replace putty-ASA.log.txt with asaconfig2.txt.