Solved

Portmap translation error/PAT pool exhausted.

Posted on 2013-01-29
9
4,432 Views
Last Modified: 2016-04-30
I keep getting the following errors in the ASA firewall.

PAT pool exhausted. Unable to create TCP connection
portmap translation creation failed for tcp src Outside (public source) dst DMZ(ASA public IP address)
I suspect this is related to my existing NAT configuration.

What I want to achieve is external connections to either Outside interface 'Outside and Outside2' be translated to DMZ interface in a secure way.

How can I achieve this?
asaconfig2.txt
0
Question by:ashdennis
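The two messages quoted in the question are the kind of thing worth catching from syslog before users notice connections failing. The following Python script is an added example, not part of the thread or of any Cisco tooling: it parses constructed ASA-style log lines carrying the same two texts ("PAT pool exhausted" and "portmap translation creation failed"), extracts the source/destination interface, address and port, and counts failures per interface pair so you can see which inbound rule is exhausting the pool. The `interface:address/port` field layout and the sample addresses are assumptions, since the question redacts them.

```python
import re
from collections import Counter

# Constructed sample log lines (not the thread's attached log). The message
# texts follow the two errors quoted in the question; addresses are made up
# from documentation ranges.
SAMPLE_LOG = """\
Jan 29 2013 10:15:01 asa1 : PAT pool exhausted. Unable to create TCP connection from Outside:198.51.100.10/51234 to DMZ:192.0.2.20/10000
Jan 29 2013 10:15:01 asa1 : portmap translation creation failed for tcp src Outside:198.51.100.10/51234 dst DMZ:192.0.2.20/10000
Jan 29 2013 10:15:02 asa1 : portmap translation creation failed for tcp src Outside:198.51.100.11/40001 dst DMZ:192.0.2.20/10000
Jan 29 2013 10:15:02 asa1 : Built inbound TCP connection 12345 for Outside:198.51.100.12/44000 to DMZ:192.0.2.20/10000
Jan 29 2013 10:15:03 asa1 : portmap translation creation failed for tcp src Outside2:203.0.113.5/33000 dst DMZ:192.0.2.20/10000
Jan 29 2013 10:15:03 asa1 : PAT pool exhausted. Unable to create TCP connection from Outside2:203.0.113.5/33000 to DMZ:192.0.2.20/10000
"""

# Assumed field layout: "src <if>:<ip>/<port> dst <if>:<ip>/<port>"
PORTMAP_RE = re.compile(
    r"portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
EXHAUSTED_RE = re.compile(r"PAT pool exhausted")


def parse_pat_failures(log_text):
    """Return (number of 'PAT pool exhausted' lines, list of parsed portmap failures)."""
    exhausted = 0
    failures = []
    for line in log_text.splitlines():
        if EXHAUSTED_RE.search(line):
            exhausted += 1
        m = PORTMAP_RE.search(line)
        if m:
            failures.append(m.groupdict())
    return exhausted, failures


def summarize(failures):
    """Count failures per (ingress, egress) interface pair and per destination ip/port.

    The interface pair tells you which nat rule's PAT address is running dry; the
    destination tells you which published service is affected."""
    by_pair = Counter((f["src_if"], f["dst_if"]) for f in failures)
    by_dst = Counter((f["dst_ip"], f["dst_port"]) for f in failures)
    return by_pair, by_dst


def should_alert(exhausted, failures, threshold=3):
    """Threshold check for a monitoring hook: alert once the combined count of
    exhaustion messages and portmap failures reaches `threshold`."""
    return exhausted + len(failures) >= threshold


if __name__ == "__main__":
    exhausted, failures = parse_pat_failures(SAMPLE_LOG)
    by_pair, by_dst = summarize(failures)
    print("PAT pool exhausted messages:", exhausted)
    print("portmap failures per interface pair:", dict(by_pair))
    print("portmap failures per destination:", dict(by_dst))
    print("alert:", should_alert(exhausted, failures))
```

On the sample input the Outside-to-DMZ pair accounts for most failures, which is the same rule the accepted answer later converts from dynamic to static NAT; feeding real syslog from the ASA into `parse_pat_failures` gives the same breakdown.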
9 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38834802
As you have removed critical parts from the config rather than sanitizing it, it is difficult to suggest specific improvements, however you appear to be using dynamic NAT to go from outside and outside2 to DMZ, usually this would be done with static NAT.

To reduce the issue of NAT exhaustion and presuming that you have more than one public IP address on your external interfaces, I would suggest not using the interface address for all rules, but rather to specify an address for the inbound rules (after converting them to static rules), and split the outbound rules up to also use different addresses.
0
 

Author Comment

by:ashdennis
ID: 38835354
OK, I will re-upload the configs; mostly the domain name was removed.
I will re-upload the configs for further review. At this point this is blocking or preventing external connections.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38835405
Run "clear xlate" as a temporary fix, but how long it lasts will depend on how much traffic you have.
0
 

Author Comment

by:ashdennis
ID: 38837546
New file uploaded. The clear xlate command is executed by default every time NAT is updated or changed.

What is the static NAT we can use?
asaconfig2.txt
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 315 total points
ID: 38837750
On outside, you have the range 72.252.249.241 to 72.252.249.246; .241 is the next hop, which leaves you with .242 to .246; .246 is the interface, which leaves you with .242 to .245 as unused addresses.

On outside2 you have the range 208.131.168.81 to 208.131.168.86; 208.131.168.81 is the next hop, which leaves you with .82 to .86; .82 is the router, which leaves you with .83 to .86 as unused addresses.


To change the two inbound dynamic NAT rules to static rules, and move them from the interface to an unused IP address:

Create the two objects for the external addresses:

object network AEG-Outside
 host 72.252.249.245
object network AEJ-Outside2
 host 208.131.168.85


Deactivate the dynamic NAT rules:

nat (Outside2,DMZ) source dynamic any interface destination static interface AEJ inactive
nat (Outside,DMZ) source dynamic any interface destination static interface AEJ service AEJ_10000 AEJ_10000 inactive description AEJ DMZ Pharmacy project


Create the new NAT rules:

nat (DMZ,Outside2) source static AEJ AEJ-Outside2
nat (DMZ,outside) source static AEJ AEG-Outside service AEJ_10000 AEJ_10000 description AEJ DMZ Pharmacy project


You might need to change the service description:

object service AEJ_10000
 mo service tcp destination eq 10000
 tcp/10000/Default Range


You will need to modify your external "clients" to connect to the new addresses, presumably as you have two addresses you are using failover DNS, so you could modify one interface at a time and failover the DNS as required.
0
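The accepted answer works out the free addresses by hand (range minus next hop minus interface address) and the follow-up comment shows what happens when the chosen address collides with an interface address. The Python below is an added example, not part of the answer or of Cisco's software: it does the same subtraction with the thread's own Outside numbers, pre-checks a candidate against the interface address (reproducing the "overlaps with ... interface address" condition the asker hit) and against addresses already bound to other static rules, and emits the object/nat lines in the form used in the answer. The function names, the object name parameter and the "already used by another static NAT rule" message are assumptions for illustration.

```python
import ipaddress


def unused_addresses(first, last, reserved):
    """Addresses in the inclusive range first..last minus those in `reserved`
    (next hop, the ASA interface address, addresses already used by static NAT)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    taken = {ipaddress.ip_address(r) for r in reserved}
    return [str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)
            if ipaddress.ip_address(n) not in taken]


def validate_static_nat(candidate, interface_name, interface_ip, static_in_use):
    """Pre-check a mapped address before typing the nat command (hypothetical
    helper, not an ASA API). Returns None when usable, else an error string
    modelled on the messages quoted in the thread."""
    cand = ipaddress.ip_address(candidate)
    if cand == ipaddress.ip_address(interface_ip):
        return f"Address {candidate} overlaps with {interface_name} interface address."
    if cand in {ipaddress.ip_address(a) for a in static_in_use}:
        # Assumed wording: two static rules must not map to the same address
        return f"Address {candidate} is already used by another static NAT rule."
    return None


def plan_outside_static(first, last, next_hop, interface_name, interface_ip,
                        object_name, static_in_use=()):
    """Pick the highest free address (as the answer did with .245 and .85) and
    return (address, config lines) or (None, []) when the pool is fully used.
    The real-server object AEJ is the one from the thread; object_name is assumed."""
    free = unused_addresses(first, last, [next_hop, interface_ip, *static_in_use])
    for addr in reversed(free):
        if validate_static_nat(addr, interface_name, interface_ip, static_in_use) is None:
            config = [
                f"object network {object_name}",
                f" host {addr}",
                f"nat (DMZ,{interface_name}) source static AEJ {object_name}",
            ]
            return addr, config
    return None, []


if __name__ == "__main__":
    # Outside figures as stated in the accepted answer
    print(unused_addresses("72.252.249.241", "72.252.249.246",
                           ["72.252.249.241", "72.252.249.246"]))
    # The overlap the asker ran into on Outside2
    print(validate_static_nat("208.131.168.85", "Outside2", "208.131.168.85", []))
    addr, lines = plan_outside_static("72.252.249.241", "72.252.249.246",
                                      "72.252.249.241", "Outside",
                                      "72.252.249.246", "AEG-Outside")
    print(addr)
    print("\n".join(lines))
```

Running the check against the running config's interface addresses and existing `nat ... source static` lines before pasting a new rule avoids the "NAT Policy is not downloaded" round trip; the ASA rejects the overlap anyway, but the pre-check tells you which address to pick instead.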
 

Author Comment

by:ashdennis
ID: 38838237
1.  nat (DMZ,Outside2) source static AEJ AEJ-Outside2
ERROR: Address 208.131.168.85 overlaps with Outside2 interface address.
ERROR: NAT Policy is not downloaded

Similar error for the (DMZ,Outside)


2. nat (DMZ,outside) source static AEJ AEG-Outside service AEJ_10000 AEJ_10000 description AEJ DMZ Pharmacy project

nat (DMZ,outside) source static AEJ AEJ-Outside service AEJ_$
ERROR: Address 72.252.249.245 overlaps with Outside interface address.
ERROR: NAT Policy is not downloaded

3. Switched it around
nat (Outside2,DMZ) source static AEJ AEJ-Outside2
Nat was created but unable to access the device via port 10000

4. What's the full command for
mo service tcp destination eq 10000
 tcp/10000/Default Range
0
 

Author Comment

by:ashdennis
ID: 38838782
The attached file actually works.

I want to tweak it with the static; somehow something is missing for the static.

Also take a look at access lists outside_in and outside2_in.
asaconfig2.txt
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38838926
There is no ACL outside_in.

You might find it useful to use the packet tracer in ASDM for "debugging" the problem that you experienced with the static NAT.
0
 

Author Comment

by:ashdennis
ID: 41572988
Replace putty-ASA.log.txt with asaconfig2.txt.
0
