Solved

Portmap translation error/PAT pool exhausted.

Posted on 2013-01-29
Last Modified: 2016-04-30
I keep getting the following errors in the ASA firewall.

PAT pool exhausted. Unable to create TCP connection
portmap translation creation failed for tcp src Outside (public source) dst DMZ(ASA public IP address)
I suspect this is related to my existing NAT configuration.

What I want to achieve is for external connections to either Outside interface ('Outside' and 'Outside2') to be translated to the DMZ interface in a secure way.

How can I achieve this?
asaconfig2.txt
Question by:ashdennis
9 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38834802
As you have removed critical parts from the config rather than sanitizing it, it is difficult to suggest specific improvements; however, you appear to be using dynamic NAT to go from outside and outside2 to DMZ, and usually this would be done with static NAT.

To reduce the issue of NAT exhaustion, and presuming that you have more than one public IP address on your external interfaces, I would suggest not using the interface address for all rules, but rather specifying an address for the inbound rules (after converting them to static rules), and splitting the outbound rules up to also use different addresses.
 

Author Comment

by:ashdennis
ID: 38835354
OK, I will re-upload the configs; mostly the domain name was removed.
I will re-upload the configs for further review. At this point this is blocking or preventing external connections.
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38835405
Run "clear xlate" as a temporary fix, but how long it lasts will depend on how much traffic you have.
 

Author Comment

by:ashdennis
ID: 38837546
New file uploaded. The clear xlate command is executed by default every time NAT is updated or changed.

What is the static NAT we can use?
asaconfig2.txt
 
LVL 37

Accepted Solution

by:
ArneLovius earned 315 total points
ID: 38837750
On Outside, you have the range 72.252.249.241 to 72.252.249.246; .241 is the next hop, which leaves you with .242 to .246; .246 is the interface, which leaves you with .242 to .245 as unused addresses.

On Outside2, you have the range 208.131.168.81 to 208.131.168.86; 208.131.168.81 is the next hop, which leaves you with .82 to .86; .82 is the router, which leaves you with .83 to .86 as unused addresses.


To change the two inbound dynamic NAT rules to static rules and move them from the interface to an unused IP address:

Create the two objects for the external addresses:

object network AEG-Outside
 host 72.252.249.245
object network AEJ-Outside2
 host 208.131.168.85


Deactivate the dynamic NAT rules:

nat (Outside2,DMZ) source dynamic any interface destination static interface AEJ inactive
nat (Outside,DMZ) source dynamic any interface destination static interface AEJ service AEJ_10000 AEJ_10000 inactive description AEJ DMZ Pharmacy project


Create the new NAT rules:

nat (DMZ,Outside2) source static AEJ AEJ-Outside2
nat (DMZ,outside) source static AEJ AEG-Outside service AEJ_10000 AEJ_10000 description AEJ DMZ Pharmacy project


You might need to change the service description:

object service AEJ_10000
 mo service tcp destination eq 10000
 tcp/10000/Default Range


You will need to modify your external "clients" to connect to the new addresses. Presumably, as you have two addresses, you are using failover DNS, so you could modify one interface at a time and fail over the DNS as required.
 

Author Comment

by:ashdennis
ID: 38838237
1.  nat (DMZ,Outside2) source static AEJ AEJ-Outside2
ERROR: Address 208.131.168.85 overlaps with Outside2 interface address.
ERROR: NAT Policy is not downloaded

Similar error for the (DMZ,Outside)


2. nat (DMZ,outside) source static AEJ AEG-Outside service AEJ_10000 AEJ_10000 description AEJ DMZ Pharmacy project

nat (DMZ,outside) source static AEJ AEJ-Outside service AEJ_$
ERROR: Address 72.252.249.245 overlaps with Outside interface address.
ERROR: NAT Policy is not downloaded

3. Switched it around:
nat (Outside2,DMZ) source static AEJ AEJ-Outside2
NAT was created but unable to access the device via port 10000.

4. What's the full command for
mo service tcp destination eq 10000
 tcp/10000/Default Range
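The "overlaps with ... interface address" rejection reported above, and the unused-address arithmetic from the accepted answer, can be checked against a running config before the NAT commands are typed in. The script below is an added example, not from the thread or from Cisco; the config fragment is constructed, and the interface addresses in it are assumptions chosen so that AEJ-Outside2 reproduces the Outside2 overlap error.

```python
# Added pre-flight checks for an ASA static NAT change (not from the thread).
# SAMPLE_CONFIG is constructed; its interface addresses are assumptions.
import ipaddress
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 ip address 72.252.249.246 255.255.255.248
interface GigabitEthernet0/1
 nameif Outside2
 ip address 208.131.168.85 255.255.255.248
object network AEG-Outside
 host 72.252.249.245
object network AEJ-Outside2
 host 208.131.168.85
"""

def parse_interfaces(cfg):
    """Map nameif -> IPv4Interface from each 'interface' block."""
    result, nameif, addr = {}, None, None
    for line in cfg.splitlines() + ["interface END"]:  # sentinel flushes the last block
        if line.startswith("interface "):
            if nameif and addr:
                result[nameif] = addr
            nameif, addr = None, None
        elif m := re.match(r"\s+nameif (\S+)", line):
            nameif = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return result

def parse_host_objects(cfg):
    """Map object name -> IPv4Address for 'object network X' / ' host Y'."""
    objs, name = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            name = m.group(1)
        elif name and (m := re.match(r"\s+host (\S+)", line)):
            objs[name] = ipaddress.IPv4Address(m.group(1))
    return objs

def interface_overlaps(cfg):
    """(object, nameif) pairs whose host equals an interface IP: the ASA rejects these."""
    ifaces = parse_interfaces(cfg)
    return sorted((obj, nameif) for obj, host in parse_host_objects(cfg).items()
                  for nameif, iface in ifaces.items() if host == iface.ip)

def unused_public_addresses(network, *in_use):
    """Usable hosts of a public range minus the next hop / interface / router addresses."""
    taken = {ipaddress.IPv4Address(a) for a in in_use}
    return [str(h) for h in ipaddress.IPv4Network(network, strict=False).hosts()
            if h not in taken]
```

Run interface_overlaps() on the real "show running-config" output before applying the static rules; any pair it returns will fail with the NAT policy error shown above, and unused_public_addresses() lists the remaining candidates for the host objects.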
 

Author Comment

by:ashdennis
ID: 38838782
The attached file actually works.

I want to tweak it with the static. Somehow something is missing for the static.

Also take a look at access lists outside_in and outside2_in.
asaconfig2.txt
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38838926
There is no ACL outside_in.

You might find it useful to use the packet tracer in ASDM for "debugging" the problem that you experienced with the static NAT.
 

Author Comment

by:ashdennis
ID: 41572988
Replace putty-ASA.log.txt with asaconfig2.txt.
