615 Views, 0 Helpful, 5 Replies

Portmap translation creation failed on internal network.

exonetinf1nity
Level 1

Greetings, in response to a similar post I'm currently suffering from the above as depicted in the attached diagram and the config below.

Now I'm fully aware that Cisco suggest not using the ASA for inter-VLAN routing, but traffic between subnets is minimal and I don't have access to a L3 switch.

As you can see, when I try to move traffic between subnets, which are all directly connected networks, I receive the above message. All sub-interfaces are configured on e0/1, which is connected to a trunk port on a 2960G.

I can ping devices on all subnets from the ASA and from the switch within my own VLAN; I'm just baffled as to why, when pointing my laptop at the ASA inside interface for the particular subnet, it can find a destination for the packet.

Any help would be greatly appreciated.

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address ***.**.***.** 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no ip address
!
interface Ethernet0/1.101
 vlan 101
 nameif access
 security-level 100
 ip address 172.29.255.1 255.255.255.0
!
interface Ethernet0/1.102
 vlan 102
 nameif voice
 security-level 100
 ip address 172.28.255.1 255.255.255.0
!
interface Ethernet0/1.103
 vlan 103
 nameif branch
 security-level 100
 ip address 172.27.255.1 255.255.255.0
!
interface Ethernet0/1.104
 vlan 104
 nameif remote
 security-level 100
 ip address 172.26.255.1 255.255.255.0
!
interface Ethernet0/1.998
 vlan 998
 nameif guest
 security-level 25
 ip address 172.30.255.1 255.255.255.0
!
interface Ethernet0/1.999
 vlan 999
 nameif mgmt
 security-level 100
 ip address 172.31.255.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
same-security-traffic permit inter-interface

Regards

2 Accepted Solutions (husycisco's first and second replies in the thread below)

5 Replies

husycisco
Level 7

Hi Mark,

By default in PIX and ASA firewalls, a command called nat-control is enabled, and not visible by default when you issue show run.

This command brings the obligation of defining NAT and global statements for each interface or subnet. This behaviour is unlike a router, and surprises Routing & Switching experts at first :)

Either issue no nat-control, or issue nat statements. Here is an example.

Let's say that your laptop is in VLAN 103 and wants to reach VLAN 101. Then you need the following statements.

nat (branch) 1 0 0
global (access) 1 interface

This will make your laptop talk to the access VLAN, but the source address is translated into 172.29.255.1.

Or if you like, you can write exempt NAT rules with either nat or static statements. Let me know how you want your connectivity between VLANs.

A suggestion: do not assign a security level of 100 to all interfaces, which means the most secure. You may have more important interfaces to secure from all these VLANs in future. For example, make them all 80.

Regards

That's brilliant, thank you very much!

I would prefer to keep the source address the same between subnets though, as such the exempt statements would be required, but I think just turning off nat-control would solve my problems as the internal subnets are part of a demo suite I'm building.

I'll take your advice in regards to the interface security levels also.

Regards

You are welcome Mark.

Now I will write some ways; choose whichever you want.

static (access,branch) 172.29.255.0 172.29.255.0 netmask 255.255.255.0

By the above statement, any client on the branch interface can directly connect to a client's IP in 172.29.255.0/24.

static (branch,access) 172.27.255.0 172.27.255.0 netmask 255.255.255.0

By the above statement, any client on the access interface can directly connect to a client's IP in 172.27.255.0/24.

If you want to keep the source address the same between subnets for all interfaces, the above method will be least preferred since you will have to type many static statements.

Here is another one:

access-list exempt_nat0_outbound permit ip 172.29.255.0 255.255.255.0 172.27.255.0 255.255.255.0
access-list exempt_nat0_outbound permit ip 172.27.255.0 255.255.255.0 172.29.255.0 255.255.255.0
nat (access) 0 access-list exempt_nat0_outbound
nat (branch) 0 access-list exempt_nat0_outbound

The above also requires too much typing; maybe the following works:

access-list exempt_nat0_outbound permit ip 172.24.0.0 255.248.0.0 172.24.0.0 255.248.0.0
nat (access) 0 access-list exempt_nat0_outbound
nat (branch) 0 access-list exempt_nat0_outbound
nat (voice) 0 access-list exempt_nat0_outbound
nat (remote) 0 access-list exempt_nat0_outbound

Or you can simply issue no nat-control as you mentioned. I just wanted to inform you how you can do this specifically.

Regards
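As an added worked example covering both of husycisco's replies above (this is not code from the original post, and not taken from Cisco documentation), here is the complete pre-8.3 NAT set this topology needs if nat-control is left enabled: one exemption ACL that covers every internal /24, nat 0 on each internal sub-interface, the dynamic PAT that Internet-bound traffic still needs, and the commands that show whether nat-control is in force and whether a given flow finds a translation. The ACL name nat0_internal and the host addresses used in the packet-tracer lines are assumptions; the outside address is left as the masked value in the post by using the interface keyword.

```cisco
! nat-control is hidden from a plain "show run"; this shows whether it is on.
show running-config nat-control

! Option A: remove the requirement. Traffic that matches no nat/static
! rule is then forwarded untranslated, as a router would do.
no nat-control

! Option B: keep nat-control and exempt inter-VLAN traffic from translation.
! 172.24.0.0/13 spans 172.24.0.0 - 172.31.255.255, which contains every
! internal /24 in the post (172.26.x through 172.31.x) and leaves room
! for more VLANs without touching the ACL. (ACL name is an assumption.)
access-list nat0_internal extended permit ip 172.24.0.0 255.248.0.0 172.24.0.0 255.248.0.0

nat (access) 0 access-list nat0_internal
nat (voice)  0 access-list nat0_internal
nat (branch) 0 access-list nat0_internal
nat (remote) 0 access-list nat0_internal
nat (guest)  0 access-list nat0_internal
nat (mgmt)   0 access-list nat0_internal

! Internet-bound traffic still needs a dynamic rule. Listing the exact
! subnet rather than "0 0" keeps the rule tied to the interface it sits on.
! The nat 0 access-list exemption is matched before these, so inter-VLAN
! flows never reach the PAT rule. mgmt is deliberately left without one.
nat (access) 1 172.29.255.0 255.255.255.0
nat (voice)  1 172.28.255.0 255.255.255.0
nat (branch) 1 172.27.255.0 255.255.255.0
nat (remote) 1 172.26.255.0 255.255.255.0
nat (guest)  1 172.30.255.0 255.255.255.0
global (outside) 1 interface

! Verification (host addresses are assumptions). With the exemption in
! place the branch-to-access trace should pass the NAT phase as exempt
! and end in ALLOW; without it the trace stops at the NAT phase.
packet-tracer input branch icmp 172.27.255.10 8 0 172.29.255.10
packet-tracer input branch tcp 172.27.255.10 1025 172.29.255.10 22
show xlate
```

Two points worth keeping in mind with either option. First, nat 0 (and no nat-control) only removes the translation requirement; whether a flow is permitted is still decided by security levels and interface ACLs. Second, the posted config has same-security-traffic permit inter-interface with access, voice, branch, remote and mgmt all at level 100, so once translation stops failing those five VLANs can reach each other with no ACL at all. If voice and mgmt are meant to be isolated, apply an access-group to those sub-interfaces (or lower their levels, as husycisco suggests) rather than relying on NAT to block traffic.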

I'm routinely impressed by the quality and depth of replies posted on these forums, and this is up there with the best of them; consider this one saved for future reference.

Thank you once again.

Regards

You are welcome :)
