NAT problems - ASA 5540

Tauer Drumond
Level 1

Hi everybody,

I'm getting a serious problem on my ASA 5540.

I've configured a NAT pool range (10.10.10.2-10.10.10.4) to access a remote network.

This pool contains 3 IP addresses, and only 3 hosts on my internal network can access the remote network.

When a 4th host tries to access the remote network, the ASA shows me the following error: "Err 3 - port map translation creation failed for....src LAN:x.x.x.x dst WAN:x.x.x.x (type 8, code 0)"

What should I do to solve the problem?

I've got to use this range this way.

Thanks

Tauer

6 Replies

acomiskey
Level 10

Typically you would create a global entry for all the other hosts that don't get an address from the nat pool.

global (outside) 1 x.x.x.x

nat (inside) 1 0 0

Hi,

Today I have the following:

global (WAN) 8 10.10.10.2-10.10.10.4 netmask 255.255.255.0

nat (LAN) 8 access-list LAN_pnat_outbound_V4

access-list LAN_pnat_outbound_V4 extended permit ip any host 10.10.20.1 (this IP is a server on the remote network)

What is wrong or what should I do to fix it?

Can you send an example?

Thanks

Tauer

The nat pool is being exhausted. You need to add another address to the pool or use one of the addresses for dynamic PAT.

access-list LAN_pnat_outbound_V4 extended permit ip any host 10.10.20.1

access-list dynamic_pat_outbound extended permit ip any host 10.10.20.1

global (WAN) 8 10.10.10.2-10.10.10.3 netmask 255.255.255.255

global (WAN) 10 10.10.10.4

nat (LAN) 8 access-list LAN_pnat_outbound_V4

nat (LAN) 10 access-list dynamic_pat_outbound

Is this configuration telling the ASA to NAT all my internal hosts to 10.10.10.2 and 10.10.10.3 and 10.10.10.4?

If not...how will the ASA work with this configuration?

Thanks and sorry...

I have many difficulties with this kind of configuration.

Tauer

When using a pool of addresses, it is first come, first served.

global (WAN) 8 10.10.10.2-10.10.10.4 netmask 255.255.255.0

So the first host inside will be assigned 10.10.10.2, the 2nd will be assigned 10.10.10.3, the 3rd will be assigned 10.10.10.4. When the 4th host attempts to go out there are no addresses left in the pool for them. This is your issue. So you must add addresses to the pool if you have them or you must PAT (not NAT) the other connections to another address. Or take an address from the pool and use that for PAT. Does that make sense?
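
The allocation behaviour described in this answer, as an added Python sketch (not part of the original post and not Cisco code): a simplified model of a first-come, first-served pool with an optional PAT address. The inside host addresses, the starting PAT port and the sequential port assignment are assumptions made for the illustration.

```python
import ipaddress

class DynamicNat:
    """Simplified model of the pool described above; not ASA code."""

    def __init__(self, first, last, pat_address=None):
        lo = int(ipaddress.ip_address(first))
        hi = int(ipaddress.ip_address(last))
        self.free = [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]
        self.pat_address = pat_address
        self.next_port = 1024   # assumed first PAT port (constructed value)
        self.xlates = {}        # inside host -> pool address, one-to-one
        self.pat_xlates = {}    # (inside host, source port) -> (PAT address, port)

    def translate(self, host, sport):
        """Return (mapped address, mapped port), or None if no translation fits."""
        if host in self.xlates:              # host already owns a pool address
            return self.xlates[host], sport
        if self.free:                        # first come, first served
            self.xlates[host] = self.free.pop(0)
            return self.xlates[host], sport
        if self.pat_address is None:         # pool exhausted and no PAT fallback
            return None
        key = (host, sport)
        if key not in self.pat_xlates:
            if self.next_port > 65535:       # PAT ports can run out as well
                return None
            self.pat_xlates[key] = (self.pat_address, self.next_port)
            self.next_port += 1
        return self.pat_xlates[key]

    def release(self, host):
        """Model a translation timing out: its address goes back to the pool."""
        addr = self.xlates.pop(host, None)
        if addr is not None:
            self.free.append(addr)
            self.free.sort(key=ipaddress.ip_address)

def first_flows(nat, hosts, sport=40000):
    """Translate one flow per inside host, in arrival order."""
    return [nat.translate(h, sport) for h in hosts]

# Constructed inside hosts; the 10.10.10.x pool is the one from the thread.
HOSTS = ["192.168.1.11", "192.168.1.12", "192.168.1.13", "192.168.1.14"]

if __name__ == "__main__":
    print(first_flows(DynamicNat("10.10.10.2", "10.10.10.4"), HOSTS))
    print(first_flows(DynamicNat("10.10.10.2", "10.10.10.3", "10.10.10.4"), HOSTS))
```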

Yes, it does.

I've tested it and it works like you said. So I've got to adapt my environment to this.

Thank you so much

Tauer
