ASA problem - portmap translation

Tauer Drumond · ‎10-06-2008

Hi all,

I have the following configuration:

!

interface GigabitEthernet0/3.11

vlan 2

nameif CLIENT

security-level 0

ip address 172.18.0.1 255.255.255.0

!

access-list LAN_pnat_outbound_V15 extended permit ip any host 192.168.0.10

!

global (LAN-NETSERVICES) 2 interface

!

nat (LAN) 11 access-list LAN_pnat_outbound_V15

When I try to access the ip 192.168.0.10, the ASA shows me the message: "portmap translation creation failed for tcp src LAN:10.10.10.50/3684 CLIENT: 192.168.0.10/80"

I think its all configured properly, and I dont know whats is happening.

I dont know what to do anymore...

Please help me

Thanks

Tauer

suschoud · ‎10-06-2008

The error tells me that 192.168.0.10 lie on " CLIENT " interface.

Put a global for client interface.

global (CLIENT) interface.

Should work.

Do rate helpful posts.

Regards,

Sushil

acomiskey · ‎10-06-2008

Don't forget the '11'.

global (CLIENT) 11 interface

Tauer Drumond · ‎10-06-2008

interface GigabitEthernet0/3.11

vlan 2

nameif CLIENT

security-level 0

ip address 172.18.0.1 255.255.255.0

!

access-list LAN_pnat_outbound_V15 extended permit ip any host 192.168.0.10

!

global (CLIENT) 11 interface

!

nat (LAN) 11 access-list LAN_pnat_outbound_V15

and its NOT working...

please help

Tauer Drumond · ‎10-06-2008

I can NAT on others interfaces, with anothers pools....

I think i got to clear somethings, or restart any services, because, everything is right....

i did a lot of things and nothing solve this...

Thanks

suschoud · ‎10-06-2008

Issue :

cl xlate

cl local

Regards,

Sushil

Tauer Drumond · ‎10-06-2008

Hi,

I put the command cl xlate, but its still not working.

I'm afraid to issue the command "cl local". What will this command do? Will it to erase some configuration?

Thanks

Tauer

Tauer Drumond · ‎10-06-2008

Hi...

I would some clarify, if its possible.

I have the configuration:

interface GigabitEthernet0/3.12

vlan 3

nameif PARTNER

security-level 0

ip address 172.16.0.1 255.255.255.0

!

access-list LAN_pnat_outbound_V13 extended permit ip 172.18.0.0 255.255.255.0 any

!

global (PARTNER) 3 interface

!

nat (LAN) 3 access-list LAN_pnat_outbound_V13

With this configuration, I NAT all IP within network 172.18.0.0 255.255.255.0, to any address on interface PARTNER. This is working fine

########################################

but...

I have the configuration:

interface GigabitEthernet0/3.11

vlan 2

nameif CLIENT

security-level 0

ip address 172.20.0.1 255.255.255.0

!

access-list LAN_pnat_outbound_V15 extended permit ip 172.18.0.0 255.255.255.0 any

!

global (CLIENT) 11 interface

!

nat (LAN) 11 access-list LAN_pnat_outbound_V15

This suppose to NAT all address on network 172.20.0.0 255.255.255.0 to any address on interface CLIENT.

This is not working.

###########################################

The questio is:

When I "show runn" the ASA shows me:

nat (LAN) 3 access-list LAN_pnat_outbound_V13

nat (LAN) 11 access-list LAN_pnat_outbound_V15

So...I tried to change the order and put:

nat (LAN) 11 access-list LAN_pnat_outbound_V15

nat (LAN) 3 access-list LAN_pnat_outbound_V13

AND it WORKED...i just do that.

I just change the order

Now please, tell me: WHY? WHY?

Why when I chenge the order the NAT works properly?

Thanks

Tauer