FWSM-3-305006: portmap translation creation failed

Unanswered Question
Oct 9th, 2008


I have just installed a pair of FWSMs in two different Catalyst 6509s in HA mode.

I left every access-list completely opened for test purposes. The stations connected to any inside interface can communicate with any other inside or outside station.

The problem is that it is not possible to ping any FWSM inside interface from any station located outside. Every time a ping fails, the FWSM log is appended with a message like this:

Oct 09 2008 12:26:21: %FWSM-3-305006: portmap translation creation failed for icmp src outside: dst Subnet198: (type 8, code 0)

Unlike FWSM interfaces, when the outside station pings any inside station, it works.

I think that I have all these items well defined:

- Static routing at both the FWSM and the Catalysts.

- Icmp permit any for every interface.

- The command same-security-traffic permit inter-interface is present.

- Access-lists completely opened and applied to every interface.

The documentation states that the 305006 could be related to some static translations. But I was unable to overcome the problem by modifying the translations repeatedly.

I would be very grateful to anyone that could give any clue about this.

albert_coll Thu, 10/09/2008 - 08:54

I post a sample of the configuration. (Names and ip numbers are different for privacy):

FWSM-SF/FWSM-1023# show run
: Saved

FWSM Version 3.2(5)

hostname FWSM-1023
enable password xxxxxxxxxxxxxx encrypted

interface Vlan225
 nameif Subnet197
 security-level 95
 ip address standby

interface Vlan405
 nameif Subnet201
 security-level 95
 ip address standby

interface Vlan445
 nameif outside
 security-level 0
 ip address standby

passwd xxxxxxxxxxxxxxx encrypted
same-security-traffic permit inter-interface
access-list Subnet197_in extended permit icmp any any
access-list Subnet197_in extended permit ip any any
access-list Subnet201_in extended permit icmp any any
access-list Subnet201_in extended permit ip any any
access-list outside_in extended permit icmp any any
access-list outside_in extended permit ip any any
no pager
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging history warnings
logging asdm debugging
mtu Subnet197 1500
mtu Subnet201 1500
mtu outside 1500
icmp permit any Subnet197
icmp permit any Subnet201
icmp permit any outside
no asdm history enable
arp timeout 14400

static (Subnet197,outside) netmask
static (Subnet201,outside) netmask
access-group Subnet197_in in interface Subnet197
access-group Subnet201_in in interface Subnet201
access-group outside_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
snmp-server location
snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global

: end

Syed Iftekhar Ahmed Thu, 10/09/2008 - 10:32

What you are trying to achieve (to ping the inside interface for an FWSM context from the outside) is not possible by design.

You can use the management-access command and ping the inside interface from the outside only if you are coming across an IPSEC tunnel.

Syed Iftekhar Ahmed
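
A triage sketch for the situation in this thread, added here as an example and not code from either poster or from Cisco: it parses 305006 lines and separates pings aimed at the FWSM's own far-side interface (the case the reply above describes as not possible by design) from failures toward hosts behind it, where the translation rules are worth checking. The interface addresses and log lines are constructed, because the posted configuration has its addresses removed, and the `src ifc:addr dst ifc:addr` layout is assumed from the message quoted in the first post.

```python
import ipaddress
import re

# Constructed nameif -> FWSM interface address table (documentation ranges);
# the configuration posted in the thread has its real addresses removed.
FWSM_INTERFACES = {
    "Subnet197": ipaddress.ip_address("192.0.2.1"),
    "Subnet201": ipaddress.ip_address("198.51.100.1"),
    "outside": ipaddress.ip_address("203.0.113.1"),
}

# Constructed log lines in the shape of the message quoted in the first post.
SAMPLE_LOG = """\
Oct 09 2008 12:26:21: %FWSM-3-305006: portmap translation creation failed for icmp src outside:203.0.113.50 dst Subnet197:192.0.2.1 (type 8, code 0)
Oct 09 2008 12:26:25: %FWSM-3-305006: portmap translation creation failed for icmp src outside:203.0.113.50 dst Subnet201:198.51.100.20 (type 8, code 0)
Oct 09 2008 12:27:02: %FWSM-3-305006: regular translation creation failed for icmp src Subnet197:192.0.2.30 dst outside:203.0.113.1 (type 8, code 0)
Oct 09 2008 12:27:40: %FWSM-6-302020: unrelated line that must be skipped
"""

LINE_RE = re.compile(
    r"%FWSM-3-305006: (?P<kind>[\w ]+?) translation creation failed for "
    r"(?P<proto>\S+) src (?P<sif>[^:\s]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)(?:/\d+)?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?"
)

def triage(line, interfaces=FWSM_INTERFACES):
    """Classify one 305006 line; return None for any other message."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    dst = ipaddress.ip_address(m["dst"])
    # Destination is the firewall's own address on an interface other than
    # the one the packet arrived on: the case the reply calls "by design".
    far_side = interfaces.get(m["dif"]) == dst and m["sif"] != m["dif"]
    return {
        "src": f'{m["sif"]}:{m["src"]}',
        "dst": f'{m["dif"]}:{dst}',
        "icmp_echo": m["proto"] == "icmp" and m["type"] == "8",
        "verdict": "far-side-interface" if far_side else "check-translation-rules",
    }

def triage_log(text, interfaces=FWSM_INTERFACES):
    """Return the classification of every 305006 line in a log excerpt."""
    rows = (triage(line, interfaces) for line in text.splitlines())
    return [row for row in rows if row is not None]

if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(row)
```
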

albert_coll Thu, 10/09/2008 - 11:09

Thank you for your reply.

I was not aware of the inability to ping from an outside station to any inside FWSM interface, even with the access-lists completely opened.

Kind regards.

