PAT Failing for hosts on inside LAN - Shouldn't be hitting ASA at all...

Unanswered Question
Oct 17th, 2008

We have a very simple network, which is done the following way:

ASA 5505 > Cisco 3550 > End-User PC's AND One Windows Server

The on-site users constantly access the server for apps such as Exchange. Creating these connections should NEVER involve the ASA (it should stay strictly layer 2, we only have one vlan).

For the past couple months, we have gotten complaints that users are constantly getting disconnected from Outlook, and having problems logging on in the mornings (establishing network connections taking upwards of 30 seconds).

We couldn't see ANYTHING odd happening, until we began looking at syslog this morning:

%ASA-3-305006: portmap translation creation failed for tcp src inside: dst inside:

Apparently inside hosts are somehow hitting the ASA and its trying to PAT them? Anyone have any insight into this?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
tylerlucas Fri, 10/17/2008 - 13:07

As a side note, this seems to be happening for multiple users on this network. The thing I find the most odd is that this traffic is even hitting the firewall, shouldn't the switch have passed it off prior to it making it to the ASA?

Jon Marshall Fri, 10/17/2008 - 14:37


First most obvious thing to check are the subnet masks on the client devices. Do they all have consistent subnet masks and are they using the same subnet mask as the server ?


tylerlucas Fri, 10/17/2008 - 15:22

Thanks for the reply, Jon.

We have DHCP enabled on the server,, and it hands out information to all host PC's.

I have checked several, and they all have the same mask (/24).

I will be happy to answer any other questions you may have to get this resolved :)

Thanks again,


Marwan ALshawi Fri, 10/17/2008 - 16:49

as long as u use only local networking between users and server

then u need to narrow the problem between them

try to check if u can ping the server

if port 25 for example reachable from the clients

then check the outlook setting if the server IP and port are setted correctly

because generally when the client see an ip in in diifrent network it will send the packet to its defualt gateway which in ur case should be the ASA

good luck


This Discussion