ASA-3-305006 Portmap translation creation failed.....

highmiles2
Level 1

Hello and thank you in advance for any assistance you may provide.

My logs register error message ASA-3-305006:

portmap translation creation failed for icmp src Inside:Netmon dst CCIB-DMZ:10.66.65.100 (type 8, code 0).

I also receive a similar message when I attempt to HTTP to the same destination. Simply, the ASA is not attempting to NAT.

My pool ID is 4. I originally had pool ID 20 but later changed it to 4. I currently have another active pool (5) and it is working perfectly! I am unable to figure out why this one is failing.

My config:

name 10.66.0.0 CCIB_Apps
name 172.16.50.11 Netmon
object-group network CitrixUser
description Citrix User
network-object 172.16.50.0 255.255.255.0
!
interface GigabitEthernet0/2.10
description CCIB/Techcom DMZ
vlan 60
nameif CCIB-DMZ
security-level 75
ip address 10.200.60.1 255.255.255.252
interface GigabitEthernet0/3
description Inside Networks
speed 1000
duplex full
nameif Inside
security-level 100
ip address 10.30.4.10 255.255.255.0 standby 10.30.4.11
!
access-list Inside_nat_static extended permit ip host David_Bagarozza host CCIL
access-list Inside_nat_static_1 extended permit ip host Lee host CCIL
access-list Inside_nat_static_2 extended permit ip host Sohail_PC host PersonVUE_CMS
access-list Inside_nat_static_3 extended permit ip host Stephen_Blair host CCIL
access-list Inside_nat_static_4 extended permit ip host Stephen_Blair host CCIL
access-list Inside_nat_outbound extended permit ip object-group CitrixUser CCIB_Apps 255.255.0.0
access-list Inside_nat_outbound_2 extended permit ip 172.16.0.0 255.255.0.0 any
access-list CCIB-DMZ_access_in extended permit ip CCIB_Apps 255.255.0.0 host 10.200.60.1 inactive
nat-control
global (Outside) 20 10.200.50.1-10.200.50.254 netmask 255.255.255.0
global (Outside) 10 216.13.12.34 netmask 255.255.255.0
global (ACSR-DMZ) 5 interface
global (CCIB-DMZ) 4 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (Guest-DMZ) 10 access-list Guest-DMZ_nat_outbound
nat (Webserv-DMZ) 0 access-list Webserv-DMZ_nat0_outbound
nat (Webserv-DMZ) 10 0.0.0.0 0.0.0.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 5 access-list Inside_nat_outbound_2
nat (Inside) 4 access-list Inside_nat_outbound
nat (Inside) 20 172.16.50.0 255.255.255.0
static (Inside,Outside) NAT_CMS access-list Inside_nat_static_2
static (Inside,Outside) 10.200.51.1 access-list Inside_nat_static
static (Inside,Outside) 10.200.51.2 access-list Inside_nat_static_1
static (Inside,Outside) 10.200.51.3 access-list Inside_nat_static_4
access-group Outside_access_in in interface Outside
access-group Webserv-DMZ_access_in in interface Webserv-DMZ
access-group ACSR-DMZ_access_in in interface ACSR-DMZ
access-group Inside_access_in in interface Inside
access-group CCIB-DMZ_access_in in interface CCIB-DMZ
access-group Inside_access_in in interface Inside
access-group CCIB-DMZ_access_in in interface CCIB-DMZ
route CCIB-DMZ CCIB_Apps 255.255.0.0 10.200.60.2 1

Thanks again.

7 Replies

Farrukh Haroon
VIP Alumni

The problem could be related to the order in selecting the real IPs in Dynamic NAT. Are you sure this traffic is matching nat-id 4 and not 5?

Even though technically it should match 4 (as its ACL is more specific).

You can try running the packet-tracer command to see the exact flow and error.

Regards

Farrukh

Hi Farrukh,

This is interesting! I ran the packet tracer and the packet was dropped. Here is the trace from Inside to CCIB-DMZ:

FLOW-LOOKUP - Allow
ROUTE-LOOKUP - Allow
ACCESS-LIST - Allow
IP-OPTIONS - Allow
IDS - Allow
FOVER - Allow
VPN - ALLOW
NAT - DROP
RESULT - The packet is dropped

The "Show rule in NAT Rules table" shows:

nat (Inside) 5 access-list Inside_nat_outbound_2
nat control
match ip inside 172.16.0.0 255.255.0.0 CCIB-DMZ any
dynamic translation to pool 5 (no matching global)
translate_hits=2541, untranslated_hits=0

So, you are correct. It is not matching nat id #4...but why? I suspected it had something to do with the order....that is why I moved the nat id from 20 to 4 but was still getting the same results....

How do I fix it?

Do I apply a "global (CCIB-DMZ) 5 interface"?

or fix the nat (inside) 5 172.16.0.0 any to make it more specific? (something like 172.16.50.0/24 205.144.0.0/16).

I've created additional nat entries (2 & 3) but traffic never matched those pool IDs. Do you think there is something related to the order in selecting the real IPs? How is that taking place? I apologize if I am asking too many questions.

Regards,

Suhail Alhaj

Yes, most probably it has something to do with the 'most specific' match NAT rule. Even though technically nat-id 4 is more specific.

You can fix it using both of the methods you mentioned. However the following solution is simpler:

global (CCIB-DMZ) 5 interface

Regards

Farrukh

Great, thanks. I will try it out on Wednesday and let you know the results.

Thanks,

Suhail

Farrukh,

See attached for before and after screenshots of the ASDM. I found that pool id #5 is entry #37 as seen in the ASDM. Pool id #3 and 5 are entries #38 & 39 respectively. The ASA was exempting and applying NAT according to the entries as seen by the ASDM. When I removed entry #37, everything worked fine. I re-applied entry #37 after adjusting the source and destination (..it is entry #36 in the 2nd screenshot).

In a dynamic NAT, a lower pool id number does not necessarily mean it is being processed first. It is actually being processed according to when it was initially created. In my case, pool id #5 was created earlier this year before I created subsequent new pool IDs.

Thanks for your help.

Farrukh,

See attached for before and after screenshots of the ASDM. I found that pool id #5 is entry #37 as seen in the ASDM. Pool id #3 and 4 are entries #38 & 39 respectively. The ASA was exempting and applying NAT according to the entries as seen by the ASDM. When I removed entry #37, everything worked fine. I re-applied entry #37 after adjusting the source and destination (..it is entry #36 in the 2nd screenshot).

My conclusion: In a dynamic NAT, a lower pool id number does not necessarily mean it is being processed first. It is actually being processed according to when it was initially created and applied. In my case, pool id #5 was created 3 months ago, before creating subsequent new pool IDs.

Thanks for your help.

Sohail

The best selection algorithm you describe is correct. I mentioned this earlier (best-match).

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042696

"Regular dynamic NAT (nat)-Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used"

Please rate if helpful.

Regards

Farrukh
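The following is an added simulation, not code from the thread or from Cisco, of the pre-8.3 policy-NAT lookup this thread debugs. It assumes the behaviour the poster observed: policy dynamic NAT rules (nat <id> access-list) are checked in the order the ASDM lists them, the first match wins, and the matched nat id must have a global on the egress interface or the translation fails with ASA-3-305006. The rule and global entries are taken from the posted config; the lookup function and its names are constructed for this example.

```python
import ipaddress

def net(s):
    return ipaddress.ip_network(s)

# Rules in the order the ASDM showed them (the older entry #37 first).
# (ingress interface, nat id, real source, real destination)
NAT_RULES = [
    ("Inside", 5, "172.16.0.0/16", "0.0.0.0/0"),      # Inside_nat_outbound_2
    ("Inside", 4, "172.16.50.0/24", "10.66.0.0/16"),  # Inside_nat_outbound
]
# global commands from the posted config: (egress interface, nat id)
GLOBALS = {("Outside", 20), ("Outside", 10), ("ACSR-DMZ", 5), ("CCIB-DMZ", 4)}

def nat_lookup(ingress, egress, src, dst, rules=NAT_RULES, globals_=GLOBALS,
               nat_control=True):
    """Return (action, nat_id) where action is 'translate', 'drop' or 'no-nat'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for iface, nat_id, rsrc, rdst in rules:
        if iface == ingress and s in net(rsrc) and d in net(rdst):
            if (egress, nat_id) in globals_:
                return ("translate", nat_id)
            # matched a nat id that has no global on this egress interface:
            # "dynamic translation to pool N (no matching global)" -> ASA-3-305006
            return ("drop", nat_id)
    # with nat-control, traffic that matches no NAT rule at all is dropped too
    return ("drop", None) if nat_control else ("no-nat", None)

# The flow from the log: Netmon (172.16.50.11) -> 10.66.65.100 leaving via CCIB-DMZ
FLOW = ("Inside", "CCIB-DMZ", "172.16.50.11", "10.66.65.100")

def original():
    return nat_lookup(*FLOW)

def with_global_fix():
    # Farrukh's suggestion: add "global (CCIB-DMZ) 5 interface"
    return nat_lookup(*FLOW, globals_=GLOBALS | {("CCIB-DMZ", 5)})

def with_reordered_rules():
    # The poster's fix: re-creating entry #37 so the nat 4 rule is listed before it
    return nat_lookup(*FLOW, rules=list(reversed(NAT_RULES)))

if __name__ == "__main__":
    print(original(), with_global_fix(), with_reordered_rules())
```

Running it shows the same result as the packet-tracer: the flow lands on nat id 5, which has no global on CCIB-DMZ, and either fix makes it translate.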
