DMZ and NAT exemption

Unanswered Question
Jun 8th, 2009


I have a problem with one DMZ and port translation:

%ASA-3-305006: portmap translation creation failed for tcp src INSIDE: dst DMZ2:

I'm using NAT exemption, and the following line is in my config:

access-list NONAT line 2 extended permit ip (hitcnt=0) 0xb08b2a3b

From a host on the (, I can't get out. It's trying to route through that interface, but I'm getting the above error. The device in the DMZ is a special device that creates a tunnel to a remote vendor. I'm not sure if they are NATing for me or not. Should I let NAT happen for the subnet to the subnet?

The subnet is the private side of this device.

If so, can I include it in the NAT exemption ACL like this:

permit ip x.x.x.x x.x.x.x y.y.y.y y.y.y

deny ip

permit ip

Would the above hurt anything?


