I have a problem with one DMZ and port translation:
%ASA-3-305006: portmap translation creation failed for tcp src INSIDE:10.128.100.75/1577 dst DMZ2:220.127.116.11/23
I'm using NAT exemption, and the following line is in my config:
access-list NONAT line 2 extended permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0 (hitcnt=0) 0xb08b2a3b
From a host on the 10.128.0.0/16 network (10.128.100.75), I can't get out. It's trying to route through that interface, but I'm getting the above error. The device in the DMZ is a special device that creates a tunnel to a remote vendor. I'm not sure if they are NATing for me or not. Should I let NAT happen for the 10.128.0.0 subnet to the 10.45.127.0 subnet?
The 10.45.127.0 subnet is the private side of this device.
If so, can I include it in the NAT exemption ACL like this:
permit ip x.x.x.x x.x.x.x y.y.y.y y.y.y
deny ip 10.128.0.0 255.255.0.0 10.45.137.0 255.255.255.0
permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0
Would the above hurt anything?