Portmap translation failed

kwillacey · ‎07-14-2009

I have a client that has an ASA that has routes to remote locations that point to another firewall on the LAN. So the clients default to the ASA and then the ASA should route traffic for the remote locations to the other firewall.

This creates the hair pinning issue which is remedied by the 'same-security-traffic permit intra-interface' command.

However the traffic is getting no where and the logs keep giving the portmap translation creation failed message. I have tried a no nat on the inside interface but that does nothing. Does anyone know how to fix this issue.

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.40 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.252

!

interface Ethernet0/0

description Flow Internet Connection

switchport access vlan 2

!

interface Ethernet0/1

description LAN Connection

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit intra-interface

access-list outside_access_in extended permit tcp any host x.x.x.x eq www

access-list outside_access_in extended permit tcp any host x.x.x.x eq 65100

access-list outside_access_in extended permit tcp any host x.x.x.x eq ftp-data

access-list outside_access_in extended permit tcp any host x.x.x.x eq ftp

access-list outside_access_in extended permit tcp any host x.x.x.x eq www

access-list outside_access_in extended permit tcp any host x.x.x.x eq 800

pager lines 24

logging enable

logging timestamp

logging buffered warnings

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface www 192.168.1.35 www netmask 255.255.255.255

static (inside,outside) tcp interface 65100 192.168.1.35 65100 netmask 255.255.255.255

static (inside,outside) tcp interface ftp-data 192.168.1.9 ftp-data netmask 255.255.255.255

static (inside,outside) tcp interface ftp 192.168.1.9 ftp netmask 255.255.255.255

static (inside,outside) x.x.x.x 192.168.1.34 netmask 255.255.255.255

access-group outside_access_in in interface outside

route inside 10.10.3.0 255.255.255.0 10.10.1.4 1

route inside 10.10.4.0 255.255.255.0 10.10.1.4 1

route inside 10.10.7.0 255.255.255.0 10.10.1.4 1

route inside 192.168.2.0 255.255.255.0 10.10.1.6 1

route inside 192.168.10.0 255.255.255.0 10.10.1.6 1

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

kwillacey · ‎07-14-2009

I searched the forum before I posted and I'm still searching to find an answer but I get the feeling that there is no way to fix this problem, no matter which nat rules are used. I'm gonna be red faced at the client tomorrow.

is there a fix???

kwillacey · ‎07-14-2009

pasted the wrong routes

route inside 10.10.3.0 255.255.255.0 192.168.1.10 1

route inside 10.10.4.0 255.255.255.0 192.168.1.10 1

route inside 10.10.7.0 255.255.255.0 192.168.1.10 1

route inside 192.168.2.0 255.255.255.0 192.168.1.10 1

route inside 192.168.10.0 255.255.255.0 192.168.1.10 1

kwillacey · ‎07-14-2009

Finally got the following commands to fix the problem, i am no ASA expert but I think it had something to do with return traffic going directly to the host instead of through the ASA so when the client replies the ASA was unable to find a translation.

global (inside) 1 interface

static (inside,inside) 10.10.3.0 10.10.3.0 netmask 255.255.255.0

static (inside,inside) 10.10.4.0 10.10.4.0 netmask 255.255.255.0

static (inside,inside) 10.10.7.0 10.10.7.0 netmask 255.255.255.0

Hope this helps someone in the future.

kwillacey · ‎07-16-2009

Sorry guys spoke too soon traffic only works in one direction and I got the following error and it makes sense.

%ASA-6-106015: Deny TCP (no connection) from 10.10.1.19/3389 to 10.10.3.2/49159 flags SYN ACK on interface inside

If a client from the head office initiates a connection to a remote location the traffic has to go through the firewall and based on the configuration the firewall would send the request using it's IP address so the return traffic would have to be sent back to the firewall.

However if the traffic is initiated from the remote location (which it should be), it will go directly to the host because the router is on the same LAN as the host and would not need to send that traffic to the firewall so when the hosts responds and sends the traffic to the firewall it will deny it because it had no prior connection built. This is the default behaviour of the firewall and as far as I am concerned there is no way around it.

A layer 3 switch or making the router the gateway or connecting the router to the ASA on a different VLAN are the only ways to alleviate this problem in my opinion. Any ASA expert care to weigh in?