FWSM interface access

Unanswered Question
Sep 23rd, 2009

Hi Experts,

I have two sites, Site A: MNMCDEL and Site B: NNMCCNI. See the attached diagrams of both sites.

Both sites are connected using MPLS. I have one interface called MPLS on both firewalls and they are able to ping each other (192.168.1.114 in Site A can ping 192.168.2.114 in Site B).

The customer requirement is that from the Site A firewall he should be able to ping the Site B DCNMS interface IP address (192.168.2.190) and do SNMP polling. Similarly, he should be able to ping the Site A DCNMS interface IP address (192.168.1.190) from Site B and do SNMP polling.

To do this I configured a site-to-site VPN between Site A and Site B and configured "management-access DCNMS" on both firewalls. But even though the IPsec tunnel is formed, I am not able to ping 192.168.1.190 from Site B or 192.168.2.190 from Site A. I am getting the following error message:

"%FWSM-3-305006: portmap translation creation failed for icmp src MPLS:192.168.1.114 dst DCNMS:192.168.2.190 (type 8, code 0)"

Which is the correct solution for this requirement?

tprendergast Thu, 09/24/2009 - 09:28

You need to make sure those addresses you are trying to ping are encapsulated over the tunnel or else you will get translation failures.

Can you provide your tunnel traffic ACLs?

The error you describe has the following description:

-----------------------------

Explanation: A protocol (UDP, TCP, or ICMP) failed to create a translation through the firewall. The firewall provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, the firewall denies translations for a destination IP address identified as a network or broadcast address.

The firewall does not apply PAT to all ICMP message types; it only applies PAT to ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT xlate. So, when the other ICMP message types are dropped, this message is generated.

-------------------------

Not a terribly helpful message without more information on your config.

Cheers,

Tim
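The check Tim suggests, done mechanically, as an added example that is not from the thread or from Cisco: parse the %FWSM-3-305006 line and test whether the failing src/dst pair falls inside the crypto ACL that should carry it over the tunnel. The crypto ACL entries and the second (UDP) log line are constructed assumptions, and the parser assumes the TCP/UDP form of the message carries "/port" suffixes on the addresses.

```python
"""Parse %FWSM-3-305006 portmap failures and check each failing flow
against the crypto ACL that should protect it over the site-to-site tunnel."""
import ipaddress
import re

# Constructed sample lines: the first is the message from the thread,
# the second is an assumed UDP (SNMP) variant of the same failure.
SAMPLE_LOGS = [
    "%FWSM-3-305006: portmap translation creation failed for icmp "
    "src MPLS:192.168.1.114 dst DCNMS:192.168.2.190 (type 8, code 0)",
    "%FWSM-3-305006: portmap translation creation failed for udp "
    "src MPLS:192.168.1.114/161 dst DCNMS:192.168.2.190/161",
]

# Hypothetical crypto ACL for Site A (not from the thread): only the
# firewall-to-firewall /32s are protected, so DCNMS traffic never enters the tunnel.
CRYPTO_ACL_SITE_A = [
    ("192.168.1.114/32", "192.168.2.114/32"),
]

PATTERN = re.compile(
    r"%FWSM-3-305006: portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?"
)


def parse_305006(line):
    """Return the message fields as a dict, or None if the line is not a 305006."""
    m = PATTERN.search(line)
    return m.groupdict() if m else None


def covered_by_crypto_acl(src, dst, acl):
    """True if some (local, remote) ACL entry matches both endpoints."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)


def diagnose(line, acl):
    """Parse the line and record whether the flow would have been encrypted."""
    fields = parse_305006(line)
    if fields is None:
        return None
    fields["encrypted"] = covered_by_crypto_acl(fields["src"], fields["dst"], acl)
    return fields


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(diagnose(log, CRYPTO_ACL_SITE_A))
```

A flow reported with encrypted=False is one the crypto ACL does not select, so the FWSM tries to translate it in the clear instead of passing it into the tunnel.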
