Fun with NAT on ASA

Unanswered Question
Jan 23rd, 2010

If a host on 192.168.1.x (the inside interface) tries to ping a host on 192.168.10.x (a network behind a router which is connected at 6.1),

The ASA returns:

Jan 23 2010 10:17:58: %ASA-3-305006: portmap translation creation failed for icmp src inside: dst inside: (type 8, code 0)

and the ping fails.

If you try to ping directly from the ASA you get a similar result:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Jan 23 2010 10:20:35: %ASA-4-313004: Denied ICMP type=0, from laddr on interface inside to no matching session

Seems to me this should work right out of the box, suggestions?

<config snip>

name Cowacella description named after thomas J's Monticello with a cow twist

access-list inside_access_in_1 extended permit ip any any

global (outside) 1 interface
nat (inside) 1

access-group inside_access_in_1 in interface inside
route inside Cowacella 1

spollock Sat, 01/23/2010 - 10:25

I failed to mention that I have "same-security-traffic permit intra-interface" enabled as well.

vilaxmi Sat, 01/23/2010 - 21:06


You are running into an asymmetric routing scenario here.

Either you can set the default gateway of the hosts on all subnets to be the 6.1 (router) and have its default gateway set to the ASA inside interface, OR, if you really want to keep the ASA as everybody's default gateway, you can use the tcp-state-bypass feature introduced in the 8.2 release of code for the ASA, so that the asymmetric situation here can be handled correctly by the ASA.

Check it out at the release notes:

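The tcp-state-bypass configuration this reply points to, written out as an added example (it is not config from the original post or from the replier). The subnets and interface name are taken from the question; the ACL, class-map and policy-map names are assumptions, and the syntax is the pre-8.3 form the question itself uses.

```cisco
! Added example, not from the original post: TCP state bypass (ASA 8.2+).
! Names tcp_bypass / tcp_bypass_policy are assumptions; subnets are from the question.
!
! Match only the inside-to-inside flows whose return path skips the ASA.
access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
!
class-map tcp_bypass
 match access-list tcp_bypass
!
! For that class only, stop requiring the full handshake to be seen
! (the ASA sees the SYN from the host but never the SYN-ACK from 192.168.10.x).
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the asymmetric flows enter.
service-policy tcp_bypass_policy interface inside
```

Two caveats a practitioner should keep in mind. First, this only relaxes the TCP state checks for the matched flows; it is not a NAT rule, so the 305006 "portmap translation creation failed" error the question shows for the ICMP echo request is not addressed by it and still needs a translation (or exemption) for inside-to-inside traffic. Second, bypassed flows lose TCP normalization and application inspection, so keep the ACL as narrow as the asymmetric path requires. Verify with `show service-policy interface inside` and `show conn`, where bypassed connections carry the `b` flag.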
vilaxmi Sun, 01/24/2010 - 09:09

Making the firewall inside interface proxy-ARP for inside hosts using a global (inside) 1 interface statement, along with an identity static translation for the destination, was a workaround we used in the pre-8.2 era. Anyway, I would suggest using the tcp-state-bypass feature on 8.2+ code.
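The pre-8.2 workaround this reply describes, written out as an added example (not config from the original post or from the replier). The interface name and subnets come from the question; the host range on the nat statement is an assumption, since the question's nat line is cut off. It is in the pre-8.3 NAT syntax the question uses.

```cisco
! Added example, not from the original post: pre-8.2 workaround with a
! global on the inside interface plus an identity static for the destination.
! Interface name and subnets are from the question; the nat range is an assumption.
!
! Allow traffic to enter and leave on the same interface (the question already has this).
same-security-traffic permit intra-interface
!
! Give the nat (inside) 1 rule a global on the inside interface too. Inside hosts
! going to 192.168.10.x are then PATed to the ASA inside address, so the router
! sends replies back to the ASA rather than straight to the host, and the return
! path no longer bypasses the firewall.
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! Identity static for the destination network. Static takes precedence over the
! nat/global pair, so 192.168.10.x is never PATed in either direction.
static (inside,inside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
```

With this in place the echo request from the question no longer fails with 305006, because the inside-to-inside flow now has a global to translate to. Check the result with `show xlate` (a PAT entry to the inside interface address per flow) and `show nat`. Note that the global (outside) 1 interface statement from the question stays as it is; the inside global only applies when the egress interface is inside.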