CISCO ASA 5510 - Problem with accessing network on Interface Portmap translation failed.

Unanswered Question
Feb 17th, 2010

I have enabled an interface on the ASA 5510 but cannot get it to pass traffic through from the inside interface to the backup interface.


Configuration


Inside network - Assume 210.0.0.0


Outside 217.37.180.46


Backup 192.168.28.2


I am trying to access the device with the IP address 192.168.28.1


When I do it fails with the message
2010-02-17 11:43:53    Local4.Debug    210.0.0.100    %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:53    Local4.Error    210.0.0.100    %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:53    Local4.Debug    210.0.0.100    %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00
2010-02-17 11:43:54    Local4.Debug    210.0.0.100    %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:54    Local4.Error    210.0.0.100    %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:54    Local4.Debug    210.0.0.100    %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00
2010-02-17 11:43:54    Local4.Debug    210.0.0.100    %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:54    Local4.Error    210.0.0.100    %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:54    Local4.Debug    210.0.0.100    %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00


If I add a static NAT I am still unable to contact devices on the backup interface.


It fails with
2010-02-17 12:01:18    Local4.Info    210.0.0.100    %ASA-6-302013: Built outbound TCP connection 2043 for backup:192.168.28.1/80 (192.168.28.1/80) to inside:ThetTSserver/4204 (ThetTSserver/4204)
2010-02-17 12:01:19    Local4.Info    210.0.0.100    %ASA-6-302014: Teardown TCP connection 1683 for outside:209.46.39.130/443 to inside:210.0.0.10/56351 duration 0:10:20 bytes 5357 FIN Timeout


What is going on? How do I get my inside network to communicate with the devices on the "backup" interface?


From the above


a. It knows the route to 192.168.28.1
b. It does not seem to be a NAT issue


Routing table is as follows:-


Gateway of last resort is 217.37.180.41 to network 0.0.0.0


C    192.168.28.0 255.255.255.0 is directly connected, backup
C    217.37.180.40 255.255.255.248 is directly connected, outside
S    Sudbury_LAN 255.255.255.0 [1/0] via 217.37.180.41, outside
C    Thetford_LAN 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 217.37.180.41, outside


Config file is as follows:- (I have deleted items which I do not think are relevant! I have also changed IP addresses)
: Saved
:
ASA Version 7.2(2)
!


name 210.0.0.1 Thetserver description Thetford File Server
name 210.0.0.2 ThetTSserver description Thetford TS Server
name 210.0.0.0 Thetford_LAN description Thetford Local Area Network
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 219.37.180.46 255.255.255.248
ospf cost 10
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 210.0.0.100 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
nameif backup
security-level 0
ip address 192.168.28.2 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!


ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name thet.staceys.co.uk
object-group service WebAccess tcp
description Allowed protocols to Outside world
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group network MAWHome
description MAWHome
network-object 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any object-group WebAccess
access-list inside_access_in extended permit tcp host Thetserver any eq domain
access-list inside_access_in extended permit udp host Thetserver any eq domain
access-list inside_access_in extended permit tcp host Thetserver any eq smtp
access-list inside_access_in extended permit tcp host Thetserver any eq pop3
access-list inside_access_in extended permit udp host Thetserver any eq ntp
access-list inside_access_in extended permit tcp host ThetTSserver any eq pop3
access-list inside_access_in extended permit tcp host ThetTSserver any eq smtp
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any eq 465
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any eq 995
access-list inside_access_in extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.21.0.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 192.168.28.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Bury_LAN 255.255.255.0
access-list outside_60_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Newmarket_LAN 255.255.255.0
access-list outside_80_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list outside_80_cryptomap_1 extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list http-list2 extended permit tcp any host 62.189.96.209
access-list http-list2 extended permit tcp any host 213.120.81.201
access-list outside_100_cryptomap extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
!
tcp-map mss-map
  exceed-mss allow
!
pager lines 24
logging enable
logging trap alerts
logging asdm informational
logging host inside Thetserver
mtu outside 1500
mtu inside 1500
mtu backup 1500
ip local pool VPNUsers 172.21.0.1-172.21.0.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Thetford_LAN 255.255.255.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 217.37.180.41 1
!
router ospf 10
network Thetford_LAN 255.255.255.0 area 0
log-adj-changes
redistribute static subnets
!
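
As an added example (not part of the original post and not Cisco tooling), this Python script parses syslog lines quoted in the post, counts the 305006 translation failures per flow, and matches 302013 "Built" against 302014 "Teardown" messages by connection ID. The regular expressions are assumptions fitted to the message formats shown in the post, and the sample is trimmed to the message text.

```python
import re
from collections import Counter

# Log lines copied from the post above (syslog prefix trimmed to the timestamp).
LOG = """\
2010-02-17 11:43:53 %ASA-7-609001: Built local-host backup:192.168.28.1
2010-02-17 11:43:53 %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 11:43:53 %ASA-7-609002: Teardown local-host backup:192.168.28.1 duration 0:00:00
2010-02-17 11:43:54 %ASA-3-305006: portmap translation creation failed for tcp src inside:ThetTSserver/3771 dst backup:192.168.28.1/80
2010-02-17 12:01:18 %ASA-6-302013: Built outbound TCP connection 2043 for backup:192.168.28.1/80 (192.168.28.1/80) to inside:ThetTSserver/4204 (ThetTSserver/4204)
2010-02-17 12:01:19 %ASA-6-302014: Teardown TCP connection 1683 for outside:209.46.39.130/443 to inside:210.0.0.10/56351 duration 0:10:20 bytes 5357 FIN Timeout
"""

# Assumed patterns, derived only from the lines shown in the post.
MSG = re.compile(r"%ASA-(\d)-(\d{6}): (.*)$")
XLATE_FAIL = re.compile(
    r"(\S+) translation creation failed for (\S+) "
    r"src (\S+?):(\S+)/(\d+) dst (\S+?):(\S+)/(\d+)")
BUILT = re.compile(r"Built (\w+) TCP connection (\d+) for (\S+?):(\S+)/(\d+)")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for (\S+?):")

def analyse(text):
    """Return (translation failures per flow, built connections with no teardown)."""
    failures, built, torn = Counter(), {}, set()
    for line in text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg_id, body = m.group(2), m.group(3)
        if msg_id == "305006" and (f := XLATE_FAIL.match(body)):
            kind, proto, s_if, s_host, _, d_if, d_host, d_port = f.groups()
            failures[(kind, proto, s_if, s_host, d_if, f"{d_host}/{d_port}")] += 1
        elif msg_id == "302013" and (b := BUILT.match(body)):
            built[int(b.group(2))] = (b.group(3), f"{b.group(4)}/{b.group(5)}")
        elif msg_id == "302014" and (t := TEARDOWN.match(body)):
            torn.add(int(t.group(1)))
    # Connections whose Built message has no Teardown with the same ID in the sample.
    still_open = {cid: peer for cid, peer in built.items() if cid not in torn}
    return failures, still_open

if __name__ == "__main__":
    failures, still_open = analyse(LOG)
    for flow, n in failures.items():
        print(n, "x", flow)
    print("built, no teardown in sample:", still_open)
```

On this sample it groups the portmap failures under a single flow (inside:ThetTSserver to backup:192.168.28.1/80) and shows that the 302014 teardown quoted after the static NAT attempt is for connection 1683 on the outside interface, not for connection 2043 built towards backup.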
