%FWSM-3-305006: portmap translation creation failed for icmp src outside

Unanswered Question
Mar 21st, 2010

Hi,

I have configured my FWSM with no nat-control, simple routing mode, but I am getting the following error log when I ping from a host residing at the outside interface of the FWSM to the inside interface of the FWSM. I know that the inside interface of the FWSM cannot be pinged as per FWSM design, but I need to know why I am getting this error.

4:11:38 Local4.Error 192.168.49.11 Mar 07 2010 14:09:32: %FWSM-3-305006: portmap translation creation failed for icmp src outside:192.168.255.5 dst inside:192.168.48.225 (type 8, code 0)

interface Vlan99
 nameif outside
 security-level 0
 ip address 192.168.49.11 255.255.255.240 standby 192.168.49.12
!
interface Vlan57
 nameif FWSM
 security-level 85
 ip address 192.168.57.1 255.255.255.0 standby 192.168.57.2
!
interface Vlan6
 nameif inside
 security-level 90
 ip address 192.168.48.225 255.255.255.224 standby 192.168.48.226
!
interface Vlan67
 nameif FWSM_2
 security-level 80
 ip address 192.168.67.1 255.255.255.0 standby 192.168.67.2

route outside 0.0.0.0 0.0.0.0 192.168.49.1 1 (towards MSFC)

logging enable
logging timestamp
logging standby
logging emblem
logging console debugging
logging trap debugging
logging history debugging
logging asdm debugging

I would appreciate it if someone can share the experience.

Regards,

Nad

Poonguzhali Sankar Sun, 03/21/2010 - 15:31

Do you have

static (inside,outside) 192.168.48.0 192.168.48.0 net 255.255.255.0

Also, please enable ICMP inspection under the policy-map.

-KS

Jennifer Halim Sun, 03/21/2010 - 21:41

Unfortunately, there are no specific syslog messages for pinging the wrong interface of the FWSM. The syslog message that you are seeing will be the one generated for pinging the wrong interface of the firewall.

nadeem2006 Sun, 03/21/2010 - 23:30

Hi halijenn,

I am getting this message only when I ping the inside interface, while no syslog message comes with other interfaces... Is it due to the most secure interface? The other, less secure interfaces are not giving any syslog message.

Please suggest if any!!

Rg

nad

Jennifer Halim Sun, 03/21/2010 - 23:56

Sorry, as per design, you can't ping the opposite interface of the firewall, whether it is a ping from the outside host towards the inside or FWSM interface, or a ping from an inside host towards the outside interface or FWSM interface of the FWSM.

You can only ping as per the following:

- Ping through the FWSM, ie: from inside host towards outside host, and vice versa. In this case, you would need to configure "inspect icmp".

- Ping the direct FWSM interface, ie: from inside host, you can only ping the inside interface, from the outside host, you can ping the outside interface, etc.
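
Added example, not part of the original thread or any participant's post: a small Python triage helper that parses %FWSM-3-305006 lines and separates pings aimed at a far-side firewall interface (the case described above) from translation failures for traffic going through the firewall. The interface table comes from the configuration in the question; the function name, verdict labels and the second sample log line are constructed for illustration.

```python
import ipaddress
import re

# Active/standby interface addresses copied from the configuration in the question.
FWSM_INTERFACES = {
    "outside": ("192.168.49.11", "192.168.49.12"),
    "FWSM": ("192.168.57.1", "192.168.57.2"),
    "inside": ("192.168.48.225", "192.168.48.226"),
    "FWSM_2": ("192.168.67.1", "192.168.67.2"),
}

# Matches the ICMP form shown in the thread. The optional "/port" suffix is an
# assumption so that TCP/UDP variants of the message do not break the parser.
MSG_305006 = re.compile(
    r"%FWSM-3-305006: portmap translation creation failed for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/\d+)?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
)


def classify(line, interfaces=FWSM_INTERFACES):
    """Return a dict describing a 305006 line, or None if the line is not one."""
    m = MSG_305006.search(line)
    if m is None:
        return None
    dst = ipaddress.ip_address(m["dst_ip"])
    # Which firewall interface, if any, owns the destination address?
    owner = next((name for name, addrs in interfaces.items()
                  if any(dst == ipaddress.ip_address(a) for a in addrs)), None)
    if owner is None:
        verdict = "through-traffic"      # destination is not a firewall address
    elif owner == m["src_if"]:
        verdict = "near-interface"       # packet aimed at the interface it arrived on
    else:
        verdict = "far-interface"        # the case discussed in the thread
    return {"src": m["src_ip"], "src_if": m["src_if"], "dst": m["dst_ip"],
            "dst_owner": owner, "proto": m["proto"], "verdict": verdict}


# First line is the message from the question; the second is constructed.
SAMPLE_LINES = [
    "Mar 07 2010 14:09:32: %FWSM-3-305006: portmap translation creation failed for "
    "icmp src outside:192.168.255.5 dst inside:192.168.48.225 (type 8, code 0)",
    "Mar 07 2010 14:10:01: %FWSM-3-305006: portmap translation creation failed for "
    "icmp src outside:192.168.255.5 dst inside:192.168.48.230 (type 8, code 0)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
```

Lines classified as "far-interface" match the by-design behaviour explained in this reply; "through-traffic" lines are the ones worth checking against the NAT and inspection configuration.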

nadeem2006 Sun, 03/21/2010 - 23:27

Hi,

I have disabled nat-control, FWSM is working in pure routing mode..?

Also, what will be the use of enabling ICMP inspection in my scenario?

Thanks!

Posted March 21, 2010 at 7:18 AM