Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5731
Views
5
Helpful
5
Replies

%FWSM-3-305006: portmap translation creation failed for icmp src outside

Nadeem ahmed Ahmed
Level 1
Level 1

‎03-21-2010 07:18 AM - edited ‎03-11-2019 10:24 AM

Hi ,

I have configured my FWSM with no nat-control, simple routing mode, but i am getting following error log when i ping from host residing at the outside interface of FWSM to inside interface of FWSM, I know that inside interface of FWSM cannot be pingged as per FWSM design, but i need to know why i am getting this error.

4:11:38 Local4.Error 192.168.49.11 Mar 07 2010 14:09:32: %FWSM-3-305006: portmap translation creation failed for icmp src outside:192.168.255.5 dst inside:192.168.48.225 (type 8, code 0)

interface Vlan99
nameif outside
security-level 0
ip address 192.168.49.11 255.255.255.240 standby 192.168.49.12
!
interface Vlan57
nameif FWSM

security-level 85
ip address 192.168.57.1 255.255.255.0 standby 192.168.57.2
!
interface Vlan6
nameif inside

security-level 90
ip address 192.168.48.225 255.255.255.224 standby 192.168.48.226

             
!
interface Vlan67
nameif FWSM_2
security-level 80
ip address 192.168.67.1 255.255.255.0 standby 192.168.67.2

route outside 0.0.0.0 0.0.0.0 192.168.49.1 1 (towards MSFC)

logging enable
logging timestamp
logging standby
logging emblem
logging console debugging
logging trap debugging
logging history debugging
logging asdm debugging

I would appreciate if some one can share the experince.

Regards,

Nad

Labels:
0 Helpful
5 Replies 5

Kureli Sankar
Cisco Employee
Cisco Employee

‎03-21-2010 03:31 PM

Do you have

static (inside,outside) 192.168.48.0 192.168.48.0 net 255.255.255.0

Also, pls. enable icmp inspection under the policy-map.

-KS

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to Kureli Sankar

‎03-21-2010 09:41 PM

Unfortunately there is no specific syslog messages for pinging the wrong interface of the fwsm. The syslog message that you are seeing will be the one generated for pinging the wrong interface of the firewall.

Nadeem ahmed Ahmed
Level 1
Level 1
In response to Jennifer Halim

‎03-21-2010 11:30 PM

Hi halijenn ,

I am getting this message only when i ping to inside interface while no syslog message comes with other interfaces... Is it due to the most secure interface ? while other less secure interface are not giving any syslog message.

Please suggest if any!!

Rg

nad

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to Nadeem ahmed Ahmed

‎03-21-2010 11:56 PM

Sorry, as per design, you can't ping the opposite interface of the firewall, whether it is ping from the outside host towards the inside or FWSM interface, OR/ ping from an inside host towards the outside interface or FWSM interface of the FWSM.

You can only ping as per the following:

- Ping through the FWSM, ie: from inside host towards outside host, and vice versa. In this case, you would need to configure "inspect icmp".

- Ping the direct FWSM interface, ie: from inside host, you can only ping the inside interface, from the outside host, you can ping the outside interface, etc.

0 Helpful

Nadeem ahmed Ahmed
Level 1
Level 1
In response to Kureli Sankar

‎03-21-2010 11:27 PM

Hi,

I have disabled the Nat-control, FWSM is working in pure routing mode..?

Also what will be the use of enabling icmp inspection in my scenario.

Thanks!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card