ASA 5510 - Portmap Creation Translation Failed

Answered Question
Apr 21st, 2010

I have created a new VLAN (VLAN 2) in addition to an existing VLAN 1. Both Vlans have interface addresses on a Catalyst 3560. All of the network devices can see one another including talk but when I try and access a device in one VLAN from a pc in another VLAN I get an error in the ASA log to the effect that "portmap creation translation failed".

I have looked at the other discussions on the subject but none of the suggestions have solved my specific problem. The ASA configuration is attached. Any help would be greatly appreciated.

Thanks.

Jennifer Halim Wed, 04/21/2010 - 03:32

Which subnet is trying to communicate with which subnet? From the attached ASA configuration, there is only 1 inside interface.

dolson1157 Wed, 04/21/2010 - 03:45

The inside interface is part of the previously existing subnet - 192.168.90.0/24 - which is Vlan1. The new subnet, 10.52.100.0/24, is Vlan 2. The route between the two is on the 3560 switch at 192.168.90.4. I am trying to communicate between the two.

Jennifer Halim Wed, 04/21/2010 - 03:52

If you are trying to communicate between the 2 internal VLANs, it shouldn't even go through the ASA.

You would need to set default gateway for VLAN 1 to be 192.168.90.4 (switch ip address) instead of ASA ip address. The switch should then be configured with default gateway pointing towards the ASA (192.168.90.1).

dolson1157 Wed, 04/21/2010 - 05:49

The Vlans are configured on the layer 3 switch as follows (which I think is what you were suggesting in your prior post):

!
interface Vlan1
ip address 192.168.90.4 255.255.255.0
!
interface Vlan2
ip address 10.52.100.254 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.90.1
ip http server
!

With the ASA configuration as originally posted a host attached to Vlan2 is able to talk to the Vlan1 address on the layer 3 switch (192.168.90.4) and the ASA, which is also attached to Vlan1 via the switch (192.168.90.1), as well as the layer 2 switches in Vlan1. It can also access the internet on the outside interface. That host cannot, however, talk to any hosts in Vlan1.

Hosts attached to Vlan1 can talk to the network devices in Vlan1 but can't access the Vlan2 interface address on the layer3 switch (10.52.100.254) nor can they talk to any hosts in Vlan2.

When I remove the "route inside 10.52.100.0 255.255.255.0 192.168.90.4 1" statement from the ASA the only thing that changes is the Vlan2 host can no longer talk to the ASA or the outside world.

It makes me think that the problem is with the NAT statements but I can't figure out what.

dolson1157 Wed, 04/21/2010 - 06:31

The hosts on Vlan1 are using the VLAN1 interface address on the switch as their gateway (192.168.90.4)

The host on VLAN2 is using the VLAN2 interface address on the switch as its gateway (10.52.100.254)

dolson1157 Wed, 04/21/2010 - 09:47

Your suggestion provided me with some progress. I went back and double checked and sure enough the gateways for the VLAN1 hosts I was trying to talk to were pointing to the ASA (192.168.90.1). As a result of the change I can now talk to VLAN1 hosts from the VLAN2 host but I still cannot reach the VLAN2 host from the VLAN1 hosts. There are no messages in the ASA log so I'm assuming it is a problem with Inter-VLAN routing at the switch ???

I don't see anything in the logs for the switch but I'm not very adept with switches so I'm not really sure what I'm looking for.

Correct Answer
Jennifer Halim Wed, 04/21/2010 - 14:41

From VLAN 1 hosts, can you ping 10.52.100.254? If you can, that means that VLAN 2 hosts might be blocking inbound traffic (check the VLAN 2 hosts if there is any personal firewall, as it can block inbound traffic).
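
The model below is an added example, not code from the thread or from Cisco. It captures the two points made in this thread: the gateway explanation earlier in the thread (inter-VLAN traffic must go to the 3560 SVI, not the ASA, because the ASA has a single inside interface and would have to hairpin and translate the packet, which it logs as "portmap creation translation failed" and drops) and the isolation check in the accepted answer (ping the far-side SVI before the host; if the SVI answers, the switch is routing and the remaining suspect is the destination host). The SVI and ASA addresses are the ones posted in the thread; the host addresses and the `blocks_inbound` flag are constructed for the example. The model also checks the reply path, which is why a VLAN 2 host cannot reach a VLAN 1 host whose gateway still points at the ASA even though the request itself gets through.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Addresses posted in the thread: 3560 SVIs and the ASA inside interface.
ASA_INSIDE = IPv4Address("192.168.90.1")
SVI = {  # SVI address -> VLAN subnet it serves
    IPv4Address("192.168.90.4"): IPv4Network("192.168.90.0/24"),   # interface Vlan1
    IPv4Address("10.52.100.254"): IPv4Network("10.52.100.0/24"),   # interface Vlan2
}
INSIDE_NETS = list(SVI.values())


@dataclass
class Host:
    ip: IPv4Address
    gateway: IPv4Address
    blocks_inbound: bool = False   # constructed: personal firewall dropping unsolicited inbound


def subnet_of(ip: IPv4Address) -> IPv4Network | None:
    """Return the inside VLAN subnet containing ip, or None if ip is not inside."""
    for net in INSIDE_NETS:
        if ip in net:
            return net
    return None


def one_way(src: Host, dst: IPv4Address) -> tuple[bool, list[str]]:
    """Forward one packet from src to dst; return (delivered, hops taken)."""
    hops = [f"host {src.ip}"]
    src_net = subnet_of(src.ip)
    if src_net is not None and dst in src_net:      # same VLAN: no gateway involved
        hops.append(f"direct to {dst}")
        return True, hops
    gw = src.gateway
    if gw == ASA_INSIDE:
        # Single inside interface: the packet would have to leave the way it came
        # in and be translated; the thread's ASA logged this and dropped it.
        hops += ["ASA inside", "dropped: portmap creation translation failed"]
        return False, hops
    if gw in SVI:
        hops.append(f"3560 SVI {gw}")
        if dst in SVI:                               # pinging the switch itself
            hops.append(f"answered by SVI {dst}")
            return True, hops
        if subnet_of(dst) is not None:               # routed between the two SVIs
            hops.append(f"routed to {dst}")
            return True, hops
        hops += ["ip route 0.0.0.0 0.0.0.0 192.168.90.1", "ASA -> outside"]
        return True, hops
    hops.append(f"gateway {gw} unreachable")
    return False, hops


def ping(src: Host, dst: Host) -> bool:
    """Echo request and reply must both be delivered, and dst must accept inbound."""
    fwd_ok, _ = one_way(src, dst.ip)
    if not fwd_ok or dst.blocks_inbound:
        return False
    back_ok, _ = one_way(dst, src.ip)
    return back_ok


def diagnose(src: Host, dst: Host) -> str:
    """The accepted answer's check: ping the far-side SVI before the host."""
    far_svi = next(addr for addr, net in SVI.items() if dst.ip in net)
    svi_ok, hops = one_way(src, far_svi)
    if not svi_ok:
        return "routing/gateway problem: " + " -> ".join(hops)
    if not ping(src, dst):
        return f"switch routes fine; check {dst.ip} (personal firewall or its gateway)"
    return "reachable"


if __name__ == "__main__":
    # Constructed hosts: VLAN 1 host before and after its gateway was corrected,
    # VLAN 2 host with and without a personal firewall.
    v1_bad = Host(IPv4Address("192.168.90.10"), ASA_INSIDE)
    v1_good = Host(IPv4Address("192.168.90.10"), IPv4Address("192.168.90.4"))
    v2 = Host(IPv4Address("10.52.100.10"), IPv4Address("10.52.100.254"))
    v2_fw = Host(IPv4Address("10.52.100.10"), IPv4Address("10.52.100.254"), True)
    print("VLAN2 -> VLAN1 (VLAN1 gw = ASA):", ping(v2, v1_bad))
    print("VLAN1 (gw = ASA) -> VLAN2 SVI:", one_way(v1_bad, IPv4Address("10.52.100.254")))
    print("VLAN2 -> VLAN1 (gw fixed):", ping(v2, v1_good))
    print(diagnose(v1_bad, v2))
    print(diagnose(v1_good, v2_fw))
    print(diagnose(v1_good, v2))
```

Running the script walks the thread's sequence: with the VLAN 1 gateway on the ASA, traffic in either direction fails on the ASA hop; once the gateway is the SVI, the VLAN 2 SVI answers and only a host-side block remains, which is what the accepted answer asks the poster to check.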

dolson1157 Wed, 04/21/2010 - 23:11

Yes that seems to have gotten it then. Thanks so much for your assistance.
