Portmap translation creation failed

Answered Question
Sep 7th, 2010

I continue to get the error above on my ASA5510.  I have a dynamic NAT rule in place to translate everything coming from the inside network to the outside address of the ASA.  Pings and other traffic (i.e. DNS requests) are obviously getting through because all of the errors are returning packets.  What could be the cause of this?  Thanks.

I have this problem too.
0 votes
Correct Answer by Federico Coto F... about 6 years 3 months ago

Hi,

You have a public IP assigned to the ASA (but no default gateway).

You should add:

route outside 0 0 207.98.185.x

After this check that you can PING something on the internet from the ASA itself:

ping 4.2.2.2

If succesful, you should have internet from the computers.

Try adding this:

policy-map global_policy
class inspection_default

  inspect icmp

And try to PING from the internal machines 4.2.2.2

Federico.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Federico Coto F... Tue, 09/07/2010 - 14:06

Hi,

What does your configuration look like?

You can get fine to the Internet through the ASA and the problem are just the errors?

Federico.

charles.e.davis... Wed, 09/08/2010 - 10:31

Nothing currently is getting out to the internet nor even getting back from the DNS.  Here is the configuration.  Thanks for the help.

: Saved
:
ASA Version 8.2(2)
!
hostname Primay-FW
domain-name base.mil
enable password a7xTtrKictTgVgBn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.255.255.2 Network-Management-WS description Network Management WS
name 10.5.0.2 Wireless-Access-Point description Wireless-Access-Point
name 10.1.0.2 Base-Server description Base-Server
name 10.1.0.0 Access-Control-Network description Access-Control-Network
name 10.255.254.2 Web-Server description Web-Server
name 10.0.0.2 Primary_3750 description Primary 3750
name 10.255.255.4 IPS description IPS
name 10.0.0.6 Backup_3750 description Backup 3750
dns-guard
!
interface Ethernet0/0
description Outside
nameif Outside
security-level 0
ip address 207.98.185.1 255.255.255.252
!
interface Ethernet0/1
description Inside
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description Web-Server
nameif Web-Server
security-level 1
ip address 10.255.254.1 255.255.255.252
!
interface Management0/0
description Managment Port
nameif Network-Management-Interface
security-level 99
ip address 10.255.255.3 255.255.255.0
!
banner motd You are accessing a U.S. Government (USG) Information System (IS) that is
banner motd provided for USG-authorized use only. By using this IS (which includes any
banner motd device attached to this IS), you  consent to the following conditions:
banner motd -The USG routinely intercepts and monitors communications on this IS for
banner motd purposes including, but not limited to, penetration testing, COMSEC
banner motd monitoring, network operations and defense,personnel misconduct (PM), law
banner motd enforcement (LE), and counterintelligence (CI) investigations.
banner motd -At any time, the USG may inspect and seize data stored on this IS.
banner motd -Communications using, or data stored on, this IS are not private,are
banner motd subject to routine monitoring, interception, and search, and may be
banner motd disclosed or used for any USG authorized purpose.
banner motd -This IS includes security measures (e.g., authentication and access
banner motd controls) to protect USG interests--not for your personal benefit or
banner motd privacy.
banner motd -Notwithstanding the above, using this IS does not constitute consent to
banner motd PM, LE or CI investigative searching or monitoring of the content of
banner motd privileged communications, or work product, related to personal
banner motd representation or services by attorneys, psychotherapists, or clergy, and
banner motd their assistants. Such communications and work product are private and
banner motd confidential. See User Agreement for details.
banner asdm You are accessing a U.S. Government (USG) Information System (IS) that is
banner asdm provided for USG-authorized use only. By using this IS (which includes any
banner asdm device attached to this IS), you  consent to the following conditions:
banner asdm -The USG routinely intercepts and monitors communications on this IS for
banner asdm purposes including, but not limited to, penetration testing, COMSEC
banner asdm monitoring, network operations and defense,personnel misconduct (PM), law
banner asdm enforcement (LE), and counterintelligence (CI) investigations.
banner asdm -At any time, the USG may inspect and seize data stored on this IS.
banner asdm -Communications using, or data stored on, this IS are not private,are
banner asdm subject to routine monitoring, interception, and search, and may be
banner asdm disclosed or used for any USG authorized purpose.
banner asdm -This IS includes security measures (e.g., authentication and access
banner asdm controls) to protect USG interests--not for your personal benefit or
banner asdm privacy.
banner asdm -Notwithstanding the above, using this IS does not constitute consent to
banner asdm PM, LE or CI investigative searching or monitoring of the content of
banner asdm privileged communications, or work product, related to personal
banner asdm representation or services by attorneys, psychotherapists, or clergy, and
banner asdm their assistants. Such communications and work product are private and
banner asdm confidential. See User Agreement for details.
ftp mode passive
dns server-group DefaultDNS
domain-name base.mil
same-security-traffic permit intra-interface
object-group service Web-Services tcp
description Web-Services
port-object eq www
port-object eq https
access-list IPS-Management_access_in remark Network Management Control
access-list IPS-Management_access_in extended permit ip host Network-Management-WS host IPS
access-list IPS-1 extended permit ip any any
access-list IPS-2 extended permit ip any any
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in remark BGP
access-list Outside_access_in extended permit tcp any any eq bgp
access-list Wireless-Gateway_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.252
pager lines 24
logging enable
logging timestamp
logging console errors
logging trap debugging
logging asdm informational
logging host Network-Management-Interface Network-Management-WS
mtu Outside 1500
mtu inside 1500
mtu Web-Server 1500
mtu Network-Management-Interface 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 207.98.185.12 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) 207.98.185.9 Primary_3750 netmask 255.255.255.255
static (inside,Outside) 207.98.185.10 Backup_3750 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
!
router ospf 1
router-id 10.0.0.1
network 10.0.0.0 255.255.255.252 area 1
area 1
log-adj-changes
!
route inside Access-Control-Network 255.255.0.0 Primary_3750 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 3
aaa authorization exec authentication-server
http server enable
http server session-timeout 10
http 0.0.0.0 0.0.0.0 Network-Management-Interface
http Network-Management-WS 255.255.255.255 Network-Management-Interface
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh timeout 1
ssh version 2
console timeout 5
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username test1 password P4ttSyrm33SV8TYp encrypted privilege 0
username admin password HxBCn6xA8Q4mXAvc encrypted privilege 15
username charles.davis password AjT6F0Z2EfHCqfkS encrypted privilege 15
!
class-map IPS-2
match access-list IPS-2
class-map IPS-1
match access-list IPS-1
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect ip-options
policy-map IPS-2
class IPS-2
  ips promiscuous fail-open
policy-map IPS-1
class IPS-1
  ips promiscuous fail-open
!
service-policy global_policy global
service-policy IPS-1 interface Outside
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:00bb4ff12a22cede48d0161ed6e025b6
: end
asdm image disk0:/asdm-625.bin
asdm location 0.0.0.0 0.0.0.0 inside
asdm location 0.0.0.0 0.0.0.0 Network-Management-Interface
asdm location Network-Management-WS 255.255.255.255 Network-Management-Interface
asdm location Wireless-Access-Point 255.255.255.255 inside
asdm location Base-Server 255.255.255.255 inside
asdm location Access-Control-Network 255.255.0.0 inside
asdm location Web-Server 255.255.255.255 inside
asdm location Primary_3750 255.255.255.255 inside
asdm location IPS 255.255.255.255 inside
asdm location Backup_3750 255.255.255.255 inside
no asdm history enable

Correct Answer
Federico Coto F... Wed, 09/08/2010 - 10:36

Hi,

You have a public IP assigned to the ASA (but no default gateway).

You should add:

route outside 0 0 207.98.185.x

After this check that you can PING something on the internet from the ASA itself:

ping 4.2.2.2

If succesful, you should have internet from the computers.

Try adding this:

policy-map global_policy
class inspection_default

  inspect icmp

And try to PING from the internal machines 4.2.2.2

Federico.

Actions

This Discussion