
Teardown dynamic UDP translation from inside to outside

kwing01
Level 1

Hi,

I'm new to ASA and set up the inside and outside interfaces, but when I look at the debug log, I keep getting the teardown dynamic UDP translation from inside to outside. Could you let me know what I'm missing?

Dec 06 2016 20:48:14: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/36877 to outside:192.168.1.10/36877 duration 0:02:32
Dec 06 2016 20:48:14: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/43175 to outside:192.168.1.10/43175 duration 0:02:32

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.108.1.1 255.255.255.0

dhcpd auto_config outside
!
dhcpd address 10.108.1.2-10.108.1.10 inside
dhcpd enable inside
!

object network inside-server
 nat (inside,outside) static interface service tcp ssh ssh
object network inside-www
 nat (inside,outside) static interface service tcp www www
object network inside-subnet
 nat (inside,outside) dynamic interface

access-list outside_acl extended permit tcp 192.168.1.0 255.255.255.0 host 10.108.1.2 eq ssh
access-list outside_acl extended permit tcp any host 10.108.1.2 eq www
access-list outside_acl extended permit icmp any any

access-group outside_acl in interface outside

3 Replies

nspasov
Cisco Employee

This could be normal behavior, or it could indicate an issue with the application and/or the FW configuration. A couple of questions:

1. Does the configuration work? Meaning, can you access the server/services from outside the network?

2. Have you tried using packet-tracer to validate the configuration?

3. Do you see other log messages in your buffer? More specifically message 302014? If yes, check this link for more info:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71871-asa-pix-troubleshooting.html#s3

I hope this helps!

Thank you for rating helpful posts!

Do I need to create the same NAT and Access-List for UDP?

1. Yes, I can access outside to inside using http and ssh.

2. Yes, it looks to be working fine.

3. No, just the UDP teardown from outside to inside and UDP teardown inside to outside.

Dec 10 2016 00:11:44: %ASA-6-305012: Teardown dynamic TCP translation from inside:10.108.1.2/43686 to outside:192.168.1.10/43686 duration 0:01:01
Dec 10 2016 00:11:48: %ASA-6-305012: Teardown dynamic TCP translation from inside:10.108.1.2/34558 to outside:192.168.1.10/34558 duration 0:01:01
Dec 10 2016 00:12:35: %ASA-6-302016: Teardown UDP connection 225 for outside:192.168.1.1/53 to inside:10.108.1.2/48280 duration 0:02:01 bytes 107
Dec 10 2016 00:12:35: %ASA-6-302016: Teardown UDP connection 226 for outside:192.168.1.1/53 to inside:10.108.1.2/48686 duration 0:02:01 bytes 70
Dec 10 2016 00:12:35: %ASA-6-302016: Teardown UDP connection 227 for outside:192.168.1.1/53 to inside:10.108.1.2/38266 duration 0:02:01 bytes 194
Dec 10 2016 00:12:35: %ASA-6-302016: Teardown UDP connection 228 for outside:192.168.1.1/53 to inside:10.108.1.2/45808 duration 0:02:01 bytes 112
Dec 10 2016 00:12:37: %ASA-6-302016: Teardown UDP connection 229 for outside:192.168.1.1/53 to inside:10.108.1.2/51740 duration 0:02:01 bytes 163
Dec 10 2016 00:12:37: %ASA-6-302016: Teardown UDP connection 230 for outside:192.168.1.1/53 to inside:10.108.1.2/51025 duration 0:02:01 bytes 163
Dec 10 2016 00:12:37: %ASA-6-302016: Teardown UDP connection 231 for outside:192.168.1.1/53 to inside:10.108.1.2/59835 duration 0:02:01 bytes 163
Dec 10 2016 00:12:37: %ASA-6-302016: Teardown UDP connection 232 for outside:192.168.1.1/53 to inside:10.108.1.2/52736 duration 0:02:01 bytes 163
Dec 10 2016 00:12:37: %ASA-6-302016: Teardown UDP connection 233 for outside:192.168.1.1/53 to inside:10.108.1.2/59379 duration 0:02:01 bytes 163
Dec 10 2016 00:12:37: %ASA-6-302016: Teardown UDP connection 234 for outside:192.168.1.1/53 to inside:10.108.1.2/47927 duration 0:02:01 bytes 163
Dec 10 2016 00:12:37: %ASA-6-302016: Teardown UDP connection 235 for outside:192.168.1.1/53 to inside:10.108.1.2/59311 duration 0:02:01 bytes 163
Dec 10 2016 00:12:37: %ASA-6-302016: Teardown UDP connection 236 for outside:192.168.1.1/53 to inside:10.108.1.2/35588 duration 0:02:01 bytes 163
Dec 10 2016 00:13:06: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/48280 to outside:192.168.1.10/48280 duration 0:02:32
Dec 10 2016 00:13:06: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/48686 to outside:192.168.1.10/48686 duration 0:02:32
Dec 10 2016 00:13:06: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/38266 to outside:192.168.1.10/38266 duration 0:02:32
Dec 10 2016 00:13:06: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/45808 to outside:192.168.1.10/45808 duration 0:02:32
Dec 10 2016 00:13:08: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/51740 to outside:192.168.1.10/51740 duration 0:02:32
Dec 10 2016 00:13:08: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/51025 to outside:192.168.1.10/51025 duration 0:02:32
Dec 10 2016 00:13:08: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/59835 to outside:192.168.1.10/59835 duration 0:02:32
Dec 10 2016 00:13:08: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/52736 to outside:192.168.1.10/52736 duration 0:02:32
Dec 10 2016 00:13:08: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/59379 to outside:192.168.1.10/59379 duration 0:02:32
Dec 10 2016 00:13:08: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/47927 to outside:192.168.1.10/47927 duration 0:02:32
Dec 10 2016 00:13:08: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/59311 to outside:192.168.1.10/59311 duration 0:02:32
Dec 10 2016 00:13:08: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/35588 to outside:192.168.1.10/35588 duration 0:02:32

Sorry for the delayed response. To answer your question: Yes, you need to configure both NAT and ACL for UDP as well. 

Please do that and see if the issue goes away. 

Thank you for rating helpful posts!
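
An added example, not part of any post in this thread: a Python script that pairs each 305012 translation teardown in the posted logs with the 302016 UDP connection teardown that preceded it on the same inside address and port, and reports how long the translation outlived that connection. The sample lines are copied from the logs above; the function and field names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the logs posted in this thread (a subset).
SAMPLE = """\
Dec 10 2016 00:11:44: %ASA-6-305012: Teardown dynamic TCP translation from inside:10.108.1.2/43686 to outside:192.168.1.10/43686 duration 0:01:01
Dec 10 2016 00:12:35: %ASA-6-302016: Teardown UDP connection 225 for outside:192.168.1.1/53 to inside:10.108.1.2/48280 duration 0:02:01 bytes 107
Dec 10 2016 00:12:37: %ASA-6-302016: Teardown UDP connection 229 for outside:192.168.1.1/53 to inside:10.108.1.2/51740 duration 0:02:01 bytes 163
Dec 10 2016 00:13:06: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/48280 to outside:192.168.1.10/48280 duration 0:02:32
Dec 10 2016 00:13:08: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.108.1.2/51740 to outside:192.168.1.10/51740 duration 0:02:32
"""

TS = r"(?P<ts>\w{3} \d{2} \d{4} [\d:]{8}): "
EP = r"\S+?:[\d.]+/\d+"  # interface:ip/port
CONN = re.compile(TS + rf"%ASA-6-302016: Teardown UDP connection (?P<id>\d+) for "
                  rf"(?P<a>{EP}) to (?P<b>{EP}) duration (?P<dur>[\d:]+) bytes \d+")
XLATE = re.compile(TS + rf"%ASA-6-305012: Teardown dynamic (?P<proto>\w+) translation "
                   rf"from (?P<real>{EP}) to (?P<mapped>{EP}) duration (?P<dur>[\d:]+)")

def _ts(s):
    return datetime.strptime(s, "%b %d %Y %H:%M:%S")

def _dur(s):
    h, m, sec = (int(x) for x in s.split(":"))
    return timedelta(hours=h, minutes=m, seconds=sec)

def correlate(log_text):
    """Pair each 305012 with the latest earlier 302016 on the same real endpoint."""
    last_conn = {}  # endpoint -> (connection id, teardown time)
    rows = []
    for line in log_text.splitlines():
        if (m := CONN.match(line)):
            for ep in (m["a"], m["b"]):
                last_conn[ep] = (int(m["id"]), _ts(m["ts"]))
        elif (m := XLATE.match(line)):
            torn = _ts(m["ts"])
            conn = last_conn.pop(m["real"], None) if m["proto"] == "UDP" else None
            rows.append({
                "proto": m["proto"], "real": m["real"], "mapped": m["mapped"],
                "xlate_created": torn - _dur(m["dur"]),
                "conn_id": conn[0] if conn else None,
                # seconds the translation outlived its last connection
                "idle_s": int((torn - conn[1]).total_seconds()) if conn else None,
            })
    return rows

if __name__ == "__main__":
    for row in correlate(SAMPLE):
        print(row)
```

On the posted lines, each UDP translation is removed 31 seconds after its connection to 192.168.1.1/53 is torn down; the TCP entry has no 302016 line to pair with, so its `conn_id` is `None`.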
