Cisco Support Community
New Member

ASA 7.2 5510 portmap translation creation failed for tcp src inside

Hi, I've got a NAT problem. The ASA shows the error "portmap translation creation failed for tcp src inside" when trying to access a specific LAN. Here is the network config:

INSIDE is 10.21.0.0/24

OUTSIDE is xx.xx.xx.xx

TEMPNET is 192.168.0.0; the net behind TEMPNET is 172.1.1.0/24

The problem is I have only 2 IPs I can use in TEMPNET, so I have to NAT all my internal IPs to 1 IP from the TEMPNET. TEMPNET is provided by another company and has its own router, which forwards packets into several foreign networks. To prevent routing issues (the TEMPNET routers don't know routes into my local net) I need to NAT all my local IPs to, let's say, 192.168.1.1.

I added a route, for example: route tempnet 172.1.1.0 /24 192.168.1.2 (1.2 is the router from the TEMPNET).

Now here are my nat / global statements:

access-list NAT_TEMP permit ip 10.0.21.0 255.255.255.0 172.1.1.0 255.255.255.0

access-list NAT_ANYDESTINATION permit ip 10.0.21.0 255.255.255.0 any

nat (inside) 1 access-list NAT_ANYDESTINATION

nat (inside) 2 access-list NAT_TEMP

global (inside) 1 interface

global (tempnet) 2 interface

When trying to access 172.1.1.1 I receive the error: portmap translation creation failed..

When I change this:

no nat (inside) 2 access-list NAT_TEMP

no global (tempnet) 2 interface

global (tempnet) 1 interface

it works like a charm. But why isn't it working with the other config? Let's say I want to split it up more and work with more than 1 nat rule based on source and destination; it won't work. Why can't I use multiple nat/global statements?


4 REPLIES
Hall of Fame Super Blue

Re: ASA 7.2 5510 portmap translation creation failed for tcp src

Peter

Try swapping your nat statements around. I think the problem you face is that the firewall runs through the nat (inside) id access-list statements in order, and because

nat (inside) 1 access-list NAT_ANYDESTINATION

is the first statement, this also matches any traffic going from 10.0.21.0 -> 172.1.1.0. So try this:

nat (inside) 1 access-list NAT_TEMP

nat (inside) 2 access-list NAT_ANYDESTINATION

Jon
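To make the ordering argument above concrete, here is an added Python model (not code from the thread or from Cisco) of how the ASA 7.2 policy NAT lookup is described here: nat ids are tried in order, the first ACL match wins, and the matched id must have a global on the egress interface or no translation can be built. The addresses and ACL names are the ones from the question; the assumption is that after the swap the global statements are re-paired with the new ids.

```python
import ipaddress

# Constructed model of the thread's ASA 7.2 config. Policy NAT rules are
# evaluated in nat-id order and the first ACL match wins; the chosen id then
# needs a global on the egress interface, otherwise no xlate can be built.
# Assumption: the swapped layout also re-pairs the globals with the new ids.
INSIDE = ipaddress.ip_network("10.0.21.0/24")
TEMP = ipaddress.ip_network("172.1.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

ACLS = {  # access-list name -> list of (source, destination) permit entries
    "NAT_TEMP": [(INSIDE, TEMP)],
    "NAT_ANYDESTINATION": [(INSIDE, ANY)],
}

# Layout from the question: id 1 is the catch-all, id 2 the specific rule.
ORIGINAL = {
    "nat": [(1, "NAT_ANYDESTINATION"), (2, "NAT_TEMP")],
    "global": {("inside", 1), ("tempnet", 2)},  # (egress interface, nat id)
}
# Layout after the swap, with globals re-paired (assumption, see above).
SWAPPED = {
    "nat": [(1, "NAT_TEMP"), (2, "NAT_ANYDESTINATION")],
    "global": {("tempnet", 1), ("inside", 2)},
}


def acl_permits(name, src, dst):
    """True when any entry of the named ACL permits src -> dst."""
    return any(src in s and dst in d for s, d in ACLS[name])


def matching_nat_id(config, src, dst):
    """Return the first nat id (lowest id) whose ACL permits src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for nat_id, acl in sorted(config["nat"]):
        if acl_permits(acl, src, dst):
            return nat_id
    return None


def xlate_possible(config, src, dst, egress):
    """True when the matched nat id has a global on the egress interface."""
    nat_id = matching_nat_id(config, src, dst)
    return nat_id is not None and (egress, nat_id) in config["global"]


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("swapped", SWAPPED)):
        print(label, "nat id:", matching_nat_id(cfg, "10.0.21.10", "172.1.1.1"),
              "xlate on tempnet:", xlate_possible(cfg, "10.0.21.10", "172.1.1.1", "tempnet"))
```

With the original layout the catch-all id 1 absorbs the 172.1.1.0/24 traffic and has no global on tempnet, which is the failure the question describes; with the specific rule ordered first the translation succeeds.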

New Member

Re: ASA 7.2 5510 portmap translation creation failed for tcp src

Hi Jon,

I always thought PIX OS would determine the "more specific" nat statement.

Like: source host xxx to yyy NAT is more specific, and source subnet to any is less specific.

What do you think?

Hall of Fame Super Blue (Accepted Solution)

Re: ASA 7.2 5510 portmap translation creation failed for tcp src

Peter

This link suggests that it is the order that is important -

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694

Jon

New Member

Re: ASA 7.2 5510 portmap translation creation failed for tcp src

Jon, you rock, thx!
