DMZ and NAT exemption

All,

I have a problem with one DMZ and port translation:

%ASA-3-305006: portmap translation creation failed for tcp src INSIDE:10.128.100.75/1577 dst DMZ2:1.1.2.1/23

I'm using NAT exemption, and the following line is in my config:

access-list NONAT line 2 extended permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0 (hitcnt=0) 0xb08b2a3b

From a host on the 10.128.0.0/16 (10.128.100.75), I can't get out. It's trying to route through that interface, but I'm getting the above error. The device in the DMZ is a special device that creates a tunnel to a remote vendor. I'm not sure if they are NATing for me or not. Should I let NAT happen for the 10.128.0.0 subnet to the 10.45.127.0 subnet?

The 10.45.127.0 subnet is the private side of this device.

If so, can I include it in the NAT exemption ACL like this:

permit ip x.x.x.x x.x.x.x y.y.y.y y.y.y

deny ip 10.128.0.0 255.255.0.0 10.45.137.0 255.255.255.0

permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0

Would the above hurt anything?

Thanks,

John

HTH, John *** Please rate all useful posts ***
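The following is an added example, not code from the original post or from Cisco: it parses the %ASA-3-305006 message quoted above and evaluates the flow against a NAT-exemption ACL the way a pre-8.3 ASA does for `nat 0 access-list` (first-match; a `permit` ACE exempts the flow from translation, a `deny` ACE leaves it subject to the normal NAT rules). It assumes the ACL uses subnet masks (not wildcard masks), only handles `permit|deny ip src mask dst mask` entries, and skips placeholder lines such as `x.x.x.x`. The log line and ACL text are constructed from what the post shows; the function names are hypothetical.

```python
"""Check a %ASA-3-305006 flow against a NAT-exemption (nat 0 access-list) ACL.

Added illustration, not code from the original post. Assumes the pre-8.3 ASA
model: the NONAT ACL is evaluated first-match, 'permit' exempts the flow from
NAT, 'deny' leaves it to the ordinary NAT rules, and a flow no ACE matches
falls through to those rules as well (if none covers it, the translation fails).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the syslog message quoted in the post.
SAMPLE_LOG = ("%ASA-3-305006: portmap translation creation failed for tcp "
              "src INSIDE:10.128.100.75/1577 dst DMZ2:1.1.2.1/23")

LOG_RE = re.compile(
    r"%ASA-3-305006: portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# ASA extended ACEs carry a subnet mask ("10.128.0.0 255.255.0.0"), not a wildcard.
# The optional prefix lets "show access-list" output be pasted in unchanged.
ACE_RE = re.compile(
    r"^\s*(?:access-list\s+\S+\s+(?:line\s+\d+\s+)?extended\s+)?"
    r"(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src_if: str
    src: ipaddress.IPv4Address
    sport: int
    dst_if: str
    dst: ipaddress.IPv4Address
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network

    def matches(self, flow: Flow) -> bool:
        return flow.src in self.src_net and flow.dst in self.dst_net


def parse_305006(line: str) -> Optional[Flow]:
    """Extract the 5-tuple (plus interfaces) from a 305006 message, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(m["proto"], m["src_if"], ipaddress.IPv4Address(m["src"]),
                int(m["sport"]), m["dst_if"], ipaddress.IPv4Address(m["dst"]),
                int(m["dport"]))


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one 'permit|deny ip src mask dst mask' ACE; placeholders give None."""
    m = ACE_RE.search(line)
    if not m:
        return None
    return Ace(m["action"],
               ipaddress.IPv4Network(f"{m['src']}/{m['smask']}", strict=False),
               ipaddress.IPv4Network(f"{m['dst']}/{m['dmask']}", strict=False))


def load_acl(lines: List[str]) -> List[Ace]:
    return [ace for ace in map(parse_ace, lines) if ace is not None]


def nat_exempt_decision(acl: List[Ace], flow: Flow) -> str:
    """First-match evaluation of a nat 0 access-list.

    'exempt'    - a permit ACE matched: no translation for this flow
    'translate' - a deny ACE matched: ordinary NAT rules apply
    'no-match'  - no ACE saw the flow; it also falls through to ordinary NAT
    """
    for ace in acl:
        if ace.matches(flow):
            return "exempt" if ace.action == "permit" else "translate"
    return "no-match"


def diagnose(log_line: str, acl_lines: List[str]) -> str:
    flow = parse_305006(log_line)
    if flow is None:
        return "not a 305006 message"
    return nat_exempt_decision(load_acl(acl_lines), flow)


# The ACL line as shown in the post (hitcnt=0).
POSTED_ACL = [
    "access-list NONAT line 2 extended permit ip 10.128.0.0 255.255.0.0 "
    "10.45.0.0 255.255.0.0 (hitcnt=0) 0xb08b2a3b",
]
# The ACL as proposed in the post; the placeholder line is skipped by the parser.
PROPOSED_ACL = [
    "permit ip x.x.x.x x.x.x.x y.y.y.y y.y.y",
    "deny ip 10.128.0.0 255.255.0.0 10.45.137.0 255.255.255.0",
    "permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0",
]

if __name__ == "__main__":
    # The logged flow goes to 1.1.2.1, which no NONAT ACE covers: 'no-match',
    # consistent with the hitcnt=0 on the posted line.
    print(diagnose(SAMPLE_LOG, POSTED_ACL))
```

Running the logged flow against the posted ACL returns `no-match`, because the destination 1.1.2.1 is outside 10.45.0.0/16, which is consistent with `hitcnt=0` on the posted line. With the proposed ACL, a flow to 10.45.127.x hits the /16 `permit` (exempt), while a flow to 10.45.137.x hits the earlier `deny` first and is handed to the normal NAT rules; ordering the more specific deny ahead of the broader permit is what makes that work.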
1 REPLY

Re: DMZ and NAT exemption

Resolved :)

HTH, John *** Please rate all useful posts ***