Cisco Support Community
Community Member

Fun with NAT on ASA

If a host on 192.168.1.x, the inside interface, tries to ping a host on 192.168.10.x (a network behind a router which is connected 6.1)

The ASA returns:

Jan 23 2010 10:17:58: %ASA-3-305006: portmap translation creation failed for icmp src inside: dst inside: (type 8, code 0)

and the ping fails.

If you try to ping directly from the ASA you get a similar result:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Jan 23 2010 10:20:35: %ASA-4-313004: Denied ICMP type=0, from laddr on interface inside to no matching session

Seems to me this should work right out of the box, suggestions?

<config snip>

name Cowacella description named after thomas J's Monticello with a cow twist

access-list inside_access_in_1 extended permit ip any any

global (outside) 1 interface
nat (inside) 1

access-group inside_access_in_1 in interface inside
route inside Cowacella 1

Community Member

Re: Fun with NAT on ASA

I failed to mention, I have "same-security-traffic permit intra-interface" enabled as well.

Cisco Employee

Re: Fun with NAT on ASA


You are running into an asymmetric routing scenario over here.

Either you can set the default gateway of hosts on all subnets to be the 6.1 (router) & have its default gateway set to the ASA inside ifc, OR if you really wanna keep the ASA as everybody's default gateway, then you can use the tcp-state-bypass feature introduced in the 8.2 release of code for ASA, so that the asymmetric situation here can be handled correctly by the ASA.

Check it out at the release notes:



Community Member

Re: Fun with NAT on ASA

It is really simple my friend,

all you need to do is to put a static command

static (inside,inside) 192.168.1.x 192.168.1.x

Have a look at the attached file to understand the scenario in a better way..........:)


Sachin Vaish

Cisco Employee

Re: Fun with NAT on ASA


Making the firewall inside ifc proxy arp for inside hosts using the global (inside) 1 ifc statement along with the Identity static translation for destination command was a workaround we used in the PRE 8.2 era. Anyways, I would suggest the usage of the solution (tcp-state-bypass feature) in the 8.2+ codes.
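
The tcp-state-bypass approach recommended in the replies above, written out as an added configuration sketch (it is not from any poster in this thread). The /24 masks and the names TCP_BYPASS, TCP_BYPASS_CLASS and TCP_BYPASS_POLICY are assumptions; the two subnets are the ones named in the question.

```cisco
! Added example for ASA 8.2+; object names and /24 masks are assumed.
! Match only the hairpinned TCP flows between the two inside subnets,
! in both directions, so the bypass is as narrow as possible.
access-list TCP_BYPASS extended permit tcp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list TCP_BYPASS extended permit tcp 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
!
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
!
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  ! Matched connections skip TCP state tracking, so the ASA accepts
  ! packets of a flow even when it sees only one direction of it.
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the asymmetric traffic enters and leaves.
service-policy TCP_BYPASS_POLICY interface inside
```

Traffic matched by this class is no longer subject to TCP normalization or application inspection, so keep the access list limited to the subnets that actually route asymmetrically. The feature applies to TCP connections only.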


