Community Member

NAT problems - ASA 5540

Hi everybody,

I'm getting a serious problem on my ASA 5540.

I've configured a NAT pool range (10.10.10.2-10.10.10.4) to access a remote network.

This pool contains 3 IP addresses, and only 3 hosts on my internal network can access the remote network.

When a 4th host tries to access the remote network, the ASA shows me the following error: "Err 3 - port map translation creation failed for....src LAN:x.x.x.x dst WAN:x.x.x.x (type 8, code 0)"

What should I do to solve the problem?

I got to use this range this way.

Thanks

Tauer

Green

Re: NAT problems - ASA 5540

Typically you would create a global entry for all the other hosts that don't get an address from the nat pool.

global (outside) 1 x.x.x.x

nat (inside) 1 0 0

Community Member

Re: NAT problems - ASA 5540

Hi,

Today I have the following:

global (WAN) 8 10.10.10.2-10.10.10.4 netmask 255.255.255.0

nat (LAN) 8 access-list LAN_pnat_outbound_V4

access-list LAN_pnat_outbound_V4 extended permit ip any host 10.10.20.1 (this IP is a server on the remote network)

What is wrong or what should I do to fix it?

Can you send an example?

Thanks

Tauer

Green

Re: NAT problems - ASA 5540

The nat pool is being exhausted. You need to add another address to the pool or use one of the addresses for dynamic PAT.

access-list LAN_pnat_outbound_V4 extended permit ip any host 10.10.20.1

access-list dynamic_pat_outbound extended permit ip any host 10.10.20.1

global (WAN) 8 10.10.10.2-10.10.10.3 netmask 255.255.255.255

global (WAN) 10 10.10.10.4

nat (LAN) 8 access-list LAN_pnat_outbound_V4

nat (LAN) 10 access-list dynamic_pat_outbound

Community Member

Re: NAT problems - ASA 5540

Is this configuration telling the ASA to NAT all my internal hosts to 10.10.10.2, 10.10.10.3 and 10.10.10.4?

If not, how will the ASA work with this configuration?

Thanks and sorry...

I have many difficulties with this kind of configuration.

Tauer

Green

Re: NAT problems - ASA 5540

When using a pool of addresses, it is first come, first served.

global (WAN) 8 10.10.10.2-10.10.10.4 netmask 255.255.255.0

So the first host inside will be assigned 10.10.10.2, the 2nd will be assigned 10.10.10.3, the 3rd will be assigned 10.10.10.4. When the 4th host attempts to go out there are no addresses left in the pool for them. This is your issue. So you must add addresses to the pool if you have them or you must PAT (not NAT) the other connections to another address. Or take an address from the pool and use that for PAT. Does that make sense?
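
The pool exhaustion and PAT fallback described in this reply, as a simplified Python model (an added example, not part of the original thread and not the ASA's own implementation). The inside host addresses, the source port and the starting PAT port of 1024 are constructed assumptions; the mapped addresses are the ones quoted in the thread.

```python
import ipaddress

class PoolExhausted(Exception):
    """No free pool address and no PAT address (or PAT port) left."""

class DynamicNat:
    """Simplified model: one pool address per inside host, then optional PAT."""

    def __init__(self, first, last, pat_ip=None, first_port=1024):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.pat_ip = pat_ip
        self.next_port = first_port      # assumed starting port for PAT
        self.nat_xlate = {}              # inside host -> pool address (1:1)
        self.pat_xlate = {}              # (inside host, port) -> mapped port

    def translate(self, src_ip, src_port):
        """Return the (mapped_ip, mapped_port) seen on the WAN side."""
        if src_ip in self.nat_xlate:                 # host already owns an address
            return self.nat_xlate[src_ip], src_port
        if self.free:                                # first come, first served
            self.nat_xlate[src_ip] = self.free.pop(0)
            return self.nat_xlate[src_ip], src_port
        if self.pat_ip is None:                      # the 4th host in the thread
            raise PoolExhausted(f"no translation available for {src_ip}")
        key = (src_ip, src_port)
        if key not in self.pat_xlate:                # many hosts share one address
            if self.next_port > 65535:
                raise PoolExhausted(f"PAT ports exhausted on {self.pat_ip}")
            self.pat_xlate[key] = self.next_port
            self.next_port += 1
        return self.pat_ip, self.pat_xlate[key]

def run(nat, hosts, src_port=40000):
    """Translate one flow per host; None marks a failed translation."""
    out = {}
    for h in hosts:
        try:
            out[h] = nat.translate(h, src_port)
        except PoolExhausted:
            out[h] = None
    return out

# Constructed inside hosts; the mapped addresses are the ones from the thread.
HOSTS = [f"192.168.1.{n}" for n in range(11, 16)]
pool_only = run(DynamicNat("10.10.10.2", "10.10.10.4"), HOSTS)
pool_plus_pat = run(DynamicNat("10.10.10.2", "10.10.10.3", pat_ip="10.10.10.4"), HOSTS)
```

With the three-address pool alone, the fourth and fifth hosts get no translation; with 10.10.10.4 moved out of the pool and used for PAT, every host past the second shares that address on a distinct mapped port.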

Community Member

Re: NAT problems - ASA 5540

Yes, it does.

I've tested it and it works like you said. So I've got to adapt my environment to this.

Thank you so much

Tauer
