PAT pool exhaustion / Portmap translation creation failures
I'm getting some very strange (to me) logs from my ASA, and I'm out of ideas on how to figure it out.
Flash: 256 MB
Memory: 2048 MB
Mode: Routed / Single
License: VPN Plus
My Tunnels interface has address 192.168.6.1/24 and has restricted access to my internal network (named ATMS): a handful of servers are NATted from ATMS to Tunnels with no translation and access from Tunnels to these servers on ATMS is allowed for the services they provide. All other traffic across the Tunnels interface is outbound and initiated from some host on the ATMS interface (which isn't all that much).
In the syslogs (see attached screen cap) I see plethora dynamic UDP xlates being built from ATMS:192.168.6.1 to Tunnels:192.168.6.1 (first, I don't understand why this IP address is the same on both interfaces, as the ATMS interface is on a different subnet). Each mapping is chained with the previous with each successive source port being the destination port from the previous map. An excerpt from the attachment:
192.168.6.1:134 -> 192.168.6.1:149
192.168.6.1:149 -> 192.168.6.1:151
192.168.6.1:151 -> 192.168.6.1:271
192.168.6.1:271 -> 192.168.6.1:272
192.168.6.1:272 -> 192.168.6.1:281
and so on. Then I get ID 305006 messages saying portmap translation creation failed and I get an ID 202010 message saying the NAT/PAT pool is exhausted (ID 202010 is not shown in the screen capture due to my display filter settings).
Why are there so many chained xlates? Why are they being chained in the first place? How do I keep this from occurring?
Some relevant config excerpts follow. In fact, this is every line related to the Tunnels interface and the 192.168.6.0/24 subnet with the exception of the details of the object or service groups being used:
ip address 192.168.6.1 255.255.255.0
nat (ATMS,Tunnels) source static Domain-Controllers Domain-Controllers description AMMS computers at tunnels are domain computers
PAT pool exhaustion / Portmap translation creation failures
Just some guessing on my part but heres some thoughts. Hopefully they help even abit.
Can you include the full configurations of the object-groups / objects used in the NAT configurations.
Is the IP address 192.168.6.1 included in any of the groups?
I'm not totally sure about why you are seeing the same IP address on the src/dst fields but I'd guess its related to the static NAT configurations you have. As every statement has the same object twice it should mean that the address stays the same even when passing the interfaces mentioned in the configurations.
The red "portmap" translation failing is probably due to the fact that the destination address is a network broadcast address.
I can't really say anything about the ports you are seeing in the messages. To my understanding the src/dst port should be the same in the sort of NATs you have configured.
Is there some actual problem with traffic passing through the ASA or are you just wondering why you are seeing the mentioned log messages?
Is there any need to do any translations between ATMS and Tunnels interfaces? I mean if you just removed the NAT configurations alltogether ASA would pass traffic between those interfaces without NATing the traffic.
In problem situations I usually use ASAs "packet-tracer" command to check how the NAT configurations are behaving though I'm not sure if that would help you in this situation.
I have a feeling that theres somekind of overlap in your NAT configurations that might be causing this but thats just a guess at this point with the information provided.
Re: PAT pool exhaustion / Portmap translation creation failures
I'm hesitant to post too much config info, because at some point the risk of posting too much of my security configuration becomes unacceptable... I don't know what best practice really is for forums like this with the exception of changing IP addresses. Nevertheless, you can't help if I don't tell you at least some stuff. I've attached a text file of all object nat and nat statements as requested. AFAIK, this is every statement directly related to NAT.
The IP address 192.168.6.1 is only included in the NAT process in translating access from the higher security iface ATMS to the Tunnels iface:
nat (ATMS,Tunnels) after-auto source dynamic any interface
I haven't noticed that this particular issue is causing any problems. I've had a few connectivity issues with clients on the Tunnels network, but as best as I've been able to determine they've all been issues on the client PCs. I'm mainly concerned that this will become a problem or that it will indirectly lead to other problems (memory exhaustion, excessive CPU utilization, etc.) and be difficult to track later.
The specific NAT translations were added because clients on the Tunnels network are domain members, so seeing the domain controllers (who live on the ATMS network) with their real IPs instead of translated IPs is necessary. I don't completely trust this network and don't have control over physical security of the network segment, so I opted for putting it on a separate interface and VLAN on the ASA and translating addresses except where this is not possible. I'm open to suggestions for better ways of handling this if anyone has any to offer. Maybe I ought to just use ACLs to restrict traffic and ignore translation altogether?
I've never used the packet tracer function of the ASA, so I'll do some research on that and see if it can be of aid to me.
Thank you very much for your time and questions/expertise. I appreciate it.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :