portmap translation creation failed for udp src inside dst inside

lukaszzyla
Level 1

Hi!

I have a problem with allowing traffic to the UC500 subnets on the ASA 5505 inside interface.

My ASA is the main router with address 192.168.1.1.

The UC500 VoIP box is connected to the ASA's inside interface through the UC500 WAN port, which has the address 192.168.1.2.

Firewall and NAT on the UC500 are disabled.

UC500 SIP traffic works fine. The VoIP box creates its subnets for data and voice, 192.168.10.0 and 10.1.1.0. Another important address is 10.1.10.1, which is the UC500 CUE.

My problem is that from within the ASA local network (192.168.1.0) I cannot reach the UC500 subnets, nor can I reach the ASA's local network from the UC subnets.

The log says:

Severity 3, Sep 07 2013 00:21:49, source DC/53, destination PBXCUE/32901: portmap translation creation failed for udp src inside:DC/53 dst inside:PBXCUE/32901

I tried exempting the UC500 subnets on the ASA but that didn't work.

Funny thing is that I CAN reach the UC500 subnets when connecting with VPN to the ASA...

Please help! I am not familiar with the CLI.

I configured a static route to 10.1.10.0 and since then I was able to ping 10.1.10.1 through the ASA's VPN.

I would be grateful for ideas.

Lukasz

global (inside) 1 interface

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface https IIS https netmask 255.255.255.255  dns tcp 200 200 udp 200

static (inside,outside) tcp interface www IIS www netmask 255.255.255.255  dns tcp 200 200 udp 200

static (inside,outside) tcp interface smtp IIS smtp netmask 255.255.255.255  dns

static (inside,outside) tcp interface pop3 IIS pop3 netmask 255.255.255.255  dns

static (inside,outside) udp interface domain RenBetPBX domain netmask 255.255.255.255  dns

static (inside,outside) udp interface 5061 RenBetPBX 5061 netmask 255.255.255.255  dns

static (inside,outside) udp interface sip RenBetPBX sip netmask 255.255.255.255  dns

static (inside,outside) tcp interface 13000 SQL 13000 netmask 255.255.255.255  dns

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x

route inside PBXCUE-network 255.255.255.0 RenBetPBX 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

1 Accepted Solution (Julio Carvajal's second reply below)

7 Replies

Julio Carvajal
VIP Alumni

Hello Lukasz,

In these scenarios what we usually see is that the ASA is not seeing the full exchange of packets (asymmetric routing).

In this case we have not even reached that part, as we are dealing with the NAT at this point.

Before any change on the configuration, what's the requirement?

Does 192.168.10.0 need to talk to 10.1.0.0, and does 10.1.0.0 have to talk to the 192 network?

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio!

Thank you for interest and your reply.

I might not have been very clear in describing what I would like to achieve after spending a weekend trying to configure my UC540 device and ASA5505...

The network topology looks like this:

i. ASA5505 (192.168.1.0 is my main network, ASA IP 192.168.1.1)

ii. UC540 (WAN connection, WAN IP: 192.168.1.2). The UC540 creates 2 subnets: 192.168.10.0, the data subnet, and 10.1.1.0, the voice subnet. The UC540 is connected to the 192.168.1.0 network through its WAN port and is given the static IP 192.168.1.2/255.255.255.0 with the default gateway set to the ASA (192.168.1.1). Firewall and NAT on the UC540 are both disabled.

The UC540 creates another network with the CUCM(E) service module at 10.1.10.1 and also creates a loopback interface with IP 10.1.10.2, which is used as the CUCM(E) gateway.

The UC540 has its radio device (2 SSIDs: one for 192.168.10.0 and a second for 10.1.1.0).

What I am trying to achieve:

1. To be able to reach 10.1.1.0 and 10.1.10.0 from within the ASA main network (192.168.1.0), and also to be able to reach 192.168.1.0 from both 10.x.x.x networks. I need that for attaching more IP phones from a switch that only operates on the 192.168.1.0 network. I also need that for configuring the SMTP notification service on CUCME (10.1.10.1), which would communicate with my Exchange on the 192.168.1.0 network.

2. To be able to configure the UC540 radios to allow access to the 192.168.1.0 ASA network and not the 192.168.10.0 UC data network, which is what it does in its current configuration. At the moment UC540 Wi-Fi clients can only access the 192.168.10.0 network, which means they do not have access to my main 192.168.1.0 network.

I hope this explanation sounds more reasonable ;-)

Once again thank you for your interest and I am looking forward to hearing from you.

I have been working on my CLI skills recently and I am getting more used to it. I hope that with your help I will be able to reach my goals.

Regards

Lukasz

Hello Lukas,

Way better description.

The problem is asymmetric routing.

So my recommendation would be:

  • Configure identity NAT from inside to inside for these subnets
  • Create a TCP state bypass policy for this traffic

And let us know how it goes.

Cheers,

Julio Carvajal Segura
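Julio's two bullet points translated into configuration, as an added example that is not part of the thread: it uses the pre-8.3 static/nat syntax already present in Lukasz's posted config, the subnets are the ones Lukasz listed (192.168.1.0/24, 10.1.1.0/24 and 10.1.10.0/24), and the ACL and class-map name uc_bypass is my own.

```cisco
! Added example (not from the thread): ASA 8.2-style hairpin configuration for
! inside-to-inside traffic between the LAN (192.168.1.0/24) and the UC540 subnets.
! The name uc_bypass is my own and does not appear in the posted config.

! 1. Allow a packet to enter and leave the same interface.
same-security-traffic permit intra-interface

! 2. Identity NAT inside-to-inside: each subnet translates to itself, so the
!    ASA no longer tries to PAT the source to the interface address, which is
!    what "portmap translation creation failed ... src inside ... dst inside"
!    reports.
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (inside,inside) 10.1.10.0 10.1.10.0 netmask 255.255.255.0

! 3. TCP state bypass, scoped to the flows the ASA only sees in one direction:
!    a LAN host sends to the ASA (its default gateway), the ASA forwards to the
!    UC540 at 192.168.1.2 on the same segment, and the UC540 replies straight
!    back to the host without passing through the ASA.
access-list uc_bypass extended permit tcp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list uc_bypass extended permit tcp 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list uc_bypass extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list uc_bypass extended permit tcp 10.1.10.0 255.255.255.0 192.168.1.0 255.255.255.0

class-map uc_bypass
 match access-list uc_bypass

! global_policy and its global service-policy exist by default on the ASA;
! the class is added to it rather than creating a second policy-map.
policy-map global_policy
 class uc_bypass
  set connection advanced-options tcp-state-bypass
```

The bypass class switches off the ASA's TCP stateful checks (sequence-number randomisation, TCP normalisation, TCP intercept) for whatever the ACL matches, so keep it to exactly the subnets involved rather than "any any". To confirm the result without waiting for real traffic, `packet-tracer input inside tcp 192.168.1.10 1234 10.1.10.1 80 detailed` should walk through the identity translation and end in ALLOW, and `show service-policy` shows the uc_bypass class counting packets once traffic flows.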

Hello Julio!

Thank you for your advice.

I have managed to solve my main problem by reconfiguring my switches' VLANs: enabling trunk port configs for the required ports and allowing them access to both VLANs.

Now I can see everything from all of my inside networks.

I continue my ASA adventures: I have managed to configure L2TP client access for my Windows users, RADIUS authentication for domain users, and last night I managed to configure a site-to-site VPN with my RV120W router.

I am only an enthusiast but my recent successes have given me an appetite for more...

I keep reading forums and trying to solve most of my problems myself, but I have faced another one now and thought that maybe you could give me another tip on where to look for the issue:

I still have one problem with my L2TP VPN config. I have configured split tunnel on the group policy to tunnel only 192.168.1.0 network requests.

access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

My network at home is 192.168.2.0 but it still tunnels everything (when I check my IP after connecting to the VPN, my home laptop still identifies with the ASA gateway(!) address).

access-list outside_access_in extended permit icmp any interface outside object-group DM_INLINE_ICMP_1

access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any interface outside eq 8080

access-list outside_access_in extended permit tcp any interface outside eq 23456

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 any

access-list outside_access_in extended permit tcp any interface outside eq 13000

access-list outside_access_in extended permit tcp any interface outside range 8001 8016

access-list outside_access_in extended permit tcp x.x.x.x 255.255.255.0 interface outside eq ssh

access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240

access-list inside_nat0_outbound extended permit ip any PBXVOIP-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip any PBXCUE-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 igolomska-network 255.255.255.0

access-list inside_access_in extended permit udp object-group DM_INLINE_NETWORK_2 any object-group DM_INLINE_UDP_1

access-list inside_access_in extended permit ip host IIS any

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit ip host RBSTORE_NAS any

access-list inside_access_in extended deny udp any any object-group DM_INLINE_UDP_2

access-list inside_access_in extended permit tcp any any eq 5432

access-list inside_access_in extended permit tcp any host PBXCUE eq www

access-list inside_access_in extended permit tcp host PBXCUE any eq www

access-list inside_access_in extended permit tcp host RBCAMSTORE_NAS host EXCH-MBX eq smtp

access-list inside_access_in extended permit tcp host RBSTORE_NAS host EXCH-MBX eq smtp

access-list inside_access_in extended permit tcp host RENBETUPS host EXCH-MBX eq smtp

access-list inside_access_in extended permit tcp host RenBetPBX host EXCH-MBX eq smtp

access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 igolomska-network 255.255.255.0

route print shows the following. 192.168.1.240 is my VPN IP; its metric has higher priority than the local gateway. How do I change it?

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.126   4250
          0.0.0.0          0.0.0.0         On-link     192.168.1.240     21
      80.51.24.22  255.255.255.255      192.168.2.1    192.168.2.126   4251
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
      169.254.0.0      255.255.0.0         On-link     192.168.2.126   4506
  169.254.104.126  255.255.255.255         On-link     192.168.2.126   4506
  169.254.255.255  255.255.255.255         On-link     192.168.2.126   4506
    192.168.1.240  255.255.255.255         On-link     192.168.1.240    276
      192.168.2.0    255.255.255.0         On-link     192.168.2.126   4506
    192.168.2.126  255.255.255.255         On-link     192.168.2.126   4506
    192.168.2.255  255.255.255.255         On-link     192.168.2.126   4506
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link     192.168.2.126   4506
        224.0.0.0        240.0.0.0         On-link     192.168.1.240     21
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link     192.168.2.126   4506
  255.255.255.255  255.255.255.255         On-link     192.168.1.240    276
===========================================================================

I am starting to feel like I am using a bit too much of your friendliness ...

Best Regards and have a great day!

Lukasz

Hello Lukasz,

No problem, it's always a pleasure to help.

I always recommend using a different address range on the other side of the connection, because of weird routing/ARP issues.

The split tunnel access-list looks good:

access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

Can you share the group-policy and tunnel-group setup, because at the moment you should only have that route to the internal subnet.

Cheers,

Julio Carvajal Segura

This is the group policy I use for L2TP:

group-policy DefaultRAGroup_1 internal

group-policy DefaultRAGroup_1 attributes

dns-server value 192.168.1.10 8.8.8.8

vpn-tunnel-protocol l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

default-domain value BETONOWA.local

and tunnel group settings:

tunnel-group DefaultRAGroup general-attributes

address-pool install_pool

authentication-server-group BETONOWA-DC LOCAL

default-group-policy DefaultRAGroup_1

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

radius-sdi-xauth

tunnel-group DefaultRAGroup ppp-attributes

authentication pap

authentication ms-chap-v2

Hello Lukasz,

To be honest with you I have not played that much with L2TP, but configuration-wise it should be the same.

Can you use a different pool subnet for the VPN traffic (different from 192.168.1.0)? Make sure you use the right NAT0 configuration.

Just to check if that makes a difference.

Cheers,

Julio Carvajal Segura
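Julio's last suggestion (a client pool that does not overlap 192.168.1.0/24, with the matching NAT exemption) in the same pre-8.3 syntax, as an added example that is not from the thread. The thread never shows the current `ip local pool install_pool` line; the range in the comment is reconstructed from the nat0 entry for 192.168.1.240/28 and is an assumption, and the pool 192.168.100.0/28 and the name l2tp_pool are my own choice.

```cisco
! Added example (not from the thread).
! Assumed current pool, reconstructed from the posted
! "permit ip any 192.168.1.240 255.255.255.240" nat0 line:
!   ip local pool install_pool 192.168.1.241-192.168.1.254 mask 255.255.255.0
! Client addresses inside the LAN subnet make the ASA proxy-ARP for each VPN
! client on the inside interface, which is the routing/ARP weirdness Julio
! refers to.

! Dedicated client pool (range and name are my own choice).
ip local pool l2tp_pool 192.168.100.1-192.168.100.14 mask 255.255.255.240

tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp_pool

! NAT exemption LAN <-> pool, added to the ACL that the posted
! "nat (inside) 0 access-list inside_nat0_outbound" already references.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.240

! Split tunnel list stays as posted: the ASA still only hands out 192.168.1.0/24.
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
```

One check the ASA side cannot do for you: the `0.0.0.0 0.0.0.0 On-link 192.168.1.240 21` line in the route print above is what the Windows built-in L2TP/IPsec client installs when "Use default gateway on remote network" is enabled in the connection's IPv4 advanced settings. That client does not read the ASA's split-tunnel list, so the default route through the tunnel stays until that box is cleared on the laptop. Once it is cleared, Windows only adds a class-based route for the address it was assigned, so with a pool outside 192.168.1.0/24 the client also needs a route to 192.168.1.0/24 over the VPN adapter; keeping the pool inside 192.168.1.0/24, as posted, gets that route for free at the cost of the ARP side effects noted in the comments.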