https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745564#M529899 <HTML><HEAD></HEAD><BODY><P>Hi Julio,</P><P></P><P>I today was having the same issue.</P><P></P><P>Who doing hairpining NAT on a tcp port, to and from the same interface. Why is it that you need global (dmz4) 101 interface?</P><P></P><P>Thanks</P></BODY></HTML> Wed, 12 Jun 2013 21:12:09 GMT John Peterson 2013-06-12T21:12:09Z https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745553#M529884 <P></P><P>Hello all.</P><P></P><P></P><P>I am having an issue where clients at remote sites can not access website in our dmz.&nbsp; Any thoughts?</P><P></P><P></P><P></P><P>Thanks.</P> Mon, 11 Mar 2019 21:30:18 GMT https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745553#M529884 Matthew Michaluk 2019-03-11T21:30:18Z https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745554#M529885 <HTML><HEAD></HEAD><BODY><P>Matthew</P><P></P><P>Which interface do the clients use to get to the DMZ (looks like the inside interface from your post ?) </P><P></P><P>Do the clients use VPN or is it just normal traffic ? </P><P></P><P>Do you have a NAT statement setup for the client traffic to the DMZ ?</P><P></P><P>Jon</P></BODY></HTML> Mon, 26 Sep 2011 21:20:13 GMT https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745554#M529885 Jon Marshall 2011-09-26T21:20:13Z https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745555#M529886 <HTML><HEAD></HEAD><BODY><P>Inside</P><P></P><P>Normal traffic.</P><P></P><P>nat (dmz4) 101 0.0.0.0 0.0.0.0</P></BODY></HTML> Mon, 26 Sep 2011 21:32:11 GMT https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745555#M529886 Matthew Michaluk 2011-09-26T21:32:11Z https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745556#M529887 <HTML><HEAD></HEAD><BODY><P>Pls. share the output of "sh run nat" and "sh run global"</P><P></P><P>-KS</P></BODY></HTML> Tue, 27 Sep 2011 00:01:02 GMT https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745556#M529887 Kureli Sankar 2011-09-27T00:01:02Z https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745557#M529888 <HTML><HEAD></HEAD><BODY><P> sh run nat</P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P>nat (inside) 101 0.0.0.0 0.0.0.0</P><P>nat (dmz4) 101 0.0.0.0 0.0.0.0</P><P>nat (dmz3) 101 0.0.0.0 0.0.0.0</P><P> sh run global</P><P>global (outside) 101 207.40.1.252 netmask 255.255.255.255</P></BODY></HTML> Tue, 27 Sep 2011 14:12:11 GMT https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745557#M529888 Matthew Michaluk 2011-09-27T14:12:11Z https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745558#M529889 <HTML><HEAD></HEAD><BODY><P>Anyone?&nbsp; </P></BODY></HTML> Thu, 13 Oct 2011 16:33:29 GMT https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745558#M529889 Matthew Michaluk 2011-10-13T16:33:29Z https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745559#M529890 <HTML><HEAD></HEAD><BODY><P>You might need to add this:</P><P></P><P>global (dmz4) 101 interface</P><P></P><P>There no translation for the inside host when&nbsp; they go the dmz4 interface.</P><P></P><P>Hope that helps,</P><P></P><P>Varun</P></BODY></HTML> Thu, 13 Oct 2011 16:37:06 GMT https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745559#M529890 varrao 2011-10-13T16:37:06Z https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745560#M529891 <HTML><HEAD></HEAD><BODY><P>I was having the same problem after changing dynamic nat pools around and found the below tip <A href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml">here</A> (at the bottom under troubleshooting). I ran <STRONG>clear xlate </STRONG>and my problem was solved immediately.</P><P></P><H3><A name="trans-failed">Translation Creation Failed</A></H3><P></P><P>If a connection cannot be created between the client and the WWW&nbsp; server, it might be due to a NAT misconfiguration. Check the security&nbsp; appliance logs for messages which indicate that a protocol failed to&nbsp; create a translation through the security appliance. If such messages&nbsp; appear, verify that NAT has been configured for the desired traffic and&nbsp; that no addresses are incorrect.</P><P></P><BLOCKQUOTE class="jive-quote"><PRE>%ASA-3-305006: portmap translation creation failed for tcp src inside:192.168.100.2/11000 dst inside:192.168.100.10/80</PRE></BLOCKQUOTE><P></P><P>Clear the xlate entries, and then remove and reapply the NAT statements in order to resolve this error.</P></BODY></HTML> Wed, 16 Nov 2011 18:37:48 GMT https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745560#M529891 fitzerpn1 2011-11-16T18:37:48Z https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745561#M529893 <HTML><HEAD></HEAD><BODY><P>Hello Patrick,</P><P></P><P>As Varun said you will need to add the following:</P><P>global (dmz4) 101 interface</P><P></P><P>You can do a packet-tracer too see if now we are hitting the correct nat statement when the packet goes from the dmz to the inside (syn-ack).</P><P></P><P>packet-tracer input inside tcp 192.168.100.2 1025 10.10.7.21 443</P><P></P><P>You can do a clear local-host&nbsp; 10.10.7.21 and clear xlate local 10.10.7.21</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Wed, 16 Nov 2011 18:53:21 GMT https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745561#M529893 Julio Carvajal 2011-11-16T18:53:21Z https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745562#M529895 <HTML><HEAD></HEAD><BODY><P> You need to add an NO NAT from your inside interface to your DMZ to get this to work. </P></BODY></HTML> Wed, 29 Feb 2012 21:15:37 GMT https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745562#M529895 smayfield 2012-02-29T21:15:37Z https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745563#M529897 <HTML><HEAD></HEAD><BODY><P> So for example you have this. </P><P></P><P>192.168.1.0/24Inside(FW)or (RA VPN) ---------VPN------------(FW )10.1.1.0/24Inside------192.168.10.0/24 DMZ</P><P></P><P></P><P>access-list INSIDE_NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0</P><P></P><P>nat (inside) 0 access-list INSIDE_NO_NAT </P></BODY></HTML> Wed, 29 Feb 2012 21:20:45 GMT https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745563#M529897 smayfield 2012-02-29T21:20:45Z https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745564#M529899 <HTML><HEAD></HEAD><BODY><P>Hi Julio,</P><P></P><P>I today was having the same issue.</P><P></P><P>Who doing hairpining NAT on a tcp port, to and from the same interface. Why is it that you need global (dmz4) 101 interface?</P><P></P><P>Thanks</P></BODY></HTML> Wed, 12 Jun 2013 21:12:09 GMT https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745564#M529899 John Peterson 2013-06-12T21:12:09Z https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745565#M529900 <HTML><HEAD></HEAD><BODY><P>Hello John,</P><P></P><P>Here is&nbsp; a document that will help u with the U-turn understanding:</P><P><A _jive_internal="true" href="https://community.cisco.com/docs/DOC-34107">https://supportforums.cisco.com/docs/DOC-34107</A></P><P></P><P>Let me know if u Understand the reason afterwards</P></BODY></HTML> Wed, 12 Jun 2013 23:20:56 GMT https://community.cisco.com/t5/network-security/portmap-translation-creation-failed-for-tcp-src-inside-192-168/m-p/1745565#M529900 Julio Carvajal 2013-06-12T23:20:56Z