topic Portmap Error creation in Network Security

Portmap Error creation

rsjavahar — Mon, 11 Mar 2019 17:57:30 GMT

we have 3 networks. Outside(172.14.XX.XX), Inside(172.20.XX.XX) and Local (INTF2 192.168.XX.XX) , inside outside network is working fine , but when we tryed to access the INTF2 Network we are getting Pormap Cration Errors. We are using ASA 5510 with Ver 8.2 The second Issues we are not able to ping from the work stations (ICMP) is not working . Please help me

Configuration

ciscoasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.17.XX.XX 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.20.XX.XX.10 255.255.255.0
!
interface Ethernet0/2
nameif intf2
security-level 0
ip address 192.168.1.4 255.255.252.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group network natpool
network-object 172.17.XX.XX 255.255.255.128
object-group network MainstayCCnetwork
network-object 203.XXX.XXX.0 255.255.255.0
object-group network InstaCCnetwork
network-object 203.XXX.XXX.0 255.255.255.128
object-group network nonatinside
network-object 172.20.XX.XX.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240
access-list outside_access_in extended permit tcp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq h323
access-list outside_access_in extended permit udp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq sip
access-list outside_access_in extended permit tcp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq 6498
access-list outside_access_in extended permit tcp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq 6499
access-list outside_access_in extended permit tcp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq 6500
access-list outside_access_in extended permit tcp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq 6565
access-list outside_access_in extended permit tcp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq smtp
access-list outside_access_in extended permit tcp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq ldap
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq 14300
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq h323
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq 6498
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq 6499
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq 6503
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq 6565
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq www
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq smtp
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq ldap
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group InstaCCnetwork eq 6500
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group InstaCCnetwork eq 6505
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group InstaCCnetwork eq 6508
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork range 14001 14015
access-list inside_access_in extended permit udp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq sip
access-list intf2_access_in extended permit ip 172.20.XX.XX.0 255.255.255.0 192.168.0.0 255.255.252.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group intf2_access_in in interface intf2
route outside 0.0.0.0 0.0.0.0 172.17.XX.XX 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:17956bfe428fcf5154645159f0d68b55
: end

Re: Portmap Error creation

edadios — Thu, 10 Jun 2010 12:17:12 GMT

For inside to intf2 traffic, you will need something like the following :

global (intf2) 1 interface

This will PAT your inside traffic to the interface intf2 when trying to get to that side of the network.

With regards to icmp failures, since you are using interface overload, you should configure the following :

policy-map global_policy
class inspection_default
inspect icmp

Regards,

Re: Portmap Error creation

rsjavahar — Wed, 16 Jun 2010 07:54:46 GMT

I tried it its not working . after adding the Global statement also , i am not able to access my DNS server IP is 192.168.1.11 my cleints PC ip is 172.20.16.19 .. here i am sending the ASA LOG , Please give me solution..

regards

6|Jun 16 2010|07:11:54|305012|172.20.16.19|192.168.1.4|Teardown dynamic UDP translation from inside:172.20.16.19/64660 to intf2:192.168.1.4/1029 duration 0:00:30
6|Jun 16 2010|07:11:46|305012|172.20.16.19|192.168.1.4|Teardown dynamic UDP translation from inside:172.20.16.19/54316 to intf2:192.168.1.4/1028 duration 0:00:30
6|Jun 16 2010|07:11:24|302015|207.46.197.32|172.20.16.19|Built outbound UDP connection 58 for intf2:207.46.197.32/123 (207.46.197.32/123) to inside:172.20.16.19/123 (192.168.1.4/5)
6|Jun 16 2010|07:11:24|305011|172.20.16.19|192.168.1.4|Built dynamic UDP translation from inside:172.20.16.19/123 to intf2:192.168.1.4/5
6|Jun 16 2010|07:11:24|302016|192.168.1.14|172.20.16.19|Teardown UDP connection 53 for intf2:192.168.1.14/53 to inside:172.20.16.19/64660 duration 0:00:00 bytes 411
6|Jun 16 2010|07:11:24|302015|192.168.1.11|172.20.16.19|Built outbound UDP connection 57 for intf2:192.168.1.11/138 (192.168.1.11/138) to inside:172.20.16.19/138 (192.168.1.4/4)
6|Jun 16 2010|07:11:24|302015|192.168.1.13|172.20.16.19|Built outbound UDP connection 56 for intf2:192.168.1.13/138 (192.168.1.13/138) to inside:172.20.16.19/138 (192.168.1.4/4)
6|Jun 16 2010|07:11:24|302015|192.168.1.12|172.20.16.19|Built outbound UDP connection 55 for intf2:192.168.1.12/138 (192.168.1.12/138) to inside:172.20.16.19/138 (192.168.1.4/4)
6|Jun 16 2010|07:11:24|302015|192.168.1.14|172.20.16.19|Built outbound UDP connection 54 for intf2:192.168.1.14/138 (192.168.1.14/138) to inside:172.20.16.19/138 (192.168.1.4/4)
6|Jun 16 2010|07:11:24|305011|172.20.16.19|192.168.1.4|Built dynamic UDP translation from inside:172.20.16.19/138 to intf2:192.168.1.4/4
6|Jun 16 2010|07:11:24|302015|192.168.1.14|172.20.16.19|Built outbound UDP connection 53 for intf2:192.168.1.14/53 (192.168.1.14/53) to inside:172.20.16.19/64660 (192.168.1.4/1029)
6|Jun 16 2010|07:11:24|305011|172.20.16.19|192.168.1.4|Built dynamic UDP translation from inside:172.20.16.19/64660 to intf2:192.168.1.4/1029
6|Jun 16 2010|07:11:16|302016|192.168.1.14|172.20.16.19|Teardown UDP connection 52 for intf2:192.168.1.14/53 to inside:172.20.16.19/54316 duration 0:00:00 bytes 266
6|Jun 16 2010|07:11:16|302015|192.168.1.14|172.20.16.19|Built outbound UDP connection 52 for intf2:192.168.1.14/53 (192.168.1.14/53) to inside:172.20.16.19/54316 (192.168.1.4/1028)
6|Jun 16 2010|07:11:16|305011|172.20.16.19|192.168.1.4|Built dynamic UDP translation from inside:172.20.16.19/54316 to intf2:192.168.1.4/1028

Re: Portmap Error creation

edadios — Thu, 17 Jun 2010 02:05:03 GMT

The portmap creation error is now gone.

So the correction on the NAT for inside to intf2 worked.

Hoiwever, looking at the configuration further, and the access-list you have been trying to implement (though they are wrong) appears that you want the inside to go to the intf2 as untranslated. so instead of doing dynamic nat, we should have done identity nat to itself.

So let us remove that global we previously added and implement statics instead, and then clear the nat tables

##############

no global (intf2) 1 interface

static (inside,intf2) 172.20.xx.0 172.20.xx.0 netmask 255.255.255.0

! (put correct address on xx)

clear xlate

clear local-host

###############

The last 2 commands will tear down existing connections, and then they will get rebuilt when establishing new one.

Also note, a number of your access-lists have wrong direction.

The one applied to intf2 is completely wrong.

access-list intf2_access_in extended permit ip 172.20.XX.XX.0 255.255.255.0 192.168.0.0 255.255.252.0 (it should be the other way around)

access-list intf2_access_in extended permit ip 192.168.0.0 255.255.252.0 172.20.XX.XX.0 255.255.255.0

So if you need traffic flowing from intf2 to inside, please correct this, by puttin no in front of first line, and reissue the corrected command:

######

no access-list intf2_access_in extended permit ip 172.20.XX.XX 255.255.255.0 192.168.0.0 255.255.252.0

access-list intf2_access_in extended permit ip 192.168.0.0 255.255.252.0 172.20.XX.XX.0 255.255.255.0

#######

Above command have to be modified a bit to be taken in by firewall.

Lots of the lines in the other applied access-lists are wrong and don't make sense (source/destination reversed) , however so far things go though due to the first few line being permit ip any any.

####################

access-list outside_access_in extended permit udp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240
access-list outside_access_in extended permit tcp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq h323
access-list outside_access_in extended permit udp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq sip
access-list outside_access_in extended permit tcp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq 6498
access-list outside_access_in extended permit tcp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq 6499
access-list outside_access_in extended permit tcp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq 6500
access-list outside_access_in extended permit tcp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq 6565
access-list outside_access_in extended permit tcp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq smtp
access-list outside_access_in extended permit tcp object-group MainstayCCnetwork 172.17.XX.XX 255.255.255.240 eq ldap

access-list inside_access_in extended permit udp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq 14300
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq h323
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq 6498
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq 6499
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq 6503
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq 6565
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq www
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq smtp
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork eq ldap
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group InstaCCnetwork eq 6500
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group InstaCCnetwork eq 6505
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group InstaCCnetwork eq 6508
access-list inside_access_in extended permit tcp 172.17.XX.XX 255.255.255.240 object-group MainstayCCnetwork range 14001

#########################

If you still have problems, pease provide the latest configuration you have, and the new logs you are getting.

Also, I do not see you testing the pings, does the pings work now?

Re: Portmap Error creation

rsjavahar — Tue, 22 Jun 2010 07:44:24 GMT

Thank You very much the now the network is fine .. Thank you for support

regards