topic Re: %FWSM-3-305006: portmap translation creation failed for icmp in Network Security

%FWSM-3-305006: portmap translation creation failed for icmp src outside

Nadeem ahmed Ahmed — Mon, 11 Mar 2019 17:24:18 GMT

Hi ,

I have configured my FWSM with no nat-control, simple routing mode, but i am getting following error log when i ping from host residing at the outside interface of FWSM to inside interface of FWSM, I know that inside interface of FWSM cannot be pingged as per FWSM design, but i need to know why i am getting this error.

4:11:38 Local4.Error 192.168.49.11 Mar 07 2010 14:09:32: %FWSM-3-305006: portmap translation creation failed for icmp src outside:192.168.255.5 dst inside:192.168.48.225 (type 8, code 0)

interface Vlan99
nameif outside
security-level 0
ip address 192.168.49.11 255.255.255.240 standby 192.168.49.12
!
interface Vlan57
nameif FWSM

security-level 85
ip address 192.168.57.1 255.255.255.0 standby 192.168.57.2
!
interface Vlan6
nameif inside

security-level 90
ip address 192.168.48.225 255.255.255.224 standby 192.168.48.226

!
interface Vlan67
nameif FWSM_2
security-level 80
ip address 192.168.67.1 255.255.255.0 standby 192.168.67.2

route outside 0.0.0.0 0.0.0.0 192.168.49.1 1 (towards MSFC)

logging enable
logging timestamp
logging standby
logging emblem
logging console debugging
logging trap debugging
logging history debugging
logging asdm debugging

I would appreciate if some one can share the experince.

Regards,

Nad

Re: %FWSM-3-305006: portmap translation creation failed for icmp

Kureli Sankar — Sun, 21 Mar 2010 22:31:42 GMT

Do you have

static (inside,outside) 192.168.48.0 192.168.48.0 net 255.255.255.0

Also, pls. enable icmp inspection under the policy-map.

-KS

Re: %FWSM-3-305006: portmap translation creation failed for icmp

Jennifer Halim — Mon, 22 Mar 2010 04:41:11 GMT

Unfortunately there is no specific syslog messages for pinging the wrong interface of the fwsm. The syslog message that you are seeing will be the one generated for pinging the wrong interface of the firewall.

Re: %FWSM-3-305006: portmap translation creation failed for icmp

Nadeem ahmed Ahmed — Mon, 22 Mar 2010 06:27:34 GMT

Hi,

I have disabled the Nat-control, FWSM is working in pure routing mode..?

Also what will be the use of enabling icmp inspection in my scenario.

Thanks!

Re: %FWSM-3-305006: portmap translation creation failed for icmp

Nadeem ahmed Ahmed — Mon, 22 Mar 2010 06:30:51 GMT

Hi halijenn ,

I am getting this message only when i ping to inside interface while no syslog message comes with other interfaces... Is it due to the most secure interface ? while other less secure interface are not giving any syslog message.

Please suggest if any!!

nad

Re: %FWSM-3-305006: portmap translation creation failed for icmp

Jennifer Halim — Mon, 22 Mar 2010 06:56:29 GMT

Sorry, as per design, you can't ping the opposite interface of the firewall, whether it is ping from the outside host towards the inside or FWSM interface, OR/ ping from an inside host towards the outside interface or FWSM interface of the FWSM.

You can only ping as per the following:

- Ping through the FWSM, ie: from inside host towards outside host, and vice versa. In this case, you would need to configure "inspect icmp".

- Ping the direct FWSM interface, ie: from inside host, you can only ping the inside interface, from the outside host, you can ping the outside interface, etc.