https://community.cisco.com/t5/network-security/asdm-syslog-messages/m-p/1171570#M874683 <HTML><HEAD></HEAD><BODY><P><B>Is that why the portmap translation has failed?</B></P><P></P><P>This means there is no translation defined in the asa for this traffic between the two hosts going through asa INSIDE interface.</P><P></P><P>if you are terminating an Ipsec tunnel somewhere in your inside interface by another device as you indicated and want the far end of the tunnel talk to hosts on your ASA inside 31.0 traversing INSIDE interface sort of like a U-turn for the traffic you would need to allow that traffic in asa through nonat exempt rule.</P><P></P><P>this would be an example:</P><P></P><P>access-list nonat_traffic extended permit ip X.X.0.0 <MASK> X.X.31.0 <MASK></MASK></MASK></P><P>same-security-traffic permit intra-interface</P><P></P><P>nat (INSIDE) 0 access-list nonat_traffic</P><P></P></BODY></HTML> Tue, 24 Mar 2009 19:29:33 GMT JORGE RODRIGUEZ 2009-03-24T19:29:33Z https://community.cisco.com/t5/network-security/asdm-syslog-messages/m-p/1171567#M874680 <P>I am looking for information on what is the significance of type and code on syslog messages.</P><P></P><P>3 Mar 23 2009 22:42:36 305006 192.168.0.2 portmap translation creation failed for icmp src INSIDE:X.X.31.10 dst INSIDE:X.X.0.2 (type 8, code 0)</P> Mon, 11 Mar 2019 15:09:04 GMT https://community.cisco.com/t5/network-security/asdm-syslog-messages/m-p/1171567#M874680 wesleyfry 2019-03-11T15:09:04Z https://community.cisco.com/t5/network-security/asdm-syslog-messages/m-p/1171568#M874681 <HTML><HEAD></HEAD><BODY><P><B>portmap translation creation failed for icmp src INSIDE:X.X.31.10 dst INSIDE:X.X.0.2 </B></P><P></P><P>Here is some info for that 305006 message</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4770951" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4770951</A></P><P></P><P>ICMP message 0 is Echo Reply message and 8 is Echo message:</P><P>Have a look at icmp Types codes RFC-792</P><P><A class="jive-link-custom" href="http://www.faqs.org/rfcs/rfc792.html" target="_blank">http://www.faqs.org/rfcs/rfc792.html</A></P><P></P><P></P><P>My interpretation for your syslog message seeing the source X.X.31.10 and destination it seems as icmp is comming perhaps from another router from the INSIDE of the ASA? can you provide info on your topology with regards to these two networks to help you better if there is a problem with communication between these two nets, but seems that source x.x.31.10 is from different source/network behind asa traversing the same INSIDE interface not directly connected to INSIDE, by which in this case if ou expect this hosts network x.x.31.0 to communicate with x.x.0.2 hots/network you will need to configure couple of nat exempt rules in addition to same security trafic intra interface command statemens. </P><P></P><P>Regards</P><P></P></BODY></HTML> Tue, 24 Mar 2009 04:09:55 GMT https://community.cisco.com/t5/network-security/asdm-syslog-messages/m-p/1171568#M874681 JORGE RODRIGUEZ 2009-03-24T04:09:55Z https://community.cisco.com/t5/network-security/asdm-syslog-messages/m-p/1171569#M874682 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply. The 31.0 is an internal network and the 0.2 is and a remote site where the VPN terminates on the inside on a different router. The ICMP traffic is NMS related, but the 0.2 subnet does not exist. Is that why the portmap translation has failed?</P></BODY></HTML> Tue, 24 Mar 2009 17:20:08 GMT https://community.cisco.com/t5/network-security/asdm-syslog-messages/m-p/1171569#M874682 wesleyfry 2009-03-24T17:20:08Z https://community.cisco.com/t5/network-security/asdm-syslog-messages/m-p/1171570#M874683 <HTML><HEAD></HEAD><BODY><P><B>Is that why the portmap translation has failed?</B></P><P></P><P>This means there is no translation defined in the asa for this traffic between the two hosts going through asa INSIDE interface.</P><P></P><P>if you are terminating an Ipsec tunnel somewhere in your inside interface by another device as you indicated and want the far end of the tunnel talk to hosts on your ASA inside 31.0 traversing INSIDE interface sort of like a U-turn for the traffic you would need to allow that traffic in asa through nonat exempt rule.</P><P></P><P>this would be an example:</P><P></P><P>access-list nonat_traffic extended permit ip X.X.0.0 <MASK> X.X.31.0 <MASK></MASK></MASK></P><P>same-security-traffic permit intra-interface</P><P></P><P>nat (INSIDE) 0 access-list nonat_traffic</P><P></P></BODY></HTML> Tue, 24 Mar 2009 19:29:33 GMT https://community.cisco.com/t5/network-security/asdm-syslog-messages/m-p/1171570#M874683 JORGE RODRIGUEZ 2009-03-24T19:29:33Z https://community.cisco.com/t5/network-security/asdm-syslog-messages/m-p/1171571#M874684 <HTML><HEAD></HEAD><BODY><P>Thanks for your assitance Jorge!</P></BODY></HTML> Wed, 25 Mar 2009 22:35:21 GMT https://community.cisco.com/t5/network-security/asdm-syslog-messages/m-p/1171571#M874684 wesleyfry 2009-03-25T22:35:21Z https://community.cisco.com/t5/network-security/asdm-syslog-messages/m-p/1171572#M874685 <HTML><HEAD></HEAD><BODY><P>Wes, you're very welcome.</P></BODY></HTML> Thu, 26 Mar 2009 01:05:06 GMT https://community.cisco.com/t5/network-security/asdm-syslog-messages/m-p/1171572#M874685 JORGE RODRIGUEZ 2009-03-26T01:05:06Z