Solved: Re: ASA Static Route problems

Dustin Barnett · ‎04-14-2011

Hi,

I have an ASA 5505, version 8.2. The inside interface IP is 172.21.25.254

I am trying to have the ASA use a router on the inside network. In ASDM, I have added a static route that looks like this:

route inside 172.0.36.0 255.255.255.0 172.21.25.253 1

When trying to ping an address, I see these errors in the ASDM syslog:

portmap translation creation failed for icmp src inside:172.21.25.30 dst inside:172.0.36.1 (type 8, code 0)

Any advice?

pablo.nxh · ‎04-14-2011

Hello Dustin,

By default the ASA won't allow inside hosts on different subnets to communicate. This should do the trick 4 you

ASA7(config)# same-security-traffic permit intra-interface

Hope this helps

__ __

Pablo

View solution in original post

sean_evershed · ‎04-15-2011

I think you might have a NATing problem:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

See below from the troubleshooting section concerning the portmap translation creation error message:

"Check the security appliance logs for messages which indicate that a protocol failed to create a translation through the security appliance. If such messages appear, verify that NAT has been configured for the desired traffic and that no addresses are incorrect.

View solution in original post

ccnpwannabe · ‎04-14-2011

The address 172.0.36.1 is a public ip address which can't be used in internal networks unless u own the address or the Asa is used for testing purpose internally

pablo.nxh · ‎04-14-2011

Hello Dustin,

By default the ASA won't allow inside hosts on different subnets to communicate. This should do the trick 4 you

ASA7(config)# same-security-traffic permit intra-interface

Hope this helps

__ __

Pablo

sean_evershed · ‎04-15-2011

I think you might have a NATing problem:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

See below from the troubleshooting section concerning the portmap translation creation error message:

"Check the security appliance logs for messages which indicate that a protocol failed to create a translation through the security appliance. If such messages appear, verify that NAT has been configured for the desired traffic and that no addresses are incorrect.

Dustin Barnett · ‎04-15-2011

I applied the "same-security-traffic permit intra-interface" command, but I'm still having a problem.

After reading the link, I agree that it seems to be a NAT problem, but I'm not sure on how to configure it for this scenario.

Do all the clients need to be using the router instead of the ASA for the gateway? If I do that, I am able to access both networks, but I am not able to access any ipsec tunnels...

ccnpwannabe · ‎04-15-2011

post ur configuration and the n/w setup if possible

Dustin Barnett · ‎04-18-2011

I was able to resolve this issue by using the router as the default gateway. The problem turned out to be that it's interfaced was configured as 255.255.0.0 for some reason...

Shrikant Sundaresh · ‎04-18-2011

Hi Dustin,

In case you would like to know why the original setup with ASA as default gateway wasn't working:

Here was the traffic flow from a PC on the inside interface, to PC2 (the one behind the router).

PC - ASA - Router - PC2

Return traffic: PC2 - Router - PC (Since router (.253) and PC are in the same subnet)

Thus the ASA would never see return communication, and thus would not allow TCP connections through.

The initial error you reported would be solved with "same-security-traffic permit intra-interface".

For the setup to work correctly, you would also have to add the following:

Suppose you have in your config on the ASA:

nat (inside) 1 0 0

global (outside) 1 interface

Add:

global (inside) 1 interface

This way, when traffic goes from PC-ASA -> Router, the source IP becomes that of the inside interface of the ASA. Thus return traffic would be destined to the ASA instead of going directly to the PC from the Router.

Hope this helps.

-Shrikant