01-28-2013 08:32 AM - edited 03-11-2019 05:53 PM
After adding a NAT rule on Friday morning, I'm now getting a bunch of "portmap translation creation failed" messages from my ASA 5520. (It's currently running 8.4(3).) The failure errors appear to have nothing to do with the change that was made. Here are the relevant additions to the config:
! Define objects involved
object network BCSNovar
host 172.16.173.191
object network Harris
! public addresses masked to protect the innocent.
range x.x.x.1 x.x.x.254
description Harris Corporation - Novar
! Access list to allow the traffic in
access-list outside_access_in remark Harris RDP access to BCSNovar server via port 3392
access-list outside_access_in extended permit tcp object Harris object BCSNovar eq 3392 log alerts
! NAT the inside address to the outside address for the port
object network BCSNovar
nat (Inside,Outside) static interface service tcp 3389 3392
I have very similar rules in place for other vendors to access other machines. The only difference between this new one and those old ones is the use of the objects in the rule instead of the direct IP addresses. This is also the first one that involves a range instead of a specific address or network.
The errors are fairly frequent and usually involve normal web traffic on ports 80/443 or NTP. Here are a few copied from the ASDM interface:
3 | Jan 28 2013 | 11:26:42 | 72.240.1.140 | 123 | portmap translation creation failed for udp src Inside:172.16.171.10/65535 dst Outside:72.240.1.140/123 |
3 | Jan 28 2013 | 11:27:44 | 174.132.200.187 | 80 | portmap translation creation failed for tcp src Inside:172.16.31.119/53767 dst Outside:174.132.200.187/80 |
3 | Jan 28 2013 | 11:29:47 | 74.63.137.149 | 80 | portmap translation creation failed for tcp src Inside:172.16.30.130/3151 dst Outside:74.63.137.149/80 |
I have no idea why these are failing. Any help would be appreciated.
01-28-2013 05:49 PM
Sounds to me like there is a coincidence between the newly configured rules and the error message seen.
Did you perform "clear xlate" after configuring the new rules?
Also, the IP address in the error message, as you said, doesn't seem to match the newly configured NAT host, so it might not be related.
Without looking at the full configuration, it would be difficult to see what could be the issue.
01-30-2013 07:16 AM
01-30-2013 07:14 PM
Are you still getting the error message, or the error message has disappeared now?
Also, are you actually having any problem from those host in the error message?
If you run packet-tracer for the same source and destination as the error message, does it fail or pass? If it fails, can you please post the output of the packet-tracer?
01-31-2013 06:56 AM
I am still getting them. Here are a couple of random failures and the associated packet tracer output:
Jan 31 2013 09:32:41: %ASA-3-305006: portmap translation creation failed for udp src Inside:172.16.171.10 (fwdcvod01.buckeyehq.com) /65535 dst Outside:72.240.1.140 (unresolved) /123
Jan 31 2013 09:44:12: %ASA-3-305006: portmap translation creation failed for tcp src Inside:172.16.30.66 (hpc14520rr.buckeyehq.com) /1242 dst Outside:206.72.206.242 (unresolved) /80
Both seem to be dropping at the same rule, which is not one that I altered.
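The following is an added example, not part of the thread or of any Cisco tool: a small Python script that parses %ASA-3-305006 "portmap translation creation failed" messages in both forms that appear above (the pipe-delimited ASDM rows in the first post and the raw syslog lines in this one), tallies the failures by protocol and destination port, and flags any failure whose source or destination address is named by the newly added objects. That is the check the earlier reply asks for in words (do the failing addresses match the new NAT host?). The BCSNovar host 172.16.173.191 and ports 3389/3392 come from the posted config; the Harris range is masked in the post, so 203.0.113.0/24 is a placeholder assumption, and the final two sample lines are constructed for this example.

```python
"""Correlate ASA %ASA-3-305006 failures with a newly added static PAT rule.

Added example for illustration; not code from the thread or from Cisco.
"""
import ipaddress
import re
from collections import Counter
from typing import Optional

# Matches the message body in both forms seen in the thread: the ASDM table
# row (bare "ip/port") and the raw syslog line, where each IP may be followed
# by an optional "(hostname)" or "(unresolved)" before the "/port" part.
MSG_RE = re.compile(
    r"portmap translation creation failed for (?P<proto>tcp|udp) "
    r"src (?P<src_ifc>[^:\s]+):(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?: \([^)]*\))? ?/(?P<src_port>\d+) "
    r"dst (?P<dst_ifc>[^:\s]+):(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?: \([^)]*\))? ?/(?P<dst_port>\d+)"
)


def parse_305006(line: str) -> Optional[dict]:
    """Return the flow described by a 305006 line, or None for any other line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["src_port"] = int(flow["src_port"])
    flow["dst_port"] = int(flow["dst_port"])
    return flow


# Objects from the posted config.  The Harris range is masked in the post
# (x.x.x.1 - x.x.x.254); 203.0.113.0/24 is an assumed placeholder only.
BCSNOVAR_HOST = ipaddress.ip_address("172.16.173.191")
HARRIS_RANGE = ipaddress.ip_network("203.0.113.0/24")  # assumption, see above
NEW_RULE_PORTS = {3389, 3392}  # real port 3389, mapped port 3392 (tcp)


def involves_new_objects(flow: dict) -> bool:
    """True if either endpoint of the failed flow is an address the new objects name."""
    src = ipaddress.ip_address(flow["src_ip"])
    dst = ipaddress.ip_address(flow["dst_ip"])
    return any(ip == BCSNOVAR_HOST or ip in HARRIS_RANGE for ip in (src, dst))


def analyse(lines):
    """Parse all 305006 lines; return (flows, Counter by (proto, dst_port), flows touching the new objects)."""
    flows = [f for f in (parse_305006(line) for line in lines) if f]
    by_service = Counter((f["proto"], f["dst_port"]) for f in flows)
    related = [f for f in flows if involves_new_objects(f)]
    return flows, by_service, related


SAMPLE_LINES = [
    # Copied from the thread: two ASDM rows and two raw syslog lines.
    "3 | Jan 28 2013 | 11:26:42 | 72.240.1.140 | 123 | portmap translation creation failed for udp src Inside:172.16.171.10/65535 dst Outside:72.240.1.140/123 |",
    "3 | Jan 28 2013 | 11:27:44 | 174.132.200.187 | 80 | portmap translation creation failed for tcp src Inside:172.16.31.119/53767 dst Outside:174.132.200.187/80 |",
    "Jan 31 2013 09:32:41: %ASA-3-305006: portmap translation creation failed for udp src Inside:172.16.171.10 (fwdcvod01.buckeyehq.com) /65535 dst Outside:72.240.1.140 (unresolved) /123",
    "Jan 31 2013 09:44:12: %ASA-3-305006: portmap translation creation failed for tcp src Inside:172.16.30.66 (hpc14520rr.buckeyehq.com) /1242 dst Outside:206.72.206.242 (unresolved) /80",
    # Constructed for this example: a failure that DOES involve the new host and
    # its real port, so the positive case of the check is exercised.
    "Jan 31 2013 09:50:00: %ASA-3-305006: portmap translation creation failed for tcp src Inside:172.16.173.191 (unresolved) /3389 dst Outside:203.0.113.77 (unresolved) /52000",
    # Constructed: a different message ID, which the parser must ignore.
    "Jan 31 2013 09:51:00: %ASA-6-302013: Built inbound TCP connection 12345 for Outside:203.0.113.77/52000 (203.0.113.77/52000) to Inside:172.16.173.191/3389 (203.0.113.5/3392)",
]


if __name__ == "__main__":
    flows, by_service, related = analyse(SAMPLE_LINES)
    print(f"{len(flows)} portmap failures parsed")
    for (proto, port), n in by_service.most_common():
        print(f"  {proto}/{port}: {n}")
    for f in related:
        print("touches new objects:", f["src_ip"], "->", f["dst_ip"], f["proto"], f["dst_port"])
```

Run against only the lines posted in the thread, `related` is empty and the tally is all udp/123 and tcp/80, which is the same observation the earlier reply makes by eye: the failures are ordinary outbound web and NTP traffic, not the BCSNovar host or the Harris range. One caveat on the remedy that eventually worked: `clear xlate` with no arguments removes every translation slot on the box, and connections that depend on those slots are torn down with them, so run it in a maintenance window or narrow it with the command's filtering options rather than during production hours.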
10-22-2013 04:24 AM
Ultimately, it was a 'clear xlate' that fixed the issue.