305006 portmap translation creation failed src inside dst outside

Hello all,

I am stumped.

Here is my scrubbed config. I hope I didn't leave out anything useful.

interface Vlan100
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
 no shutdown
interface Vlan200
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.0
 no shutdown
interface Vlan300
 nameif voip
 security-level 50
 ip address 192.168.0.1 255.255.255.0
 no shutdown
interface Vlan400
 nameif wlan
 security-level 50
 ip address 172.16.0.1 255.255.255.0
 no shutdown

global (outside) 1 interface
global (outside) 2 1.2.3.9
global (outside) 3 1.2.3.10
global (outside) 4 interface
global (voip) 4 interface
global (wlan) 4 interface

nat (inside) 0 access-list no_nat
nat (inside) 1 10.0.0.0 255.255.0.0
nat (voip) 2 192.168.0.0 255.255.255.0
nat (wlan) 3 172.16.0.0 255.255.255.0
nat (inside) 4 10.0.1.0 255.255.255.0

What I am after: I want voip and wlan to be on their own and only be able to go to the internet (with their own external IP) and not talk to each other or inside. The exception is that I want 10.0.1.0/24 (management range) to be able to talk to wlan and voip.

The problem: With the configuration as shown above, I achieve everything I need except that 10.0.1.0/24 reports "portmap translation creation failed for tcp src inside:10.0.1.13/1076 dst outside:1.2.2.2/443" when trying to move through the outside interface (the internet).

If I swap IDs 1 and 4 then 10.0.1.0/24 works perfectly, it can talk to all 3 segments, but the rest of the 10.0.0.0/16 range displays the portmap translation errors in the ASDM real-time log viewer when trying to access the internet (outside interface).

I feel like I am very close to my desired configuration, but I can't figure out how to solve this problem.

ASA5505

Cisco Adaptive Security Appliance Software Version 8.2(2)

Device Manager Version 6.3(1)

Thanks a bunch for stopping by.

5 Replies

Jouni Forss (VIP Alumni)

Hi,

I am not 100% sure, but I think if you are going to try to do Dynamic PAT using the "interface" IP address for 2 local networks then you should use the same ID.

Current

global (outside) 1 interface
global (outside) 4 interface
nat (inside) 1 10.0.0.0 255.255.0.0
nat (inside) 4 10.0.1.0 255.255.255.0

New

global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.0.0
nat (inside) 1 10.0.1.0 255.255.255.0

I mean changing the ID doesn't alter the situation at all since you were attempting to PAT the LAN networks to the same "interface" IP address anyway.

EDIT: Typo

- Jouni

Also,

I would personally recommend not configuring Dynamic PAT between your local interfaces. Mostly for the sake of having a simple NAT between your local networks.

I would leave the NAT configurations out completely or configure NAT0 between the networks and then use ACLs to control what traffic is allowed from each interface.

You could for example configure

access-list INSIDE-NAT0 permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 10.0.0.0 255.255.0.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0

access-list VOIP-NAT0 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list VOIP-NAT0 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (voip) 0 access-list VOIP-NAT0

access-list WLAN-NAT0 permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list WLAN-NAT0 permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (wlan) 0 access-list WLAN-NAT0

EDIT: Typos

- Jouni

Actually,

It might even be enough to just remove the

global (outside) 4 interface

to enable Internet traffic / translation for the 10.0.1.0/24 network also.

- Jouni

Jouni,

Thanks for the tips! Here is what I ended up doing and it seems to be working perfectly!

access-list no_nat extended permit ip 10.0.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_nat extended permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.255.0

global (outside) 1 interface
global (outside) 2 1.2.3.9
global (outside) 3 1.2.3.10

nat (inside) 0 access-list no_nat
nat (inside) 1 10.0.0.0 255.255.0.0
nat (voip) 2 192.168.0.0 255.255.255.0
nat (wlan) 3 172.16.0.0 255.255.255.0

Thanks for your assistance, I really appreciate it.

No problem,

Seems you actually made the NAT configuration simpler, so that might actually be better than what I suggested.

I guess you don't really need NAT0 configurations on each interface as the operation should be bidirectional anyway. And since "inside" now has a NAT0 configuration to the other networks it should be possible to connect in each direction (provided you want to even allow that on the ACLs).

- Jouni
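The following is an added example, not code from the thread or from Cisco: a small Python model of how a pre-8.3 ASA (the 8.2(2) box in this thread) selects a dynamic translation, applied to the original configuration and to the poster's final one. It encodes only the rules the replies rely on: a nat 0 access-list exemption is consulted first, the most specific matching nat statement wins regardless of line order, and the selected ID must be paired with a global on the egress interface or the flow has no translation group. It assumes nat-control is enabled (the segment isolation in this design depends on it), does not model interface ACLs, leaves the original no_nat ACL empty because its body is not shown in the post, and uses constructed sample flows. The shared-PAT-address check reflects Jouni's suspicion that "interface" under two global IDs on one interface is what triggers 305006; the thread does not prove that mechanism, so the model only flags it.

```python
# Added example (not from the thread): model of pre-8.3 ASA dynamic NAT selection.
# Rules encoded: nat 0 exemption first; best (longest-prefix) nat match; the
# chosen ID needs a global with the same ID on the egress interface, otherwise
# nat-control (assumed on) drops the flow. Interface ACLs are not modelled.
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network

# Interface names and connected networks from the original post.
INTERFACES = {"inside": IPNet("10.0.0.0/16"), "outside": IPNet("1.2.3.0/24"),
              "voip": IPNet("192.168.0.0/24"), "wlan": IPNet("172.16.0.0/24")}

@dataclass(frozen=True)
class Nat:       # nat (iface) id real_net mask
    iface: str
    nat_id: int
    real: IPNet

@dataclass(frozen=True)
class Global:    # global (iface) id {interface | address}
    iface: str
    nat_id: int
    pool: str

@dataclass(frozen=True)
class Exempt:    # one permit line of a nat 0 access-list applied on iface
    iface: str
    src: IPNet
    dst: IPNet

@dataclass(frozen=True)
class Config:
    nats: tuple
    globals_: tuple
    exempts: tuple

def egress_interface(dst_ip):
    """Connected networks win; everything else follows the default route to outside."""
    addr = ipaddress.IPv4Address(dst_ip)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return "outside"

def pick_translation(cfg, in_if, src_ip, dst_ip):
    """Decide what happens to the first packet of a flow entering in_if."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    out_if = egress_interface(dst_ip)
    # 1. NAT exemption is consulted before any dynamic rule.
    if any(e.iface == in_if and src in e.src and dst in e.dst for e in cfg.exempts):
        return {"egress": out_if, "action": "exempt"}
    # 2. Regular dynamic NAT: best (longest-prefix) match, not first match.
    matches = [n for n in cfg.nats if n.iface == in_if and src in n.real]
    if not matches:
        return {"egress": out_if, "action": "denied", "reason": "no nat statement"}
    best = max(matches, key=lambda n: n.real.prefixlen)
    # 3. The selected ID must be paired with a global on the egress interface.
    pools = [g for g in cfg.globals_ if g.iface == out_if and g.nat_id == best.nat_id]
    if not pools:
        return {"egress": out_if, "action": "denied",
                "reason": f"nat id {best.nat_id} has no global on {out_if}"}
    return {"egress": out_if, "action": "pat", "nat_id": best.nat_id, "pool": pools[0].pool}

def shared_pat_addresses(cfg):
    """One PAT address used under several global IDs on the same interface.
    Jouni suspects this as the 305006 trigger; the thread does not prove it."""
    seen = {}
    for g in cfg.globals_:
        seen.setdefault((g.iface, g.pool), set()).add(g.nat_id)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Original post. Its no_nat ACL body is not shown, so no exemptions are modelled.
ORIGINAL = Config(
    nats=(Nat("inside", 1, IPNet("10.0.0.0/16")), Nat("inside", 4, IPNet("10.0.1.0/24")),
          Nat("voip", 2, IPNet("192.168.0.0/24")), Nat("wlan", 3, IPNet("172.16.0.0/24"))),
    globals_=(Global("outside", 1, "interface"), Global("outside", 2, "1.2.3.9"),
              Global("outside", 3, "1.2.3.10"), Global("outside", 4, "interface"),
              Global("voip", 4, "interface"), Global("wlan", 4, "interface")),
    exempts=())

# The poster's working configuration from the last reply.
FINAL = Config(
    nats=(Nat("inside", 1, IPNet("10.0.0.0/16")), Nat("voip", 2, IPNet("192.168.0.0/24")),
          Nat("wlan", 3, IPNet("172.16.0.0/24"))),
    globals_=(Global("outside", 1, "interface"), Global("outside", 2, "1.2.3.9"),
              Global("outside", 3, "1.2.3.10")),
    exempts=(Exempt("inside", IPNet("10.0.1.0/24"), IPNet("192.168.0.0/24")),
             Exempt("inside", IPNet("10.0.1.0/24"), IPNet("172.16.0.0/24"))))

if __name__ == "__main__":
    # Constructed sample flows; 1.2.2.2 is the destination from the posted log line.
    flows = [("inside", "10.0.1.13", "1.2.2.2"),        # management host to the Internet
             ("inside", "10.0.1.13", "172.16.0.5"),     # management host to wlan
             ("inside", "10.0.7.7", "172.16.0.5"),      # ordinary inside host to wlan
             ("voip", "192.168.0.20", "172.16.0.5"),    # voip to wlan
             ("voip", "192.168.0.20", "198.51.100.10")] # voip to the Internet
    for name, cfg in (("ORIGINAL", ORIGINAL), ("FINAL", FINAL)):
        print(name, "shared PAT addresses:", shared_pat_addresses(cfg))
        for flow in flows:
            print("  ", flow, "->", pick_translation(cfg, *flow))
```

Running it shows why the final config does what the poster wanted: 10.0.1.13 reaches wlan and voip through the exemption and reaches the Internet via nat ID 1, while any other inside host, and the voip segment, has a matching nat statement but no global on the wlan or voip interface and is therefore dropped. In the original config the model translates the management host's Internet traffic successfully, which is the point of the shared-address check: the thread's only observed difference between the failing and the working setup is that "interface" was pooled under two IDs on outside. Note that the isolation here is a side effect of nat-control; Jouni's advice to enforce it with interface ACLs is the durable control, since disabling nat-control or adding a broader global would silently open the segments.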
