11-21-2008 02:00 PM - edited 03-11-2019 07:16 AM
Hello and thank you in advance for any assistance you may provide.
My logs register error message ASA-3-305006:
portmap translation creation failed for icmp src Inside:Netmon dst CCIB-DMZ:10.66.65.100 (type 8, code 0).
I also receive a similar message when I attempt to HTTP to the same destination. Simply, the ASA is not attempting to NAT.
My pool ID is 4. I originally had pool ID 20 but later changed it to 4. I currently have another active pool (5) that is working perfectly! I am unable to figure out why this one is failing.
My config:
name 10.66.0.0 CCIB_Apps
name 172.16.50.11 Netmon
object-group network CitrixUser
description Citrix User
network-object 172.16.50.0 255.255.255.0
!
interface GigabitEthernet0/2.10
description CCIB/Techcom DMZ
vlan 60
nameif CCIB-DMZ
security-level 75
ip address 10.200.60.1 255.255.255.252
interface GigabitEthernet0/3
description Inside Networks
speed 1000
duplex full
nameif Inside
security-level 100
ip address 10.30.4.10 255.255.255.0 standby 10.30.4.11
!
access-list Inside_nat_static extended permit ip host David_Bagarozza host CCIL
access-list Inside_nat_static_1 extended permit ip host Lee host CCIL
access-list Inside_nat_static_2 extended permit ip host Sohail_PC host PersonVUE_CMS
access-list Inside_nat_static_3 extended permit ip host Stephen_Blair host CCIL
access-list Inside_nat_static_4 extended permit ip host Stephen_Blair host CCIL
access-list Inside_nat_outbound extended permit ip object-group CitrixUser CCIB_Apps 255.255.0.0
access-list Inside_nat_outbound_2 extended permit ip 172.16.0.0 255.255.0.0 any
access-list CCIB-DMZ_access_in extended permit ip CCIB_Apps 255.255.0.0 host 10.200.60.1 inactive
nat-control
global (Outside) 20 10.200.50.1-10.200.50.254 netmask 255.255.255.0
global (Outside) 10 216.13.12.34 netmask 255.255.255.0
global (ACSR-DMZ) 5 interface
global (CCIB-DMZ) 4 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (Guest-DMZ) 10 access-list Guest-DMZ_nat_outbound
nat (Webserv-DMZ) 0 access-list Webserv-DMZ_nat0_outbound
nat (Webserv-DMZ) 10 0.0.0.0 0.0.0.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 5 access-list Inside_nat_outbound_2
nat (Inside) 4 access-list Inside_nat_outbound
nat (Inside) 20 172.16.50.0 255.255.255.0
static (Inside,Outside) NAT_CMS access-list Inside_nat_static_2
static (Inside,Outside) 10.200.51.1 access-list Inside_nat_static
static (Inside,Outside) 10.200.51.2 access-list Inside_nat_static_1
static (Inside,Outside) 10.200.51.3 access-list Inside_nat_static_4
access-group Outside_access_in in interface Outside
access-group Webserv-DMZ_access_in in interface Webserv-DMZ
access-group ACSR-DMZ_access_in in interface ACSR-DMZ
access-group Inside_access_in in interface Inside
access-group CCIB-DMZ_access_in in interface CCIB-DMZ
route CCIB-DMZ CCIB_Apps 255.255.0.0 10.200.60.2 1
Thanks again.
11-22-2008 04:56 AM
The problem could be related to the order in selecting the real IPs in dynamic NAT. Are you sure this traffic is matching nat-id 4 and not 5?
Even though technically it should match 4 (as its ACL is more specific).
You can try running the packet-tracer command to see the exact flow and error.
Regards
Farrukh
11-22-2008 08:35 PM
Hi Farrukh,
This is interesting! I ran the packet tracer and the packet was dropped. Here is the trace from Inside to CCIB-DMZ:
FLOW-LOOKUP - Allow
ROUTE-LOOKUP - Allow
ACCESS-LIST - Allow
IP-OPTIONS - Allow
IDS - Allow
FOVER - Allow
VPN - ALLOW
NAT - DROP
RESULT - The packet is dropped
The "Show rule in NAT Rules table" show:
nat (Inside) 5 access-list Inside_nat_outbound_2
nat control
match ip inside 172.16.0.0 255.255.0.0 CCIB-DMZ any
dynamic translation to pool 5 (no matching global)
translate_hits=2541, untranslated_hits=0
So, you are correct. It is not matching nat id #4...but why? I suspected it had something to do with the order....that is why I moved the nat id from 20 to 4 but was still getting the same results....
How do I fix it?
Do I apply a "global (CCIB-DMZ) 5 interface"?
or fix the nat (inside) 5 172.16.0.0 any to make it more specific? (something like 172.16.50.0/24 205.144.0.0/16).
I've created additional nat entries (2 & 3) but traffic never matched those pool IDs. Do you think there is something related to the order in selecting the real IPs? How is that taking place? I apologize if I am asking too many questions.
Regards,
Suhail Alhaj
11-23-2008 01:26 AM
Yes, most probably it has something to do with the 'most specific' match NAT rule. Even though technically nat-id 4 is more specific.
You can fix it using both of the methods you mentioned. However the following solution is simpler:
global (CCIB-DMZ) 5 interface
Regards
Farrukh
11-24-2008 08:08 AM
Great, thanks. I will try it out on Wednesday and let you know the results.
Thanks,
Suhail
11-25-2008 10:36 AM
Farrukh,
See attached for before and after screen shots of the ASDM. I found that pool id #5 is entry #37 as seen in the ASDM. Pool ids #3 and #4 are entries #38 & #39 respectively. The ASA was Exempting and applying NAT according to the entries as seen by the ASDM. When I removed entry #37, everything worked fine. I re-applied entry #37 after adjusting the source and destination (..it is entry #36 in the 2nd screen shot).
My conclusion: in a dynamic NAT, a lower pool id number does not necessarily mean it is being processed first. It is actually being processed according to when it was initially created and applied. In my case, pool id #5 was created 3 months ago, before creating the subsequent new pool IDs.
Thanks for your help.
Sohail
11-25-2008 10:03 PM
The best-selection algorithm you describe is correct. I mentioned this earlier (best-match).
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042696
"Regular dynamic NAT (nat)-Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used"
Please rate if helpful.
Regards
Farrukh
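The selection logic this thread converges on, as an added example (not code from the thread, the poster, or Cisco): a small Python model of pre-8.3 nat/global rule selection, run against a constructed subset of the posted configuration. It implements two rules from the ASA 8.0 NAT order of operations in the document linked above: policy dynamic NAT (nat ... access-list) is evaluated in configuration order until the first match, which is the ordering the ASDM rule table reflects, and regular dynamic NAT (nat ... net mask) is chosen by best match on the real address regardless of order. The model reproduces the packet-tracer drop (nat 5 matches first; pool 5 has no global on CCIB-DMZ), then shows both fixes discussed: adding global (CCIB-DMZ) 5 interface, and re-entering nat 5 after nat 4, which is an assumed simplification of the reordering the poster did in ASDM. The "pass untranslated" verdict without nat-control, and the ACL/object-group subset the parser accepts, are assumptions of the model rather than behaviour the thread shows.

```python
"""Model of pre-8.3 ASA dynamic NAT selection (nat/global syntax).

Added example, not code from the thread or from Cisco.  Policy dynamic NAT
(nat <ifc> <id> access-list ...) is tried in configuration order until the
first match; regular dynamic NAT (nat <ifc> <id> <net> <mask>) is chosen by
best (longest-prefix) match on the real address.  A matched nat-id with no
global on the egress interface is the "no matching global" drop seen in the
thread's packet-tracer output.  nat 0 exemption and static NAT are not modelled.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed subset of the configuration posted in the thread.
CONFIG = """\
name 10.66.0.0 CCIB_Apps
object-group network CitrixUser
 network-object 172.16.50.0 255.255.255.0
access-list Inside_nat_outbound extended permit ip object-group CitrixUser CCIB_Apps 255.255.0.0
access-list Inside_nat_outbound_2 extended permit ip 172.16.0.0 255.255.0.0 any
nat-control
global (Outside) 20 10.200.50.1-10.200.50.254 netmask 255.255.255.0
global (ACSR-DMZ) 5 interface
global (CCIB-DMZ) 4 interface
nat (Inside) 5 access-list Inside_nat_outbound_2
nat (Inside) 4 access-list Inside_nat_outbound
nat (Inside) 20 172.16.50.0 255.255.255.0
"""


def _net(addr, mask, names):
    """Resolve a 'name' alias and build a network from address + netmask."""
    return ipaddress.ip_network((names.get(addr, addr), mask), strict=False)


def _addr_term(tokens, names, groups):
    """Parse one ACL address term; return (networks, remaining tokens)."""
    if tokens[0] == "any":
        return [ANY], tokens[1:]
    if tokens[0] == "host":
        return [_net(tokens[1], "255.255.255.255", names)], tokens[2:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [_net(tokens[0], tokens[1], names)], tokens[2:]


def parse(config):
    """Parse the subset of ASA syntax used above; nat rules keep config order."""
    names, groups, acls, nats, globals_ = {}, {}, {}, [], set()
    nat_control, group = False, None
    for raw in config.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "name":
            names[p[2]] = p[1]
        elif p[0] == "object-group":
            group = p[2]
            groups[group] = []
        elif p[0] == "network-object":
            groups[group].append(_net(p[1], p[2], names))
        elif p[0] == "access-list" and p[3:5] == ["permit", "ip"]:
            src, rest = _addr_term(p[5:], names, groups)
            dst, _ = _addr_term(rest, names, groups)
            acls.setdefault(p[1], []).append((src, dst))
        elif p[0] == "nat-control":
            nat_control = True
        elif p[0] == "global":
            globals_.add((p[1].strip("()"), int(p[2])))
        elif p[0] == "nat":
            ifc, nat_id = p[1].strip("()"), int(p[2])
            if p[3] == "access-list":
                nats.append((ifc, nat_id, "policy", acls[p[4]]))
            else:  # regular dynamic NAT: one real network, any destination
                nats.append((ifc, nat_id, "regular", [([_net(p[3], p[4], names)], [ANY])]))
    return {"nats": nats, "globals": globals_, "nat_control": nat_control}


def select_nat(cfg, ingress, src, dst, egress):
    """Return (nat_id or None, verdict) for one flow entering 'ingress'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    policy = [n for n in cfg["nats"] if n[0] == ingress and n[2] == "policy"]
    regular = [n for n in cfg["nats"] if n[0] == ingress and n[2] == "regular"]
    # Policy dynamic NAT: first match in configuration order wins.
    chosen = next((nid for _, nid, _, entries in policy
                   if any(any(src in s for s in ss) and any(dst in d for d in dd)
                          for ss, dd in entries)), None)
    if chosen is None:  # regular dynamic NAT: longest prefix wins, order irrelevant
        hits = [(e[0][0][0].prefixlen, nid) for _, nid, _, e in regular if src in e[0][0][0]]
        chosen = max(hits)[1] if hits else None
    if chosen is None:
        return None, "drop: no nat rule" if cfg["nat_control"] else "pass untranslated"
    if (egress, chosen) in cfg["globals"]:
        return chosen, f"translate via pool {chosen} on {egress}"
    return chosen, f"drop: pool {chosen} has no global on {egress}"


# Fix A (Farrukh's): give pool 5 a global on the DMZ interface.
FIX_GLOBAL = CONFIG + "global (CCIB-DMZ) 5 interface\n"
# Fix B (assumed variant of the poster's re-ordering): re-enter nat 5 after nat 4.
NAT5 = "nat (Inside) 5 access-list Inside_nat_outbound_2\n"
FIX_ORDER = CONFIG.replace(NAT5, "") + NAT5

if __name__ == "__main__":
    flow = ("Inside", "172.16.50.11", "10.66.65.100", "CCIB-DMZ")  # Netmon -> DMZ host
    for label, text in (("as posted", CONFIG), ("fix A", FIX_GLOBAL), ("fix B", FIX_ORDER)):
        print(f"{label:10}", select_nat(parse(text), *flow))
```

Note what the simpler fix changes: with global (CCIB-DMZ) 5 interface, every Inside source in 172.16.0.0/16 becomes eligible for PAT toward CCIB-DMZ, not only the CitrixUser group that nat-id 4 scoped to CCIB_Apps, so what can actually reach the DMZ is then decided solely by the interface ACLs. Narrowing Inside_nat_outbound_2, or placing the specific rule ahead of the broad one as the poster eventually did, keeps the NAT layer's scope aligned with the intended one.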