Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2310
Views
0
Helpful
3
Replies

ASA 5510 with nat overload on second public IP?

wotifadmin
Level 1
Level 1

‎11-05-2009 03:26 PM - edited ‎03-11-2019 09:36 AM

Greetings Folks,

We have a 5510 with a public IP address A and a private IP range behind if of Z.Y.Y.0/24, it also has a default route out to 1.2.3.4

We also have a 1841 with a public IP address of B and a private ip range behind it of Z.0.0.0/8, it's default route is 5.6.7.8

We tried to move the public IP of the 1841 on to the ASA 5510 and do Dynamic NAT (which I believe is the equivalent of NAT overload?) and it didn't work.

Of course we couldn't add a new default route on the 5510 but that shouldn't matter as both ranges are served from our ISP via the same VLAN.

In the logs we kept getting 'portmap translation failed for'.. error messages.

When doing the Packet Tracer Wizard from the ASDM it kept failing on the 'dynamic translation to pool 5 (No matching global)'

However when looking in a 'sh nat' we did see a global but it was below the 'dynamic translation to pool 5 (No matching global)' line in the sh nat, so I'm guessing it was hitting that line before hitting the correct dynamic translation line.

Here is the snippet from our configuration: -

global (outside) 10 interface

global (office_outside) 5 interface

nat (inside-eth1) 0 access-list inside-eth1_nat0_outbound

nat (inside-eth1) 5 officeHQ 255.255.0.0

nat (inside-eth1) 10 dc 255.255.0.0

An example of the error we were receiving is as follows: -

Nov 3 22:02:03 <hostname> %ASA-3-305006: portmap translation creation failed for udp src inside-eth1:<server>/56554 dst outside:202.83.64.118/53

Can anyone shed any light on why this didn't work - or if it is even possible?

We are running ASA version 8.2(1) and ASDM version 6.2(1).

Regards,

Glenn Crawford.

Labels:
0 Helpful
3 Replies 3

jan.nielsen
Level 7
Level 7

‎11-05-2009 04:43 PM

You need to have your isp route that other subnet to the public address of the asa, if it is indeed on the same switch vlan from your isp, you should only need one outside interface, in your config you are defining two interfaces, if you route the new subnet to the asa you can do a "global (outside) 5 x.x.x.x" with other address.

0 Helpful

wotifadmin
Level 1
Level 1
In response to jan.nielsen

‎11-05-2009 04:53 PM

Due to requirements outside of my control, we need to keep the office coming from IP address A whilst keeping the existing IP range on the ASA.

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee

‎11-06-2009 10:40 AM

you are matching the

nat (inside-eth1) 5 officeHQ 255.255.0.0

but you don't have a "global (outside) 5" for it on the outside.

If you change the nat sequence to

nat (inside-eth1) 10 dc 255.255.0.0

nat (inside-eth1) 5 officeHQ 255.255.0.0

it will work.

I hope it helps.

PK

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card