ASA Portmap translation failed

rstojkov1
Level 1

Hey all. I am having an issue with the DHCP configured on the ASA for our guest wireless network.  We have the ASA configured to hand out addresses via DHCP for our guest network and a Windows 2008 server set up to hand out addresses for the trusted wireless network.  However, we do not have two NIC cards in that server, thus we have the ASA hand out addresses for the guest network. I simply cannot get an address via the guest network, and the ASA produces "portmap translation creation failed for udp src: educ 10.86.133.170/67 dst OTS-Guest: 10.1.79.104/67".  Any help is appreciated.

Below is the running config:

: Saved

:

ASA Version 8.2(2)

!

hostname OTSASA

!

interface Vlan1

nameif inside

security-level 100

ip address 10.86.192.1 255.255.224.0

!

interface Vlan2

nameif educ

security-level 100

ip address 10.86.128.1 255.255.224.0

!

interface Vlan3

description SegmentedGuestWireless

nameif OTS-Guest

security-level 50

ip address 10.1.79.1 255.255.255.0

!

interface Vlan12

nameif outside-rr

security-level 1

ip address 70.61.239.98 255.255.255.240

!

interface Ethernet0/0

!

interface Ethernet0/1

switchport access vlan 12

!

interface Ethernet0/2

switchport access vlan 2

shutdown

!

interface Ethernet0/3

switchport access vlan 2

shutdown

!

interface Ethernet0/4

switchport access vlan 2

shutdown

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

switchport access vlan 2

switchport trunk allowed vlan 2-3

switchport trunk native vlan 2

switchport mode trunk

!

interface Ethernet0/7

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name oldtrail.org

same-security-traffic permit inter-interface

object-group service DM_INLINE_TCP_1 tcp

port-object eq pop2

port-object eq pop3

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list OtsVpnAdminAcl standard permit 10.86.128.0 255.255.224.0

access-list OtsVpnAdminAcl standard permit 10.86.192.0 255.255.224.0

access-list educ_nat0_outbound extended permit ip any 192.168.193.0 255.255.255.240

access-list inside_nat0_outbound extended permit ip any 192.168.193.0 255.255.255.240

access-list outside_access_in extended permit icmp any 10.1.221.96 255.255.255.240

access-list outside_access_in extended permit tcp any host CitrixNAT-T1 eq citrix-ica

access-list outside_access_in extended permit udp any host CitrixNAT-T1 eq 1604

access-list outside_access_in extended permit tcp any host CitrixNAT-T1 eq www

access-list outside_access_in extended permit tcp any host CitrixNAT-T1 eq https

access-list outside_access_in extended permit tcp any host otscomm1NAT-T1 eq ftp

access-list outside_access_in extended permit tcp any host otscomm1NAT-T1 eq ftp-data

access-list outside_access_in extended permit tcp any host VideoNAT-T1 eq ldap

access-list outside_access_in extended permit tcp any host VideoNAT-T1 eq 1503

access-list outside_access_in extended permit udp any host VideoNAT-T1 eq 1718

access-list outside_access_in extended permit udp any host VideoNAT-T1 eq 1719

access-list outside_access_in extended permit tcp any host VideoNAT-T1 eq h323

access-list outside_access_in extended permit tcp any host VideoNAT-T1 eq 1731

access-list outside_access_in extended permit tcp any host VideoNAT-T1 range 3230 3235

access-list outside_access_in extended permit tcp any host VideoNAT-T1 eq 3603

access-list outside_access_in extended permit udp any host VideoNAT-T1 eq 3230

access-list outside_access_in extended permit udp any host VideoNAT-T1 eq 3231

access-list outside_access_in extended permit udp any host VideoNAT-T1 eq 3232

access-list outside_access_in extended permit udp any host VideoNAT-T1 eq 3233

access-list outside_access_in extended permit udp any host VideoNAT-T1 eq 3234

access-list outside_access_in extended permit udp any host VideoNAT-T1 range 3235 3258

access-list outside_access_in extended permit tcp any host InfoNAT-T1 eq www

access-list outside_access_in extended permit tcp any host InfoNAT-T1 eq https

access-list outside_access_in extended permit tcp any host otscomm1NAT-T1 eq www

access-list outside_access_in extended permit tcp any host otscomm1NAT-T1 eq https

access-list outside_access_in remark Cymphonix

access-list outside_access_in extended permit tcp any host otscomm1NAT-T1 eq ssh

access-list outside_access_in remark First Class

access-list outside_access_in extended permit tcp any host otscomm1NAT-T1 eq 510

access-list outside_access_in remark RealAudio

access-list outside_access_in extended permit tcp any host otscomm1NAT-T1 eq 7070

access-list outside_access_in remark Sirsi SP

access-list outside_access_in extended permit tcp any host otscomm1NAT-T1 eq 210

access-list outside_access_in remark SmartPort Inbound

access-list outside_access_in extended permit tcp any host otscomm1NAT-T1 eq 7090

access-list outside_access_in remark Mail services

access-list outside_access_in extended permit tcp any host otscomm1NAT-T1 eq smtp

access-list outside_access_in extended permit tcp any host otscomm1NAT-T1 eq imap4

access-list outside_access_in extended permit tcp any host otscomm1NAT-T1 object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit tcp any host ConstNAT-T1 eq www

access-list outside_access_in remark Living Machine

access-list outside_access_in extended permit tcp any host HMINAT-T1 eq www

access-list outside_access_in remark Living Machine

access-list outside_access_in extended permit tcp any host HMINAT-T1 eq 5800

access-list outside_access_in remark Living Machine

access-list outside_access_in extended permit tcp any host HMINAT-T1 eq 5900

access-list outside_access_in remark Living Machine

access-list outside_access_in extended permit tcp any host PLCNAT-T1 eq www

access-list outside_access_in remark Living Machine

access-list outside_access_in extended permit tcp any host PLCNAT-T1 eq 102

access-list outside_access_in remark Moodle Server

access-list outside_access_in extended permit tcp any host MoodleNAT-T1 eq www

access-list outside_access_in remark Moodle Server

access-list outside_access_in extended permit tcp any host MoodleNAT-T1 eq https

access-list inside_access_in extended permit icmp 10.86.192.0 255.255.224.0 any

access-list inside_access_in extended permit ip 10.86.192.0 255.255.224.0 any

access-list educ_access_in extended permit icmp 10.86.128.0 255.255.224.0 any

access-list educ_access_in extended permit ip 10.86.128.0 255.255.224.0 any

access-list outside-rr_access_in extended permit icmp any 70.61.239.64 255.255.255.240

access-list outside-rr_access_in extended permit tcp any host CitrixNAT-RR eq citrix-ica

access-list outside-rr_access_in extended permit udp any host CitrixNAT-RR eq 1604

access-list outside-rr_access_in extended permit tcp any host CitrixNAT-RR eq www

access-list outside-rr_access_in extended permit tcp any host CitrixNAT-RR eq https

access-list outside-rr_access_in extended permit tcp any host otscomm1NAT-RR eq ftp

access-list outside-rr_access_in extended permit tcp any host otscomm1NAT-RR eq ftp-data

access-list outside-rr_access_in extended permit tcp any host VideoNAT-RR eq ldap

access-list outside-rr_access_in extended permit tcp any host VideoNAT-RR eq 1503

access-list outside-rr_access_in extended permit udp any host VideoNAT-RR eq 1718

access-list outside-rr_access_in extended permit udp any host VideoNAT-RR eq 1719

access-list outside-rr_access_in extended permit tcp any host VideoNAT-RR eq h323

access-list outside-rr_access_in extended permit tcp any host VideoNAT-RR eq 1731

access-list outside-rr_access_in extended permit tcp any host VideoNAT-RR range 3230 3235

access-list outside-rr_access_in extended permit tcp any host VideoNAT-RR eq 3603

access-list outside-rr_access_in extended permit udp any host VideoNAT-RR eq 3230

access-list outside-rr_access_in extended permit udp any host VideoNAT-RR eq 3231

access-list outside-rr_access_in extended permit udp any host VideoNAT-RR eq 3232

access-list outside-rr_access_in extended permit udp any host VideoNAT-RR eq 3233

access-list outside-rr_access_in extended permit udp any host VideoNAT-RR eq 3234

access-list outside-rr_access_in extended permit udp any host VideoNAT-RR range 3235 3258

access-list outside-rr_access_in extended permit tcp any host InfoNAT-RR eq www

access-list outside-rr_access_in extended permit tcp any host InfoNAT-RR eq https

access-list outside-rr_access_in extended permit tcp any host otscomm1NAT-RR eq www inactive

access-list outside-rr_access_in extended permit tcp any host otscomm1NAT-RR eq https

access-list outside-rr_access_in remark Cymphonix

access-list outside-rr_access_in extended permit tcp any host otscomm1NAT-RR eq ssh

access-list outside-rr_access_in remark First Class

access-list outside-rr_access_in extended permit tcp any host otscomm1NAT-RR eq 510

access-list outside-rr_access_in remark RealAudio

access-list outside-rr_access_in extended permit tcp any host otscomm1NAT-RR eq 7070

access-list outside-rr_access_in remark Sirsi SP

access-list outside-rr_access_in extended permit tcp any host otscomm1NAT-RR eq 210

access-list outside-rr_access_in remark SmartPort Inbound

access-list outside-rr_access_in extended permit tcp any host otscomm1NAT-RR eq 7090

access-list outside-rr_access_in remark Mail services

access-list outside-rr_access_in extended permit tcp any host otscomm1NAT-RR eq smtp

access-list outside-rr_access_in extended permit tcp any host otscomm1NAT-RR eq imap4

access-list outside-rr_access_in extended permit tcp any host otscomm1NAT-RR object-group DM_INLINE_TCP_1

access-list outside-rr_access_in extended permit tcp any host ConstNAT-RR eq www

access-list outside-rr_access_in remark Moodle Server

access-list outside-rr_access_in extended permit tcp any host MoodleNAT-RR eq www

access-list outside-rr_access_in remark Moodle Server

access-list outside-rr_access_in extended permit tcp any host MoodleNAT-RR eq https

access-list outside-rr_access_in remark Summer 2011 HVAC external access

access-list outside-rr_access_in extended permit tcp any host HVACNAT-RR eq www

access-list outside-rr_access_in remark Summer 2011 HVAC external access

access-list outside-rr_access_in extended permit tcp any host HVACNAT-RR eq 1911

access-list outside-rr_access_in remark Summer 2011 HVAC exernal access

access-list outside-rr_access_in extended permit tcp any host HVACNAT-RR eq 3011

access-list AquaNova standard permit host HMI

access-list AquaNova standard permit host PLC

access-list OtsBathACL standard permit host CamDriveway

access-list OtsBathACL standard permit host CamFrontDesk

access-list OtsBathACL standard permit host Const

access-list OtsBathACL standard permit host CamServer

pager lines 24

logging enable

logging list RouteTracking message 622001

logging asdm warnings

logging mail RouteTracking

logging from-address

logging recipient-address level debugging

mtu inside 1500

mtu educ 1500

mtu OTS-Guest 1500

mtu outside-rr 1500

ip local pool OTSPIXPOOL 192.168.193.1-192.168.193.10 mask 255.255.255.0

ip verify reverse-path interface inside

ip verify reverse-path interface educ

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any educ

asdm history enable

arp timeout 14400

nat-control

global (outside-rr) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.86.192.0 255.255.224.0

nat (educ) 0 access-list educ_nat0_outbound

nat (educ) 1 10.86.128.0 255.255.224.0

nat (OTS-Guest) 1 10.1.79.0 255.255.255.0

static (educ,inside) 10.86.128.0 10.86.128.0 netmask 255.255.224.0

static (educ,outside-rr) otscomm1NAT-RR otscomm1 netmask 255.255.255.255

static (educ,outside-rr) ConstNAT-RR Const netmask 255.255.255.255

static (educ,outside-rr) MoodleNAT-RR Moodle netmask 255.255.255.255

static (educ,outside-rr) HVACNAT-RR HVACJACE netmask 255.255.255.255

static (educ,outside-rr) VideoNAT-RR Video netmask 255.255.255.255

static (inside,outside-rr) CitrixNAT-RR Citrix netmask 255.255.255.255

static (inside,outside-rr) InfoNAT-RR Info netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group educ_access_in in interface educ

access-group outside-rr_access_in in interface outside-rr

route outside-rr 0.0.0.0 0.0.0.0 70.61.239.97 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server CiscoASA protocol radius

aaa-server CiscoASA (educ) host 10.86.128.3

key *****

radius-common-pw *****

http server enable

http 10.86.192.0 255.255.224.0 inside

http 10.86.128.0 255.255.224.0 educ

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside-rr

crypto isakmp enable outside-rr

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet 10.86.192.0 255.255.224.0 inside

telnet 10.86.128.0 255.255.224.0 educ

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd auto_config educ

!

dhcpd address Info-10.86.193.4 inside

!

dhcpd address 10.1.79.3-10.1.79.100 OTS-Guest

dhcpd dns 8.8.8.8 interface OTS-Guest

dhcpd option 3 ip 10.1.79.1 interface OTS-Guest

dhcpd enable OTS-Guest

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 69.50.231.130

ntp server 173.8.198.243

ntp server 204.9.136.253

webvpn

group-policy AquaNovaVPN internal

group-policy AquaNovaVPN attributes

dns-server value 10.86.128.8

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value AquaNova

default-domain value oldtrailschool.com

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-policy OTSBathPolGP internal

group-policy OTSBathPolGP attributes

dns-server value 10.86.128.8

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value OtsBathACL

default-domain value oldtrailschool.com

group-policy OtsVpnAdmin internal

group-policy OtsVpnAdmin attributes

dns-server value 10.86.128.8

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value OtsVpnAdminAcl

default-domain value oldtrailschool.com

username nmjtech password TuOF1WbhK3Tmhn16 encrypted privilege 15

username admin password 5tEmxPPbLaEfqvKw encrypted privilege 15

username cisco password wM15Ze3e8BiR79aIxNZfRA== nt-encrypted

tunnel-group OtsVpnAdmin type remote-access

tunnel-group OtsVpnAdmin general-attributes

address-pool OTSPIXPOOL

authentication-server-group CiscoASA

default-group-policy OtsVpnAdmin

tunnel-group OtsVpnAdmin ipsec-attributes

pre-shared-key *****

tunnel-group AquaNovaVPN type remote-access

tunnel-group AquaNovaVPN general-attributes

address-pool OTSPIXPOOL

authentication-server-group CiscoASA

default-group-policy AquaNovaVPN

tunnel-group AquaNovaVPN ipsec-attributes

pre-shared-key *****

tunnel-group OTSBathPolVPN type remote-access

tunnel-group OTSBathPolVPN general-attributes

address-pool OTSPIXPOOL

authentication-server-group CiscoASA

default-group-policy OTSBathPolGP

tunnel-group OTSBathPolVPN ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

smtp-server 10.86.192.2

prompt hostname context

Cryptochecksum:543a29e9ba3f36b13cdb72513853b986

: end

asdm location CamDriveway 255.255.255.255 inside

asdm location CamFrontDesk 255.255.255.255 inside

asdm location CamServer 255.255.255.255 inside

asdm history enable

Thanks,

Rob
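Added example (not from the original post or any of the replies): a short Python checker for the log line quoted above. It parses the message body and the nat-control, global, nat, static and nat-exempt ACL lines copied verbatim from the posted config, then reports which rule, if any, would translate a flow between two interfaces. With nat-control on, an ASA 8.2 needs a matching nat/global pair, a static, or a nat 0 exemption for every flow that crosses interfaces, and "translation creation failed" is what it logs when none exists. Assumptions: the statics that use object names (otscomm1NAT-RR and the others) are left out because the `name` lines that resolve them are not in the post, and the parser handles only the command forms that appear in this config.

```python
"""Added example: reproduce an ASA 8.2 'translation creation failed' verdict
from the nat-control, nat, global, static and nat-exempt lines of a config."""
import re
from ipaddress import ip_address, ip_network

# The message body exactly as quoted in the post.  ASA 8.2 writes
# "src <if>:<ip>/<port> dst <if>:<ip>/<port>"; the quoted copy has the colons
# shifted, so LOG_RE tolerates both and search() skips any syslog header.
SAMPLE_LOG = ("portmap translation creation failed for udp src: educ "
              "10.86.133.170/67 dst OTS-Guest: 10.1.79.104/67")

# Lines copied verbatim from the posted running config (only what the check
# needs; object-name statics omitted, their 'name' lines are not in the post).
CONFIG_EXCERPT = """
access-list educ_nat0_outbound extended permit ip any 192.168.193.0 255.255.255.240
nat-control
global (outside-rr) 1 interface
nat (educ) 0 access-list educ_nat0_outbound
nat (educ) 1 10.86.128.0 255.255.224.0
nat (OTS-Guest) 1 10.1.79.0 255.255.255.0
static (educ,inside) 10.86.128.0 10.86.128.0 netmask 255.255.224.0
"""

LOG_RE = re.compile(
    r"(?P<kind>outbound static|identity|portmap|regular) translation creation failed"
    r" for (?P<proto>\w+)"
    r" src:?\s*(?P<sif>[\w-]+):?\s*(?P<sip>[\d.]+)/(?P<sport>\d+)"
    r" dst:?\s*(?P<dif>[\w-]+):?\s*(?P<dip>[\d.]+)/(?P<dport>\d+)")


def _net(t, i):
    """Read one ACL address term ('any', 'host X' or 'X MASK') at t[i]."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1]), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect the NAT-relevant statements of an ASA 8.2 config."""
    cfg = {"nat_control": False, "global": set(), "nat": [], "nat0": {},
           "acl": {}, "static": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nat-control":
            cfg["nat_control"] = True
        elif t[0] == "global":                       # global (if) id ...
            cfg["global"].add((t[1].strip("()"), int(t[2])))
        elif t[0] == "nat":                          # nat (if) id net mask | 0 access-list name
            iface, nid = t[1].strip("()"), int(t[2])
            if nid == 0 and t[3] == "access-list":
                cfg["nat0"][iface] = t[4]            # NAT exemption
            else:
                cfg["nat"].append((iface, nid, ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "static":                       # static (real,mapped) mapped real netmask m
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["static"].append((real_if, mapped_if,
                                  ip_network(f"{t[3]}/{t[5]}", strict=False),
                                  ip_network(f"{t[2]}/{t[5]}", strict=False)))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _net(t, 5)
            dst, _ = _net(t, i)
            cfg["acl"].setdefault(t[1], []).append((src, dst))
    return cfg


def find_translation(cfg, src_if, src_ip, dst_if, dst_ip):
    """Rule that translates src_if:src_ip -> dst_if:dst_ip, or None (which is
    what the ASA logs as 'translation creation failed' under nat-control)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    acl = cfg["nat0"].get(src_if)                   # 1. nat 0 exemption wins
    if any(src in s and dst in d for s, d in cfg["acl"].get(acl, [])):
        return f"nat ({src_if}) 0 access-list {acl}"
    for real_if, mapped_if, real, mapped in cfg["static"]:  # 2. statics, both directions
        if (real_if, mapped_if) == (src_if, dst_if) and src in real:
            return f"static ({real_if},{mapped_if}) {mapped} {real}"
        if (real_if, mapped_if) == (dst_if, src_if) and dst in mapped:
            return f"static ({real_if},{mapped_if}) {mapped} {real}"
    for iface, nid, net in cfg["nat"]:              # 3. dynamic: nat id + global id on egress
        if iface == src_if and src in net and (dst_if, nid) in cfg["global"]:
            return f"nat ({iface}) {nid} + global ({dst_if}) {nid}"
    return None


def diagnose(log_line, cfg):
    """Parse one syslog line and name the rule that is missing for its flow."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    f = m.groupdict()
    f["rule"] = find_translation(cfg, f["sif"], f["sip"], f["dif"], f["dip"])
    src = ip_address(f["sip"])
    nat_ids = [nid for i, nid, net in cfg["nat"] if i == f["sif"] and src in net]
    f["missing"] = []
    if f["rule"] is None and cfg["nat_control"]:
        f["missing"] = ([f"global ({f['dif']}) {n}" for n in nat_ids]
                        or [f"static ({f['sif']},{f['dif']}) or nat ({f['sif']}) <id>"])
    return f


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, parse_config(CONFIG_EXCERPT)))
```

Run as a script it prints the parsed flow for the quoted message (educ:10.86.133.170/67 to OTS-Guest:10.1.79.104/67) with rule None and missing "global (OTS-Guest) 1": nat (educ) 1 matches the source address, but the only global is on outside-rr and the only educ static points at inside. The same host toward inside (static) or toward outside-rr (nat 1 plus global 1) does find a rule, which is the asymmetry the log line describes. The checker evaluates NAT only; whether a flow is also permitted by the interface access-groups is a separate question it does not answer.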

3 Replies

Jouni Forss
VIP Alumni

Hi,

To me it seems that the DHCP is configured correctly.

If the hosts are directly connected to Vlan3, I don't see why they wouldn't be getting an IP address from the ASA.

I am not sure what the log message you are seeing means. But it doesn't seem to directly refer to the OTS-Guest hosts' DHCP? Is your physical DHCP server perhaps behind the OTS-Guest interface?

- Jouni

Thanks for the reply. Vlan 3 is on the OTS-Guest interface, which is ports Fa0/5 and Fa0/6 on the ASA (Fa0/6 only in use), and uses the 10.1.79.1 IP address.  I initially had both the guest and trusted networks on the DHCP server until I realized I only have one NIC card. I have since deactivated the pool for the guest network on the server.

I think it may be an issue with my ACLs? Anyone else have any thoughts? My brain is fried.
