04-14-2011 04:23 PM - edited 03-11-2019 01:21 PM
Hi,
I have an ASA 5505, version 8.2. The inside interface IP is 172.21.25.254
I am trying to have the ASA use a router on the inside network. In ASDM, I have added a static route that looks like this:
route inside 172.0.36.0 255.255.255.0 172.21.25.253 1
When trying to ping an address, I see these errors in the ASDM syslog:
portmap translation creation failed for icmp src inside:172.21.25.30 dst inside:172.0.36.1 (type 8, code 0)
Any advice?
04-14-2011 06:12 PM
Hello Dustin,
By default the ASA won't allow inside hosts on different subnets to communicate. This should do the trick for you:
ASA7(config)# same-security-traffic permit intra-interface
Hope this helps
__ __
Pablo
04-15-2011 07:38 AM
I think you might have a NATing problem:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
See below from the troubleshooting section concerning the portmap translation creation error message:
"Check the security appliance logs for messages which indicate that a protocol failed to create a translation through the security appliance. If such messages appear, verify that NAT has been configured for the desired traffic and that no addresses are incorrect."
04-14-2011 05:33 PM
The address 172.0.36.1 is a public IP address which can't be used in internal networks unless you own the address or the ASA is used for testing purposes internally.
04-15-2011 08:29 AM
I applied the "same-security-traffic permit intra-interface" command, but I'm still having a problem.
After reading the link, I agree that it seems to be a NAT problem, but I'm not sure on how to configure it for this scenario.
Do all the clients need to be using the router instead of the ASA for the gateway? If I do that, I am able to access both networks, but I am not able to access any ipsec tunnels...
04-15-2011 05:44 PM
Post your configuration and the network setup if possible.
04-18-2011 05:12 PM
I was able to resolve this issue by using the router as the default gateway. The problem turned out to be that its interface was configured as 255.255.0.0 for some reason...
04-18-2011 06:09 PM
Hi Dustin,
In case you would like to know why the original setup with ASA as default gateway wasn't working:
Here was the traffic flow from a PC on the inside interface, to PC2 (the one behind the router).
PC - ASA - Router - PC2
Return traffic: PC2 - Router - PC (Since router (.253) and PC are in the same subnet)
Thus the ASA would never see return communication, and thus would not allow TCP connections through.
The initial error you reported would be solved with "same-security-traffic permit intra-interface".
For the setup to work correctly, you would also have to add the following:
Suppose you have in your config on the ASA:
nat (inside) 1 0 0
global (outside) 1 interface
Add:
global (inside) 1 interface
This way, when traffic goes from PC-ASA -> Router, the source IP becomes that of the inside interface of the ASA. Thus return traffic would be destined to the ASA instead of going directly to the PC from the Router.
Hope this helps.
-Shrikant
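As an added illustration (not part of the thread), here is a small Python model of the topology Shrikant describes. It traces the forward path PC -> PC2 and the reply path with and without the hairpin PAT from "global (inside) 1 interface", showing why the ASA drops out of the return path without it. The Router's 172.0.36.254 address is an assumption; everything else comes from the thread.

```python
import ipaddress

# Constructed topology modelling the thread: the PC and the Router share the ASA's inside
# subnet, PC2 sits behind the Router. The Router's 172.0.36.254 address is an assumption.
NODES = {
    "PC":     {"ifaces": ["172.21.25.30/24"], "routes": {}, "gw": "172.21.25.254"},
    "ASA":    {"ifaces": ["172.21.25.254/24"], "routes": {"172.0.36.0/24": "172.21.25.253"}, "gw": None},
    "Router": {"ifaces": ["172.21.25.253/24", "172.0.36.254/24"], "routes": {}, "gw": None},
    "PC2":    {"ifaces": ["172.0.36.1/24"], "routes": {}, "gw": "172.0.36.254"},
}
ASA_INSIDE = ipaddress.ip_address("172.21.25.254")

def owner(ip):
    """Name of the node holding this address, or None."""
    for name, node in NODES.items():
        if any(ipaddress.ip_interface(i).ip == ip for i in node["ifaces"]):
            return name
    return None

def next_hop(node, dst):
    """Connected subnet first, then static routes, then the default gateway."""
    for i in NODES[node]["ifaces"]:
        if dst in ipaddress.ip_interface(i).network:
            return dst                      # directly connected: hand straight to dst
    for prefix, nh in NODES[node]["routes"].items():
        if dst in ipaddress.ip_network(prefix):
            return ipaddress.ip_address(nh)
    gw = NODES[node]["gw"]
    return ipaddress.ip_address(gw) if gw else None

def trace(start, src, dst, hairpin_nat):
    """Follow one packet hop by hop. Returns (nodes visited, source IP as seen on arrival)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    node, path = start, [start]
    while owner(dst) != node:
        nh = next_hop(node, dst)
        if nh is None or len(path) > 8:
            return path + ["DROP"], src
        if node == "ASA" and hairpin_nat:
            src = ASA_INSIDE                # "global (inside) 1 interface": PAT to the inside IP
        node = owner(nh)
        path.append(node)
    return path, src

def round_trip(hairpin_nat):
    """Forward path PC->PC2 and the reply path; the ASA must sit on both to keep state."""
    fwd, seen_src = trace("PC", "172.21.25.30", "172.0.36.1", hairpin_nat)
    ret, _ = trace("PC2", "172.0.36.1", str(seen_src), hairpin_nat)
    if hairpin_nat and ret[-1] == "ASA":
        ret.append("PC")                    # ASA un-translates and delivers to the real PC
    return fwd, ret, "ASA" in ret
```

Without the hairpin PAT the reply goes PC2 -> Router -> PC and the ASA never sees it, which is exactly the asymmetric flow described above; with it the reply returns via the ASA.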