ERROR: Portmap Translation Creation Failed..

support
Level 1

Hi,

On an ASA 5505 with Sec Plus, I am trying to configure a backup ISP link, using the guide found here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

I have done everything according to the document.

But I receive this error:

Portmap Translation Creation Failed.JPG

Result of the command: "show running-config"

: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name DOMAIN.local

enable password xxxxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxx encrypted

names

name 192.168.0.150 Server1 description SBS 2003 Server

name 84.xxx.xxx.20 IP_outside

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Vlan2

description Direct Connect

backup interface Vlan13

nameif outside

security-level 0

pppoe client vpdn group PPPoE_DirectConnect

ip address IP_outside 255.255.255.255 pppoe

!

interface Vlan3

nameif dmz

security-level 50

ip address 10.0.0.1 255.255.255.0

!

interface Vlan13

description Backupnett ICE

nameif ICE

security-level 0

ip address 192.168.10.10 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 13

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

switchport access vlan 3

!

interface Ethernet0/7

switchport access vlan 3

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name DOMAIN.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_access_in remark For RWW

access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq 4125

access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq pptp

access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq 444

access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq smtp

access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq https

access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq www

access-list outside_access_in extended permit icmp any IP_outside 255.255.255.252 echo-reply

access-list DOMAINVPN_splitTunnelAcl standard permit any

access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.192 255.255.255.192

access-list DOMAIN_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0

access-list ICE_access_in extended permit tcp any 192.168.10.0 255.255.255.0 eq www

access-list ICE_access_in extended permit tcp any 192.168.10.0 255.255.255.0 eq https

access-list ICE_access_in extended permit tcp any 192.168.10.0 255.255.255.0 eq smtp

access-list ICE_access_in extended permit tcp any 192.168.10.0 255.255.255.0 eq 444

access-list ICE_access_in extended permit tcp any 192.168.10.0 255.255.255.0 eq pptp

access-list ICE_access_in extended permit icmp any 192.168.10.0 255.255.255.0 echo-reply

access-list ICE_access_in remark For RWW

access-list ICE_access_in extended permit tcp any 192.168.10.0 255.255.255.0 eq 4125

pager lines 24

logging enable

logging asdm warnings

mtu inside 1500

mtu outside 1500

mtu dmz 1500

mtu ICE 1500

ip local pool VPNPool 192.168.10.210-192.168.10.225 mask 255.255.255.0

no failover

monitor-interface inside

monitor-interface outside

monitor-interface dmz

monitor-interface ICE

icmp unreachable rate-limit 1 burst-size 1

icmp permit 84.xxx.xxx.0 255.255.255.0 outside

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (ICE) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 10.0.0.0 255.255.255.0

static (inside,ICE) tcp interface 4125 Server1 4125 netmask 255.255.255.255

static (inside,outside) tcp interface 4125 Server1 4125 netmask 255.255.255.255

static (inside,ICE) tcp interface 444 Server1 444 netmask 255.255.255.255

static (inside,outside) tcp interface 444 Server1 444 netmask 255.255.255.255

static (inside,ICE) tcp interface pptp Server1 pptp netmask 255.255.255.255

static (inside,outside) tcp interface pptp Server1 pptp netmask 255.255.255.255

static (inside,ICE) tcp interface smtp Server1 smtp netmask 255.255.255.255

static (inside,outside) tcp interface smtp Server1 smtp netmask 255.255.255.255

static (inside,ICE) tcp interface https Server1 https netmask 255.255.255.255

static (inside,outside) tcp interface https Server1 https netmask 255.255.255.255

static (inside,ICE) tcp interface www Server1 www netmask 255.255.255.255

static (inside,outside) tcp interface www Server1 www netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group ICE_access_in in interface ICE

route outside 0.0.0.0 0.0.0.0 84.xxx.xxx.1 1 track 1

route ICE 0.0.0.0 0.0.0.0 192.168.10.1 254

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 123

type echo protocol ipIcmpEcho 84.xxx.xxx.1 interface outside

num-packets 3

frequency 10

sla monitor schedule 123 life forever start-time now

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set pfs group1

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

track 1 rtr 123 reachability

no vpn-addr-assign local

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

vpdn group PPPoE_DirectConnect request dialout pppoe

vpdn group PPPoE_DirectConnect localname DOMAINas

vpdn group PPPoE_DirectConnect ppp authentication pap

vpdn username DOMAINas password *********

dhcpd auto_config outside

!

dhcpd address 10.0.0.10-10.0.0.39 dmz

dhcpd dns 84.xxx.xxx.1 84.xxx.xxx.2 interface dmz

dhcpd lease 6000 interface dmz

dhcpd enable dmz

!

ntp server 64.0.0.2 source outside

group-policy DOMAIN_VPN internal

group-policy DOMAIN_VPN attributes

dns-server value 192.168.0.150

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DOMAIN_VPN_splitTunnelAcl

default-domain value DOMAIN.local

username frank password xxxxxxxxxxxxxxxxx encrypted privilege 0

username frank attributes

vpn-group-policy DOMAIN_VPN

username admin password xxxxxxxxxxxxxxxxx /tk encrypted privilege 15

tunnel-group DOMAIN_VPN type ipsec-ra

tunnel-group DOMAIN_VPN general-attributes

default-group-policy DOMAIN_VPN

dhcp-server Server1

tunnel-group DOMAIN_VPN ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

class-map imblock

match any

class-map P2P

match port tcp eq www

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map type inspect im impolicy

parameters

match protocol msn-im yahoo-im

  drop-connection log

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect pptp

policy-map type inspect http P2P_HTTP

parameters

match request uri regex _default_gator

  drop-connection log

match request uri regex _default_x-kazaa-network

  drop-connection log

match request uri regex _default_msn-messenger

  drop-connection log

match request uri regex _default_gnu-http-tunnel_arg

  drop-connection log

policy-map IM_P2P

class imblock

  inspect im impolicy

class P2P

  inspect http P2P_HTTP

!

service-policy global_policy global

service-policy IM_P2P interface inside

prompt hostname context

Cryptochecksum:56ec19733d9b186e5c3d15a599c857c3

: end

1 Accepted Solution

Nagaraja Thanthry
Cisco Employee

Hello,

Your global configuration is incorrect:

global (ICE) 2 interface

nat (inside) 1 0.0.0.0 0.0.0.0

The global pool for ICE interface is numbered as 2 and your NAT configuration is using pool 1. Please change the global pool number to 1:

global (ICE) 1 interface

Hope this helps.

Regards,

NT
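
The mismatch described in the answer above can be checked mechanically. The following is an added example, not part of the original thread or of any Cisco tool: the function name `audit_nat_ids` and the sample string are hypothetical, it assumes the pre-8.3 `nat`/`global` syntax used in the posted configuration, and it treats every interface with a default route as a possible egress interface.

```python
import re
from collections import defaultdict

# Constructed sample: the NAT-relevant lines from the configuration posted above.
SAMPLE_CONFIG = """\
global (outside) 1 interface
global (ICE) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.0.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 84.xxx.xxx.1 1 track 1
route ICE 0.0.0.0 0.0.0.0 192.168.10.1 254
"""

STMT = re.compile(r"^\s*(nat|global)\s+\((\S+?)\)\s+(\d+)\b")
ROUTE = re.compile(r"^\s*route\s+(\S+)\s+0\.0\.0\.0\s+0\.0\.0\.0\s")

def audit_nat_ids(config: str):
    """Return (missing, orphaned) for pre-8.3 nat/global statements.

    missing:  (nat_id, source_if, egress_if) where the egress interface has a
              default route but no global pool numbered nat_id.
    orphaned: (pool_id, egress_if) global pools no nat statement references.
    """
    nats = defaultdict(set)      # nat id -> source interfaces using it
    globals_ = defaultdict(set)  # egress interface -> global pool ids
    egress = []                  # interfaces that carry a default route
    for line in config.splitlines():
        m = STMT.match(line)
        if m:
            kind, ifname, nat_id = m.group(1), m.group(2), int(m.group(3))
            if kind == "global":
                globals_[ifname].add(nat_id)
            elif nat_id != 0:    # nat 0 is NAT exemption and needs no global
                nats[nat_id].add(ifname)
            continue
        r = ROUTE.match(line)
        if r and r.group(1) not in egress:
            egress.append(r.group(1))
    missing = sorted((n, src, out) for n, srcs in nats.items() for src in srcs
                     for out in egress if out != src and n not in globals_[out])
    orphaned = sorted((g, out) for out, ids in globals_.items()
                      for g in ids if g not in nats)
    return missing, orphaned

if __name__ == "__main__":
    missing, orphaned = audit_nat_ids(SAMPLE_CONFIG)
    for n, src, out in missing:
        print(f"nat ({src}) {n} has no matching 'global ({out}) {n}'")
    for g, out in orphaned:
        print(f"global ({out}) {g} is not referenced by any nat statement")
```

Run against the posted lines, it reports NAT ID 1 from `inside` and `dmz` with no pool on `ICE` and the unused pool 2; after changing the pool to `global (ICE) 1 interface` both lists are empty.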

Hi Nagaraja,

Thanks for your answer. Now everything works just fine.

access-list nonat-acl extended permit ip any any 

nat (inside) 0 access-list nonat-acl