Showing results for 
Search instead for 
Did you mean: 

NAT problem - traffic from internet not reaching internal source.


Hi all,

I have just added a /16 network and I am having trouble figuring our why I cannot get trafiic back to devices on this network.  Traffic to/from our existing networks works fine, but not the 10.8 network.  Ping requests are returned, but not internet traffic.  When I look at traffic I see these errors:  "

3          Jul 31 2013          09:07:59          305006          56070                              portmap translation creation failed for tcp src inside: dst inside:" and


3          Jul 31 2013          09:09:33          305006          56071                              portmap translation creation failed for tcp src inside: dst inside:"

So, it appears that the traffic is returned, hits the inside interface, but is not being sent back to the proper device.  Can anyone see anything in this config that may be causing this?



ASA Version 8.2(2)


hostname ***-ASA5510


name SBS

name inside-nets


interface Ethernet0/0

description Link to ***

nameif outside

security-level 0

ip address ***.***.***.***


interface Ethernet0/1

nameif inside

security-level 100

ip address


interface Ethernet0/2


nameif ***

security-level 0

ip address ***.***.***.***


interface Ethernet0/3

nameif GuestWireless

security-level 0

ip address


interface Management0/0

nameif management

security-level 100

no ip address


banner exec Unauthorized Access is Prohibited.

banner login No Unauthorized Access.  All Access Attempts Will Be Logged.

banner motd  Authorized Access Only.

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_access_in extended deny ip any

access-list outside_access_in remark ICMP type 11 for Windows Traceroute

access-list outside_access_in extended permit icmp any any time-exceeded

access-list outside_access_in remark ICMP type 3 for Cisco and Linux

access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit tcp any host *.*.*.* eq 993

access-list outside_access_in extended permit tcp any host *.*.*.* eq imap4

access-list outside_access_in extended permit tcp any host *.*.*.* eq 4125

access-list outside_access_in extended permit tcp any host *.*.*.* eq https

access-list outside_access_in extended permit tcp any host *.*.*.* eq https

access-list remote-users_splitTunnelAcl standard permit inside-nets 

access-list inside_nat0_outbound extended permit ip inside-nets

pager lines 24

logging enable

logging timestamp

logging list Config_Changes level emergencies

logging list Config_Changes message 113019

logging list Config_Changes message 111007-111009

logging list Config_Changes message 113012

logging list vpn-log level debugging class vpnc

logging trap vpn-log

logging asdm notifications

logging facility 23

logging device-id hostname

logging host inside

logging debug-trace

logging permit-hostdown

mtu outside 1500

mtu inside 1500

mtu ISP2 1500

mtu GuestWireless 1500

mtu management 1500

ip local pool remote-user-pool mask

icmp unreachable rate-limit 10 burst-size 5

asdm location inside-nets inside

no asdm history enable

arp timeout 14400

global (outside) 101 interface

global (ISP2) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101

nat (GuestWireless) 101

static (inside,outside) tcp interface smtp SBS smtp netmask

static (inside,outside) tcp interface 4125 SBS 4125 netmask

static (inside,outside) tcp interface https SBS https netmask

static (inside,outside) tcp interface imap4 SBS imap4 netmask

static (inside,outside) tcp interface 993 SBS 993 netmask

static (inside,outside) tcp interface 6699 Untangle 6699 netmask

static (inside,***) *.*.*.* SBS netmask dns

static (inside,outside) [public IP] netmask

access-group outside_access_in in interface outside


router ospf 1

network area 0

network area 0

network inside-nets area 0


default-information originate always


route outside [Public IP] 1 track 1

route outside *.*.*.* 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server SBS-RADIUS protocol radius

reactivation-mode depletion deadtime 1

max-failed-attempts 2

aaa-server SBS-RADIUS (inside) host SBS

key *

radius-common-pw *

aaa authentication ssh console SBS-RADIUS LOCAL

aaa authentication enable console SBS-RADIUS LOCAL

aaa authentication http console SBS-RADIUS LOCAL

aaa authorization exec authentication-server

http server enable

http inside-nets inside

snmp-server host inside community * version 2c

no snmp-server location

no snmp-server contact

snmp-server community *

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 123

type echo protocol ipIcmpEcho *.*.*.* interface outside

num-packets 3

frequency 10

sla monitor schedule 123 life forever start-time now

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-


crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal


track 1 rtr 123 reachability

telnet timeout 5

ssh inside-nets inside

ssh timeout 60

ssh version 2

console timeout 0

management-access inside

dhcpd address GuestWireless

dhcpd dns *.*.*.* *.*.*.* interface GuestWireless

dhcpd option 3 ip interface GuestWireless

dhcpd enable GuestWireless


threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server SBS


group-policy remote-users internal

group-policy remote-users attributes

dns-server value

vpn-idle-timeout none

vpn-session-timeout none

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value remote-users_splitTunnelAcl

default-domain value ***.local

tunnel-group remote-users type remote-access

tunnel-group remote-users general-attributes

address-pool remote-user-pool

authentication-server-group SBS-RADIUS

default-group-policy remote-users

tunnel-group remote-users ipsec-attributes

pre-shared-key ***


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

  inspect snmp

class class-default

  set connection decrement-ttl


service-policy global_policy global

prompt hostname context


profile CiscoTAC-1

  no active

  destination address http

  destination address email

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily