portmap translation creation failed for tcp src inside:192.168.91.35/32483 dst dmz4:10.10.7.21/443

Hello all.

I am having an issue where clients at remote sites cannot access a website in our DMZ. Any thoughts?

Thanks.

12 Replies

Jon Marshall
Hall of Fame

Matthew

Which interface do the clients use to get to the DMZ (looks like the inside interface from your post?)

Do the clients use VPN or is it just normal traffic?

Do you have a NAT statement set up for the client traffic to the DMZ?

Jon

Inside

Normal traffic.

nat (dmz4) 101 0.0.0.0 0.0.0.0

Please share the output of "sh run nat" and "sh run global".

-KS

sh run nat

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

nat (dmz4) 101 0.0.0.0 0.0.0.0

nat (dmz3) 101 0.0.0.0 0.0.0.0

sh run global

global (outside) 101 207.40.1.252 netmask 255.255.255.255

You might need to add this:

global (dmz4) 101 interface

There is no translation for the inside hosts when they go to the dmz4 interface.

Hope that helps,

Varun

Thanks,
Varun Rao

Anyone? 

fitzerpn1
Level 1

I was having the same problem after changing dynamic nat pools around and found the below tip here (at the bottom under troubleshooting). I ran clear xlate and my problem was solved immediately.

Translation Creation Failed

If a connection cannot be created between the client and the WWW server, it might be due to a NAT misconfiguration. Check the security appliance logs for messages which indicate that a protocol failed to create a translation through the security appliance. If such messages appear, verify that NAT has been configured for the desired traffic and that no addresses are incorrect.

%ASA-3-305006: portmap translation creation failed for tcp src inside:192.168.100.2/11000 dst inside:192.168.100.10/80

Clear the xlate entries, and then remove and reapply the NAT statements in order to resolve this error.

Hello Patrick,

As Varun said you will need to add the following:

global (dmz4) 101 interface

You can do a packet-tracer too, to see if we are now hitting the correct NAT statement when the packet goes from the DMZ to the inside (SYN-ACK).

packet-tracer input inside tcp 192.168.100.2 1025 10.10.7.21 443

You can do a clear local-host 10.10.7.21 and clear xlate local 10.10.7.21

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Today I was having the same issue.

When doing hairpinning NAT on a TCP port, to and from the same interface, why is it that you need global (dmz4) 101 interface?

Thanks

Hello John,

Here is a document that will help you with the U-turn understanding:

https://supportforums.cisco.com/docs/DOC-34107

Let me know if you understand the reason afterwards.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

smayfield
Level 1

You need to add a NO NAT from your inside interface to your DMZ to get this to work.

So, for example, you have this:

192.168.1.0/24 Inside (FW) or (RA VPN) ---------VPN------------ (FW) 10.1.1.0/24 Inside ------ 192.168.10.0/24 DMZ

access-list INSIDE_NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (inside) 0 access-list INSIDE_NO_NAT
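As an added illustration (not code from the thread or from Cisco), the following Python model mimics the pre-8.3 ASA NAT lookup for the three configurations discussed in this thread: the nat/global lines from the original "sh run" output, the `global (dmz4) 101 interface` fix, and the NAT-exemption approach in this post. The exemption ACL's subnets (192.168.91.0/24 and 10.10.7.0/24) are an assumption constructed from the hosts in the original log message.

```python
import re
from ipaddress import ip_address, ip_network

# nat/global lines from the thread's output; the unposted inside_nat0_outbound ACL is omitted.
BROKEN = """
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz4) 101 0.0.0.0 0.0.0.0
global (outside) 101 207.40.1.252 netmask 255.255.255.255
"""
# Fix 1: a global pool on dmz4 for NAT id 101, as suggested in the thread.
FIXED = BROKEN + "global (dmz4) 101 interface\n"
# Fix 2: NAT exemption for inside -> DMZ; subnets are assumed from the log message's hosts.
EXEMPT = BROKEN + """
access-list INSIDE_NO_NAT extended permit ip 192.168.91.0 255.255.255.0 10.10.7.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NO_NAT
"""

def parse(config):
    """Return nat rules, the set of (egress iface, nat id) global pools, and ACL entries by name."""
    nats, pools, acls = [], set(), {}
    for line in config.splitlines():
        if m := re.match(r"nat \((\S+)\) (\d+) (?:access-list (\S+)|(\S+) (\S+))$", line):
            nats.append(m.groups())          # (iface, id, acl, net, mask)
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            pools.add((m[1], m[2]))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append(m.groups()[1:])
    return nats, pools, acls

def in_net(addr, net, mask):
    return ip_address(addr) in ip_network(f"{net}/{mask}", strict=False)

def translate(config, src_if, src, dst_if, dst):
    """Model the pre-8.3 lookup: nat 0 exemptions win, then a nat id needs a global on the egress interface."""
    nats, pools, acls = parse(config)
    # nat 0 access-list (exemption) is evaluated before dynamic NAT regardless of config order.
    for iface, nat_id, acl, net, mask in sorted(nats, key=lambda r: r[1] != "0"):
        if iface != src_if:
            continue
        if nat_id == "0" and acl:
            if any(in_net(src, s, sm) and in_net(dst, d, dm) for s, sm, d, dm in acls.get(acl, [])):
                return "exempt"
        elif nat_id != "0" and in_net(src, net, mask):
            if (dst_if, nat_id) in pools:
                return f"translated via global ({dst_if}) {nat_id}"
            # This is the condition behind the %ASA-3-305006 message in the original post.
            return f"translation creation failed: no global ({dst_if}) {nat_id}"
    return "no nat rule matched"
```

Running `translate(BROKEN, "inside", "192.168.91.35", "dmz4", "10.10.7.21")` reproduces the failure while the same host towards "outside" translates fine, which is why only the DMZ-bound traffic broke.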
