
ASA 5510 configuration issue

Status
Not open for further replies.

Lirria

Technical User
Apr 15, 2009
9
US
Hey all -

I'm hoping somebody out there has a solution for this, we have an ASA 5510 with the gig port expansion. We have the following interfaces:

E0/0 - outside 38.97.xxx.xxx security level 0
e0/1 - devint 38.109.xxx.xx security level 0 which then connects to a linux FW (in our datacenter)
g0/0 - inside - 10.0.0.1 security level 100


We want to be able to go from the inside to the e0/1 interface and the outside but I seem to be getting the following error: portmap translation creation failed for tcp src inside:

So I figure it's a matter of getting either the correct nat rule in place or to get the correct ACL (more likely) but I can't seem to find the correct one to include

here are the current acls:
access-list Outside-in extended permit tcp any any
access-list inbound-traffic-on-outside extended permit gre any host COVPN-external
access-list inbound-traffic-on-outside extended permit tcp any host COVPN-external eq pptp
access-list inbound-traffic-on-outside extended permit tcp any host COVPNny-external eq pptp
access-list inbound-traffic-on-outside extended permit gre any host COVPNny-external
access-list inbound-traffic-on-outside extended permit tcp any host Wiki-external eq https
access-list inbound-traffic-on-outside extended permit object-group TCPUDP any host VC01-external object-group video-conf-services
access-list inbound-traffic-on-outside extended permit icmp any any echo-reply
access-list inbound-traffic-on-outside extended permit icmp any any echo
access-list inbound-traffic-on-outside extended permit icmp any any unreachable
access-list inbound-traffic-on-outside extended permit icmp any any source-quench
access-list inbound-traffic-on-outside extended permit icmp any any time-exceeded
access-list inbound-traffic-on-outside extended permit object-group TCPUDP any any eq
access-list inbound-traffic-on-outside extended permit ip any 38.97.xxx.xxx 255.255.255.248
access-list inbound-traffic-on-outside extended permit icmp any 38.97.xxx.xxx 255.255.255.248
access-list inbound-traffic-on-outside extended permit icmp any 38.109.xxx.xxx 255.255.255.128
access-list inbound-traffic-on-outside extended permit ip any 38.109.xxx.xxx 255.255.255.128
access-list inbound-traffic-on-outside remark To allow https access to the Exchange client access server
access-list inbound-traffic-on-outside extended permit tcp any host COExCA-external eq https
access-list video-conf extended permit object-group TCPUDP host VC01 host VC01-external object-group video-conf-services
access-list DevInt_access_in extended permit ip CoLan 255.255.0.0 38.97.xxx.xxx 255.255.255.248
access-list DevInt_access_in extended permit icmp CoLan 255.255.0.0 38.97.xxx.xxx4 255.255.255.248

global (Outside) 1 38.109.xxx.xxx-38.109.xxx.xxx
global (Outside) 1 38.109.xxx.xxx netmask 255.255.255.192
global (Outside) 101 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) tcp COExCA-external https COExCA https netmask 255.255.255.255
static (inside,Outside) tcp COExCA-external 255.255.255.255
static (inside,Outside) COVPNny-external COVPNny netmask 255.255.255.255
static (inside,Outside) COVPN-external CoVPN netmask 255.255.255.255
static (inside,Outside) VC01-external VC01 netmask 255.255.255.255
static (inside,Outside) Wiki-external Wiki netmask 255.255.255.255
access-group inbound-traffic-on-outside in interface Outside

And I do have the same-security-traffic permit inter-interface

So does anybody have any ideas just what I am missing - I have been working on this for a week now and am no better off.

Any suggestions are welcome.

Lirria
 
What is your default gateway? You should have a route like
route devint 38.109.xxx.xx 255.255.0.0 38.97.xxx.xxx

Something like that; it doesn't look like an access list but rather a route.
 
Thanks for the reply!

The route statement I have is:
route DevInt 38.109.xxx.xxx 255.255.255.128 38.97.xxx.xxx 1

Reading over my post, I did forget something that might help (I blame no coffee :D) - I receive the following error when I try to access that network:


portmap translation creation failed for tcp src inside:10.0.xxx.xxx/62434 dst DevInt:38.109.xxx.xxx/22

Thanks
 
you need more cowbell, er, nat:
Code:
global (devint) 2 interface
nat (inside) 2 0 0 0 0

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Ok - that makes some sense - I added the global without a problem, but the nat rule came back and said Duplicate nat entry.
I have one that is as follows:
nat (inside) 1 0.0.0.0 0.0.0.0


Lirria
 
oops, remove the global (devint) 2 interface and instead put in global (devint) 1 interface.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
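The fix above works because a dynamic `nat (ifc) id` rule only translates toward interfaces that carry a `global` with the same id; traffic toward an interface with no matching pool fails with "portmap translation creation failed". The following checker is an added example, not from the thread or Cisco: it parses ASA 8.2-style `nat`/`global` lines and reports each (source interface, nat id, egress interface) combination that has no pool. It assumes that syntax, that interface names compare case-insensitively (the thread mixes devint/DevInt), and that nat id 0 (identity/exempt NAT) needs no global.

```python
import re

# Assumed ASA 8.2-style syntax: "nat (ifc) id real_ip mask ..." and
# "global (ifc) id pool|interface ...".
NAT_RE = re.compile(r"^nat\s+\(([\w-]+)\)\s+(\d+)\b")
GLOBAL_RE = re.compile(r"^global\s+\(([\w-]+)\)\s+(\d+)\s+(.+)$")


def parse_nat_globals(config_text):
    """Return ([(src_ifc, nat_id)], {(dst_ifc, nat_id): pool_spec})."""
    nats, pools = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nats.append((m.group(1).lower(), int(m.group(2))))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            pools.setdefault((m.group(1).lower(), int(m.group(2))), m.group(3))
    return nats, pools


def missing_globals(config_text, egress_ifcs):
    """List (src_ifc, nat_id, egress_ifc) where a dynamic NAT rule has no
    global pool on that egress interface. nat id 0 is identity/exempt NAT
    and never needs a global, so it is skipped. Interface names are compared
    case-insensitively (assumption; the thread mixes devint/DevInt)."""
    nats, pools = parse_nat_globals(config_text)
    missing = []
    for src_ifc, nat_id in nats:
        if nat_id == 0:
            continue
        for egress in egress_ifcs:
            if egress.lower() == src_ifc:
                continue  # no translation back out the ingress interface
            if (egress.lower(), nat_id) not in pools:
                missing.append((src_ifc, nat_id, egress))
    return missing


# Constructed sample mirroring the thread: nat id 1 has a pool on Outside only.
BEFORE = """\
global (Outside) 1 38.109.xxx.xxx netmask 255.255.255.192
global (Outside) 101 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat
"""
AFTER = BEFORE + "global (DevInt) 1 interface\n"  # the fix from the thread
INTERFACES = ["Outside", "DevInt", "inside"]

if __name__ == "__main__":
    print(missing_globals(BEFORE, INTERFACES))  # [('inside', 1, 'DevInt')]
    print(missing_globals(AFTER, INTERFACES))   # []
```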
 
Wow - you rock - I need to have a developer test full connectivity - but I can now ping the devices over there - thank you so much!

Lirria
 
glad to help

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Just as a final follow-up - yes, that did fix the problem and they are very happy - thank you so much for the help!

have an awesome day!

Lirria
 