Portmap Translation Creation Failed

[GreatApe]

Hi guys, Im a little confused about my config for an ASA I have here, I was hoping someone could point me in the right direction.


Its a fairly standard setup:

Internal dmz and outside interfaces.

interface Ethernet0/0
speed 10
duplex full
nameif outside
security-level 0
ip address 116.X.X.41 255.255.255.252

interface Ethernet0/1
nameif inside
security-level 100
ip address 192.X.X.20 255.255.255.0

interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.X.X.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list Inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 172.X.X.0 255.255.255.0
nat (management) 0 access-list Inside_nat0_outbound
nat (management) 1 192.10.201.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 116.X.X.42 1 (Next Hop BGP Router)



I can provide other parts of config if needed

The problem seems to be that when I route traffic to the inside interface of the ASA, unless i specify a route for its destination it attempts to translate from the inside interface back to the inside interface..

For example we have some phone software that requires to get to 210.50.23.6
We dont have a default route out to the internet, but I distributed a static route at our core to pass this traffic to the ASA. From my syslog I could see the following:

portmap translation creation failed for tcp src inside:192.X.X.214/1537 dst inside:210.50.23.6/2208

I could see from this message it was trying to translate to the same interface... So I added a specific route for 210.50.23.6

route outside 210.50.23.6 255.255.255.255 116.X.X.42 1

And it started working:
Built outbound TCP connection 1091413 for outside:210.50.23.6/2208 (210.50.23.6/2208) to inside:192.X.X.214/1546 (116.X.X.41/40740)

So my question is why doesnt the global rule combined with the default route (route outside 0.0.0.0 0.0.0.0 116.X.X.42 1) handle this?

Im guessing that my lazy internal nat rule (nat (inside) 1 0.0.0.0 0.0.0.0) is causing problems?

Any help with this would be much appreciated! Thanks!

 

[unclerico]

please post full scrubbed config. based on what i see, your default route should be all that is needed.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[GreatApe]

Hi there, thanks for the reply. Here are the relevant parts of the config: Do you need access lists and the like?

ASA Version 8.2(1)
!
hostname ABN-FW3-CISCO-ASA5510
domain-name default.domain.invalid
enable password O71opceA52lS9bNr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
speed 10
duplex full
nameif outside
security-level 0
ip address 116.X.X.74 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.X.X.20 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.X.X.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.X.X.20 255.255.255.0
management-only

global (outside) 1 interface
nat (inside) 1 192.X.X.0 255.255.255.0
nat (dmz) 1 172.X.X.0 255.255.255.0
static (inside,dmz) 192.X.X.0 192.X.X.0 netmask 255.255.0.0
static (dmz,outside) 116.X.X.137 172.X.X.3 netmask 255.255.255.255
static (dmz,outside) 116.X.X.138 172.X.X.6 netmask 255.255.255.255
access-group OUT in interface outside
access-group DMZ in interface dmz

router eigrp 1
no auto-summary
network 172.X.X.0 255.255.255.0
network 192.X.X.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 116.X.X.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

If I do a show route

ABN-FW3-CISCO-ASA5510# show route | include 0.0.0.0
Gateway of last resort is 116.212.205.42 to network 0.0.0.0
D 10.X.X.0 255.255.255.0 [90/30976] via 192.X.X.253, 313:02:25, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 116.X.X.42, outside

still not sure what might be causing the ASA to send out the internal interface unless there is a specific route... Probably a stupid error by me!

 

[sp33domcgee]

My favorite command to see what is going on in the firewall and how it will handle traffic is packet-tracer.

First, with only the default route applied perform this from CLI

packet-tracer input OUTSIDE tcp 210.50.23.6 80(YOUR INSIDE IP ADD) 80

Then add the more specific route and do it again. Lastly do that in the other direction as well.

packet-tracer input INSIDE tcp (YOUR INSIDE IP ADD) 80 210.50.23.6 80.

Post all results here.