
cisco asa packet dropped cisco asa 5540


vietcgi

MIS
Aug 21, 2008
2
US
3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.134/59008 dst OUTSIDE:64.241.243.11/80
3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.56/36069 dst OUTSIDE:216.38.193.10/80
3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.134/46121 dst OUTSIDE:198.87.233.14/80
3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.105/51684 dst OUTSIDE:217.154.245.10/80
3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.111/45204 dst OUTSIDE:70.42.254.201/80
3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.50/35945 dst OUTSIDE:64.241.243.11/80
3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.69/55010 dst OUTSIDE:70.42.254.201/80
3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.50/35944 dst OUTSIDE:64.241.243.11/80
3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.50/58455 dst OUTSIDE:63.241.59.55/80


We are getting lots of these errors. Wonder if any experts know what is going on.

Thanks,
 
here is our current config.

interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address xx.xx.xxx.2 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif INSIDE
security-level 100
ip address 192.168.30.1 255.255.255.0
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_access_in extended permit icmp any any
access-list INSIDE_access_in extended permit tcp any any
access-list INSIDE extended permit icmp any any
access-list INSIDE extended permit ip 192.168.30.0 255.255.255.0 host xx.xx.xxx.2
access-list INSIDE_in extended permit ip any any

access-list OUTSIDE_access_in extended permit tcp any host xx.xx.xx.204 eq www

pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
monitor-interface OUTSIDE
monitor-interface INSIDE
icmp permit any OUTSIDE
icmp permit any INSIDE
asdm image disk0:/asdm502.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) xx.xx.xx.204 192.168.30.204 netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 xx.xx.xx.254 1
timeout xlate 0:06:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Remote internal
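A triage script for log lines like the ones quoted above, added here as an example and not code from the thread: it parses the 305006 messages into fields and counts them per inside host, per destination and per second, so "lots of these errors" becomes a number that can be watched over time and correlated with a change such as a clear xlate. The regex and field names are my own assumptions about the quoted format; the sample input is the post's nine messages (with the wrapped halves joined back onto single lines) plus one constructed non-305006 line to show that unrelated messages are skipped rather than miscounted.

```python
"""Triage Cisco ASA 305006 ("portmap translation creation failed") log lines.

Added example (not code from the Tek-Tips thread). LINE_RE is an assumption
about the quoted layout "<sev>|<timestamp>|<msgid>: <message text>".
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# severity | timestamp | message id, then src/dst written as <interface>:<ip>/<port>
LINE_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\|"
    r"(?P<msgid>\d{6}): portmap translation creation failed for "
    r"(?P<proto>\w+) src (?P<sifc>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<difc>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)$"
)

# The nine lines quoted in the post, wrapped halves joined, plus one constructed
# 302013 line at the end to show that other message types are skipped.
SAMPLE_LINES = [
    "3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.134/59008 dst OUTSIDE:64.241.243.11/80",
    "3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.56/36069 dst OUTSIDE:216.38.193.10/80",
    "3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.134/46121 dst OUTSIDE:198.87.233.14/80",
    "3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.105/51684 dst OUTSIDE:217.154.245.10/80",
    "3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.111/45204 dst OUTSIDE:70.42.254.201/80",
    "3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.50/35945 dst OUTSIDE:64.241.243.11/80",
    "3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.69/55010 dst OUTSIDE:70.42.254.201/80",
    "3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.50/35944 dst OUTSIDE:64.241.243.11/80",
    "3|Apr 04 2003 16:47:11|305006: portmap translation creation failed for tcp src INSIDE:192.168.30.50/58455 dst OUTSIDE:63.241.59.55/80",
    # constructed, not from the post:
    "6|Apr 04 2003 16:47:12|302013: Built outbound TCP connection 4711 for OUTSIDE:64.241.243.11/80 (64.241.243.11/80) to INSIDE:192.168.30.50/35946 (192.0.2.2/1024)",
]


def parse_line(line):
    """Return a dict of fields for a 305006 line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sev"] = int(ev["sev"])
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def summarise(lines, inside_net="192.168.30.0/24"):
    """Count PAT failures per inside host, per destination and per second.

    inside_net defaults to the INSIDE subnet from the posted config; a source
    address outside it showing up on INSIDE is reported separately as something
    to look at (misrouted or unexpected traffic), not silently counted.
    """
    net = ipaddress.ip_network(inside_net)
    events, unmatched = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unmatched += 1
        else:
            events.append(ev)
    per_second = Counter(ev["ts"] for ev in events)
    return {
        "total": len(events),
        "unmatched": unmatched,
        "by_src": Counter(ev["sip"] for ev in events),
        "by_dst": Counter(f"{ev['dip']}/{ev['dport']}" for ev in events),
        "peak_per_second": max(per_second.values(), default=0),
        "unexpected_src": sorted(
            {ev["sip"] for ev in events if ipaddress.ip_address(ev["sip"]) not in net}
        ),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_LINES)
    print(f"{s['total']} PAT failures, peak {s['peak_per_second']}/s, {s['unmatched']} other lines")
    for ip, n in s["by_src"].most_common():
        print(f"  src {ip}: {n}")
    for dst, n in s["by_dst"].most_common():
        print(f"  dst {dst}: {n}")
    if s["unexpected_src"]:
        print("  sources outside INSIDE subnet:", ", ".join(s["unexpected_src"]))
```

Feed it the raw syslog export instead of SAMPLE_LINES to get the same counts for a real capture; the per-second peak is the figure to compare against the PAT pool's capacity (one outside interface address here, per the global (OUTSIDE) 1 interface line), and the per-source counts show whether a handful of hosts or the whole subnet is affected.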
 
Your posted ACL does not include your nat 0 ACL (INSIDE_nat0_outbound). Unless there is something flaky in that ACL, I believe you might just need to do a clear xlate. I have had that happen twice and a clear xlate fixed the issue.
