Cisco VPN :: ASA 5505 / Regular Translation Creation Failed For Icmp
Mar 15, 2011
I have site-to-site VPN and IPsec VPN installed on ASA 5505. VPNs work OK except few stranges:I can't ping 192.168.17.104 from remote ip 192.168.17.138 - 305006 192.168.17.138 regular translation creation failed for icmp src OLD-Private:192.168.17.104 dst OLD-Private:192.168.17.138 (type 0, code 0) in the same time I able to ping 192.168.17.104 from my network 192.168.10.0 and can ping from ASA No firewall at 192.168.17.104?How to fix it?
There is my config:
ASA Version 8.2(2)
!hostname ASA5505domain-name domainenable password password encryptedpasswd password encryptednames!interface Vlan1 description INTERNET mac-address 0000.0000.0001 nameif WAN security-level 0 ip address a.a.a.a 255.255.255.248 standby a1.a1.a1.a1 ospf cost 10!interface Vlan2 description OLD-PRIVATE mac-address 0000.0000.0102 nameif OLD-Private security-level 100 ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3 ospf cost 10!interface Vlan6 description MANAGEMENT mac-address 0000.0000.0106 nameif Management security-level 100 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3 ospf cost 10!interface Vlan100 description LAN Failover Interface!interface Ethernet0/0!interface Ethernet0/1 shutdown!interface Ethernet0/2 shutdown!interface Ethernet0/3 shutdown!interface Ethernet0/4 shutdown!interface
[code]....
View 10 Replies
ADVERTISEMENT
Apr 23, 2012
I'm connected to my remote access vpn and am getting the below error, wierd thing i only get this error for ICMP, i can browse data on our network retrieve files etc, but pings fail for some reason
NAT-T is enabled
NAT rules are in place
ICMP is not blocked as can ping elsewhere
Where to being looking as to why only ICMP fails?
View 2 Replies
View Related
Oct 10, 2011
We have a PIX with 3 interfaces. Inside, Outside,DMZ.
On my DMZ we have some clients that come in and remotely connect back to there office via MSPPTP. I setup the ASA with this to get rid of the error message: regular translation creation failed for protocol 47 src
policy-map global-policy
inspection_default
inspect pptp
Now when the dmz client tries to connect back to there PPTP server I get the following error.
172.31.10.204 0 24.172.85.162 37624 Teardown dynamic GRE translation from dmz:172.31.10.204/0 to outside:24.172.85.162/37624 duration 0:01:30
172.31.10.204 1069 173.188.74.155 1723 Deny TCP (no connection) from 172.31.10.204/1069 to 173.188.74.155/1723 flags PSH ACK on interface dmz
172.31.10.204 173.188.74.155 63767 Teardown GRE connection 8393958 from dmz:172.31.10.204 to outside:173.188.74.155/63767 duration 0:01:08 bytes [ code]...
View 7 Replies
View Related
Dec 4, 2012
I am having an issue with a specific server that is not reachable from other sub nets. Every other device on the same sub net as the server is reachable via the other sub nets. This server is special because it's NAT'd to an external IP address and has several site-to-site VPN's set up. The firewall is a Cisco ASA 5510.
This is the error I see on the ASA syslog when I try to ping the server from another sub net: 3 Dec 05 2012 10:58:49 10.0.15.101 regular translation creation failed for icmp src inside:10.0.20.8 dst inside:10.0.15.101 (type 0, code 0)
The problem server is on sub net 10.0.20.0/24 and the server IP address is 10.0.20.8. Every device on the 10.0.20.0/24 sub net can hit the server, but devices on other sub nets cannot. For instance, a device on 10.0.15.0/24 cannot reach 10.0.20.8, but can reach other devices on 10.0.20.0/24.
View 1 Replies
View Related
Jan 27, 2013
After adding a NAT rule on Friday morning, I'm now getting a bunch of "portmap translation creation failed" messages from my ASA5520. (It's currently running 8.4(3).) The failure errors appear to have nothing to do with the change that was made. [code] I have very similar rules in place for other vendors to access other machines. The only difference between this new one and those old ones is the use of the objects in the rule instead of the direct IP addresses. This is also the first one that invovles a range instead of a specific address or network. [code]
View 4 Replies
View Related
Aug 1, 2012
Two Vlans (ID1 and 100)are on a Cat 4500, which connects to an ASA, interface DMZ. On 4500, there is default route point to the ASA DMZ interface Issue, server on vlan 100 cannot ping a server on Vlan 1, vice verse. When I enable the realtime log, it gives me a “Translation creation failed” message, please see the attached files.
View 1 Replies
View Related
May 22, 2012
See the error below on my ASA5510.
305006 200.200.0.34 53 portmap translation creation failed for udp src inside:192.168.1.4/1047 dst outside:200.200.0.34/53
The first two computers work normally( IP 2 and 3) , but the third computer gets ip does not work on the Internet.
View 2 Replies
View Related
Mar 24, 2013
We have an ASA 5540 with 8.2(5)
Last three days in early afternoon we start getting these errors in the log and webpages either won't load or pages only half load.
3|Mar 22 2013|13:22:24|305006|184.73.105.115|443|||portmap translation creation failed for tcp src inside:10.10.176.114/58217 dst outside:184.73.105.115/443
3|Mar 22 2013|13:22:24|305006|54.243.129.71|80|||portmap translation creation failed for tcp src inside:10.35.54.37/1517 dst outside:54.243.129.71/80
[Code].....
View 6 Replies
View Related
Dec 27, 2011
We have an ASA 5505 and I want to block www.facebook.com for all users on the inside network. I followed the instructions laid out in Cisco support document ID 100513 using regular expressions with MPF but am running into some problems.
[URL]
Once the configuration has been changed based on these instruction www.facebook.com is blocked. However I can't access any other websites except my Google News home page comes up just fine for some reason.
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 4nJloDG8uYd8w4D3 encrypted
names
!
interface Vlan1
[code]....
View 18 Replies
View Related
Apr 26, 2012
I'm having a problem with the language translation for anyconnect.here's my setup:
-asa 5505
-asa version: 8.4(3)
-asdm version 6.4(7)
-anyconnect essentials
-anyconnect webdeploy: anyconnect-win-3.0.5080-k9.pkg
The anyconnect client is deployed by the asa using the webdeploy.my client machine is a windows 7 with regionnal settings set to french (canada).I added the language localization transform files for web deploy (the mst for french) to my asa using the asdm:remote access VPN -> network (client) Access -> anyconnect customization/localization -> Localized Installer Transforms -> add the french mst.
View 1 Replies
View Related
Feb 26, 2012
I setup and SSL anyconnect VPN on my Cisco ASA 5505. It works well and connects with out a problem. However, I can't ping any internal clients, but I can RDP to them. Most of the time people end up posting their config so I will as well.
MafSecASA# show run
: Saved
:
ASA Version 8.2(1)
[Code].....
View 3 Replies
View Related
Sep 11, 2012
I was logged into our ASA 5505 via ASDM-IDM Launcher (everything was working) and when I tried to update a change later on today it was unable to send the request. I tried to ping the device and the request timed out. The internet is still working, the VPN connections are still up. But I cannot connect into it anymore.
View 4 Replies
View Related
Aug 31, 2012
[code]....
Red error what is the reason? Only appears in the window 2003 server.
View 5 Replies
View Related
Apr 4, 2013
I have many VPN sites using ASA5505 with broadband connection and terminating on a single ASA5550.I have a problem with one site. they are having poor performance. One of the issues I can see is an error on the remote ASA 5505.ive tried the reccomended fix using this command: crypto ipsec security-association replay window-size 1024.
View 1 Replies
View Related
Jul 2, 2012
We need to connect from an external computer connected by cisco-vpn-client to one internal server that is behind an ASA 5505 config with Easy VPN. The VPN connection with the client to our 5520 firewall is fine, but when I try to connect to the server on the LAN, FW log says:
Routing failed to locate next hop for TCP from Internet:172.17.1.215/1108 to Lan_Interna:172.33.0.50/3389
Attached image.
View 22 Replies
View Related
Nov 28, 2011
There is ASA 5505:
- 8.4(2) IOS
- FLASH: 128 Mb
- DRAM: 256 Mb
Requirements for 8.4(2) are acomplished: For the ASA 5505, only the Unlimited Hosts license and the Security Plus license with failover enabled require 512 MB; other licenses can use 256 MB.Are installed latest AnyConnect packeges for linux, some smatphones (each 4-5 MB). But for Windoes it's 21 MB and we got error "Failed to unzip the Anyconenct Package". In prior IOS version there was command cache-fs limit, by default it was 20 Mb. As i understand ASA now dinamically determines amount of cache memory and it's not enough. Because of the increased size of the AnyConnect package from 4MB in AnyConnect 2.5 to 21 MB in AnyConnect 3.0, you may need to upgrade the ASA flash and memory card first.If your ASA has only the default internal flash memory size or the default DRAM size (for cache memory) you could have problems storing and loading multiple AnyConnect client packages on the ASA. Even if you have enough space on the flash to hold the package files, the ASA could run out of cache memory when it unzips and loads the client images.So there is a question, after DRAM upgrade to 512 MB will be there enough cache memory for Anyconnect packeges with total size 35-40 Mb?
View 3 Replies
View Related
Apr 9, 2013
I have ASA 5505, in routed mode, basic license.I run a web server in DMZ. I can reach Internet from DMZ. Also, the trafic from outside can reach the web server. However, if the web site is requested from within the DMZ, the request will fail, and the firewall log contains the following message:
Failed to locate egress interface for TCP from DMZ50: 30.30.30.10/49213 to 170.70.30.114/80
I don't have DNS, so the request must go to Internet, even the web site is hosted on the server in DMZ.
Here is sample of my config file:
interface Vlan1
nameif inside
security-level 100
ip address 162.160.1.3 255.255.255.0
!
interface Vlan2
[code]....
What can be the reason for requests, originated in DMZ, to fail, and how could it be fixed?
View 1 Replies
View Related
Nov 16, 2012
[OK] webvpn
webvpn
[ERROR] anyconnect image disk0:/anyconnect-win-3.0.08057-k9.pkg 2
copying 'disk0:/anyconnect-win-3.0.08057-k9.pkg' to a temporary ramfs file failed
Trying to add the windows anyconnect to the list of usable software for clients and that error happened. What is going wrong? I assume I dont have enough RAM...
View 1 Replies
View Related
Feb 8, 2011
i have a query regarding the no. of isakmp policy priority creating..when i create a new policy in ASA 5500 firewall, i get the below error...i assume it will support only 20 nos, where as we can use between 1-65535.. can anyone from cisco confirm it...running version is 8.x & VPN Plus license.Policy limit reached. No more than 20 isakmp policies can be configured.”
View 2 Replies
View Related
Nov 13, 2011
I need to implement a DMZ in my office. Before talking about the configuration , i would like to know best practises of implementing DMZ.My questions are,is traffic from inside to DMZ is permit by default?,What about DMZ to Inside traffic ?,Is it necessary to do a NAT from inside to DMZ with the same IP as of inside,What is the use of " static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 ? is it a no nat statement?,Is it necessary to permit traffic from DMZ to inside?,Suppose i have a web server in DMZ, for inside host whether it will take path through ASA or path through internet?
View 17 Replies
View Related
Oct 11, 2011
How do you create a vlan? In enable mode, there is no "vlan" command.
View 4 Replies
View Related
Jan 19, 2012
I am having Cisco 3845 series router with c3900-universalk9-mz.SPA.151-4.M2.bin IOS . I want to install new Licence on it for DATA. When i am trying to install licence on it i am facing the error "% Error: License installation failed with error: XML parsing failed".
View 4 Replies
View Related
Jul 26, 2011
I need to create a DMZ zone in my network. One server need to be put in DMZ. I have a PIX 515E 6.3.3. It has free port to create DMZ.
1) Put a new switch for DMZ zone
2) Connect it to the DMZ port
3) Create a NAT for inside to DMZ with same IP as inside
4) Create ACL for permiting traffic to DMZ and apply it to outside interface
5) Create ACl for permitting traffic from DMZ to inside
6) Routing for DMZ in PIX
View 3 Replies
View Related
Feb 7, 2011
I have cisco switch model WS-C3750G-12S-D. It is in transparent mode. I am getting below error message when tried to create new vlan.
Proposed configuration exceeds the limit of 1005 VLANs that can be supported on this platform. Reduce the number of VLANs proposed to be within this limit.
After deleting few unnecessary vlans, it allowed me to create.
3750#sh vtp statusVTP Version : running VTP1 (VTP2 capable)Configuration Revision : 0Maximum VLANs supported locally : 1005Number of existing VLANs : 959VTP Operating Mode : TransparentVTP Domain Name : VTP Pruning Mode : DisabledVTP V2 Mode : DisabledVTP Traps Generation : DisabledMD5 digest : 0xBC 0xA7 0xEC 0xDE 0x36 0x6C 0x61 0xB4 Configuration last modified by 97.193.17.172 at 0-0-00 00:00:00
I confused with terms 'maximum supported vlans' and 'maximum locally supported vlans'. If switch is supporting vlans 1-4094 means it should also allow to create locally. Otherwise how they will pass through the switch trunks without local creation.
View 1 Replies
View Related
Jul 30, 2012
On the ASA running the 8.4.4.1 code in transparent mode. Can I create sub interfaces in different vlans and attach them to different BVI groups?
switch---trunk---ASA---Trunk---switch
Gig0/1.1 vlan 100 bridge-gr1 Gig0/2.1 vlan 101 bridge-gr1
Gig0/1.2 vlan 200 bridge-gr2 Gig0/2.2 vlan 201 bridge-gr2
View 6 Replies
View Related
Apr 11, 2012
I could not find any report in ACS 5.3 which gives details on user creation and deletion in ACS. This feature was there in ACS 4.x but it seems not provided in 5.3 version.
View 3 Replies
View Related
Sep 11, 2011
My backup userid, password, privi 15 on all our company routers Say around 300 routers, it is difficult to log in each router and create a backup account, i heard from one of my friend that i can create a backup account and can upload thru the kiwicat tool and it will automatically creates my backup account on all the routers. Procedure to create this.
View 6 Replies
View Related
May 28, 2012
i have acs 5.2 i need to create a network admin policy to our nx-os devices such as nexus switches, how this will be done on acs 5.2?
View 0 Replies
View Related
Apr 22, 2013
I have a query regarding the deletion and creation of one of my SVI interface on 6513 ,The reason behind it as follows.My traffic get to Internet in this manner
proxy(external int.)[IP:192.168.1.30] --> Gi0/9[6513 in VLAN 170] --> SVI VLAN 170[IP:192.168.1.10] --> Gi0/10[In VLAN 170] -->ASR[IP:192.168.1.20],I need to assign this VLAN ie 170 to my inside interface of firewall but it was mentioned in books like this "Assign the VLAN for the FWSM before it is applied to the MultilayerSwitch Feature Card (MSFC)." so I am thinking the following steps to assign VLAN 170 to firewall group first before creating SVI Interface for it
1.Remove all currently assign ie Gi 0/9 & Gi0/10 interfaces from this VLAN and then delete this VLAN.
2.Create the same SVI ie VLAN 170[IP:192.168.1.10] by this way the issue can be resolved.
As in part of my configuration PBR is define like this .
interface Vlan170
description "PUBLIC IP VLAN"
ip address 192.168.1.20. 255.255.255.0
ip policy route-map NAT
route-map NAT permit 10
match ip address 101
set ip next-hop 192.168.1.10
I need to clearify what impact it may have on PBR part if I delete and create the VLAN 170.Will the traffic move to the inside interface of FWSM.
View 0 Replies
View Related
Sep 9, 2011
What is the difference between DWDM/CWDM and "regular" SFP's? By "regular" I mean Rx and Tx are fixed to specific wavelength. As I have understood, at least Rx of WDM SFP's accepts a range of wavelengths
View 2 Replies
View Related
Feb 19, 2012
have 2 inside networks:
object network INSIDE_10.6
subnet 10.6.0.0 255.255.0.0
object network INSIDE_192.168
subnet 192.168.0.0 255.255.255.0
I grouped these 2 into 1 object-group:
object-group network INSIDE
network-object object INSIDE_10.6
network-object object INSIDE_192.168
Public IP address used for PAT:
object network PAT
host 152.x.x.x
I used the following statement to create Dynamic PAT to public IP address:
object network INSIDE_10.6
nat (any,any) dynamic PAT
object network INSIDE_192.168
nat (any,any) dynamic PAT
Is that correct? Also I'm using one public address to PAT both inside networks. Is there any dvantage of using 2 different ones, so each inside network would be PAT to its own address?
View 1 Replies
View Related
Aug 29, 2011
We have a customer in a country where the local telecom hands out the data E1 link in a G703 interface with two coaxial cables (Tx & Rx) out of a Watson/Schmidt Telecom SHDSL modem.
We need a way to convert the G703 cables and signaling to a regular RJ45 so that we can connect it to the customer firewall which has regular gigabit Ethernet connections. Some have suggested a 1941 with a serial and gigabit cards. We just need a affordable solution for this and the configuration.
View 3 Replies
View Related
May 22, 2012
we managed to integrate our newly setup ACS 5.2 to our regional domain. now im creating a Device Admin access Policy for Regional Network Admin group and Regional Network Operators group. each having full and read access respectively.
i already have the default identity policy and authorization policy with with command sets fullaccess and showonly for each group, now i dont know how can i match the AD group regionaladm and regionalops so that each user falls under one of these groups will have a correct read/write access.
View 4 Replies
View Related