«

Hi all,

I have strange situation with ASA
When I have connected 5 workstations everything work fine.
LAN 192.168.0.0/24 have WWW, my DNS, my pop3/smtp.
Part of my config

object-group service strony tcp
port-object eq www
port-object eq https
object-group service poczta tcp
port-object eq smtp
port-object eq pop3
port-object eq 995

access-list inside_access_in extended permit udp 192.168.0.0
255.255.255.0 host my_DNS eq domain
access-list inside_access_in extended permit tcp 192.168.0.0
255.255.255.0 host my_mail_server object-group poczta
access-list inside_access_in extended permit tcp 192.168.0.0
255.255.255.0 any object-group strony

nat-control
global (outside) 100 213.xxx.xxx.86-213.xxx.xxx.88

Servers in DMZ works fine.

But when I connect to ASA whole network (~150 workstations)
I have a lots of this records in log:
3|Jun 08 2006 11:03:17|305006: portmap translation creation failed for
udp src inside:192.168.0.31/2609 dst outside:my_DNS_SERVER/53

Whats can be wrong? Where can I looking for solution?

With regards
Arek

--
Arek Czereszewski
"UNIX is like a wigwam:
no windows, no gates, apache inside."

Arek Czereszewski skrev:

> global (outside) 100 213.xxx.xxx.86-213.xxx.xxx.88

If I'm not missing something here you are only NATing and not PATing
anything
that would mean that only three workstations can have access to
external network at one time one for each of the x.x.x.86, x.x.x.87,
x.x.x.88 any further will not be able to NAT

However you could do this:

global (outside) 100 213.x.x.86-213.x.x.87
global (outside) 100 213.x.x.88
nat (inside) 100 0.0.0.0 0.0.0.0 0 0

This would NAT the first two hosts to 86,87 then PAT all the others to
88

Hope this was helpful

-SAto

SAto napisał(a):
> Arek Czereszewski skrev:
>
>> global (outside) 100 213.xxx.xxx.86-213.xxx.xxx.88
>
> If I'm not missing something here you are only NATing and not PATing
> anything
> that would mean that only three workstations can have access to
> external network at one time one for each of the x.x.x.86, x.x.x.87,
> x.x.x.88 any further will not be able to NAT
>
> However you could do this:
>
> global (outside) 100 213.x.x.86-213.x.x.87
> global (outside) 100 213.x.x.88
> nat (inside) 100 0.0.0.0 0.0.0.0 0 0
>
> This would NAT the first two hosts to 86,87 then PAT all the others to
> 88
>
> Hope this was helpful

Yes it's work now
Thank you very much.

Firewalling on pf in *BSD it's still easier for me.

Now I must fwd connections from 192.168.0.0/24 to ports 80,443 to squid.

Regards
Arek

--
Arek Czereszewski
arek (at) wup-katowice (dot) pl | gg: 1349941
"UNIX is like a wigwam:
no windows, no gates, apache inside."

Arek Czereszewski skrev:
> Now I must fwd connections from 192.168.0.0/24 to ports 80,443 to squid.

To the best of my knowledge the pix does not support this.
It only supports url lookups with websense to filter urls not cache
content.

You could put the squid in bridge mode and put it between your LAN and
the PIX but I would personally not recomend such a setup.

It is much better to configure clients to use the cache in the browser
settings or run WCCP or route map redirection on a router.

-SAto

Hi,

ASA 7.2 now supports WCCP as well! Have a look at asa manual at
http://www.cisco.com/application/pdf...0080641f89.pdf

Erik


"SAto" <> wrote in message
news: oups.com...
>
> Arek Czereszewski skrev:
>> Now I must fwd connections from 192.168.0.0/24 to ports 80,443 to squid.
>
> To the best of my knowledge the pix does not support this.
> It only supports url lookups with websense to filter urls not cache
> content.
>
> You could put the squid in bridge mode and put it between your LAN and
> the PIX but I would personally not recomend such a setup.
>
> It is much better to configure clients to use the cache in the browser
> settings or run WCCP or route map redirection on a router.
>
> -SAto
>

Erik Tamminga skrev:

> ASA 7.2 now supports WCCP as well! Have a look at asa manual at
> http://www.cisco.com/application/pdf...0080641f89.pdf

Nice, that would be the best solution in this case.

-SAto