ASA 5510 config issue

Discussion in 'Cisco' started by Lirria, Apr 14, 2009.

    Hey all -

    I'm hoping somebody out there has a solution for this. We have an ASA 5510 with the gig port expansion. We have the following interfaces:

    E0/0 - outside 38.97.xxx.xxx security level 0
    e0/1 - devint 38.109.xxx.xx security level 0 which then connects to a linux FW (in our datacenter)
    g0/0 - inside - 10.0.0.1 security level 100


    We want to be able to go from the inside to the e0/1 interface and the outside but I seem to be getting the following error: portmap translation creation failed for tcp src inside:

    So I figure it's a matter of getting either the correct NAT rule in place or the correct ACL (more likely), but I can't seem to find the correct one to include.

    Here are the current ACLs:
    access-list Outside-in extended permit tcp any any
    access-list inbound-traffic-on-outside extended permit gre any host COVPN-external
    access-list inbound-traffic-on-outside extended permit tcp any host COVPN-external eq pptp
    access-list inbound-traffic-on-outside extended permit tcp any host COVPNny-external eq pptp
    access-list inbound-traffic-on-outside extended permit gre any host COVPNny-external
    access-list inbound-traffic-on-outside extended permit tcp any host Wiki-external eq https
    access-list inbound-traffic-on-outside extended permit object-group TCPUDP any host VC01-external object-group video-conf-services
    access-list inbound-traffic-on-outside extended permit icmp any any echo-reply
    access-list inbound-traffic-on-outside extended permit icmp any any echo
    access-list inbound-traffic-on-outside extended permit icmp any any unreachable
    access-list inbound-traffic-on-outside extended permit icmp any any source-quench
    access-list inbound-traffic-on-outside extended permit icmp any any time-exceeded
    access-list inbound-traffic-on-outside extended permit object-group TCPUDP any any eq www inactive
    access-list inbound-traffic-on-outside extended permit ip any 38.97.xxx.xxx 255.255.255.248
    access-list inbound-traffic-on-outside extended permit icmp any 38.97.xxx.xxx 255.255.255.248
    access-list inbound-traffic-on-outside extended permit icmp any 38.109.xxx.xxx 255.255.255.128
    access-list inbound-traffic-on-outside extended permit ip any 38.109.xxx.xxx 255.255.255.128
    access-list inbound-traffic-on-outside remark To allow https access to the Exchange client access server
    access-list inbound-traffic-on-outside extended permit tcp any host COExCA-external eq https
    access-list video-conf extended permit object-group TCPUDP host VC01 host VC01-external object-group video-conf-services
    access-list DevInt_access_in extended permit ip CoLan 255.255.0.0 38.97.xxx.xxx 255.255.255.248
    access-list DevInt_access_in extended permit icmp CoLan 255.255.0.0 38.97.xxx.xxx4 255.255.255.248

    global (Outside) 1 38.109.xxx.xxx-38.109.xxx.xxx
    global (Outside) 1 38.109.xxx.xxx netmask 255.255.255.192
    global (Outside) 101 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,Outside) tcp COExCA-external https COExCA https netmask 255.255.255.255
    static (inside,Outside) tcp COExCA-external www COExCA www netmask 255.255.255.255
    static (inside,Outside) COVPNny-external COVPNny netmask 255.255.255.255
    static (inside,Outside) COVPN-external CoVPN netmask 255.255.255.255
    static (inside,Outside) VC01-external VC01 netmask 255.255.255.255
    static (inside,Outside) Wiki-external Wiki netmask 255.255.255.255
    access-group inbound-traffic-on-outside in interface Outside

    And I do have the same-security-traffic permit inter-interface.

    So does anybody have any ideas just what I am missing - I have been working on this for a week now and am no better off.

    Any suggestions are welcome.

    Lirria