ASA 5510

Hi all,

I have a strange situation with the ASA. When I have 5 workstations connected, everything works fine. LAN 192.168.0.0/24 has WWW, my DNS, my POP3/SMTP. Part of my config:

object-group service strony tcp
 port-object eq www
 port-object eq https
object-group service poczta tcp
 port-object eq smtp
 port-object eq pop3
 port-object eq 995

access-list inside_access_in extended permit udp 192.168.0.0 255.255.255.0 host my_DNS eq domain
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host my_mail_server object-group poczta
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any object-group strony

nat-control
global (outside) 100 213.xxx.xxx.86-213.xxx.xxx.88

Servers in DMZ works fine.

But when I connect the whole network (~150 workstations) to the ASA, I get a lot of these records in the log:

3|Jun 08 2006 11:03:17|305006: portmap translation creation failed for udp src inside:192.168.0.31/2609 dst outside:my_DNS_SERVER/53

What can be wrong? Where can I look for a solution?

With regards, Arek

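The log line above is the symptom to work from, so here is an added example (not from the thread) that parses ASA syslog for 305006 "portmap translation creation failed" messages and aggregates them by inside host and destination port. A 305006 means the packet was already permitted by the ACL (an ACL drop would log 106023 instead) but no translation slot was available, so many distinct inside hosts failing toward permitted ports points at the global pool rather than the access-list. The log lines and addresses are constructed placeholders (203.0.113.0/24), the regex is my own.

```python
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the 305006 message quoted in
# the post. Outside addresses are placeholders from 203.0.113.0/24.
SAMPLE_LOG = """\
3|Jun 08 2006 11:03:17|305006: portmap translation creation failed for udp src inside:192.168.0.31/2609 dst outside:203.0.113.10/53
3|Jun 08 2006 11:03:17|305006: portmap translation creation failed for udp src inside:192.168.0.44/1025 dst outside:203.0.113.10/53
3|Jun 08 2006 11:03:18|305006: portmap translation creation failed for tcp src inside:192.168.0.31/3200 dst outside:203.0.113.20/80
6|Jun 08 2006 11:03:18|302013: Built outbound TCP connection 4711 for outside:203.0.113.20/80 (203.0.113.20/80) to inside:192.168.0.5/3201 (203.0.113.86/3201)
3|Jun 08 2006 11:03:19|305006: portmap translation creation failed for udp src inside:192.168.0.77/2000 dst outside:203.0.113.10/53
"""

# Fields of a 305006 line: protocol, then source and destination as
# interface:ip/port. Other message IDs simply do not match.
XLATE_FAIL_RE = re.compile(
    r"\|305006: portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_xlate_failures(log_text):
    """Return one dict per 305006 line; lines with other message IDs are skipped."""
    events = []
    for line in log_text.splitlines():
        m = XLATE_FAIL_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Aggregate the failures so the pattern behind them becomes visible."""
    return {
        "failures": len(events),
        "sources": Counter(e["src_ip"] for e in events),
        "dst_ports": Counter(int(e["dst_port"]) for e in events),
        "protos": Counter(e["proto"] for e in events),
    }


def report(log_text):
    """Human-readable summary: how many inside hosts hit the wall and where."""
    s = summarize(parse_xlate_failures(log_text))
    hosts = len(s["sources"])
    lines = [f"{s['failures']} translation failures from {hosts} inside host(s)"]
    for port, n in s["dst_ports"].most_common():
        lines.append(f"  dst port {port}: {n}")
    if hosts > 1:
        lines.append("  several permitted hosts failing -> check global pool size / PAT")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feeding the real `show logging` output to `report()` tells you at a glance whether the failures come from a handful of hosts (a per-host problem) or from most of the LAN (the pool is simply too small).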

Arek Czereszewski wrote:

If I'm not missing something here, you are only NATing and not PATing anything. That would mean that only three workstations can have access to the external network at one time, one for each of x.x.x.86, x.x.x.87, x.x.x.88; any further will not be able to NAT.

However you could do this:

global (outside) 100 213.x.x.86-213.x.x.87
global (outside) 100 213.x.x.88
nat (inside) 100 0.0.0.0 0.0.0.0 0 0

This would NAT the first two hosts to .86 and .87, then PAT all the others to .88.

Hope this was helpful.

-SAto

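To make the allocation behaviour behind this answer concrete, here is an added simulation (my own code, not anything from the thread or from Cisco) of how one nat-id hands out addresses: each dynamic NAT address is held by a single inside host for the life of its xlate, and a single-address global statement on the same nat-id is used for PAT only after the NAT addresses are taken. With the original three-address NAT pool, only three hosts translate at once and every further host gets the 305006 failure; with the NAT-plus-PAT layout from the reply, all 150 translate. Outside addresses are placeholders from 203.0.113.0/24 standing in for the 213.x.x.x block.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class GlobalPool:
    """One 'global (outside) <nat-id> <first>[-<last>]' statement.
    A range is dynamic NAT (one inside host per address while its xlate
    lives); a single address is used for PAT."""
    first: str
    last: str

    @property
    def addresses(self):
        lo, hi = int(ip_address(self.first)), int(ip_address(self.last))
        return [str(ip_address(n)) for n in range(lo, hi + 1)]

    @property
    def is_pat(self):
        return self.first == self.last


@dataclass
class XlateTable:
    pools: list                                  # all global statements for one nat-id
    xlates: dict = field(default_factory=dict)   # inside ip -> mapped outside ip

    def translate(self, inside_ip):
        """Return the mapped address for inside_ip, or None when the ASA
        would log 305006 'portmap translation creation failed'."""
        if inside_ip in self.xlates:
            return self.xlates[inside_ip]
        in_use = set(self.xlates.values())
        # Dynamic NAT addresses are handed out first ...
        for pool in (p for p in self.pools if not p.is_pat):
            for addr in pool.addresses:
                if addr not in in_use:
                    self.xlates[inside_ip] = addr
                    return addr
        # ... and only once they are all taken does the PAT address take over.
        for pool in (p for p in self.pools if p.is_pat):
            self.xlates[inside_ip] = pool.first  # shared; source ports disambiguate
            return pool.first
        return None


def simulate(pools, n_hosts):
    """Bring up n_hosts inside hosts 192.168.0.1.. simultaneously and return
    the resulting table plus the number of hosts that got no translation."""
    table = XlateTable(pools)
    failed = 0
    for n in range(1, n_hosts + 1):
        if table.translate(f"192.168.0.{n}") is None:
            failed += 1
    return table, failed


# Placeholder outside addresses (constructed) for the two configurations.
ORIGINAL_POOLS = [GlobalPool("203.0.113.86", "203.0.113.88")]   # one 3-address NAT pool, no PAT
FIXED_POOLS = [GlobalPool("203.0.113.86", "203.0.113.87"),      # NAT .86-.87
               GlobalPool("203.0.113.88", "203.0.113.88")]      # PAT on .88

if __name__ == "__main__":
    for label, pools in (("original", ORIGINAL_POOLS), ("fixed", FIXED_POOLS)):
        table, failed = simulate(pools, 150)
        print(f"{label}: {150 - failed} translated, {failed} failed (305006)")
```

The model ignores xlate timeouts, which is why the poster's five workstations "worked": they were rarely all active within one xlate lifetime, so the three addresses were recycled between them.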

SAto wrote:

Yes, it works now :) Thank you very much.

Firewalling on pf in *BSD is still easier for me.

Now I must forward connections from 192.168.0.0/24 to ports 80, 443 to squid.

Regards, Arek


Arek Czereszewski wrote:

To the best of my knowledge the PIX does not support this. It only supports URL lookups with Websense to filter URLs, not cache content.

You could put the squid in bridge mode and put it between your LAN and the PIX, but I would personally not recommend such a setup.

It is much better to configure clients to use the cache in the browser settings or run WCCP or route map redirection on a router.

-SAto


Hi,

ASA 7.2 now supports WCCP as well! Have a look at the ASA manual at [link]
Erik


Erik Tamminga wrote:

Nice, that would be the best solution in this case.

-SAto

