Cisco ASA log error "regular translation creation failed for icmp ..."

Posted by Martijn Heemels on Server Fault See other posts from Server Fault or by Martijn Heemels
Published on 2010-03-25T16:49:43Z Indexed on 2010/03/26 11:23 UTC
Read the original article Hit count: 3373

Filed under:

asa

|

cisco

|

log

|

firewall

Every few seconds our new Cisco ASA 5505 firewall is logging errors that I can't figure out with my limited Cisco experience.

Severity Date        Time        Syslog ID Source IP  Destination IP  Description
3       Mar 25 2010 17:21:14    305006    8.8.8.8                    regular translation creation failed for icmp src inside:10.10.0.200 dst outside:8.8.8.8 (type 3, code 3)
3       Mar 25 2010 17:18:37    305006    8.8.4.4                    regular translation creation failed for icmp src inside:10.10.0.200 dst outside:8.8.4.4 (type 3, code 3)

The logged inside IP is our internal DNS resolver, and the outside IP's are Google's public DNS servers. ICMP Type 3 Code 3 means "Port Unreachable"

Our "outside" interface has a fixed IP and our "inside" interface is in the 10.10.0.0/16 subnet.

The 'Inspect DNS' Service Policy is enabled, with the preset DNS inspection map. Furthermore there's an ACL that allows all inbound ICMP on the "outside" interface.

I've spent hours trying to figure this one out, so any and all advice is welcome!

© Server Fault or respective owner

Related posts about asa

Cisco ASA bonding/teaming/port-channel capabilities

as seen on Server Fault - Search for 'Server Fault'
Hello, This seemed to me like a really simple question that I would be able to answer by myself but I have not been able to find any info on this subject. I have a Cisco ASA 5510 which has 4 FastEthernet interfaces. I was wondering if it would be possible to use 2 or 3 of these interfaces as a port-channel… >>> More
QoS basics on a Cisco ASA

as seen on Server Fault - Search for 'Server Fault'
Could someone briefly explain how to use QoS on Cisco ASA 5505? I have the basics of policing down, but what about shaping and priorities? Basically what I'm trying to do is carve out some bandwidth for my VPN subnets (in an object-group called priority-traffic). I've seen this Cisco QoS document… >>> More
Cisco ASA: Routing packets based on where the connections started from

as seen on Server Fault - Search for 'Server Fault'
We have a Cisco ASA 5505 (version 8.2(2)) with three interfaces: outside: IP address 11.11.11.11, this is the default route inside: IP address 10.1.1.1, this is the local subnet newlink: 22.22.22.22, this is a new internet connection. We need to move VPN users from the 11.11.11.11 address to the… >>> More
Why do I start at privilege level 1 when logging into a Cisco ASA 5510?

as seen on Server Fault - Search for 'Server Fault'
I have created a test user that is set to privilege 15 in the config: username test password **************** encrypted privilege 15 When I log in to the ASA 5510 I am in privilege 1 according to sh curpriv: login as: test [email protected]'s password: Type help or '?' for a list of available… >>> More
Cisco ASA intermittently fails to see traffic

as seen on Server Fault - Search for 'Server Fault'
users | Mikrotik -- Internet | ASA | ServerA and ServerB I'm trying to troubleshoot a problem with a new Cisco ASA 5505. The network design is as above - the Microtik is the existing router, ServerA and ServerB used to plug directly into it. ServerA has IP 10.30.1.10, ServerB has IP 10.30… >>> More

Related posts about cisco

Cisco Unifed Communication integration for Microsoft Lync crashes on Remote Desktop services 2008 R2!

as seen on Server Fault - Search for 'Server Fault'
Hi everybody i have deployed office communication server 2007 R2 and communicator 2007 R2 and i made integration with Cisco Unified Communication Manager 7.1 in my network, i also uses Remote Desktop Servers 2008 R2 for Thin Client Computers, now that i installed Cisco UC integration client for communicator… >>> More
Cisco Unified Communication integration for Microsoft Lync crashes on Remote Desktop services 2008 R2!

as seen on Server Fault - Search for 'Server Fault'
Hi everybody i have deployed office communication server 2007 R2 and communicator 2007 R2 and i made integration with Cisco Unified Communication Manager 7.1 in my network, i also use Remote Desktop Servers 2008 R2 for Thin Client Computers, now that i installed Cisco UC integration client for communicator… >>> More
Cisco Prime NCS not starting

as seen on Server Fault - Search for 'Server Fault'
I have received the Cisco Prime OVA file and which we placed onto an Oracle virtual environment. We turn the VM on and the CLI boots, When we try to start the NCS service we get errors. HOSTNAME/USER# ncs start Starting Network Control System... Exception in thread "main" java.lang.NullPointerException … >>> More
how to set port forwarding on a cisco 881 router (with cisco configuration professional)

as seen on Super User - Search for 'Super User'
I recently got a cisco 881 router for work and I have everything working except port forwarding I want to forward all incoming port 80 requests to 10.10.10.60 and all incoming port 53322 requests to 10.10.10.40 im using cisco configuration professional and im not sure where to find this option thanks… >>> More
Cisco: Site-to-site VPN with cisco 878 and ASA weirdness

as seen on Server Fault - Search for 'Server Fault'
I currently have 2 sites, both connected to each other through 2 firewalls / routers in a site-to-site VPN. Pinging from server to server (Using 2mb/2mb SDSL) through that VPN obviously works, however, at one site, we have another internet connection (7m/400k ADSL), and only the link between the two… >>> More