Cisco ASA logs "regular translation creation failed for icmp ..." for DNS traffic, yet it works

Solution 1:

This looks like a mismatch in the firewall's NAT state-table timeouts and the DNS server's own timeouts.

ICMP Port Unreachable is being returned by your DNS server, probably in response to a late-received packet. BIND picks a random(ish) port for each outbound query, and it's possible for a long-delayed response to arrive long after BIND stopped listening for the response on that port.

That does beg the question of why the firewall happily allows the (late) returned packet in, without subsequently letting the ICMP error back out.

Solution 2:

You could try the following, from most likely to least likely:

  • You may need to enable "Inspect ICMP" in order to make ICMP replies work correctly - this is the case with the newer ASA software (as of 8.2, I believe)
  • Check that you have the appropriate NAT statement(s) on the inside interface and GLOBAL statement on the outside interface
  • Check that your access-list on the inside interface allows outbound ICMP that matches this traffic

If none of these things fix the issue, try setting up captures as follows:

asa(config)# access-list test permit icmp host 10.10.0.200 8.8.0.0 255.255.0.0
asa(config)# access-list test permit icmp host <outside interface IP> 8.8.0.0 255.255.0.0
asa(config)# access-list test permit icmp 8.8.0.0 255.255.0.0 host 10.10.0.200
asa(config)# access-list test permit icmp 8.8.0.0 255.255.0.0 host <outside interface IP>
asa# capture test1 access-list test interface outside trace
asa# capture test2 access-list test interface inside trace

Then, after a couple of these errors are logged (if I recall correctly, this is the syntax):

asa# show capture test1 trace
asa# show capture test2 trace
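As an added example (not part of either answer above), this is what enabling ICMP inspection in the ASA's default global service policy typically looks like. It assumes the default policy-map and class-map names `global_policy` and `inspection_default`; check `show running-config policy-map` for the names actually in use on the box. `inspect icmp` makes the ASA track ICMP as a session so that replies and errors are matched to the flow that triggered them, and `inspect icmp error` additionally builds translations for ICMP error messages sent by intermediate hops (the traceroute case), so the embedded IP header is rewritten to match the NAT configuration.

```cisco
! Added example, not from the original answers. Assumes the default
! policy-map / class-map names (global_policy, inspection_default).
asa(config)# policy-map global_policy
asa(config-pmap)# class inspection_default
asa(config-pmap-c)# inspect icmp
asa(config-pmap-c)# inspect icmp error
asa(config-pmap-c)# exit
asa(config-pmap)# exit
! The default policy is already applied globally; re-applying is harmless
! and guarantees the class above is actually in effect.
asa(config)# service-policy global_policy global
asa(config)# exit
! Verify the inspection is active and watch the packet counters climb
! while the DNS server is busy.
asa# show service-policy inspect icmp
```

After this is in place, repeat the capture steps from the answer: if the ICMP Port Unreachable packets now show up on the inside capture with a matching translation in `show xlate`, the inspection was the missing piece; if the translation failure is still logged, move on to checking the NAT/global statements and the inside access-list as the answer suggests.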