PIX-3-305006: portmap translation creation failed for protocol 50 src insid


Hello All,

I have a PIX 501 that is connected to a Westell 2200 DSL router (Verizon).

I am using the SafeNet v10 SoftRemote VPN client to connect to a D-Link 808HV VPN endpoint. When I connect my VPN client through the PIX I get a connection to my endpoint, but I can't map a drive, or use Remote Desktop on the remote network, etc.

If I disconnect the PIX from the network, connect the DSL router to my switch, connect to the internet, and connect my VPN client to my endpoint, all works fine. I do have IPsec, PPTP, and L2TP passthrough enabled on the PIX.

I noticed this message in my syslog when I had the PIX connected to the network and connected to my D-Link endpoint with my SafeNet client.

192.168.20.200 Jan 29 2007 13:30:59: %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.20.35 dst outside:151.196.159.42

Can anyone tell me what this msg means, and how I can get around it?

Thanks for any ideas.

Fernando_Meza Mon, 02/05/2007 - 16:13

Hi .. it sounds to me like you are having a NAT-Traversal issue. The error message means that IPsec (protocol 50) was unable to be translated on its way out. Now I suggest investigating with your vendor whether the VPN client supports NAT-Traversal, and if it does then you will need to open that traffic on the PIX.

Note: Be aware that IPsec and PAT conflict, meaning that you will have problems trying to establish a VPN tunnel through a PIX which is doing PAT (port address translation). NAT transparency overcomes this issue.

Confused ..? Please have a look at the link below for more details !!!

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455c72.html#wp1039027

I hope it helps .. please rate if it does !!!
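As an added illustration (not part of this thread, and not Cisco's or SafeNet's code), the Python script below parses the 305006 line quoted in the question and models the IPsec/PAT conflict described in the reply: a PAT device builds its translation entry around an L4 port, and ESP (protocol 50) and AH (protocol 51) carry none, which is exactly the condition the message reports. The sample log line is constructed from the one in the question; the protocol-number table and the NAT-T UDP port 4500 (RFC 3948 UDP encapsulation) are general facts; the `pat_translate` helper is a toy model of a port-overloading translator, not the PIX's own xlate logic.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample, modelled on the syslog line quoted in the question.
SAMPLE_LOG = (
    "192.168.20.200 Jan 29 2007 13:30:59: %PIX-3-305006: portmap translation "
    "creation failed for protocol 50 src inside:192.168.20.35 dst outside:151.196.159.42"
)

# Pattern for the 305006 message body; interface names and addresses are captured separately.
PIX_305006 = re.compile(
    r"%PIX-(?P<sev>\d)-305006: portmap translation creation failed for protocol "
    r"(?P<proto>\d+) src (?P<src_if>\w+):(?P<src_ip>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)"
)

# IANA IP protocol numbers. Only TCP and UDP carry the L4 port that PAT overloads.
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
PORT_CARRYING = {6, 17}
NAT_T_UDP_PORT = 4500  # RFC 3948: ESP encapsulated in UDP so a PAT device can translate it


@dataclass(frozen=True)
class PortmapFailure:
    severity: int
    proto: int
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str

    @property
    def proto_name(self) -> str:
        return IP_PROTO_NAMES.get(self.proto, f"ip-proto-{self.proto}")

    @property
    def has_ports(self) -> bool:
        return self.proto in PORT_CARRYING


def parse_305006(line: str) -> Optional[PortmapFailure]:
    """Return the parsed failure, or None if the line is not a 305006 message."""
    m = PIX_305006.search(line)
    if m is None:
        return None
    return PortmapFailure(int(m["sev"]), int(m["proto"]), m["src_if"],
                          m["src_ip"], m["dst_if"], m["dst_ip"])


def diagnose(line: str) -> Optional[str]:
    """One-line operator explanation of a 305006 event."""
    f = parse_305006(line)
    if f is None:
        return None
    flow = f"{f.src_if}:{f.src_ip}->{f.dst_if}:{f.dst_ip}"
    if f.has_ports:
        return f"{f.proto_name} {flow}: PAT failed for a port-carrying protocol; inspect the xlate table"
    return (f"{f.proto_name} (protocol {f.proto}) {flow} has no L4 port, so PAT cannot build "
            f"a portmap entry; use NAT-T (ESP in UDP/{NAT_T_UDP_PORT}) or a one-to-one translation")


def pat_translate(proto: int, src_port: Optional[int], public_ip: str,
                  next_free_port: int) -> Optional[Tuple[int, str, int]]:
    """Toy PAT allocator (assumption, not PIX code): a public (proto, ip, port)
    tuple for a new flow, or None when there is no port to overload."""
    if proto not in PORT_CARRYING or src_port is None:
        return None  # raw ESP/AH/GRE: nothing to rewrite, the 305006 condition
    return (proto, public_ip, next_free_port)


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    print(pat_translate(50, None, "203.0.113.10", 1024))            # None: raw ESP
    print(pat_translate(17, NAT_T_UDP_PORT, "203.0.113.10", 1024))  # NAT-T flow translates
```

Run against the question's line, `diagnose` names the protocol as ESP and points at NAT-T; the two `pat_translate` calls show the same flow failing as raw ESP and succeeding once it is carried inside UDP, which is what the NAT-T drafts the SafeNet FAQ cites achieve.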

Thank you for your explanation, I will rate this.

The SafeNet SoftRemote client v10 does support NAT-T. This is from their site:

FAQ

Description:

Ports that need to be open

Question:

What ports need to be opened on my firewall to allow IPSec traffic through it?

Answer:

Open UDP port 500, ESP protocol 50 and AH protocol 51, if needed.

How do I open those ports on the PIX?

FAQ

Description:

Will SoftRemote work with NAT?

Question:

My home gateway is assigning private IP addresses to my home network and translating them to a public IP address to route across the Internet (using NAT). Will this work with VPN?

Answer:

Network Address Translation (NAT) is common for the remote user who encounters NAT devices in home networks, broadband modems, and hotels. Although an IPSec VPN connection can co-exist with NAT devices, there are some scenarios in which IPSec - NAT incompatibilities arise. To overcome these incompatibilities, SoftRemote has implemented the latest emerging standards for NAT-Traversal (NAT-T: draft-ietf-ipsec-nat-t-ike-01 and draft-ietf-ipsec-udp-encaps-01.txt and draft-02). When connecting with a peer device that has implemented the same NAT-T emerging standards, SoftRemote will automatically detect the presence of the NAT device. When a NAT device is detected, SoftRemote and the peer device will encapsulate the IPSec packets inside UDP packets. This allows the VPN connection to traverse the NAT device without any changes in the NAT device itself.

Support for the NAT-T Internet Drafts requires a similarly compliant VPN tunnel endpoint for this feature to be utilized. SafeNet has successfully tested against the Netscreen NS100 gateway and continues to test other NAT-T Gateways as they come available. Please contact the vendor of your VPN endpoint product to determine whether it supports NAT-T. If not, you will need to make arrangements with your ISP to obtain a public IP address for the machine running the SoftRemote VPN client.

And the D-Link 808HV supports NAT-T as well.
