asa5505 regular translation creation failed for protocol 50 src inside

May 7th, 2007

I have a 5505 that won't pass IPsec traffic from a software client. This is the error that I get from the logs:

regular translation creation failed for protocol 50 src inside:192.168.1.151 dst outside:xxx.xxx.xxx.xxx

A search of the Cisco site turned up this: http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K85809210

But I still have the issue after following those instructions.

Software version is 7.2.

JORGE RODRIGUEZ Mon, 05/07/2007 - 16:35

This sounds like you need to enable PPTP for app inspection on the firewall if you are initiating outbound VPN connections:

If the VPN outbound connection is going through regular one-to-one NAT on the ASA, issue the following:

fixup protocol pptp 1723

If the VPN outbound connection is going through regular PAT, you need to create an ACL to open up UDP on the inside source towards the outside, in addition to the previous statement.

Here are some links that may help, and may apply to the ASA platform. I experienced this issue with a PIX515e version 6.3, but have also read it applies to version 7.x.

PPTP Background theory:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

What ports to open to accommodate PPTP tunnels in PAT and NAT scenarios:

http://www.cisco.com/en/US/partner/tech/tk827/tk369/technologies_q_and_a_item09186a00800946ef.shtml

PPTP frequently asked questions:

http://www.cisco.com/en/US/partner/tech/tk827/tk369/tk529/tsd_technology_support_sub-protocol_home.html

Jorge

sos Mon, 05/07/2007 - 17:04

No joy on that; the software client is the Cisco VPN client, which would make this an IPsec connection. Thanks for the try though.
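An added example, not part of any post in this thread: a small log triage script that reads "regular translation creation failed" lines like the one quoted in the question and names the IP protocol involved, which separates an IPsec client (protocol 50, ESP) from a PPTP client (protocol 47, GRE). The function name `triage` and all sample lines except the first are constructed for illustration.

```python
import re
from collections import Counter

# IANA IP protocol numbers that carry no TCP/UDP ports, so a port-based
# translation (PAT) has no port field to rewrite for them.
PORTLESS = {
    47: ("GRE", "PPTP data channel"),
    50: ("ESP", "IPsec without UDP encapsulation"),
    51: ("AH", "IPsec authentication header"),
}

# Matches the message text quoted in the question (any syslog prefix is ignored).
LINE_RE = re.compile(
    r"regular translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\S+?):(?P<src>\S+) dst (?P<dst_if>\S+?):(?P<dst>\S+)"
)

def triage(lines):
    """Count failed translations per (source host, protocol) and name the protocol."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[(m["src"], int(m["proto"]))] += 1
    report = []
    for (src, proto), n in sorted(counts.items()):
        name, hint = PORTLESS.get(proto, ("unknown", "not a known port-less VPN protocol"))
        report.append({"src": src, "proto": proto, "name": name, "hint": hint, "count": n})
    return report

# Constructed sample input; destination addresses are from documentation ranges.
SAMPLE = [
    "regular translation creation failed for protocol 50 src inside:192.168.1.151 dst outside:203.0.113.10",
    "regular translation creation failed for protocol 50 src inside:192.168.1.151 dst outside:203.0.113.10",
    "regular translation creation failed for protocol 47 src inside:192.168.1.20 dst outside:203.0.113.77",
    "unrelated log line that the parser should skip",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```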
