12-25-2008 08:43 AM - edited 03-11-2019 07:29 AM
Hello,
Friends, i can not connect inside my network to outside worlde using VPN client. Earlier i had in my office FreeBSD and did not have this problem (I could connect to remote ASA using VPN client), when i changed FreeBSD to ASA this problem occur. VPN client is connected, tunnel is created but nothing more.
Its Syslog ID 305006 - regular translation creation failed for protocol 50 src inside:10.0.0.22 dst outside:6.168.y.x
Please give me advice how to resolve this problem.
Thanks in advance
Kind Regards
Giorgi
Solved! Go to Solution.
12-26-2008 07:59 AM
Giorgi,
are you geting the same translation error? if so could u confirm the other end supports transparent tunneling (NAT-T) , if u have some control of other firewall have them enable transparent tunneling , if they do make sure vpn client have in transport tab NAT-T enabled which is default, Ipsec over UDP (NAT/PAT) 1000.
Get back if still problems.
Regards
12-26-2008 08:18 AM
See Enable NAT-Traversal (#1 RA VPN Issue)
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1
on other side asa do bellow
PIX/ASA 7.1 and earlier
pix(config)#isakmp nat-traversal 20
PIX/ASA 7.2(1) and later
securityappliance(config)#crypto isakmp nat-traversal 20
12-26-2008 08:59 AM
correct, that will enable NAT-T on other end, were you enable to VPNin after u enable NAT-t
on other side? just to make sure your problem is resolved.
Regards
12-25-2008 09:13 AM
You need ipsec pass thru inspection in your asa global policy
for IPsec Cisco VPN CLIENT connecting outbound add inspect Ipsec, asa should already have a policy-map called global_policy
example
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect ipsec-pass-thru
ciscoasa(config-pmap-c)#exit
Let us know if still problems
Regards
12-25-2008 10:53 PM
Hi jorgemcse,
Thanks for posting and helping :)
I have already done this but no result. Still can not enter in remote network using VPN client.
This policy map is configured as in my side of ASA as Remote side same.
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect dns preset_dns_map
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect ipsec-pass-thru
inspect netbios
inspect rsh
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
Kind Regards
Giorgi
12-26-2008 07:59 AM
Giorgi,
are you geting the same translation error? if so could u confirm the other end supports transparent tunneling (NAT-T) , if u have some control of other firewall have them enable transparent tunneling , if they do make sure vpn client have in transport tab NAT-T enabled which is default, Ipsec over UDP (NAT/PAT) 1000.
Get back if still problems.
Regards
12-26-2008 08:09 AM
Yes, i get the same errors ! Nothing changed !!!
I could make changes in remote ASA (where i try to connect via VPN client) ,,enable transparent tunneling - how could i enabe it'' ?
In my VPN client its ipsec over udp (nat/pat)
12-26-2008 08:18 AM
See Enable NAT-Traversal (#1 RA VPN Issue)
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1
on other side asa do bellow
PIX/ASA 7.1 and earlier
pix(config)#isakmp nat-traversal 20
PIX/ASA 7.2(1) and later
securityappliance(config)#crypto isakmp nat-traversal 20
12-26-2008 08:32 AM
PIX/ASA 7.2(1) and later
securityappliance(config)#crypto isakmp nat-traversal 20 <<< Two days ago this command i tried in my ASA (but no result)...
Now, i'll try on remote ASA ...
Great Thanks for helping
Best Regards
Giorgi
12-26-2008 08:37 AM
no problem, enable it on other side.
let us know how works out.
Regards
12-26-2008 08:55 AM
Jorge,
securityappliance(config)#crypto isakmp nat-traversal 20 <<< i should do onlt this command and nothing more ?
Regards
Giorgi
12-26-2008 08:59 AM
correct, that will enable NAT-T on other end, were you enable to VPNin after u enable NAT-t
on other side? just to make sure your problem is resolved.
Regards
12-27-2008 12:19 AM
Dear Jorge,
Great thanks for helping. I did everything as you told me and this problem is resolved.
P.S. Happy new year, and wish everything best.
Kind Regards
Giorgi
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: