
VPN client Error - Syslog ID 305006

batumibatumi
Level 1

Hello,

Friends, I cannot connect from inside my network to the outside world using the VPN client. Earlier I had FreeBSD in my office and did not have this problem (I could connect to the remote ASA using the VPN client); when I changed from FreeBSD to an ASA, this problem occurred. The VPN client is connected, the tunnel is created, but nothing more.

It's Syslog ID 305006 - regular translation creation failed for protocol 50 src inside:10.0.0.22 dst outside:6.168.y.x

Please give me advice how to resolve this problem.

Thanks in advance

Kind Regards

Giorgi

10 Replies

JORGE RODRIGUEZ
Level 10

You need IPsec pass-thru inspection in your ASA global policy.

For the IPsec Cisco VPN Client connecting outbound, add inspect IPsec; the ASA should already have a policy-map called global_policy.

Example:

ciscoasa(config)# policy-map global_policy

ciscoasa(config-pmap)# class inspection_default

ciscoasa(config-pmap-c)# inspect ipsec-pass-thru

ciscoasa(config-pmap-c)#exit

Let us know if there are still problems.

Regards

Jorge Rodriguez

Hi jorgemcse,

Thanks for posting and helping :)

I have already done this but with no result. I still cannot enter the remote network using the VPN client.

This policy map is configured the same on my side's ASA as on the remote side.

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global-policy
 class global-class
  inspect dns preset_dns_map
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect ipsec-pass-thru
  inspect netbios
  inspect rsh
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp

Kind Regards

Giorgi

Giorgi,

Are you getting the same translation error? If so, could you confirm the other end supports transparent tunneling (NAT-T)? If you have some control of the other firewall, have them enable transparent tunneling; if they do, make sure the VPN client has NAT-T enabled in the Transport tab, which is the default: IPsec over UDP (NAT/PAT) 1000.

Get back if there are still problems.

Regards

Jorge Rodriguez

Yes, I get the same errors! Nothing changed!!!

I could make changes on the remote ASA (where I try to connect via VPN client). "Enable transparent tunneling" - how could I enable it?

In my VPN client it's IPsec over UDP (NAT/PAT).

See Enable NAT-Traversal (#1 RA VPN Issue)

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1

On the other side's ASA, do the below:

PIX/ASA 7.1 and earlier

pix(config)#isakmp nat-traversal 20

PIX/ASA 7.2(1) and later

securityappliance(config)#crypto isakmp nat-traversal 20

Jorge Rodriguez

PIX/ASA 7.2(1) and later

securityappliance(config)#crypto isakmp nat-traversal 20 <<< Two days ago I tried this command on my ASA (but no result)...

Now I'll try it on the remote ASA...

Great Thanks for helping

Best Regards

Giorgi

No problem, enable it on the other side.

Let us know how it works out.

Regards

Jorge Rodriguez

Jorge,

securityappliance(config)#crypto isakmp nat-traversal 20 <<< I should do only this command and nothing more?

Regards

Giorgi

Correct, that will enable NAT-T on the other end. Were you able to VPN in after you enabled NAT-T on the other side? Just to make sure your problem is resolved.

Regards

Jorge Rodriguez

Dear Jorge,

Great thanks for helping. I did everything as you told me and this problem is resolved.

P.S. Happy New Year, and I wish you all the best.

Kind Regards

Giorgi
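The symptom from this thread as a log check, added here as an example and not written by anyone in the thread: ESP (IP protocol 50) has no ports for PAT to rewrite, so raw IPsec from an inside client shows up as repeated 305006 failures until NAT-T wraps it in UDP. The message layout is assumed from the line quoted in the question, the sample log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# IP protocols without TCP/UDP ports; PAT has no port to rewrite for these.
PORTLESS = {"50": "ESP", "51": "AH", "47": "GRE"}

# Assumed 305006 layout, modelled on the message quoted in the thread.
MSG = re.compile(
    r"%(?:ASA|PIX)-\d-305006: (?P<kind>[\w ]+?) translation creation failed "
    r"for (?:protocol (?P<num>\d+)|(?P<name>[a-z]+)) "
    r"src (?P<sif>[^:\s]+):(?P<src>[^\s/]+)(?:/\d+)? "
    r"dst (?P<dif>[^:\s]+):(?P<dst>[^\s/]+)(?:/\d+)?"
)

def parse_305006(line):
    """Return a dict for a 305006 line, or None for any other message."""
    m = MSG.search(line)
    if not m:
        return None
    proto = m["num"] or m["name"]
    return {"kind": m["kind"], "proto": proto, "src": m["src"],
            "dst": m["dst"], "portless": PORTLESS.get(proto)}

def natt_candidates(lines):
    """Count failed portless-protocol translations per (src, dst, protocol)."""
    hits = Counter()
    for line in lines:
        rec = parse_305006(line)
        if rec and rec["portless"]:
            hits[(rec["src"], rec["dst"], rec["portless"])] += 1
    return hits

# Constructed sample log (documentation addresses, not taken from the thread).
SAMPLE = """\
Dec 30 10:01:02 fw %ASA-3-305006: regular translation creation failed for protocol 50 src inside:10.0.0.22 dst outside:203.0.113.10
Dec 30 10:01:07 fw %ASA-3-305006: regular translation creation failed for protocol 50 src inside:10.0.0.22 dst outside:203.0.113.10
Dec 30 10:01:09 fw %ASA-3-305006: portmap translation creation failed for udp src inside:10.0.0.30/500 dst outside:203.0.113.10/500
Dec 30 10:01:11 fw %ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.22/51514 (10.0.0.22/51514)
""".splitlines()

if __name__ == "__main__":
    for (src, dst, proto), n in natt_candidates(SAMPLE).items():
        print(f"{src} -> {dst}: {n} failed {proto} translations; "
              "raw IPsec is hitting PAT, check NAT-T on both VPN peers")
```

A host that appears here with ESP is sending unencapsulated IPsec through PAT, which matches the case resolved in this thread by enabling NAT-T on the remote ASA.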
