ASA drops packets when initiating a VPN connection from the inside network

Answered Question
Jan 6th, 2009

Hello,

Having some problems with the ASA box. I have a site-to-site between two offices, it works perfect.

But, when a computer from the inside network tries to establish a VPN connection from his/her Windows machine to another network, it all goes wrong. I get the following message in the syslog:

305006 193.xxx.xx.64 regular translation creation failed for protocol 47 src inside:192.168.1.50 dst outside:193.xx.xxx.64

After a quick google, I found this page:

http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1280915

It states that I'm trying to establish a connection to a network or broadcast address. But given that the last numeric is 64, as far as I can tell this is a /26 network. And why does the ASA assume that? I haven't thrown in any subnet masks with this address. Anyway, I tried the static command at the bottom, but it still gives me the error message in syslog. This is not a VPN connection configured in the ASA; this is just VPN traffic passing through the box.

Added some 'useful' things:

Result of the command: "sh nat"

NAT policies on Interface inside:
  match ip inside 192.168.1.0 255.255.255.0 inside 192.168.2.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.1.0 255.255.255.0 outside 192.168.2.0 255.255.255.0
    NAT exempt
    translate_hits = 48, untranslate_hits = 70
  match ip inside 192.168.1.0 255.255.255.0 _internal_loopback 192.168.2.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match tcp inside host 192.168.1.50 eq 3389 outside any
    static translation to 195.xx.xxx.xx/3389
    translate_hits = 0, untranslate_hits = 2
  match ip inside 192.168.1.0 255.255.255.0 inside any
    dynamic translation to pool 1 (192.168.1.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (195.xx.xxx.xx [Interface PAT])
    translate_hits = 15033, untranslate_hits = 1607
  match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
NAT policies on Interface outside:
  match ip outside host 193.xx.xxx.64 inside any
    static translation to 193.xx.xxx.64
    translate_hits = 0, untranslate_hits = 40

Result of the command: "sh run nat"

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0

Result of the command: "sh run static"

static (inside,outside) tcp interface 3389 192.168.1.50 3389 netmask 255.255.255.255
static (inside,outside) 193.xx.xxx.64 193.xx.xxx.64 netmask 255.255.255.255

Thanks for help,

\\mark

Correct Answer by acomiskey, Tue, 01/06/2009 - 08:08

Do you have this in your config?

asa(config)#policy-map global_policy

asa(config-pmap)#class inspection_default

asa(config-pmap-c)#inspect pptp
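
An added detection example (my own code, not part of acomiskey's answer or the thread): it parses ASA 305006 syslog lines like the one quoted in the question and flags protocol 47 (GRE, the PPTP data channel) translation failures, which are the symptom of PPTP passthrough from a PAT'd host without the inspection above. The sample log lines, hosts and addresses are constructed for the example.

```python
import re
from collections import Counter

# Added example (not from the thread): flag ASA 305006 "regular translation
# creation failed" messages for non-TCP/UDP protocols, which interface PAT
# cannot translate on its own. Protocol 47 is GRE, the PPTP data channel.
IP_PROTO_NAMES = {47: "GRE (PPTP data channel)", 50: "ESP", 51: "AH"}
HINTS = {47: "add 'inspect pptp' to class inspection_default in policy-map "
             "global_policy so the ASA can build the GRE translation"}
MSG_305006 = re.compile(
    r"305006.*?translation creation failed for protocol (?P<proto>\d+)"
    r" src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+)"
)

def parse_305006(line):
    """Return the fields of a 305006 line as a dict, or None for other messages."""
    m = MSG_305006.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["proto"] = int(fields["proto"])
    return fields

def summarize(lines):
    """Count failed translations per (protocol, source, destination), with a hint."""
    counts = Counter()
    for line in lines:
        f = parse_305006(line)
        if f is not None:
            counts[(f["proto"], f["src_if"], f["src"], f["dst"])] += 1
    findings = []
    for (proto, src_if, src, dst), n in sorted(counts.items()):
        findings.append({
            "proto": proto,
            "name": IP_PROTO_NAMES.get(proto, f"IP protocol {proto}"),
            "src": f"{src_if}:{src}", "dst": dst, "count": n,
            "hint": HINTS.get(proto, "check the NAT/static rules covering this host"),
        })
    return findings

# Constructed sample lines modelled on the message quoted in the question (documentation addresses).
SAMPLE_LOG = [
    "%ASA-3-305006: regular translation creation failed for protocol 47 src inside:192.168.1.50 dst outside:203.0.113.64",
    "%ASA-3-305006: regular translation creation failed for protocol 47 src inside:192.168.1.50 dst outside:203.0.113.64",
    "%ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.64/1723 (203.0.113.64/1723) to inside:192.168.1.50/1034 (198.51.100.2/1034)",
    "%ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.1.77 dst outside:203.0.113.9",
]

if __name__ == "__main__":
    for f in summarize(SAMPLE_LOG):
        print(f"{f['count']}x {f['name']} {f['src']} -> {f['dst']}: {f['hint']}")
```

Feed it the ASA syslog feed instead of SAMPLE_LOG to spot hosts whose PPTP sessions silently fail after the TCP 1723 control connection is built.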

markraves Wed, 01/07/2009 - 01:39

Hello,

Didn't seem to have that piece of wonderful config.

Fantastic sir. This is excellent. I thank you;=)

\\mark
