Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
470
Views
0
Helpful
2
Replies

Asa drops packets when initiating an vpn connection from the inisde network

Go to solution
markraves
Level 1
Level 1

‎01-06-2009 02:51 AM - edited ‎02-21-2020 03:11 AM

Hello,

Having some problems with the asabox. I have a site to site between two offices, it works perfect.

But, when a computer from the inside network tries to establish a vpn connection from his/hers windows machine to another network, it all goes wrong. I get the following message in the syslog:

305006 193.xxx.xx.64 regular translation creation failed for protocol 47 src inside:192.168.1.50 dst outside:193.xx.xxx.64

After a quick google, I found this page:

http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1280915

It states that I'm trying to establish a connection to a network or broadcast address. but given that the last numeric is 64, as far as I can tell this is a /26 network. And why does the asa assume that? I haven't thrown in any subnet masks with this address? Anyway, I tried the static command at the bottom, but still it gives me the error message in syslog. this is not a vpn connection configured in the asa. this is just vpn traffic passing through the box.

added some 'useful' things:

Result of the command: "sh nat"

NAT policies on Interface inside:

match ip inside 192.168.1.0 255.255.255.0 inside 192.168.2.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip inside 192.168.1.0 255.255.255.0 outside 192.168.2.0 255.255.255.0

NAT exempt

translate_hits = 48, untranslate_hits = 70

match ip inside 192.168.1.0 255.255.255.0 _internal_loopback 192.168.2.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match tcp inside host 192.168.1.50 eq 3389 outside any

static translation to 195.xx.xxx.xx/3389

translate_hits = 0, untranslate_hits = 2

match ip inside 192.168.1.0 255.255.255.0 inside any

dynamic translation to pool 1 (192.168.1.1 [Interface PAT])

translate_hits = 0, untranslate_hits = 0

match ip inside 192.168.1.0 255.255.255.0 outside any

dynamic translation to pool 1 (195.xx.xxx.xx [Interface PAT])

translate_hits = 15033, untranslate_hits = 1607

match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

NAT policies on Interface outside:

match ip outside host 193.xx.xxx.64 inside any

static translation to 193.xx.xxx.64

translate_hits = 0, untranslate_hits = 40

Result of the command: "sh run nat"

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.1.0 255.255.255.0

Result of the command: "sh run static"

static (inside,outside) tcp interface 3389 192.168.1.50 3389 netmask 255.255.255.255

static (inside,outside) 193.xx.xxx.64 193.xx.xxx.64 netmask 255.255.255.255

Thanks for help,

\\mark

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
acomiskey
Level 10
Level 10

‎01-06-2009 08:08 AM

Do you have this in your config?

asa(config)#policy-map global_policy

asa(config-pmap)#class inspection_default

asa(config-pmap-c)#inspect pptp

View solution in original post

0 Helpful
2 Replies 2

Go to solution
acomiskey
Level 10
Level 10

‎01-06-2009 08:08 AM

Do you have this in your config?

asa(config)#policy-map global_policy

asa(config-pmap)#class inspection_default

asa(config-pmap-c)#inspect pptp

0 Helpful

Go to solution
markraves
Level 1
Level 1
In response to acomiskey

‎01-07-2009 01:39 AM

Hello,

Didn't seem to have that piece of wonderful config.

Fantastic sir. This is excellent. I thank you;=)

\\mark

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card