Cisco VPN client can't ping remote network.

Unanswered Question
Jan 27th, 2009
User Badges:

I have recently installed a Cisco 5505 and have problems with some of the Cisco VPN Hosts I connect to using the Cisco VPN dialer. The Cisco Dialer connects fine but I am unable to connect to any computers on the remote network.


I have tracked the issue down to the ones that work & the ones that don't. If the remote Cisco is on the same sub-net as the computers I am connecting to it works fine. If the remote Cisco is on a differant sub-net then the computer I am trying to connect to it won't work unless I set up a static nat for a given pc on my network.


When I run through the dynamic Nat for my network I get the following error on the 5505.


regular translation creation failed for protocol 50 src inside:192.168.97.215 dst outside:xx.xxx.xx.xxx


I have been trying to find a solution to this issue ever since I installed the router and have not had any luck with any of the suggestions I have found on the Web. I have attached my config.


Any help would be appreciated.


Mike



Attachment: 
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Ivan Martinon Tue, 01/27/2009 - 08:58
User Badges:
  • Cisco Employee,

What you are saying is that this 5505 is the firewall that hosts the PC that uses the vpn client, and the vpn servers are outside this firewall?


regular translation creation failed for protocol 50 src inside:192.168.97.215 dst outside:xx.xxx.xx.xxx


This message means that the firewall is not allowing ESP to go through PAT, please go ahead and make sure that the remote server has NAT-T enabled.



mpatricksp Tue, 01/27/2009 - 09:13
User Badges:

Thanks for your response.


Yes that exactly the setup we are trying to get to work.


I have a call into them now and will check on their set up but I have no control over how they configure their routers I can only make requests.


I was hoping there was something causing it on my side as I deal with Hospitals and they can get very picky about their security.


I guess what is confusing me is it works if it goes through a Static Nat but not if it runs through our dynamic Nat.


Mike

Ivan Martinon Tue, 01/27/2009 - 09:15
User Badges:
  • Cisco Employee,

Problem is, ESP does not work or passes through PAT since it is a portless protocol, the inspect IPSec pass through, is used only for Dynamic one to one nat, so your only choice is to allow them to enable nat-t or to have a static one to one

mpatricksp Tue, 01/27/2009 - 09:19
User Badges:

Ok,


Thank you for the information, that is what I was trying to find out.


Thanks,


Mike

Actions

This Discussion