
Cisco VPN client can't ping remote network.

mpatricksp
Level 1

I have recently installed a Cisco 5505 and have problems with some of the Cisco VPN Hosts I connect to using the Cisco VPN dialer. The Cisco Dialer connects fine but I am unable to connect to any computers on the remote network.

I have tracked the issue down to the ones that work & the ones that don't. If the remote Cisco is on the same sub-net as the computers I am connecting to, it works fine. If the remote Cisco is on a different sub-net than the computer I am trying to connect to, it won't work unless I set up a static nat for a given pc on my network.

When I run through the dynamic Nat for my network I get the following error on the 5505.

regular translation creation failed for protocol 50 src inside:192.168.97.215 dst outside:xx.xxx.xx.xxx

I have been trying to find a solution to this issue ever since I installed the router and have not had any luck with any of the suggestions I have found on the Web. I have attached my config.

Any help would be appreciated.

Mike


Ivan Martinon
Level 7

What you are saying is that this 5505 is the firewall that hosts the PC that uses the vpn client, and the vpn servers are outside this firewall?

regular translation creation failed for protocol 50 src inside:192.168.97.215 dst outside:xx.xxx.xx.xxx

This message means that the firewall is not allowing ESP to go through PAT. Please go ahead and make sure that the remote server has NAT-T enabled.

Thanks for your response.

Yes, that is exactly the setup we are trying to get to work.

I have a call into them now and will check on their setup, but I have no control over how they configure their routers; I can only make requests.

I was hoping there was something causing it on my side as I deal with Hospitals and they can get very picky about their security.

I guess what is confusing me is it works if it goes through a Static Nat but not if it runs through our dynamic Nat.

Mike

The problem is that ESP does not work or pass through PAT since it is a portless protocol. The inspect IPSec pass-through is used only for dynamic one-to-one NAT, so your only choice is to allow them to enable NAT-T or to have a static one-to-one.

Ok,

Thank you for the information, that is what I was trying to find out.

Thanks,

Mike
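
Added example (not part of the original thread): a Python sketch that scans firewall log text for the "translation creation failed for protocol 50" message quoted above and lists each inside host and remote peer whose ESP traffic could not be translated, i.e. the tunnels that need NAT-T on the peer or a static one-to-one NAT. The sample log lines, the 203.0.113.x peer addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

ESP = 50  # IP protocol number for IPsec ESP, which carries no port numbers

# Matches the message text quoted in the thread; dst may be redacted (xx.xxx...).
PATTERN = re.compile(
    r"translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+) dst (?P<dst_if>[\w-]+):(?P<dst>\S+)"
)

# Constructed sample lines: timestamps, hostname and peers are made up.
SAMPLE_LOG = """\
Mar 03 10:01:12 fw regular translation creation failed for protocol 50 src inside:192.168.97.215 dst outside:203.0.113.10
Mar 03 10:01:15 fw regular translation creation failed for protocol 50 src inside:192.168.97.215 dst outside:203.0.113.10
Mar 03 10:02:40 fw regular translation creation failed for protocol 50 src inside:192.168.97.44 dst outside:203.0.113.77
Mar 03 10:03:02 fw unrelated message that must be ignored
Mar 03 10:04:19 fw regular translation creation failed for protocol 6 src inside:192.168.97.9 dst outside:203.0.113.5
"""

def pat_blocked_tunnels(log_text):
    """Return {(inside_host, remote_peer): failure_count} for ESP only."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        if int(m["proto"]) != ESP:
            continue  # TCP/UDP translation failures have other causes
        hits[(m["src"], m["dst"])] += 1
    return dict(hits)

def report(hits):
    """One line per affected tunnel, with the two options from the thread."""
    return [
        f"{host} -> {peer}: {count} ESP translation failures; "
        f"peer needs NAT-T enabled, or {host} needs a static one-to-one NAT"
        for (host, peer), count in sorted(hits.items())
    ]

if __name__ == "__main__":
    print("\n".join(report(pat_blocked_tunnels(SAMPLE_LOG))))
```

A host that shows up here while its VPN client reports "connected" matches the symptom in the thread: the tunnel negotiates, but the ESP data packets never get a translation.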
