Problem Establishing Outbound VPN through ASA 5505


While inside a network secured by an ASA 5505 I cannot establish a PPTP VPN out. The ASA is logging the following:

09 2009 20:50:09 305006 24.13.209.125 regular translation creation failed for protocol 47 src inside:192.168.132.108 dst outside:xxx.xxx.xxx.125

I've looked up the error message online but for whatever reason I'm just not grasping what it is saying. How do I fix this? Let me know if you have any questions...thanks guys!

bc

Correct Answer by JORGE RODRIGUEZ about 7 years 4 months ago

Hi,

Enable pptp inspection

pixfirewall(config)#policy-map global_policy
pixfirewall(config-pmap)#class inspection_default
pixfirewall(config-pmap-c)#inspect pptp

Go over this link for background detail info pptp/gre usage under various codes.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Regards

Kevin Redmon Wed, 08/05/2009 - 18:53

BC,

Can you confirm whether you are doing a static 1-to-1 translation or PAT'ing to a particular IP address?

GRE is a port-less protocol. A prerequisite for PAT to work is that there must be a port on the inside to be translated to a port on the outside. This is a protocol limitation. With that being said, GRE does NOT work with PAT.

If you have a "spare" IP address, configure a static one-to-one translation for the host that needs to form the PPTP VPN tunnel.

If that is not available, you will likely be forced to use another VPN solution such as SSL VPN and/or NAT-T.

JORGE RODRIGUEZ Wed, 08/05/2009 - 23:42

It works fine with PAT as long as only one single host on the inside connects to the PPTP server/gateway and you have pptp inspection in ASA code 7.x and above, or fixup protocol pptp 1723 for PIX 6.x and below.

If there were several inside hosts connecting to the PPTP server/gateway then one-to-one NAT will be required.

PIX506E - 6.3.5

show conn
GRE out 67.43.xx.xx:1723 in 192.168.0.21:32800 idle 0:00:16 bytes 1310 flags EG
GRE out 67.43.xx.xx:20863 in 192.168.0.21:1723 idle 0:00:20 bytes 11447 flags PG

I don't even have a one-to-one static NAT for the 192.168.0.21 inside host - all is through the outside interface's DHCP-assigned public address.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ_wireless) 1 10.14.14.0 255.255.255.0 0 0
static (inside,outside) tcp interface 3074 XBOX360 3074 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3074 XBOX360 3074 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 88 XBOX360 88 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www XBOX360 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain XBOX360 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain XBOX360 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh WS-2950XL-1 ssh netmask 255.255.255.255 0 0
static (inside,DMZ_wireless) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

Regards
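As an added illustration of Kevin's and Jorge's points above (example code written for this page, not from the thread or from Cisco): a toy PAT table in Python showing why two inside hosts can both open TCP/1723 control channels through PAT, while the second host's bare GRE (protocol 47) flow has no unique outside key and fails with a 305006-style message, and how keying GRE by the PPTP call ID, which is what inspection learns from the control channel, removes the collision. All addresses, ports and call IDs are constructed, and the table is a simplification of a real xlate table.

```python
from dataclasses import dataclass, field

OUTSIDE_IP = "203.0.113.5"      # constructed public address on the outside interface
PPTP_SERVER = "198.51.100.10"   # constructed PPTP server address
LOG_305006 = ("305006 regular translation creation failed for protocol 47 "
              "src inside:{src} dst outside:{dst}")

@dataclass
class PatTable:
    """Toy PAT/xlate table: outside key -> (inside host, inside identifier)."""
    next_port: int = 1024
    xlates: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def translate(self, proto, src, dst, src_id=None):
        """Build an xlate for an outbound flow; return the outside key or None.
        proto is 'tcp', 'udp' or 'gre'. src_id is the source port for tcp/udp;
        for gre it is the PPTP call ID, known only if the TCP/1723 control
        channel was inspected, otherwise None."""
        if src_id is not None:
            # Port-like identifier available: allocate a unique outside value.
            outside_id, self.next_port = self.next_port, self.next_port + 1
            key = (proto, OUTSIDE_IP, outside_id, dst)
            self.xlates[key] = (src, src_id)
            return key
        # Port-less protocol: the only possible outside key is (proto, ip, dst),
        # so a second inside host talking to the same peer has no free slot.
        key = (proto, OUTSIDE_IP, None, dst)
        owner = self.xlates.get(key)
        if owner is not None and owner[0] != src:
            self.log.append(LOG_305006.format(src=src, dst=dst))
            return None
        self.xlates[key] = (src, None)
        return key

def without_inspection():
    """Two hosts: both TCP control channels translate, bare GRE fails for host 2."""
    pat = PatTable()
    pat.translate("tcp", "192.168.132.108", PPTP_SERVER, src_id=32800)
    pat.translate("tcp", "192.168.132.109", PPTP_SERVER, src_id=32801)
    first = pat.translate("gre", "192.168.132.108", PPTP_SERVER)
    second = pat.translate("gre", "192.168.132.109", PPTP_SERVER)
    return first is not None, second is not None, pat.log

def with_inspection():
    """Same hosts, but call IDs learned from the control channel key the GRE xlates."""
    pat = PatTable()
    first = pat.translate("gre", "192.168.132.108", PPTP_SERVER, src_id=20863)
    second = pat.translate("gre", "192.168.132.109", PPTP_SERVER, src_id=20864)
    return first is not None, second is not None, pat.log

if __name__ == "__main__":
    print(without_inspection())  # (True, False, ['305006 regular translation creation failed ...'])
    print(with_inspection())     # (True, True, [])
```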
