regular translation creation failed for protocol 50

Answered Question
Oct 20th, 2009
User Badges:

Hello,


I get the following error when trying to connect a vpn client through an ASA5505 with an already configured ipsec AES/256 site to site connection:

regular translation creation failed for protocol 50 src:inside:192.168.1.167

dst:outside:xx.xxx.x.64

The site to site addressing is not relevant, I'm not trying to pass traffic over the site-to-site, but rather create a new vpn from inside client to outside external vpn box that's not under my control.


The client is able to create a connection, but no traffic is passed, when I try to ping / rdp, the above message is returned to me.


If I add the rule static(inside, outside) interface 192.168.1.167 netmask 255.255.255.255 then it works, everyting works, but ONLY from this computer.


Been googling for hours, but with no result as of yet.

Hope someone can shed some light over my issues.

Thanks,

\\mark



Correct Answer by JORGE RODRIGUEZ about 7 years 5 months ago

Hi, have the far end client running the VPN server to enable NAT-T, if they have a PIX/ASA have then add crypto isakmp nat-traversal 20 just like you do have in yours.


Regards



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
markraves Tue, 10/20/2009 - 04:22
User Badges:

Config pasted:

unimportant stuff cut.


ASA Version 7.2(4)

hostname ciscoasa

domain-name default.domain.invalid

enable password cVAXXXX/XXXXXX encrypted

passwd cVXXXX/XXXXmY encrypted

names

interface Vlan2

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan3

nameif outside

security-level 0

ip address 195.1.xx.xxx 255.255.255.252

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

mtu inside 1500

mtu outside 1500

arp timeout 14400

global (inside) 1 interface

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.1.0 255.255.255.0

access-group portforw in interface outside

route outside 0.0.0.0 0.0.0.0 195.1.xx.xxx 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 193.213.xxx.xx

crypto map outside_map 1 set transform-set ESP-AES-256-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 9

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp nat-traversal 20

dhcpd auto_config inside

!

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec

password-storage disable

ip-comp disable

re-xauth disable

group-lock value 193.213.xxx.xx

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelspecified

split-tunnel-network-list value outside_2_cryptomap

default-domain none

split-dns none

intercept-dhcp 255.255.255.255 disable

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem disable

backup-servers keep-client-config

msie-proxy server none

msie-proxy method no-modify

msie-proxy except-list none

msie-proxy local-bypass disable

nac disable

nac-sq-period 300

nac-reval-period 36000

nac-default-acl none

address-pools none

smartcard-removal-disconnect enable

client-firewall none

client-access-rule none

webvpn

functions url-entry

html-content-filter none

homepage none

keep-alive-ignore 4

http-comp gzip

filter none

url-list none

customization value DfltCustomization

port-forward none

port-forward-name value Application Access

sso-server none

deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information

svc none

svc keep-installer installed

svc keepalive none

svc rekey time none

svc rekey method none

svc dpd-interval client none

svc dpd-interval gateway none

svc compression deflate

tunnel-group 193.213.xxx.xx type ipsec-l2l

tunnel-group 193.213.xxx.xx ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

inspect esmtp

inspect ipsec-pass-thru

!

markraves Tue, 10/20/2009 - 04:25
User Badges:

destination ip..


Forgot, the destination IP address (vpn-client-to-external-box network) is 192.168.50.4


Thanks,

Correct Answer
JORGE RODRIGUEZ Tue, 10/20/2009 - 09:16
User Badges:
  • Green, 3000 points or more

Hi, have the far end client running the VPN server to enable NAT-T, if they have a PIX/ASA have then add crypto isakmp nat-traversal 20 just like you do have in yours.


Regards



JORGE RODRIGUEZ Tue, 10/20/2009 - 13:53
User Badges:
  • Green, 3000 points or more

Martin, is your issue resolved? does far end have NAT-T enabled.. did you try test RA to client without using static nat at your end.


regards


markraves Wed, 10/21/2009 - 23:53
User Badges:

Hello,


Sorry for not following up yesterday, I couldn't check it, didn't dare stray out of my apartement. Bloody sick. And there were noone I could send over to test.

But today I'm all better and have had a chance to test it out! And it works. it just works. Fantastic. Thanks a lot;=)

\\mark

rchudasama Tue, 10/25/2011 - 08:56
User Badges:

Jorge I have the same issue but unfortunately clients on far end are not willing to change configuration on their PIX/VPN appliance. Is there is any otherways to solve this issue?


Thanks

Rajesh

Actions

This Discussion