04-17-2010 05:47 AM
Hello,
I have tried 'inspect ipsec-pass-thru' as well as enabling NAT-T but it still has not helped.
Scenario:
VPN Client -> Local Network ASA 1 -> Local Network ASA 2 -> Internet -> Remote Network ASA (VPN Server)
From outside internet, I can successfully connect to remote ASA VPN server via the Cisco VPN client and pass traffic successfully.
However, when I initiate the VPN Client connection from the local network, it connects successfully, but on passing traffic I see 'Regular translation created failed for protocol 50' in the 'Local Network ASA 2' logs.
I have enabled 'inspect ipsec-pass-thru' and NAT-T on both ASAs in the local network, but it hasn't worked. The problem has to be with our local ASA devices, because the VPN connection works fine from outside.
Please suggest what the problem could be. All the forums just talk about enabling the two features mentioned above to make it work (which I have already done).
Thanks.
04-17-2010 06:17 AM
You would need to enable NAT-T on the Remote Network ASA (VPN Server) itself to allow the ESP packets to be encapsulated into UDP/4500 packets, because you are dynamically NATing your VPN Client when you are connected to the local LAN, and "inspect ipsec-pass-thru" does not support PAT.
Here is the command reference for "inspect ipsec-pass-thru" for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721168
04-17-2010 06:24 AM
OK. But as I stated, if I use the VPN Client from the outside internet network, it works perfectly fine with the same remote VPN Server configuration. Why is that? Is NAT-Traversal not required from external networks?
The problem only seems to occur when there are ASAs in the middle, so the change should be on the intermediate ASAs. Is that a correct understanding?
Thanks.
04-17-2010 06:31 AM
From outside, it is capable of using ESP protocol to connect, hence it does not fail.
ESP is a protocol, and it does not have a port number. Therefore, if you PAT outbound traffic, it fails because ESP can't be PATed, since it has no port number. Hence the requirement to enable NAT-T on the remote VPN server, so that when it detects that the path uses PAT, it can negotiate to use UDP/4500-encapsulated ESP packets.
From the logs, it clearly states that it fails on 'Regular translation created failed for protocol 50'.
ESP is protocol 50, and protocol 50 does not have a port number; therefore it fails on PAT.
04-17-2010 06:44 AM
Thanks.
Is there any other way of getting it to work without asking the remote VPN Server support team to make configuration changes on their end?
04-17-2010 07:04 AM
Possibly static NAT or something else.
Thanks.
04-17-2010 03:41 PM
Yes, definitely. You can configure static NAT for the IP address of the host that is running the VPN client.
Hope that helps.
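To tie the two answers above together (ESP carries no port, so a PAT rule has nothing to rewrite; NAT-T on the server or a static 1:1 NAT for the client host fixes it), here is an added Python example that is not from this thread or from Cisco: it scans ASA log lines for the translation-failure message quoted in the thread and reports which failures involve port-less protocols and what the thread recommends for them. The sample log lines are constructed, and the message ID and "src iface:addr dst iface:addr" layout are assumptions.

```python
import re
from typing import Iterable, Optional

# Protocols with a port field: PAT can rewrite the port and multiplex many hosts behind one IP.
PORT_BASED = {6: "TCP", 17: "UDP"}
# Protocols with no port field: a PAT rule has nothing to rewrite, so the translation fails.
PORTLESS = {50: "ESP", 47: "GRE", 51: "AH"}

# Matches the "... translation created/creation failed for protocol N" message the thread quotes;
# the "src iface:addr dst iface:addr" tail is an assumption matching the constructed samples below.
NAT_FAIL_RE = re.compile(
    r"translation creat(?:ed|ion) failed for protocol (?P<proto>\d+)"
    r" src (?P<src_if>[^:\s]+):(?P<src>\S+) dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)",
    re.IGNORECASE,
)

def can_be_patted(protocol: int) -> bool:
    """True only for protocols that carry a port; ESP (50) does not."""
    return protocol in PORT_BASED

def advise(protocol: int) -> str:
    """Mitigation for a failed translation, following the reasoning given in the thread."""
    if protocol in PORTLESS:
        return (f"{PORTLESS[protocol]} (protocol {protocol}) has no port, so PAT cannot translate it: "
                "enable NAT-T on the VPN server (ESP inside UDP/4500) or static 1:1 NAT the client host")
    if protocol in PORT_BASED:
        return f"{PORT_BASED[protocol]} is port-based; look at the PAT pool or the NAT rule instead"
    return f"protocol {protocol} is not port-based; PAT will not work, use static NAT"

def parse_nat_failure(line: str) -> Optional[dict]:
    """Return the failure fields plus advice, or None for lines that are not NAT failures."""
    m = NAT_FAIL_RE.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    return {**m.groupdict(), "proto": proto,
            "name": PORT_BASED.get(proto) or PORTLESS.get(proto) or f"proto-{proto}",
            "advice": advise(proto)}

def scan(lines: Iterable[str]) -> list:
    """Keep only the lines that are translation failures, each with its advice attached."""
    return [f for f in map(parse_nat_failure, lines) if f]

# Constructed sample ASA syslog lines (not taken from the thread); the 302015 line is filler.
SAMPLE_LOG = [
    "%ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.0.2.10 dst outside:203.0.113.5",
    "%ASA-6-302015: Built outbound UDP connection 1234 for outside:203.0.113.5/500 to inside:192.0.2.10/500",
    "%ASA-3-305006: portmap translation creation failed for protocol 6 src inside:192.0.2.11/51000 dst outside:203.0.113.9/443",
]
```

Running `scan(SAMPLE_LOG)` flags the protocol 50 line as ESP with the NAT-T/static NAT advice and the protocol 6 line as an ordinary TCP PAT failure.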