Regular Translation created failed for protocol 50

dedra_live
Level 1

Hello,

I have tried 'inspect ipsec-pass-thru' as well as enabling NAT-T but it still has not helped.

Scenario:

VPN Client -> Local Network ASA 1 -> Local Network Network ASA 2 -> Internet -> Remote Network ASA (VPN Server)

From outside internet, I can successfully connect to remote ASA VPN server via the Cisco VPN client and pass traffic successfully.

However, when I initiate the VPN Client connection from the local network, it connects successfully, but on passing traffic I see 'Regular translation created failed for protocol 50' in the 'Local Network ASA 2' logs.

I have enabled 'inspect ipsec-pass-thru' and NAT-T on both ASAs in the local network, but it hasn't worked. The problem has to be with our local ASA devices, because the VPN connection works fine from outside.

Please suggest what the problem could be. All the forums just talk about enabling the two features mentioned above to make it work (which I have already done).

Thanks.

6 Replies

Jennifer Halim
Cisco Employee

You would need to enable NAT-T on the Remote Network ASA (VPN Server) itself to allow the ESP packets to be encapsulated in UDP/4500 packets, because you are dynamically NATing your VPN Client when you are connected to the local LAN, and "inspect ipsec-pass-thru" does not support PAT.

Here is the command reference for "inspect ipsec-pass-thru" for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721168

Ok. But as I stated, if I use the VPN Client from the outside internet network it works perfectly fine with the same remote VPN Server configuration. Why is that? Is NAT-Traversal not required from external networks?

The problem only seems to occur when there are ASAs in the middle, so the change should be on the intermediate ASAs. Is that a correct understanding?

Thanks.

From outside, it is capable of using ESP protocol to connect, hence it does not fail.

ESP is a protocol, and it does not have a port number. Therefore, if you PAT the outbound traffic, it fails, because ESP can't be PATed without a port number. Hence the requirement to enable NAT-T on the remote VPN server, so that when it detects that the path uses PAT, it can negotiate the use of UDP/4500-encapsulated ESP packets.

From the logs, it clearly states that it fails on 'Regular translation created failed for protocol 50'.

ESP is protocol 50, and protocol 50 does not have a port number, therefore it fails on PAT.

Thanks.

Is there any other way of getting it to work without asking the remote VPN Server support team to make any configuration changes on their end?

Possibly static NAT or something else.

Thanks.

Yes, definitely. You can configure static NAT for the IP address of the host that is running the VPN client.

Hope that helps.
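The following ASA configuration fragment is an added example, not part of the thread and not taken from either participant's configuration. It shows the one-to-one static NAT that the last reply recommends, applied on the intermediate ASA whose log reports the failed translation, alongside the 'inspect ipsec-pass-thru' inspection for the ESP return traffic. The addresses (192.168.10.25 for the VPN client host, 203.0.113.10 for the public address) and the object name VPN_CLIENT_HOST are constructed placeholders. Both the pre-8.3 'static' syntax (matching the ASA 8.0 reference linked above) and the 8.3+ object NAT syntax are shown; use only the one that matches the ASA version.

```cisco
! --- Pre-8.3 NAT syntax (ASA 8.0 / 8.2) ---
! One-to-one mapping for the VPN client host: ESP (protocol 50) has no
! port, so a static (non-PAT) translation is required for it to be
! translated at all. Addresses are constructed placeholders.
static (inside,outside) 203.0.113.10 192.168.10.25 netmask 255.255.255.255

! --- 8.3+ object NAT syntax (equivalent mapping) ---
object network VPN_CLIENT_HOST
 host 192.168.10.25
 nat (inside,outside) static 203.0.113.10

! --- ESP pass-through inspection (both syntaxes) ---
! Opens the return path for ESP once the client's ISAKMP (UDP/500)
! session has been seen through the static translation.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

! --- Verification ---
! The static entry should appear in the translation table:
show xlate | include 192.168.10.25
! And the failed-translation message (syslog ID 305006) should stop
! appearing for protocol 50 once traffic is passed again:
show logging | include 305006
```

The static mapping only has to exist on an ASA that was previously PATing the client, which in the scenario above is at least 'Local Network ASA 2'; if 'Local Network ASA 1' also performs PAT on the same host, it needs its own one-to-one mapping. This keeps the remote VPN server untouched, which is the constraint raised in the thread; the trade-off is that each VPN client host on the local network consumes one dedicated public address, whereas NAT-T on the VPN server would let all clients share a PAT address over UDP/4500.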
