03-27-2003 04:45 PM - edited 02-20-2020 10:39 PM
I have a PIX 515 running DHCP on the outside interface. When a VPN client connects from behind the PIX it generates the error "portmap translation creation failed for protocol 50 src inside <host> to dst <host>".
03-27-2003 08:56 PM
I think this has something to do with your patting. The workaround for this is to deny patting from your LAN to the VPN client.
03-28-2003 03:10 PM
It seems - as Salim mentioned above - that you are using a PAT address. For IPSec VPN clients you need to configure a static IP address for the client and allow the remote VPN gateway to reply on ESP (protocol 50).
e.g.
static (inside,outside) y.y.y.y z.z.z.z netmask 255.255.255.255 0 0
access-list acl_in permit esp host x.x.x.x host y.y.y.y
where y.y.y.y is the "outside or public" IP of the host, and x.x.x.x is the remote VPN gateway IP address.
HTH,
Mustafa
03-28-2003 05:23 PM
Thanks for the help. The issue was resolved by adding an ACL for ESP to the outside interface access-list.
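Added example, not part of the original thread: a small Python log check that finds inside hosts whose ESP (protocol 50) traffic fails PAT and prints the static and access-list lines from Mustafa's reply for each one. The log lines are constructed, the message layout in the regex is an assumption about how the firewall writes this error to syslog, and `y.y.y.y` remains a placeholder for a public address you assign.

```python
import re
from collections import Counter

# Assumed syslog layout of the error quoted in the thread. The /port suffix is
# optional because ESP has no ports, which is exactly why PAT cannot map it.
FAILURE = re.compile(
    r"portmap translation creation failed for protocol (?P<proto>\S+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/\d+)?"
)

# Constructed sample lines (documentation/private addresses), not real logs.
SAMPLE_LOG = [
    "%PIX-3-305006: portmap translation creation failed for protocol 50 "
    "src inside:192.168.1.20 dst outside:203.0.113.10",
    "%PIX-3-305006: portmap translation creation failed for protocol 50 "
    "src inside:192.168.1.20 dst outside:203.0.113.10",
    "%PIX-3-305006: portmap translation creation failed for protocol udp "
    "src inside:192.168.1.20/500 dst outside:203.0.113.10/500",
    "%PIX-3-305006: portmap translation creation failed for protocol 50 "
    "src inside:192.168.1.31 dst outside:203.0.113.10",
]

def esp_pat_failures(lines):
    """Count ESP PAT failures per (inside host, remote VPN gateway) pair."""
    hits = Counter()
    for line in lines:
        m = FAILURE.search(line)
        if m and m.group("proto") == "50":  # 50 = ESP
            hits[(m.group("src"), m.group("dst"))] += 1
    return dict(hits)

def suggest_config(inside_host, remote_gw, public_ip="y.y.y.y"):
    """Render the two lines from the thread for one host; public_ip is a placeholder."""
    return [
        f"static (inside,outside) {public_ip} {inside_host} "
        "netmask 255.255.255.255 0 0",
        f"access-list acl_in permit esp host {remote_gw} host {public_ip}",
    ]

if __name__ == "__main__":
    for (host, gw), count in esp_pat_failures(SAMPLE_LOG).items():
        print(f"# {host} -> {gw}: {count} ESP translation failure(s)")
        print("\n".join(suggest_config(host, gw)))
```

Each inside host reported needs its own public address in the static line, since a one-to-one translation cannot be shared the way a PAT address is.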