Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Asa drops packets when initiating an vpn connection from the inisde network

Hello,

Having some problems with the asabox. I have a site to site between two offices, it works perfect.

But, when a computer from the inside network tries to establish a vpn connection from his/hers windows machine to another network, it all goes wrong. I get the following message in the syslog:

305006 193.xxx.xx.64 regular translation creation failed for protocol 47 src inside:192.168.1.50 dst outside:193.xx.xxx.64

After a quick google, I found this page:

http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1280915

It states that I'm trying to establish a connection to a network or broadcast address. but given that the last numeric is 64, as far as I can tell this is a /26 network. And why does the asa assume that? I haven't thrown in any subnet masks with this address? Anyway, I tried the static command at the bottom, but still it gives me the error message in syslog. this is not a vpn connection configured in the asa. this is just vpn traffic passing through the box.

added some 'useful' things:

Result of the command: "sh nat"

NAT policies on Interface inside:

match ip inside 192.168.1.0 255.255.255.0 inside 192.168.2.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip inside 192.168.1.0 255.255.255.0 outside 192.168.2.0 255.255.255.0

NAT exempt

translate_hits = 48, untranslate_hits = 70

match ip inside 192.168.1.0 255.255.255.0 _internal_loopback 192.168.2.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match tcp inside host 192.168.1.50 eq 3389 outside any

static translation to 195.xx.xxx.xx/3389

translate_hits = 0, untranslate_hits = 2

match ip inside 192.168.1.0 255.255.255.0 inside any

dynamic translation to pool 1 (192.168.1.1 [Interface PAT])

translate_hits = 0, untranslate_hits = 0

match ip inside 192.168.1.0 255.255.255.0 outside any

dynamic translation to pool 1 (195.xx.xxx.xx [Interface PAT])

translate_hits = 15033, untranslate_hits = 1607

match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

NAT policies on Interface outside:

match ip outside host 193.xx.xxx.64 inside any

static translation to 193.xx.xxx.64

translate_hits = 0, untranslate_hits = 40

Result of the command: "sh run nat"

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.1.0 255.255.255.0

Result of the command: "sh run static"

static (inside,outside) tcp interface 3389 192.168.1.50 3389 netmask 255.255.255.255

static (inside,outside) 193.xx.xxx.64 193.xx.xxx.64 netmask 255.255.255.255

Thanks for help,

\\mark

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: Asa drops packets when initiating an vpn connection from the

Do you have this in your config?

asa(config)#policy-map global_policy

asa(config-pmap)#class inspection_default

asa(config-pmap-c)#inspect pptp

2 REPLIES
Green

Re: Asa drops packets when initiating an vpn connection from the

Do you have this in your config?

asa(config)#policy-map global_policy

asa(config-pmap)#class inspection_default

asa(config-pmap-c)#inspect pptp

New Member

Re: Asa drops packets when initiating an vpn connection from the

Hello,

Didn't seem to have that piece of wonderful config.

Fantastic sir. This is excellent. I thank you;=)

\\mark

197
Views
0
Helpful
2
Replies
CreatePlease to create content