04-21-2008 01:22 AM - edited 02-21-2020 01:59 AM
Hi
My problem is as follows:
Users with Nortel VPN clients want to connect to a VPN server on the internet, through a Cisco ASA 5500 firewall.
They can connect, but the login stops up. ASA log is saying the following:
" regular translation failed for protocol 50 src Intern:10.162.14.100 dst Internet:217.*.*.* "
PAT is in use on the WAN/Internet interface. I have attached an edited version of the config.
Any tip on what I can do to get the transparency I need to allow these clients through the wall?
Best regards
O.V
04-21-2008 06:18 AM
O.V.,
There is nothing really to do here. ESP uses IP Protocol 50 and is *not* TCP, which means it cannot be PATd.
Typically what happens is that the client and the server realize that one of them is being NATTed (by comparing hashes of the IP addresses each is sending and the IP they are getting), and negotiate NAT-traversal.
Typically if they don't negotiate NAT-traversal, that means one end or the other doesn't have it turned on. Have your client and server guys check that out to see what is going on, and make sure you have UDP 4500 allowed through your firewall.
You can read more on NAT traversal here:
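To make the two points in this answer concrete (ESP has no port field, so a PAT device has nothing to rewrite; NAT-D hashes let the peers detect the translation and move to UDP 4500), here is an added example that is not part of the thread and not Cisco or Nortel code. It models a PAT table the way the ASA log describes it and implements the RFC 3947 NAT-D check with SHA-1 as the assumed negotiated hash. The public address 198.51.100.7, the server address 203.0.113.20 (standing in for the masked 217.*.*.*) and the IKE cookies are constructed values.

```python
import hashlib
import ipaddress
import struct

# IP protocol numbers and IKE ports referenced in the thread
TCP, UDP, ESP = 6, 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500


class PatTable:
    """Minimal model of a port-overloaded NAT (PAT) on a WAN interface.

    Bindings are keyed by (protocol, inside ip, inside port). A packet whose
    protocol has no transport port (ESP, AH, GRE, ICMP without special handling)
    cannot get a unique binding, which is what the ASA logs as a failed
    'regular translation' for protocol 50."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.bindings = {}

    def translate(self, proto: int, src_ip: str, dst_ip: str, src_port=None):
        if proto not in (TCP, UDP):
            # No L4 port to overload: mirror the ASA log line from the question
            return None, (f"regular translation failed for protocol {proto} "
                          f"src Intern:{src_ip} dst Internet:{dst_ip}")
        key = (proto, src_ip, src_port)
        if key not in self.bindings:
            self.bindings[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.bindings[key], None


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    SHA-1 is assumed here; in a real exchange the negotiated hash is used."""
    return hashlib.sha1(cky_i + cky_r
                        + ipaddress.ip_address(ip).packed
                        + struct.pack("!H", port)).digest()


def detect_nat(cky_i: bytes, cky_r: bytes, sent_hashes, observed_src, observed_dst):
    """Receiver side of the NAT-D comparison.

    sent_hashes: (hash of the sender's own ip:port as the sender sees it,
                  hash of the receiver's ip:port as the sender sees it)
    observed_*:  (ip, port) the receiver actually sees on the wire
    Returns (sender_behind_nat, receiver_behind_nat)."""
    sender_hash, receiver_hash = sent_hashes
    sender_behind_nat = nat_d_hash(cky_i, cky_r, *observed_src) != sender_hash
    receiver_behind_nat = nat_d_hash(cky_i, cky_r, *observed_dst) != receiver_hash
    return sender_behind_nat, receiver_behind_nat


def walk_through():
    """Replay the scenario from the question: inside client, PAT on the ASA,
    VPN server on the internet. Returns a summary dict for inspection."""
    client_ip, server_ip = "10.162.14.100", "203.0.113.20"   # constructed
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8                     # constructed cookies
    pat = PatTable("198.51.100.7")

    # 1. IKE over UDP/500 is fine: it has a port to overload
    ike_binding, _ = pat.translate(UDP, client_ip, server_ip, IKE_PORT)

    # 2. The client hashes the addresses it believes are in use (its own private
    #    address, and the server address) and sends both NAT-D payloads
    sent = (nat_d_hash(cky_i, cky_r, client_ip, IKE_PORT),
            nat_d_hash(cky_i, cky_r, server_ip, IKE_PORT))

    # 3. The server sees the post-PAT source, so the first hash will not match
    client_natted, server_natted = detect_nat(
        cky_i, cky_r, sent, observed_src=ike_binding, observed_dst=(server_ip, IKE_PORT))

    # 4. Raw ESP cannot be translated; encapsulated ESP in UDP/4500 can
    esp_binding, esp_error = pat.translate(ESP, client_ip, server_ip)
    natt_binding, natt_error = pat.translate(UDP, client_ip, server_ip, NAT_T_PORT)

    return {
        "client_behind_nat": client_natted,
        "server_behind_nat": server_natted,
        "esp_binding": esp_binding,
        "esp_error": esp_error,
        "nat_t_binding": natt_binding,
        "nat_t_error": natt_error,
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The walk-through reproduces the log line from the question for the raw ESP packet and then shows the same flow succeeding once both sides have agreed to UDP encapsulation, which is why the answer's advice to allow UDP 4500 (together with UDP 500 for IKE) is the fix rather than any NAT rule on the ASA.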
04-21-2008 07:44 AM
I've landed on that also. Looking on the client and server side now.
Thank You
07-18-2008 10:42 PM
I agree, port 500 and port 4500 are the ports which usually need to be allowed on the upstream firewall if it's doing the NAT.
Both are UDP, so I think allowing them should resolve the issue.