
Problem Establishing Outbound VPN through ASA 5505

While inside a network secured by an ASA 5505 I cannot establish a PPTP VPN out. The ASA is logging the following:

09 2009 20:50:09 305006 24.13.209.125 regular translation creation failed for protocol 47 src inside:192.168.132.108 dst outside:xxx.xxx.xxx.125

I've looked up the error msg online but for whatever reason I'm just not grasping what it is saying. How do I fix this? Let me know if you have any questions...thanks guys!

bc


Accepted Solutions

Re: Problem Establishing Outbound VPN through ASA 5505

Hi,

Enable pptp inspection

pixfirewall(config)#policy-map global_policy

pixfirewall(config-pmap)#class inspection_default

pixfirewall(config-pmap-c)#inspect pptp

Go over this link for detailed background info on pptp/gre usage under various codes.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Regards

Cisco Employee

Re: Problem Establishing Outbound VPN through ASA 5505

BC,

Can you confirm whether you are doing a static 1-to-1 translation or PAT'ing to a particular IP address?

GRE is a port-less protocol. A prerequisite for PAT to work is that there must be a port on the inside to be translated to a port on the outside. This is a protocol limitation. With that being said, GRE does NOT work with PAT.

If you have a "spare" IP address, configure a static one-to-one translation for the host that needs to form the PPTP VPN tunnel.

If that is not available, you will likely be forced to use another VPN solution such as SSL VPN and/or NAT-T.

Re: Problem Establishing Outbound VPN through ASA 5505

It works fine with PAT as long as only one single host on the inside connects to the PPTP server/gateway and you have pptp inspection in ASA code 7.x and above, or fixup prot pptp 1723 for PIX 6.x and below.

If there were several inside hosts connecting to the PPTP server/gateway, then one-to-one NAT would be required.

PIX506E - 6.3.5

show conn

GRE out 67.43.xx.xx:1723 in 192.168.0.21:32800 idle 0:00:16 bytes 1310 flags EG

GRE out 67.43.xx.xx:20863 in 192.168.0.21:1723 idle 0:00:20 bytes 11447 flags PG

I don't even have a one-to-one static NAT for the 192.168.0.21 inside host - all is through the interface outside DHCP-assigned public address.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (DMZ_wireless) 1 10.14.14.0 255.255.255.0 0 0

static (inside,outside) tcp interface 3074 XBOX360 3074 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 3074 XBOX360 3074 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 88 XBOX360 88 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www XBOX360 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface domain XBOX360 domain netmask 255.255.255.255 0 0

static (inside,outside) udp interface domain XBOX360 domain netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ssh WS-2950XL-1 ssh netmask 255.255.255.255 0 0

static (inside,DMZ_wireless) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

Regards
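
Added example (not part of any post in this thread): a small Python triage script for the 305006 message quoted in the question. It groups failed translations by inside host and IP protocol and marks port-less protocols such as GRE (47), the case the replies discuss. Only the first sample line comes from the thread; the others are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# IP protocols without TCP/UDP-style ports, so PAT has no port to rewrite.
PORTLESS = {47: "GRE", 50: "ESP", 51: "AH"}

# Body of message 305006 as quoted in the question. Addresses may be
# masked (xxx) and may carry an optional /port suffix.
MSG = re.compile(
    r"305006\b.*?regular translation creation failed for protocol (?P<proto>\d+)"
    r" src (?P<sif>[^:\s]+):(?P<src>[^\s/]+)(?:/\d+)?"
    r" dst (?P<dif>[^:\s]+):(?P<dst>[^\s/]+)(?:/\d+)?"
)

def parse(line):
    """Return the fields of one 305006 line, or None for any other line."""
    m = MSG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = int(rec["proto"])
    return rec

def summarize(lines):
    """Count failed translations per (inside host, IP protocol)."""
    counts = Counter()
    for rec in filter(None, map(parse, lines)):
        counts[(rec["src"], rec["proto"])] += 1
    return [
        {"src": src, "proto": proto, "count": n,
         "name": PORTLESS.get(proto, "other"), "portless": proto in PORTLESS}
        for (src, proto), n in sorted(counts.items())
    ]

def gre_hosts(lines):
    """Inside hosts whose GRE (PPTP data channel) translations failed."""
    return [r["src"] for r in summarize(lines) if r["proto"] == 47]

SAMPLE = [
    # Line from the question.
    "09 2009 20:50:09 305006 24.13.209.125 regular translation creation failed for protocol 47 src inside:192.168.132.108 dst outside:xxx.xxx.xxx.125",
    # Constructed lines in the same layout (documentation addresses).
    "09 2009 20:50:14 305006 203.0.113.10 regular translation creation failed for protocol 47 src inside:192.168.132.108 dst outside:203.0.113.10",
    "09 2009 20:51:02 305006 203.0.113.20 regular translation creation failed for protocol 50 src inside:192.168.132.120 dst outside:203.0.113.20",
    "09 2009 20:51:30 constructed line with no translation failure",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
    print("GRE failures from:", gre_hosts(SAMPLE))
```
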
