authentify

asked on
How do I pass traffic through IPSec Tunnel

I have created two tunnels (site to site) on a Cisco ASA 5510 8.0(2) and the tunnels work fine and I can pass ICMP traffic without a problem.  I can even pass from the "inside" network, have it translate to a public IP, initiate the tunnel, open it and ping the other side.  

However, when I try to pass UDP traffic through it, particularly protocol 132 SCTP, I get the following error:

305006 regular translation creation failed for protocol 132 src VPN:192.168.x.x dst Outside:216.168.x.x

Now here are a couple of things I don't get:
1. If ICMP traffic passes no problem the routes and crypto maps are correct....we have established that my policies work for setting up the tunnels AND that I can pass ICMP traffic across from the source to the destination and back through.

2. There are really no good explanations out there of what this error truly means.  So I am just not understanding.  Can someone please tell me what to look for here?  How to fix it!?!

Also, I can see the traffic arrive at the firewall "inside" interface and then die there.....
Jan Bacher

The access-lists between two firewall appliances for non-dynamic connections must be the identical inverse of each other and need to include allowing those UDP port connections.

Can you post the ACL for the VPN connections?
authentify (ASKER)
jesper,

A couple of things...the ACLs between the two are to allow IP, ICMP and UDP protocols.....as I stated, ICMP works fine.  Plus it doesn't look like it ever even gets translated to the outside interface.  So the identical inverse would probably be a good problem at this point!!

But I don't own both ends of the site to site tunnel.  Unfortunately, but again why does ICMP work?

Here are the ACLs:

access-list 199; 10 elements
access-list 199 line 1 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 inactive (hitcnt=0) (inactive) 0x4c6044cc
access-list 199 line 2 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 inactive (hitcnt=0) (inactive) 0x682487d0
access-list 199 line 3 extended permit object-group SigtranVPNProtocols 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_5 0x8a425b12
access-list 199 line 3 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x682487d0
access-list 199 line 3 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x4c6044cc
access-list 199 line 3 extended permit icmp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x7a68d2f2
access-list 199 line 3 extended permit icmp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x9ea6c0a5
access-list 199 line 3 extended permit udp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x82b1dd8c
access-list 199 line 3 extended permit udp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x1ecd7fa3
access-list 199 line 3 extended permit 132 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xb146b7f2
access-list 199 line 3 extended permit 132 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x7cfd34e4

access-list Outside_1_cryptomap; 1 elements
access-list Outside_1_cryptomap line 1 extended permit ip host 66.54.246.38 object-group Verisign-Mattoon 0xbbbe470d
access-list Outside_1_cryptomap line 1 extended permit ip host 66.54.246.38 216.168.245.0 255.255.255.192 (hitcnt=4) 0xf7d1cda9
access-list Outside_2_cryptomap; 4 elements
access-list Outside_2_cryptomap line 1 extended permit object-group SigtranVPNProtocols host 66.54.246.38 object-group Verisign-RockHill 0x27342e4c
access-list Outside_2_cryptomap line 1 extended permit ip host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=4) 0xed6ecb16
access-list Outside_2_cryptomap line 1 extended permit icmp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xb4dfa95c
access-list Outside_2_cryptomap line 1 extended permit udp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xc1013ee3
access-list Outside_2_cryptomap line 1 extended permit 132 host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0x16acc4d7

access-list 150; 19 elements
access-list 150 line 1 extended permit ip 192.168.1.0 255.255.255.0 host 216.168.244.6 inactive (hitcnt=0) (inactive) 0x2d24d638
access-list 150 line 2 extended permit ip host 216.168.244.6 192.168.1.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xf6dd74a5
access-list 150 line 3 extended permit ip host 192.168.1.2 any inactive (hitcnt=0) (inactive) 0xaeec8824
access-list 150 line 4 extended permit object-group SigtranVPNProtocols 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_3 0xa5d24631
access-list 150 line 4 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x489ca84d
access-list 150 line 4 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x6438eda9
access-list 150 line 4 extended permit icmp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xe8545e6b
access-list 150 line 4 extended permit icmp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0xbc5ffcd3
access-list 150 line 4 extended permit udp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x7679dc3c
access-list 150 line 4 extended permit udp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x932584ce
access-list 150 line 4 extended permit 132 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xa50350c8
access-list 150 line 4 extended permit 132 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0xac3dfd84
access-list 150 line 5 extended permit object-group SigtranVPNProtocols object-group DM_INLINE_NETWORK_4 192.168.1.0 255.255.255.0 0xd929a972
access-list 150 line 5 extended permit ip 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x336b8bb6
access-list 150 line 5 extended permit ip 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0xa77a1170
access-list 150 line 5 extended permit icmp 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x61e4ef71
access-list 150 line 5 extended permit icmp 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x7d762d9
access-list 150 line 5 extended permit udp 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x26031807
access-list 150 line 5 extended permit udp 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x4c64675
access-list 150 line 5 extended permit 132 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x4ff91f93
access-list 150 line 5 extended permit 132 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0xa2adb250
Can you post the clean access lists and what the first and last are used for:

sh run | i access-list

and if using object-groups, that information, as well.
I appreciate your help so far, but could you first just explain what the error message means.  I realize you gave some explanation earlier but it makes no sense that ping works but nothing else does.  If ICMP traffic can initiate the tunnel and ping across then why can't UDP Protocol 132?
I would be interested in each access list having a 'deny any any log' at the end so that we can see why protocol 132 is not hitting where it should.

And, can you verify that the crypto ACL at the remote end is an inverse match of  yours?
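A script for the mirror-image check Jan asks for, added here as an example and not part of the thread: it parses the `show access-list` output format posted above and compares the local crypto ACL against a peer ACL. The peer ACL is a constructed, hypothetical sample (the remote side is not posted), deliberately missing the protocol 132 entry.

```python
import ipaddress

# Constructed sample input in the format `show access-list` prints on the ASA.
# LOCAL_ACL is the Outside_2_cryptomap posted above; REMOTE_ACL is a hypothetical
# peer ACL (the real peer config is not on the page) that lacks the 132 entry.
LOCAL_ACL = """\
access-list Outside_2_cryptomap line 1 extended permit object-group SigtranVPNProtocols host 66.54.246.38 object-group Verisign-RockHill 0x27342e4c
access-list Outside_2_cryptomap line 1 extended permit ip host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=4) 0xed6ecb16
access-list Outside_2_cryptomap line 1 extended permit icmp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xb4dfa95c
access-list Outside_2_cryptomap line 1 extended permit udp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xc1013ee3
access-list Outside_2_cryptomap line 1 extended permit 132 host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0x16acc4d7
"""
REMOTE_ACL = """\
access-list peer_cryptomap line 1 extended permit ip 216.168.244.0 255.255.255.192 host 66.54.246.38 (hitcnt=4) 0x00000001
access-list peer_cryptomap line 1 extended permit icmp 216.168.244.0 255.255.255.192 host 66.54.246.38 (hitcnt=0) 0x00000002
access-list peer_cryptomap line 1 extended permit udp 216.168.244.0 255.255.255.192 host 66.54.246.38 (hitcnt=0) 0x00000003
"""

def _endpoint(tok, i):
    """Read one src/dst spec starting at tok[i]; return (cidr, next index)."""
    if tok[i] == "any":
        return "0.0.0.0/0", i + 1
    if tok[i] == "host":
        return tok[i + 1] + "/32", i + 2
    net = ipaddress.IPv4Network((tok[i], tok[i + 1]))  # "address netmask" form
    return str(net), i + 2

def parse_aces(text):
    """Return {(proto, src, dst)} for the expanded, active permit entries."""
    aces = set()
    for line in text.splitlines():
        tok = line.split()
        # Skip object-group parent lines (the ASA prints their members expanded
        # right after them) and entries marked inactive, which are not evaluated.
        if "permit" not in tok or "object-group" in tok or "inactive" in tok:
            continue
        i = tok.index("permit") + 1
        proto = tok[i]
        src, i = _endpoint(tok, i + 1)
        dst, i = _endpoint(tok, i)
        aces.add((proto, src, dst))
    return aces

def mirror_mismatches(local, remote):
    """Entries the peer should have to mirror ours but lacks, and its extras."""
    expected = {(p, d, s) for (p, s, d) in local}
    return sorted(expected - remote), sorted(remote - expected)

def permits_protocol(aces, proto):
    """True if some ACE matches the protocol number, or 'ip' covers all protocols."""
    return any(p in (proto, "ip") for (p, _, _) in aces)
```

Note that `permits_protocol` still reports the peer as covering protocol 132 because its `permit ip` entry matches every IP protocol; the literal mismatch matters only if the `ip` line is absent on one side.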
ASKER CERTIFIED SOLUTION
authentify