Solved

How do I pass traffic through IPSec Tunnel

Posted on 2009-07-06
Medium Priority
698 Views
Last Modified: 2012-08-13
I have created two tunnels (site to site) on a Cisco ASA 5510 8.0(2) and the tunnels work fine and I can pass ICMP traffic without a problem.  I can even pass from the "inside" network, have it translate to a public IP, initiate the tunnel, open it and ping the other side.  

However, when I try to pass UDP traffic through it, particularly protocol 132 SCTP, I get the following error:

305006 regular translation creation failed for protocol 132 src VPN:192.168.x.x dst Outside:216.168.x.x

Now here are a couple of things I don't get:
1. If ICMP traffic passes with no problem, the routes and crypto maps are correct....we have established that my policies work for setting up the tunnels AND that I can pass ICMP traffic across from the source to the destination and back through.

2. There are really no good explanations out there of what this error truly means.  So I am just not understanding.  Can someone please tell me what to look for here?  How to fix it!?!

Also, I can see the traffic arrive at the firewall "inside" interface and then die there.....
Question by:authentify
6 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24786148
The access-lists between two firewall appliances for non-dynamic connections must be the identical inverse of each other and need to include allowing those UDP port connections.

Can you post the ACL for the VPN connections?
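Jan's mirror-image requirement can be checked mechanically once both sides' `show access-list` output is in hand. The script below is an added example, not code from this thread: it parses output in the format pasted later in the thread, mirrors the peer's entries (swapping source and destination, ports included) and reports every entry that the other side does not match. The local ACL is the Outside_2_cryptomap from this thread; the peer's ACL (`to_authentify`) is constructed for illustration, since the author does not own the remote end.

```python
"""Compare a local crypto ACL with the peer's and report entries that are not
mirrored.  Added example for this thread; not code from the original post.
Input is `show access-list` output in the form pasted in the thread.  Only the
expanded entries (lines carrying "(hitcnt=...)") are compared: the object-group
parent lines are summaries of the expanded entries that follow them, and
inactive entries are ignored because they select no traffic.
"""
import re
from dataclasses import dataclass

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line \d+ extended (?P<action>permit|deny) "
    r"(?P<body>.*?)\s+(?P<inactive>inactive\s+)?\(hitcnt="
)


@dataclass(frozen=True, order=True)
class Ace:
    proto: str
    src: str
    sport: str
    dst: str
    dport: str

    def mirror(self) -> "Ace":
        """What the same entry must look like from the peer's side."""
        return Ace(self.proto, self.dst, self.dport, self.src, self.sport)


def _addr(tok, i):
    """Parse one address spec starting at tok[i]; return (text, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"{tok[i + 1]}/255.255.255.255", i + 2
    if tok[i] == "object-group":          # only seen on unexpanded parent lines
        return f"og:{tok[i + 1]}", i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2   # network followed by its mask


def _port(tok, i):
    """Parse an optional port qualifier (eq/gt/lt/neq N, range A B)."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq"):
        return f"{tok[i]} {tok[i + 1]}", i + 2
    if i < len(tok) and tok[i] == "range":
        return f"range {tok[i + 1]} {tok[i + 2]}", i + 3
    return "", i


def parse_show_access_list(text):
    """Map ACL name -> set of active permit ACEs, from show access-list output."""
    acls = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m or m["action"] != "permit" or m["inactive"]:
            continue
        tok = m["body"].split()
        src, i = _addr(tok, 1)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)
        acls.setdefault(m["acl"], set()).add(Ace(tok[0], src, sport, dst, dport))
    return acls


def compare_crypto_acls(local_text, local_acl, remote_text, remote_acl):
    """Entries each side has that the other side does not mirror."""
    local = parse_show_access_list(local_text).get(local_acl, set())
    remote_aces = parse_show_access_list(remote_text).get(remote_acl, set())
    remote = {a.mirror() for a in remote_aces}
    return {
        "missing_on_remote": sorted(local - remote),
        "missing_on_local": sorted(remote - local),
    }


# Local side: the Outside_2_cryptomap entries pasted in the thread.
LOCAL = """\
access-list Outside_2_cryptomap line 1 extended permit object-group SigtranVPNProtocols host 66.54.246.38 object-group Verisign-RockHill 0x27342e4c
access-list Outside_2_cryptomap line 1 extended permit ip host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=4) 0xed6ecb16
access-list Outside_2_cryptomap line 1 extended permit icmp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xb4dfa95c
access-list Outside_2_cryptomap line 1 extended permit udp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xc1013ee3
access-list Outside_2_cryptomap line 1 extended permit 132 host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0x16acc4d7
"""

# Peer side: a CONSTRUCTED example of what the other end might be running (the
# thread never shows it).  It mirrors ip/icmp/udp, lacks protocol 132 and has a
# tcp entry with a port qualifier that the local side does not have.
REMOTE = """\
access-list to_authentify line 1 extended permit ip 216.168.244.0 255.255.255.192 host 66.54.246.38 (hitcnt=4) 0x11111111
access-list to_authentify line 2 extended permit icmp 216.168.244.0 255.255.255.192 host 66.54.246.38 (hitcnt=0) 0x22222222
access-list to_authentify line 3 extended permit udp 216.168.244.0 255.255.255.192 host 66.54.246.38 (hitcnt=0) 0x33333333
access-list to_authentify line 4 extended permit tcp 216.168.244.0 255.255.255.192 host 66.54.246.38 eq 2905 (hitcnt=0) 0x44444444
"""

if __name__ == "__main__":
    report = compare_crypto_acls(LOCAL, "Outside_2_cryptomap", REMOTE, "to_authentify")
    for side, aces in report.items():
        for ace in aces:
            print(side, ace)
```

Run against the constructed peer ACL, the report lists the protocol 132 entry under `missing_on_remote` and the peer's `tcp ... eq 2905` entry under `missing_on_local`; a clean mirror produces two empty lists. Deny entries and inactive entries are deliberately ignored, since neither selects traffic for the tunnel.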
 
LVL 1

Author Comment

by:authentify
ID: 24786349
jesper,

Couple of things...the ACL between the two are to allow IP, ICMP and UDP protocols.....as I stated ICMP works fine.  Plus it doesn't look like it ever even gets translated to the outside interface.  So the identical inverse would probably be a good problem at this point!!

But I don't own both ends of the site to site tunnel.  Unfortunately, but again why does ICMP work?

Here are the ACLs:

access-list 199; 10 elements
access-list 199 line 1 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 inactive (hitcnt=0) (inactive) 0x4c6044cc
access-list 199 line 2 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 inactive (hitcnt=0) (inactive) 0x682487d0
access-list 199 line 3 extended permit object-group SigtranVPNProtocols 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_5 0x8a425b12
access-list 199 line 3 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x682487d0
access-list 199 line 3 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x4c6044cc
access-list 199 line 3 extended permit icmp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x7a68d2f2
access-list 199 line 3 extended permit icmp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x9ea6c0a5
access-list 199 line 3 extended permit udp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x82b1dd8c
access-list 199 line 3 extended permit udp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x1ecd7fa3
access-list 199 line 3 extended permit 132 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xb146b7f2
access-list 199 line 3 extended permit 132 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x7cfd34e4

access-list Outside_1_cryptomap; 1 elements
access-list Outside_1_cryptomap line 1 extended permit ip host 66.54.246.38 object-group Verisign-Mattoon 0xbbbe470d
access-list Outside_1_cryptomap line 1 extended permit ip host 66.54.246.38 216.168.245.0 255.255.255.192 (hitcnt=4) 0xf7d1cda9
access-list Outside_2_cryptomap; 4 elements
access-list Outside_2_cryptomap line 1 extended permit object-group SigtranVPNProtocols host 66.54.246.38 object-group Verisign-RockHill 0x27342e4c
access-list Outside_2_cryptomap line 1 extended permit ip host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=4) 0xed6ecb16
access-list Outside_2_cryptomap line 1 extended permit icmp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xb4dfa95c
access-list Outside_2_cryptomap line 1 extended permit udp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xc1013ee3
access-list Outside_2_cryptomap line 1 extended permit 132 host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0x16acc4d7

access-list 150; 19 elements
access-list 150 line 1 extended permit ip 192.168.1.0 255.255.255.0 host 216.168.244.6 inactive (hitcnt=0) (inactive) 0x2d24d638
access-list 150 line 2 extended permit ip host 216.168.244.6 192.168.1.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xf6dd74a5
access-list 150 line 3 extended permit ip host 192.168.1.2 any inactive (hitcnt=0) (inactive) 0xaeec8824
access-list 150 line 4 extended permit object-group SigtranVPNProtocols 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_3 0xa5d24631
access-list 150 line 4 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x489ca84d
access-list 150 line 4 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x6438eda9
access-list 150 line 4 extended permit icmp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xe8545e6b
access-list 150 line 4 extended permit icmp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0xbc5ffcd3
access-list 150 line 4 extended permit udp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x7679dc3c
access-list 150 line 4 extended permit udp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x932584ce
access-list 150 line 4 extended permit 132 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xa50350c8
access-list 150 line 4 extended permit 132 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0xac3dfd84
access-list 150 line 5 extended permit object-group SigtranVPNProtocols object-group DM_INLINE_NETWORK_4 192.168.1.0 255.255.255.0 0xd929a972
access-list 150 line 5 extended permit ip 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x336b8bb6
access-list 150 line 5 extended permit ip 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0xa77a1170
access-list 150 line 5 extended permit icmp 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x61e4ef71
access-list 150 line 5 extended permit icmp 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x7d762d9
access-list 150 line 5 extended permit udp 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x26031807
access-list 150 line 5 extended permit udp 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x4c64675
access-list 150 line 5 extended permit 132 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x4ff91f93
access-list 150 line 5 extended permit 132 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0xa2adb250
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24786517
can you post the clean access lists and what the first and last are used for:

sh run | i access-list

and if using object-groups, that information, as well.
 
LVL 1

Author Comment

by:authentify
ID: 24787082
I appreciate your help so far, but could you first just explain what the error message means. I realize you gave some explanation earlier but it makes no sense that ping works but nothing else does. If ICMP traffic can initiate the tunnel and ping across then why can't UDP Protocol 132?
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24787403
I would be interested in each access list having a 'deny any any log' at the end so that we can see why protocol 132 is not hitting where it should.

And, can you verify that the crypto ACL at the remote end is an inverse match of  yours?
 
LVL 1

Accepted Solution

by:authentify (earned 0 total points)
ID: 25842281
Just so all you know, the official answer from Cisco is that they do not support SCTP.
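The reason ping worked while protocol 132 did not is visible in the error itself. The author's inside network is translated onto a single public address (192.168.1.0/24 appears as host 66.54.246.38 in the crypto ACL), which is dynamic PAT. PAT rewrites a TCP/UDP port or the ICMP identifier, so it can translate only those three protocols; an IP protocol with no port field, such as 132 (SCTP), 47 (GRE) or 50 (ESP), cannot be given a PAT translation and the ASA logs 305006 for it. Such traffic can only be carried by a one-to-one static translation or by exempting it from NAT. The script below is an added example, not code from this thread or from Cisco: it parses 305006 lines and flags the protocols PAT cannot handle. The line quoted in the question is the only message format taken from the page; the `for udp ... /port` form and the sample log lines are constructed and assumed.

```python
"""Triage ASA 305006 "regular translation creation failed" messages.

Added example for this thread, not code from the original post.  Dynamic PAT
rewrites a TCP/UDP port or the ICMP identifier, so only those protocols can be
PAT'd; anything else (SCTP 132, GRE 47, ESP 50, ...) gets no xlate and logs
305006.  The "protocol N" form is the one quoted in the question; the named
form with "/port" suffixes is an ASSUMED variant of the same message.
"""
import re
from collections import Counter

# IP protocol numbers the ASA can PAT (they carry a port or an ICMP id).
PAT_CAPABLE = {1: "icmp", 6: "tcp", 17: "udp"}
# Other protocol numbers a firewall engineer meets in this message.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah", 132: "sctp"}
NAME_TO_NUM = {v: k for k, v in PROTO_NAMES.items()}

MSG_RE = re.compile(
    r"305006:?\s+regular translation creation failed for "
    r"(?:protocol (?P<num>\d+)|(?P<name>[a-z]+)) "
    r"src (?P<sif>[^:\s]+):(?P<sip>[^/\s]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>[^:\s]+):(?P<dip>[^/\s]+)(?:/(?P<dport>\d+))?"
)


def explain(line):
    """Return a dict describing one 305006 message, or None if it is not one."""
    m = MSG_RE.search(line)
    if not m:
        return None
    num = int(m["num"]) if m["num"] else NAME_TO_NUM.get(m["name"])
    name = PROTO_NAMES.get(num, m["name"] or f"proto-{num}")
    if num in PAT_CAPABLE:
        verdict = ("port-based protocol: PAT itself is possible, so check the "
                   "nat/global pairs for this interface pair and 'show xlate'")
    else:
        verdict = ("no port field: dynamic PAT cannot translate this protocol; "
                   "use a one-to-one static NAT or exempt it from NAT (nat 0)")
    return {
        "protocol": num,
        "name": name,
        "src": (m["sif"], m["sip"], m["sport"]),
        "dst": (m["dif"], m["dip"], m["dport"]),
        "pat_capable": num in PAT_CAPABLE,
        "verdict": verdict,
    }


def triage(lines):
    """Count 305006 failures per protocol so the non-PAT-able ones stand out."""
    by_proto = Counter()
    for line in lines:
        info = explain(line)
        if info:
            by_proto[(info["name"], info["pat_capable"])] += 1
    return by_proto


# CONSTRUCTED sample log: the first two lines follow the message quoted in the
# question (with made-up host addresses); the rest are assumed variants for
# other protocols plus one unrelated message that must be ignored.
SAMPLE_LOG = """\
%ASA-3-305006: regular translation creation failed for protocol 132 src VPN:192.168.1.20 dst Outside:216.168.244.6
%ASA-3-305006: regular translation creation failed for protocol 132 src VPN:192.168.1.21 dst Outside:216.168.244.6
%ASA-3-305006: regular translation creation failed for protocol 47 src inside:192.168.1.30 dst Outside:198.51.100.9
%ASA-3-305006: regular translation creation failed for udp src inside:192.168.1.40/5060 dst Outside:198.51.100.9/5060
%ASA-6-302013: Built outbound TCP connection 1234 for Outside:198.51.100.9/443 (198.51.100.9/443) to inside:192.168.1.40/50000 (66.54.246.38/50000)
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        info = explain(line)
        if info:
            print(f"{info['name']:5} {info['src'][1]} -> {info['dst'][1]}: {info['verdict']}")
    print(triage(SAMPLE_LOG))
```

On the constructed log the two SCTP lines and the GRE line are reported as protocols PAT cannot carry, the UDP line is reported as a translation that should have been possible, and the 302013 line is ignored. Once the PAT limitation is understood, the ASA's lack of SCTP support that Cisco cited above is the remaining blocker for this particular protocol.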