Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

How do I pass traffic through IPSec Tunnel

Posted on 2009-07-06
6
Medium Priority
?
699 Views
Last Modified: 2012-08-13
I have created two tunnels (site to site) on a Cisco ASA 5510 8.0(2) and the tunnels work fine and I can pass ICMP traffic without a problem.  I can even pass from the "inside" network, have it translate to a public IP, initiate the tunnel, open it and ping the other side.  

However, when I try to pass UDP traffic through it, particularly protocol 132 SCTP, i get the following error:

305006 regular translation creation failed for protocol 132 src VPN:192.168.x.x dst Outside:216.168.x.x

Now here is a couple of things I dont get:
1. If ICMP traffic passes no problem the routes and crypto maps are correct....we have established that my policies work for setting up the tunnels AND that I can pass ICMP traffic across from the source to the destination and back through.

2. There are really no good explanations out there of what this error truly means.  So I am just not understanding.  Can someone please tell me what to look for here?  How to fix it!?!

Also, I can see the traffic arrive at the firewall "inside" interface and then die there.....
0
Comment
Question by:authentify
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24786148
The access-lists between two firewall appliances for non-dynamic connections must be the identical inverse of each other and need to include allowing those UDP port connections.

Can you post the ACL for the VPN connections?
0
 
LVL 1

Author Comment

by:authentify
ID: 24786349
jesper,

Couple of things...the ACL between the two are to allow IP, ICMP and UDP protocols.....as I stated ICMP works fine.  Plus it doesn't look like it ever even gets translated to the outside interface.  So the identical inverse would probably be a good problem at this point!!

But I don't own both ends of the site to site tunnel.  Unfortunately, but again why does ICMP work?

Here is the acl's:

access-list 199; 10 elements
access-list 199 line 1 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 inactive (hitcnt=0) (inactive) 0x4c6044cc
access-list 199 line 2 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 inactive (hitcnt=0) (inactive) 0x682487d0
access-list 199 line 3 extended permit object-group SigtranVPNProtocols 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_5 0x8a425b12
access-list 199 line 3 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x682487d0
access-list 199 line 3 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x4c6044cc
access-list 199 line 3 extended permit icmp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x7a68d2f2
access-list 199 line 3 extended permit icmp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x9ea6c0a5
access-list 199 line 3 extended permit udp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x82b1dd8c
access-list 199 line 3 extended permit udp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x1ecd7fa3
access-list 199 line 3 extended permit 132 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xb146b7f2
access-list 199 line 3 extended permit 132 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x7cfd34e4

access-list Outside_1_cryptomap; 1 elements
access-list Outside_1_cryptomap line 1 extended permit ip host 66.54.246.38 object-group Verisign-Mattoon 0xbbbe470d
access-list Outside_1_cryptomap line 1 extended permit ip host 66.54.246.38 216.168.245.0 255.255.255.192 (hitcnt=4) 0xf7d1cda9
access-list Outside_2_cryptomap; 4 elements
access-list Outside_2_cryptomap line 1 extended permit object-group SigtranVPNProtocols host 66.54.246.38 object-group Verisign-RockHill 0x27342e4c
access-list Outside_2_cryptomap line 1 extended permit ip host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=4) 0xed6ecb16
access-list Outside_2_cryptomap line 1 extended permit icmp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xb4dfa95c
access-list Outside_2_cryptomap line 1 extended permit udp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xc1013ee3
access-list Outside_2_cryptomap line 1 extended permit 132 host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0x16acc4d7

access-list 150; 19 elements
access-list 150 line 1 extended permit ip 192.168.1.0 255.255.255.0 host 216.168.244.6 inactive (hitcnt=0) (inactive) 0x2d24d638
access-list 150 line 2 extended permit ip host 216.168.244.6 192.168.1.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xf6dd74a5
access-list 150 line 3 extended permit ip host 192.168.1.2 any inactive (hitcnt=0) (inactive) 0xaeec8824
access-list 150 line 4 extended permit object-group SigtranVPNProtocols 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_3 0xa5d24631
access-list 150 line 4 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x489ca84d
access-list 150 line 4 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x6438eda9
access-list 150 line 4 extended permit icmp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xe8545e6b
access-list 150 line 4 extended permit icmp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0xbc5ffcd3
access-list 150 line 4 extended permit udp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x7679dc3c
access-list 150 line 4 extended permit udp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x932584ce
access-list 150 line 4 extended permit 132 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xa50350c8
access-list 150 line 4 extended permit 132 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0xac3dfd84
access-list 150 line 5 extended permit object-group SigtranVPNProtocols object-group DM_INLINE_NETWORK_4 192.168.1.0 255.255.255.0 0xd929a972
access-list 150 line 5 extended permit ip 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x336b8bb6
access-list 150 line 5 extended permit ip 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0xa77a1170
access-list 150 line 5 extended permit icmp 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x61e4ef71
access-list 150 line 5 extended permit icmp 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x7d762d9
access-list 150 line 5 extended permit udp 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x26031807
access-list 150 line 5 extended permit udp 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x4c64675
access-list 150 line 5 extended permit 132 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x4ff91f93
access-list 150 line 5 extended permit 132 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0xa2adb250
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24786517
can you post the clean access lists and what the first and last are used fo:

sh run | i access-list

and if using object-groups, that information, as well.
0
Ready for your healthcare security check-up?

In the past few years, healthcare organizations have become a prime target for advanced attacks. Does your organization have what it needs to defend itself? Schedule your healthcare security check-up today and download our free Healthcare Security Resource Kit today!

 
LVL 1

Author Comment

by:authentify
ID: 24787082
I appreciate your help so far, but could you first just expalin what the error message means.  I realize you gave some explanation earlier but it makes no sesne that ping works but nothing else does.  If ICMP traffic can initiate the tunnel and ping across then why can't UDP Protocol 132?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24787403
I would be interested in each access list having a 'deny any any log' at the end so that we can see why protocol 132 is not hitting where it should.

And, can you verify that the crypto ACL at the remote end is an inverse match of  yours?
0
 
LVL 1

Accepted Solution

by:
authentify earned 0 total points
ID: 25842281
Just so all you know, the official answer from Cisco is that thy do not support SCTP.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question