How do I pass traffic through IPSec Tunnel

I have created two tunnels (site to site) on a Cisco ASA 5510 8.0(2) and the tunnels work fine and I can pass ICMP traffic without a problem.  I can even pass from the "inside" network, have it translate to a public IP, initiate the tunnel, open it and ping the other side.  

However, when I try to pass UDP traffic through it, particularly protocol 132 SCTP, I get the following error:

305006 regular translation creation failed for protocol 132 src VPN:192.168.x.x dst Outside:216.168.x.x

Now here are a couple of things I don't get:
1. If ICMP traffic passes no problem, the routes and crypto maps are correct. We have established that my policies work for setting up the tunnels AND that I can pass ICMP traffic across from the source to the destination and back through.

2. There are really no good explanations out there of what this error truly means.  So I am just not understanding.  Can someone please tell me what to look for here?  How to fix it!?!

Also, I can see the traffic arrive at the firewall "inside" interface and then die there.
authentify asked:

Jan Springer commented:
The access-lists between two firewall appliances for non-dynamic connections must be the identical inverse of each other and need to include allowing those UDP port connections.

Can you post the ACL for the VPN connections?
authentify (Author) commented:
jesper,

Couple of things... the ACLs between the two are set to allow the IP, ICMP and UDP protocols. As I stated, ICMP works fine. Plus it doesn't look like it ever even gets translated to the outside interface. So the identical inverse would probably be a good problem at this point!!

But I don't own both ends of the site-to-site tunnel, unfortunately. But again, why does ICMP work?

Here are the ACLs:

access-list 199; 10 elements
access-list 199 line 1 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 inactive (hitcnt=0) (inactive) 0x4c6044cc
access-list 199 line 2 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 inactive (hitcnt=0) (inactive) 0x682487d0
access-list 199 line 3 extended permit object-group SigtranVPNProtocols 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_5 0x8a425b12
access-list 199 line 3 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x682487d0
access-list 199 line 3 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x4c6044cc
access-list 199 line 3 extended permit icmp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x7a68d2f2
access-list 199 line 3 extended permit icmp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x9ea6c0a5
access-list 199 line 3 extended permit udp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x82b1dd8c
access-list 199 line 3 extended permit udp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x1ecd7fa3
access-list 199 line 3 extended permit 132 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xb146b7f2
access-list 199 line 3 extended permit 132 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x7cfd34e4

access-list Outside_1_cryptomap; 1 elements
access-list Outside_1_cryptomap line 1 extended permit ip host 66.54.246.38 object-group Verisign-Mattoon 0xbbbe470d
access-list Outside_1_cryptomap line 1 extended permit ip host 66.54.246.38 216.168.245.0 255.255.255.192 (hitcnt=4) 0xf7d1cda9
access-list Outside_2_cryptomap; 4 elements
access-list Outside_2_cryptomap line 1 extended permit object-group SigtranVPNProtocols host 66.54.246.38 object-group Verisign-RockHill 0x27342e4c
access-list Outside_2_cryptomap line 1 extended permit ip host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=4) 0xed6ecb16
access-list Outside_2_cryptomap line 1 extended permit icmp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xb4dfa95c
access-list Outside_2_cryptomap line 1 extended permit udp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xc1013ee3
access-list Outside_2_cryptomap line 1 extended permit 132 host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0x16acc4d7

access-list 150; 19 elements
access-list 150 line 1 extended permit ip 192.168.1.0 255.255.255.0 host 216.168.244.6 inactive (hitcnt=0) (inactive) 0x2d24d638
access-list 150 line 2 extended permit ip host 216.168.244.6 192.168.1.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xf6dd74a5
access-list 150 line 3 extended permit ip host 192.168.1.2 any inactive (hitcnt=0) (inactive) 0xaeec8824
access-list 150 line 4 extended permit object-group SigtranVPNProtocols 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_3 0xa5d24631
access-list 150 line 4 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x489ca84d
access-list 150 line 4 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x6438eda9
access-list 150 line 4 extended permit icmp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xe8545e6b
access-list 150 line 4 extended permit icmp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0xbc5ffcd3
access-list 150 line 4 extended permit udp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x7679dc3c
access-list 150 line 4 extended permit udp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x932584ce
access-list 150 line 4 extended permit 132 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xa50350c8
access-list 150 line 4 extended permit 132 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0xac3dfd84
access-list 150 line 5 extended permit object-group SigtranVPNProtocols object-group DM_INLINE_NETWORK_4 192.168.1.0 255.255.255.0 0xd929a972
access-list 150 line 5 extended permit ip 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x336b8bb6
access-list 150 line 5 extended permit ip 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0xa77a1170
access-list 150 line 5 extended permit icmp 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x61e4ef71
access-list 150 line 5 extended permit icmp 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x7d762d9
access-list 150 line 5 extended permit udp 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x26031807
access-list 150 line 5 extended permit udp 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x4c64675
access-list 150 line 5 extended permit 132 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x4ff91f93
access-list 150 line 5 extended permit 132 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0xa2adb250
Jan Springer commented:
Can you post the clean access lists and what the first and last are used for:

sh run | i access-list

and if using object-groups, that information, as well.
authentify (Author) commented:
I appreciate your help so far, but could you first just explain what the error message means. I realize you gave some explanation earlier, but it makes no sense that ping works but nothing else does. If ICMP traffic can initiate the tunnel and ping across, then why can't UDP Protocol 132?
Jan Springer commented:
I would be interested in each access list having a 'deny any any log' at the end so that we can see why protocol 132 is not hitting where it should.

And, can you verify that the crypto ACL at the remote end is an inverse match of yours?
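The two checks Jan asks for above (does the crypto ACL actually match a protocol 132 flow, and is the remote crypto ACL the exact inverse of the local one) can be done mechanically. This is an added example, not code from the thread or from Cisco: a small Python parser for the show access-list output posted earlier, fed the Outside_2_cryptomap entries from this thread plus a constructed remote-side ACL (the L2L name and its entries are assumptions, since the asker does not own that end). It says nothing about the 305006 translation error itself.

```python
import ipaddress

# Local crypto ACL exactly as the ASA printed it in the thread (Outside_2_cryptomap).
LOCAL_ACL = """
access-list Outside_2_cryptomap line 1 extended permit object-group SigtranVPNProtocols host 66.54.246.38 object-group Verisign-RockHill 0x27342e4c
access-list Outside_2_cryptomap line 1 extended permit ip host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=4) 0xed6ecb16
access-list Outside_2_cryptomap line 1 extended permit icmp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xb4dfa95c
access-list Outside_2_cryptomap line 1 extended permit udp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xc1013ee3
access-list Outside_2_cryptomap line 1 extended permit 132 host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0x16acc4d7
"""
# Constructed remote-side crypto ACL (hypothetical, since the asker does not own that
# end); it mirrors ip/icmp/udp but deliberately omits protocol 132 so the check fires.
REMOTE_ACL = """
access-list L2L line 1 extended permit ip 216.168.244.0 255.255.255.192 host 66.54.246.38 (hitcnt=4) 0x1
access-list L2L line 1 extended permit icmp 216.168.244.0 255.255.255.192 host 66.54.246.38 (hitcnt=0) 0x2
access-list L2L line 1 extended permit udp 216.168.244.0 255.255.255.192 host 66.54.246.38 (hitcnt=0) 0x3
"""

def _take_addr(tokens):
    """Consume one ASA address spec: any | host A.B.C.D | NET MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok + "/" + tokens.pop(0))

def parse_aces(text):
    """Return (action, proto, src_net, dst_net) for each active, expanded ACE."""
    aces = []
    for line in text.splitlines():
        parts = line.split()
        # Skip headers, collapsed object-group parents (their expanded children follow) and inactive entries.
        if len(parts) < 8 or parts[2] != "line" or "object-group" in parts or "(inactive)" in parts:
            continue
        tokens = parts[7:]
        src, dst = _take_addr(tokens), _take_addr(tokens)
        aces.append((parts[5], parts[6], src, dst))
    return aces

def first_match(aces, proto, src_ip, dst_ip):
    """First ACE a flow hits, in ASA order, or None; an 'ip' entry covers every protocol."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst in aces:
        if p in ("ip", proto) and s in src and d in dst:
            return action, p

def mirror_gaps(local, remote):
    """Local ACEs with no exact inverse (proto, dst, src) entry on the remote side."""
    inverse = {(p, dst, src) for _, p, src, dst in remote}
    return [(p, src, dst) for _, p, src, dst in local if (p, src, dst) not in inverse]
```

The mirror check is deliberately strict, as Jan describes it: an ip entry on one side is not treated as covering a protocol 132 entry on the other.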
authentify (Author) commented:
Just so all you know, the official answer from Cisco is that they do not support SCTP.