Solved

How do I pass traffic through IPSec Tunnel

Posted on 2009-07-06
6
684 Views
Last Modified: 2012-08-13
I have created two tunnels (site to site) on a Cisco ASA 5510 8.0(2) and the tunnels work fine and I can pass ICMP traffic without a problem.  I can even pass from the "inside" network, have it translate to a public IP, initiate the tunnel, open it and ping the other side.  

However, when I try to pass UDP traffic through it, particularly protocol 132 SCTP, i get the following error:

305006 regular translation creation failed for protocol 132 src VPN:192.168.x.x dst Outside:216.168.x.x

Now here is a couple of things I dont get:
1. If ICMP traffic passes no problem the routes and crypto maps are correct....we have established that my policies work for setting up the tunnels AND that I can pass ICMP traffic across from the source to the destination and back through.

2. There are really no good explanations out there of what this error truly means.  So I am just not understanding.  Can someone please tell me what to look for here?  How to fix it!?!

Also, I can see the traffic arrive at the firewall "inside" interface and then die there.....
0
Comment
Question by:authentify
  • 3
  • 3
6 Comments
 
LVL 28

Expert Comment

by:Jan Springer
Comment Utility
The access-lists between two firewall appliances for non-dynamic connections must be the identical inverse of each other and need to include allowing those UDP port connections.

Can you post the ACL for the VPN connections?
0
 
LVL 1

Author Comment

by:authentify
Comment Utility
jesper,

Couple of things...the ACL between the two are to allow IP, ICMP and UDP protocols.....as I stated ICMP works fine.  Plus it doesn't look like it ever even gets translated to the outside interface.  So the identical inverse would probably be a good problem at this point!!

But I don't own both ends of the site to site tunnel.  Unfortunately, but again why does ICMP work?

Here is the acl's:

access-list 199; 10 elements
access-list 199 line 1 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 inactive (hitcnt=0) (inactive) 0x4c6044cc
access-list 199 line 2 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 inactive (hitcnt=0) (inactive) 0x682487d0
access-list 199 line 3 extended permit object-group SigtranVPNProtocols 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_5 0x8a425b12
access-list 199 line 3 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x682487d0
access-list 199 line 3 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x4c6044cc
access-list 199 line 3 extended permit icmp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x7a68d2f2
access-list 199 line 3 extended permit icmp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x9ea6c0a5
access-list 199 line 3 extended permit udp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x82b1dd8c
access-list 199 line 3 extended permit udp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x1ecd7fa3
access-list 199 line 3 extended permit 132 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xb146b7f2
access-list 199 line 3 extended permit 132 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x7cfd34e4

access-list Outside_1_cryptomap; 1 elements
access-list Outside_1_cryptomap line 1 extended permit ip host 66.54.246.38 object-group Verisign-Mattoon 0xbbbe470d
access-list Outside_1_cryptomap line 1 extended permit ip host 66.54.246.38 216.168.245.0 255.255.255.192 (hitcnt=4) 0xf7d1cda9
access-list Outside_2_cryptomap; 4 elements
access-list Outside_2_cryptomap line 1 extended permit object-group SigtranVPNProtocols host 66.54.246.38 object-group Verisign-RockHill 0x27342e4c
access-list Outside_2_cryptomap line 1 extended permit ip host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=4) 0xed6ecb16
access-list Outside_2_cryptomap line 1 extended permit icmp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xb4dfa95c
access-list Outside_2_cryptomap line 1 extended permit udp host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0xc1013ee3
access-list Outside_2_cryptomap line 1 extended permit 132 host 66.54.246.38 216.168.244.0 255.255.255.192 (hitcnt=0) 0x16acc4d7

access-list 150; 19 elements
access-list 150 line 1 extended permit ip 192.168.1.0 255.255.255.0 host 216.168.244.6 inactive (hitcnt=0) (inactive) 0x2d24d638
access-list 150 line 2 extended permit ip host 216.168.244.6 192.168.1.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xf6dd74a5
access-list 150 line 3 extended permit ip host 192.168.1.2 any inactive (hitcnt=0) (inactive) 0xaeec8824
access-list 150 line 4 extended permit object-group SigtranVPNProtocols 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_3 0xa5d24631
access-list 150 line 4 extended permit ip 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x489ca84d
access-list 150 line 4 extended permit ip 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x6438eda9
access-list 150 line 4 extended permit icmp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xe8545e6b
access-list 150 line 4 extended permit icmp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0xbc5ffcd3
access-list 150 line 4 extended permit udp 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0x7679dc3c
access-list 150 line 4 extended permit udp 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0x932584ce
access-list 150 line 4 extended permit 132 192.168.1.0 255.255.255.0 216.168.245.0 255.255.255.192 (hitcnt=0) 0xa50350c8
access-list 150 line 4 extended permit 132 192.168.1.0 255.255.255.0 216.168.244.0 255.255.255.192 (hitcnt=0) 0xac3dfd84
access-list 150 line 5 extended permit object-group SigtranVPNProtocols object-group DM_INLINE_NETWORK_4 192.168.1.0 255.255.255.0 0xd929a972
access-list 150 line 5 extended permit ip 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x336b8bb6
access-list 150 line 5 extended permit ip 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0xa77a1170
access-list 150 line 5 extended permit icmp 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x61e4ef71
access-list 150 line 5 extended permit icmp 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x7d762d9
access-list 150 line 5 extended permit udp 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x26031807
access-list 150 line 5 extended permit udp 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x4c64675
access-list 150 line 5 extended permit 132 216.168.245.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0x4ff91f93
access-list 150 line 5 extended permit 132 216.168.244.0 255.255.255.192 192.168.1.0 255.255.255.0 (hitcnt=0) 0xa2adb250
0
 
LVL 28

Expert Comment

by:Jan Springer
Comment Utility
can you post the clean access lists and what the first and last are used fo:

sh run | i access-list

and if using object-groups, that information, as well.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 1

Author Comment

by:authentify
Comment Utility
I appreciate your help so far, but could you first just expalin what the error message means.  I realize you gave some explanation earlier but it makes no sesne that ping works but nothing else does.  If ICMP traffic can initiate the tunnel and ping across then why can't UDP Protocol 132?
0
 
LVL 28

Expert Comment

by:Jan Springer
Comment Utility
I would be interested in each access list having a 'deny any any log' at the end so that we can see why protocol 132 is not hitting where it should.

And, can you verify that the crypto ACL at the remote end is an inverse match of  yours?
0
 
LVL 1

Accepted Solution

by:
authentify earned 0 total points
Comment Utility
Just so all you know, the official answer from Cisco is that thy do not support SCTP.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now