asked on

Cisco 5505 ASA - Error msg "regular translation creation failed for protocol 50" when trying to VPN

Hello,

I have been googling this issue for a while now and I can't seem to find a straight answer on what fixes this issue. We have a 5505 ASA connecting our corporate network to the internet. When we try to establish a VPN connection from inside our network to a PIX 501 using the VPN client (using IPsec over UDP), I get the following error in the logs (X.X.X.X being the outside IP address of the remote PIX 501, 192.168.8.77 being the inside host attempting to establish the VPN connection):

2009-07-13 16:22:51 Local4.Error 192.168.8.9 %ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.8.77 dst outside:X.X.X.X

We can connect to the VPN but then can't go anywhere on the remote network. I have been looking for a fix for this and seen many messages about enabling NAT traversal and 'inspect ipsec-pass-thru' commands but I haven't found anyone confirming the correct way to fix the issue, at least not for an ASA. I'm hesitant to do too much testing because this is a production ASA and I don't want to break anything by testing different methods. If anyone can give me the exact fix for this issue, or at least what has personally worked for you, I would be very grateful....plus I'll give you 500 points. The ASA config is below....please advise if any changes need to be made to the PIX 501.

Thanks

ASA Version 7.2(3) 
!
hostname ciscoasa
domain-name XXX
enable password encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.8.9 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.2 255.255.255.240 
!
interface Vlan3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
 switchport trunk allowed vlan 2-3
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network new-network
 network-object 192.168.10.0 255.255.254.0
access-list outside_access_in extended deny icmp any host X.X.X.5 timestamp-request 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any eq smtp host 192.168.11.225 eq smtp inactive 
access-list outside_access_in extended permit icmp any host X.X.X.14 
access-list outside_access_in extended permit tcp any host X.X.X.14 eq ftp 
access-list outside_access_in extended permit tcp any host X.X.X.14 eq imap4 
access-list outside_access_in extended permit tcp any host X.X.X.14 eq 585 
access-list outside_access_in extended permit tcp any host X.X.X.14 eq 993 
access-list outside_access_in extended permit tcp any host X.X.X.14 eq pop3 
access-list outside_access_in extended permit tcp any host X.X.X.14 eq 995 
access-list outside_access_in extended permit tcp any host X.X.X.14 eq www 
access-list outside_access_in extended permit tcp any host X.X.X.14 eq https 
access-list outside_access_in extended permit tcp any host X.X.X.14 eq 115 
access-list outside_access_in extended permit tcp any host X.X.X.14 eq pptp 
access-list outside_access_in extended permit tcp any host X.X.X.14 eq smtp 
access-list outside_access_in extended permit gre any host X.X.X.14 
access-list outside_access_in extended permit gre any host X.X.X.5 
access-list outside_access_in extended permit tcp any host X.X.X.5 eq pptp 
access-list outside_access_in extended permit tcp any host X.X.X.6 eq telnet 
access-list outside_access_in extended permit tcp any host X.X.X.6 eq 59002 
access-list outside_access_in extended permit udp any host X.X.X.6 eq 59002 
access-list outside_access_in extended permit tcp any host X.X.X.7 eq www 
access-list outside_access_in extended permit tcp any host X.X.X.7 eq https 
access-list outside_access_in extended permit tcp any host X.X.X.7 eq smtp 
access-list outside_access_in extended permit tcp any host X.X.X.7 eq imap4 
access-list outside_access_in extended permit tcp any host X.X.X.7 eq pop3 
access-list outside_access_in extended permit udp any host X.X.X.8 eq 58002 
access-list outside_access_in extended permit tcp any host X.X.X.8 eq 58002 
access-list outside_access_in extended permit tcp any host X.X.X.8 eq telnet 
access-list outside_access_in extended permit tcp any host X.X.X.9 eq 59002 
access-list outside_access_in extended permit udp any host X.X.X.9 eq 59002 
access-list outside_access_in extended permit tcp any host X.X.X.9 eq telnet 
access-list outside_access_in extended permit tcp any host X.X.X.10 eq 5400 
access-list outside_access_in extended permit tcp any host X.X.X.11 eq 5400 
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.254.0 10.30.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.254.0 10.0.0.0 255.255.255.0 
pager lines 24
logging enable
logging console errors
logging trap notifications
logging asdm notifications
logging host inside 192.168.8.250
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp inside 192.168.10.41 001e.52f2.2d01 
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) X.X.X.5 192.168.8.32 netmask 255.255.255.255 
static (inside,outside) X.X.X.14 192.168.12.248 netmask 255.255.255.255 
static (inside,outside) X.X.X.6 192.168.14.19 netmask 255.255.255.255 
static (inside,outside) X.X.X.7 192.168.8.20 netmask 255.255.255.255 
static (inside,outside) X.X.X.9 192.168.12.250 netmask 255.255.255.255 
static (inside,outside) X.X.X.8 192.168.15.19 netmask 255.255.255.255 
static (inside,outside) X.X.X.10 192.168.12.72 netmask 255.255.255.255 
static (inside,outside) X.X.X.11 192.168.10.22 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route inside 192.168.10.0 255.255.254.0 192.168.8.29 1
route inside 192.168.12.0 255.255.254.0 192.168.8.29 1
route inside 192.168.14.0 255.255.254.0 192.168.8.29 1
route inside 192.168.16.0 255.255.254.0 192.168.8.29 1
route outside 0.0.0.0 0.0.0.0 X.X.X.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.9.0 255.255.255.0 inside
http 192.168.8.0 255.255.255.0 inside
snmp-server host inside 192.168.10.21 poll community xxxxx version 2c
no snmp-server location
no snmp-server contact
snmp-server community xxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.8.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.254.0 inside
telnet timeout 5
ssh 192.168.8.0 255.255.255.0 inside
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
ntp server X.X.X.X source outside
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key 
prompt hostname context 
Cryptochecksum:
: end

Open in new window

bkepford

What looks like your problem is that you are not matching traffic to be sent through the tunnel. I take it that 10.30.0.0/16 and 10.0.0.0/24 are your remote networks where the PIX is?

and it looks like these commands actually tell it where the PIX is and how to connect but will not send traffic back and forth.

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2

The below configuration should finish it up for you. You don't have to paste in any lines with a !--- in front these are just comments.
lifetime 86400
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key

access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.254.0 10.30.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.254.0 10.0.0.0 255.255.255.0
 
!--- This access list (outside_cryptomap) is used 
!--- with the crypto map outside_map 
!--- to determine which traffic should be encrypted and sent 
!--- across the tunnel.
!--- This ACL is intentionally the same as (inside_nat0_outbound).  
!--- Two separate access lists should always be used in this configuration.
 
 
crypto map outside_map 1 match address outside_1_cryptomap
 
!--- Define which traffic should be sent to the IPsec peer.
 
 
crypto map outside_map 1 set peer x.x.x.x
 
!--- Sets the IPsec peer
 
crypto map outside_map 1 set transform-set ESP-3DES-MD5 
 
!--- Sets the IPsec transform set "ESP-3DES-MD5 "
!--- to be used with the crypto map entry "outside_map".
 
 
crypto map outside_map interface outside

Open in new window

hachemp

ASKER

I apologize, that's actually not correct...I tore down two VPN tunnels today (just before I copied that config actually) of two companies that we had a persistent site to site VPN tunnel with, and hadn't yet removed those entries, which is why they don't match.. Those 10.x.x.x IP ranges were their trusted networks inside the VPN tunnel...has nothing to do with the current issue. The remote network we're trying to connect to on the PIX 501 is on a 192.168.1.x scope, and just to be clear, we are not setting up a firewall to firewall tunnel, someone is using a VPN client on a host inside our network to establish a tunnel to the 501. I apologize for the confusion; I should have removed those before I posted. Thanks for your quick response. Do you have any advice now that I've cleared things up a little?

bkepford

Look at the ASA logging as they connect see if it is being blocked by your outside in ACL. If so adjust accordingly.

hachemp

ASKER

I have checked the ASA logs at the debug level and here are the pertinent messages:

2009-07-13 16:22:48      Local4.Debug      192.168.8.9      %ASA-7-710006: IGMP request discarded from 192.168.8.77 to inside:224.0.0.22

2009-07-13 16:22:48      Local4.Debug      192.168.8.9      %ASA-7-710005: UDP request discarded from 192.168.8.77/65329 to inside:239.255.255.250/3702

2009-07-13 16:22:51      Local4.Error      192.168.8.9      %ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.8.77 dst outside:X.X.X.X

It doesn't look to me like an ACL is blocking that traffic or it would specify the ACL in the logs, wouldn't it? Also, I'm not sure why the UDP and IGMP traffic is destined for inside multicast addresses...shouldn't it be destined for outside X.X.X.X (the outside IP of the PIX)? Maybe those logs aren't even related to this... Either way, it doesn't seem like an ACL issue, most have suggested that it is either a UDP encap issue or an IPsec inspection issue that causes the protocol 50 error... Thanks for any help you can give.

ASKER CERTIFIED SOLUTION

bkepford

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

hachemp

ASKER

bkepford, I tried the inspect-pass-thru command, and still get the same errors. I also tried the 'isakmp nat-traversal' command, and that didn't work either. I'm wondering if I need to put a certain number in after the nat-traversal command (if I put it in with no number it defaults to '20'), and if the nat-traversal would also need to be enabled on the PIX 501. Any other ideas on what I could try?

hachemp

ASKER

On second thought...after rereading your post, I realize that I haven't reloaded the device yet...will have to wait until after business hours to do that. I'll post back once tomorrow once that's done, and if you have any other ideas, please let me know.

hachemp

ASKER

bkepford, update on this...I finally got it to work. Once I added the 'isakmp nat-traversal' command to the remote PIX 501 as well, everything starting working. So to summarize, I added the following to the config:

On my 5505:

policy-map global_policy
class inspection_default
inspect ipsec-pass-thru

isakmp nat-traversal

On the PIX 501:

isakmp nat-traversal

...and all is working well. Even though you didn't have the exact answer, I'm awarding you the points for working with me on this...I appreciate it.

bkepford

Glad it worked for you.

Cisco 5505 ASA - Error msg &quot;regular translation creation failed for protocol 50&quot; when trying to VPN

Cisco 5505 ASA - Error msg "regular translation creation failed for protocol 50" when trying to VPN