Solved: Cisco 5505 ASA - Error msg "regular translation creation failed for protocol 50" when trying to VPN

Posted on 2009-07-14
6,918 Views
Last Modified: 2012-06-21
Hello,

I have been googling this issue for a while now and I can't seem to find a straight answer on what fixes this issue.  We have a 5505 ASA connecting our corporate network to the internet.  When we try to establish a VPN connection from inside our network to a PIX 501 using the VPN client (using IPsec over UDP), I get the following error in the logs (X.X.X.X being the outside IP address of the remote PIX 501, 192.168.8.77 being the inside host attempting to establish the VPN connection):

2009-07-13 16:22:51      Local4.Error      192.168.8.9      %ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.8.77 dst outside:X.X.X.X

We can connect to the VPN but then can't go anywhere on the remote network. I have been looking for a fix for this and seen many messages about enabling NAT traversal and 'inspect ipsec-pass-thru' commands, but I haven't found anyone confirming the correct way to fix the issue, at least not for an ASA. I'm hesitant to do too much testing because this is a production ASA and I don't want to break anything by testing different methods. If anyone can give me the exact fix for this issue, or at least what has personally worked for you, I would be very grateful...plus I'll give you 500 points. The ASA config is below...please advise if any changes need to be made to the PIX 501.

Thanks

ASA Version 7.2(3)
!
hostname ciscoasa
domain-name XXX
enable password encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.8.9 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.2 255.255.255.240
!
interface Vlan3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
 switchport trunk allowed vlan 2-3
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network new-network
 network-object 192.168.10.0 255.255.254.0
access-list outside_access_in extended deny icmp any host X.X.X.5 timestamp-request
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any eq smtp host 192.168.11.225 eq smtp inactive
access-list outside_access_in extended permit icmp any host X.X.X.14
access-list outside_access_in extended permit tcp any host X.X.X.14 eq ftp
access-list outside_access_in extended permit tcp any host X.X.X.14 eq imap4
access-list outside_access_in extended permit tcp any host X.X.X.14 eq 585
access-list outside_access_in extended permit tcp any host X.X.X.14 eq 993
access-list outside_access_in extended permit tcp any host X.X.X.14 eq pop3
access-list outside_access_in extended permit tcp any host X.X.X.14 eq 995
access-list outside_access_in extended permit tcp any host X.X.X.14 eq www
access-list outside_access_in extended permit tcp any host X.X.X.14 eq https
access-list outside_access_in extended permit tcp any host X.X.X.14 eq 115
access-list outside_access_in extended permit tcp any host X.X.X.14 eq pptp
access-list outside_access_in extended permit tcp any host X.X.X.14 eq smtp
access-list outside_access_in extended permit gre any host X.X.X.14
access-list outside_access_in extended permit gre any host X.X.X.5
access-list outside_access_in extended permit tcp any host X.X.X.5 eq pptp
access-list outside_access_in extended permit tcp any host X.X.X.6 eq telnet
access-list outside_access_in extended permit tcp any host X.X.X.6 eq 59002
access-list outside_access_in extended permit udp any host X.X.X.6 eq 59002
access-list outside_access_in extended permit tcp any host X.X.X.7 eq www
access-list outside_access_in extended permit tcp any host X.X.X.7 eq https
access-list outside_access_in extended permit tcp any host X.X.X.7 eq smtp
access-list outside_access_in extended permit tcp any host X.X.X.7 eq imap4
access-list outside_access_in extended permit tcp any host X.X.X.7 eq pop3
access-list outside_access_in extended permit udp any host X.X.X.8 eq 58002
access-list outside_access_in extended permit tcp any host X.X.X.8 eq 58002
access-list outside_access_in extended permit tcp any host X.X.X.8 eq telnet
access-list outside_access_in extended permit tcp any host X.X.X.9 eq 59002
access-list outside_access_in extended permit udp any host X.X.X.9 eq 59002
access-list outside_access_in extended permit tcp any host X.X.X.9 eq telnet
access-list outside_access_in extended permit tcp any host X.X.X.10 eq 5400
access-list outside_access_in extended permit tcp any host X.X.X.11 eq 5400
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.254.0 10.30.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.254.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging console errors
logging trap notifications
logging asdm notifications
logging host inside 192.168.8.250
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp inside 192.168.10.41 001e.52f2.2d01
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) X.X.X.5 192.168.8.32 netmask 255.255.255.255
static (inside,outside) X.X.X.14 192.168.12.248 netmask 255.255.255.255
static (inside,outside) X.X.X.6 192.168.14.19 netmask 255.255.255.255
static (inside,outside) X.X.X.7 192.168.8.20 netmask 255.255.255.255
static (inside,outside) X.X.X.9 192.168.12.250 netmask 255.255.255.255
static (inside,outside) X.X.X.8 192.168.15.19 netmask 255.255.255.255
static (inside,outside) X.X.X.10 192.168.12.72 netmask 255.255.255.255
static (inside,outside) X.X.X.11 192.168.10.22 netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 192.168.10.0 255.255.254.0 192.168.8.29 1
route inside 192.168.12.0 255.255.254.0 192.168.8.29 1
route inside 192.168.14.0 255.255.254.0 192.168.8.29 1
route inside 192.168.16.0 255.255.254.0 192.168.8.29 1
route outside 0.0.0.0 0.0.0.0 X.X.X.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.9.0 255.255.255.0 inside
http 192.168.8.0 255.255.255.0 inside
snmp-server host inside 192.168.10.21 poll community xxxxx version 2c
no snmp-server location
no snmp-server contact
snmp-server community xxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.8.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.254.0 inside
telnet timeout 5
ssh 192.168.8.0 255.255.255.0 inside
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server X.X.X.X source outside
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key
prompt hostname context
Cryptochecksum:
: end

Question by: hachemp
9 Comments
 
Expert Comment by bkepford (LVL 15), ID: 24851116
What looks like your problem is that you are not matching traffic to be sent through the tunnel. I take it that 10.30.0.0/16 and 10.0.0.0/24 are your remote networks where the PIX is?

And it looks like these commands actually tell it where the PIX is and how to connect, but will not send traffic back and forth:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key

The below configuration should finish it up for you. You don't have to paste in any lines with a !--- in front; these are just comments.

access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.254.0 10.30.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.254.0 10.0.0.0 255.255.255.0
!--- This access list (outside_cryptomap) is used
!--- with the crypto map outside_map
!--- to determine which traffic should be encrypted and sent
!--- across the tunnel.
!--- This ACL is intentionally the same as (inside_nat0_outbound).
!--- Two separate access lists should always be used in this configuration.

crypto map outside_map 1 match address outside_1_cryptomap
!--- Define which traffic should be sent to the IPsec peer.

crypto map outside_map 1 set peer x.x.x.x
!--- Sets the IPsec peer

crypto map outside_map 1 set transform-set ESP-3DES-MD5
!--- Sets the IPsec transform set "ESP-3DES-MD5"
!--- to be used with the crypto map entry "outside_map".

crypto map outside_map interface outside
 

Author Comment by hachemp, ID: 24851284
I apologize, that's actually not correct...I tore down two VPN tunnels today (just before I copied that config, actually) of two companies that we had a persistent site-to-site VPN tunnel with, and hadn't yet removed those entries, which is why they don't match. Those 10.x.x.x IP ranges were their trusted networks inside the VPN tunnel...it has nothing to do with the current issue. The remote network we're trying to connect to on the PIX 501 is on a 192.168.1.x scope, and just to be clear, we are not setting up a firewall-to-firewall tunnel; someone is using a VPN client on a host inside our network to establish a tunnel to the 501. I apologize for the confusion; I should have removed those before I posted. Thanks for your quick response. Do you have any advice now that I've cleared things up a little?
 
Expert Comment by bkepford (LVL 15), ID: 24851348
Look at the ASA logging as they connect and see if it is being blocked by your outside-in ACL. If so, adjust accordingly.
 

Author Comment by hachemp, ID: 24851478
I have checked the ASA logs at the debug level and here are the pertinent messages:

2009-07-13 16:22:48      Local4.Debug      192.168.8.9      %ASA-7-710006: IGMP request discarded from 192.168.8.77 to inside:224.0.0.22
2009-07-13 16:22:48      Local4.Debug      192.168.8.9      %ASA-7-710005: UDP request discarded from 192.168.8.77/65329 to inside:239.255.255.250/3702
2009-07-13 16:22:51      Local4.Error      192.168.8.9      %ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.8.77 dst outside:X.X.X.X

It doesn't look to me like an ACL is blocking that traffic, or it would specify the ACL in the logs, wouldn't it? Also, I'm not sure why the UDP and IGMP traffic is destined for inside multicast addresses...shouldn't it be destined for outside X.X.X.X (the outside IP of the PIX)? Maybe those logs aren't even related to this... Either way, it doesn't seem like an ACL issue; most have suggested that it is either a UDP encap issue or an IPsec inspection issue that causes the protocol 50 error. Thanks for any help you can give.
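The log excerpt above is the whole diagnosis if you know how to read the message ID: %ASA-3-305006 for "protocol 50" means the ASA had to build a translation for an ESP packet, and ESP carries no port numbers, so an interface-overload PAT rule (global (outside) 1 interface) has nothing to translate on. The multicast discards (710005/710006) are unrelated noise from the same host. The following script is an added example, not code from the thread or from Cisco: it parses ASA syslog lines in the layout quoted here (the sample lines are constructed copies of the ones above, with X.X.X.X left as the redacted peer address), pulls out the 305006 failures, and explains each one, distinguishing port-less protocols (ESP, AH, GRE) from ordinary TCP/UDP xlate failures. The function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout quoted in this thread (syslog forwarded by the
# ASA at 192.168.8.9; X.X.X.X is the redacted PIX address).
SAMPLE_LOG = """\
2009-07-13 16:22:48      Local4.Debug      192.168.8.9      %ASA-7-710006: IGMP request discarded from 192.168.8.77 to inside:224.0.0.22
2009-07-13 16:22:48      Local4.Debug      192.168.8.9      %ASA-7-710005: UDP request discarded from 192.168.8.77/65329 to inside:239.255.255.250/3702
2009-07-13 16:22:51      Local4.Error      192.168.8.9      %ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.8.77 dst outside:X.X.X.X
"""

# "<date> <time>   <facility.severity>   <host>   %ASA-<sev>-<id>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<facility>\S+)\s+(?P<host>\S+)\s+"
    r"%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}):\s*(?P<text>.*)$"
)
# Body of %ASA-3-305006; the protocol is a name (tcp/udp/icmp) or "protocol <number>".
XLATE_RE = re.compile(
    r"regular translation creation failed for (?P<proto>protocol \d+|\w+) "
    r"src (?P<sif>[^\s:]+):(?P<sip>\S+) dst (?P<dif>[^\s:]+):(?P<dip>\S+)"
)
# IP protocols with no port field: a PAT rule cannot build an xlate for them.
PORTLESS = {50: "ESP", 51: "AH", 47: "GRE"}


@dataclass
class XlateFailure:
    timestamp: str
    protocol: str   # "50", "tcp", ...
    src_if: str
    src: str
    dst_if: str
    dst: str

    def portless_protocol(self) -> Optional[str]:
        """Name of the port-less protocol involved, or None for tcp/udp/icmp."""
        if self.protocol.isdigit():
            return PORTLESS.get(int(self.protocol))
        return None

    def diagnosis(self) -> str:
        name = self.portless_protocol()
        if name:
            return (f"{name} (IP protocol {self.protocol}) from {self.src} has no ports, so a PAT "
                    f"rule ('global ({self.dst_if}) N interface') cannot build an xlate for it. "
                    f"Enable NAT-T ('isakmp nat-traversal') on both peers so the client wraps "
                    f"{name} in UDP/4500, add 'inspect ipsec-pass-thru' to the global policy, "
                    f"or give {self.src} a static/NAT-exempt translation.")
        return (f"{self.protocol} xlate for {self.src} -> {self.dst} failed; check the nat/global "
                f"pool for interface {self.src_if} (exhausted pool or no matching nat rule).")


def parse_line(line: str) -> Optional[dict]:
    """Split one forwarded syslog line into its fields, or None if it is not an ASA message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_xlate_failure(record: dict) -> Optional[XlateFailure]:
    """Turn a parsed 305006 record into an XlateFailure; other message IDs yield None."""
    if record["msg_id"] != "305006":
        return None
    m = XLATE_RE.match(record["text"])
    if not m:
        return None
    proto = m["proto"].split()[-1]          # "protocol 50" -> "50", "tcp" -> "tcp"
    return XlateFailure(record["ts"], proto, m["sif"], m["sip"], m["dif"], m["dip"])


def scan(log_text: str) -> list:
    """Return every translation failure found in a block of syslog text."""
    failures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            f = parse_xlate_failure(rec)
            if f:
                failures.append(f)
    return failures


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.timestamp, f.diagnosis())
```

Pointing `scan()` at the output of `logging host` or `show logging` turns the one-line error into a direct pointer at the NAT rule that ESP is hitting; the 710005/710006 lines are correctly ignored as a different problem.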
 
Accepted Solution by bkepford (LVL 15), earned 500 total points, ID: 24854431
I know you have read about this, but did you try to add ipsec-pass-thru inspection to your global policy? See below if not; it is real easy and it won't hurt anything if it doesn't work. Be aware policy changes may require a restart of the interface or even the ASA to take effect. So if it doesn't work right away, reload the ASA and try again.

policy-map global_policy
  class inspection_default
     inspect ipsec-pass-thru

 

Author Comment by hachemp, ID: 24864231
bkepford, I tried the inspect-pass-thru command, and still get the same errors.  I also tried the 'isakmp nat-traversal' command, and that didn't work either.  I'm wondering if I need to put a certain number in after the nat-traversal command (if I put it in with no number it defaults to '20'), and if the nat-traversal would also need to be enabled on the PIX 501.  Any other ideas on what I could try?
 

Author Comment by hachemp, ID: 24864245
On second thought...after rereading your post, I realize that I haven't reloaded the device yet...will have to wait until after business hours to do that. I'll post back tomorrow once that's done, and if you have any other ideas, please let me know.
 

Author Comment by hachemp, ID: 24864385
bkepford, update on this...I finally got it to work. Once I added the 'isakmp nat-traversal' command to the remote PIX 501 as well, everything started working. So to summarize, I added the following to the config:

On my 5505:

policy-map global_policy
  class inspection_default
     inspect ipsec-pass-thru

isakmp nat-traversal

On the PIX 501:

isakmp nat-traversal

...and all is working well.  Even though you didn't have the exact answer, I'm awarding you the points for working with me on this...I appreciate it.
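The summary above is a good checklist for any ASA that fronts VPN clients behind interface PAT: NAT-T has to be on at both ends (the PIX will only negotiate UDP/4500 encapsulation if it advertises NAT-T too, which is why the 5505-only change did not help), and ipsec-pass-thru inspection belongs in the global policy as the fallback for peers that do not. The script below is an added example, not something posted in the thread or shipped by Cisco: it audits a saved ASA 7.x running-config for exactly those two conditions. The BEFORE text is a constructed excerpt of the config posted in the question, AFTER is the same excerpt with the two lines from the summary added (the "20" after nat-traversal is the keepalive default the asker mentions), and the function names are this example's own.

```python
import re

# Constructed excerpt of the 7.2(3) config from the question: interface PAT for
# everything, no NAT-T, no ipsec-pass-thru in the global policy.
BEFORE = """\
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto isakmp enable outside
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
!
service-policy global_policy global
"""

# The same excerpt with the two lines the thread ended up adding on the 5505.
AFTER = BEFORE.replace(
    "  inspect h323 h225\n",
    "  inspect h323 h225\n  inspect ipsec-pass-thru\n",
) + "isakmp nat-traversal 20\n"


def policy_inspects(config: str) -> dict:
    """policy-map name -> class name -> set of inspect engines (ignores 'policy-map type inspect')."""
    result = {}
    policy = cls = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                  # top-level command: leaves any policy-map
            policy = cls = None
            m = re.match(r"policy-map (?!type )(\S+)$", line)
            if m:
                policy = m.group(1)
                result[policy] = {}
            continue
        if policy is None:
            continue
        words = line.split()
        if words[0] == "class" and not line.startswith("  "):   # one-space indent = class in policy-map
            cls = words[1]
            result[policy].setdefault(cls, set())
        elif cls is not None and words[0] == "inspect":
            result[policy][cls].add(words[1])          # "inspect dns preset_dns_map" -> "dns"
    return result


def global_policy_inspects(config: str) -> set:
    """Inspect engines actually applied by 'service-policy <name> global', across all classes."""
    m = re.search(r"^service-policy (\S+) global$", config, re.M)
    if not m:
        return set()
    classes = policy_inspects(config).get(m.group(1), {})
    return set().union(*classes.values())


def has_nat_traversal(config: str) -> bool:
    # ASA 7.x accepts both the legacy 'isakmp nat-traversal' and 'crypto isakmp nat-traversal'.
    return re.search(r"^(crypto )?isakmp nat-traversal", config, re.M) is not None


def uses_interface_pat(config: str, iface: str = "outside") -> bool:
    return re.search(rf"^global \({iface}\) \d+ interface$", config, re.M) is not None


def audit(config: str, outside: str = "outside") -> list:
    """Findings that explain a %ASA-3-305006 'protocol 50' error on this config (empty = clean)."""
    findings = []
    if not uses_interface_pat(config, outside):
        return findings                                # ESP only needs PAT help when it is PATed
    if not has_nat_traversal(config):
        findings.append(f"NAT-T is off: ESP (protocol 50) cannot be PATed through "
                        f"'global ({outside}) N interface'; add 'isakmp nat-traversal' here and on the peer")
    if "ipsec-pass-thru" not in global_policy_inspects(config):
        findings.append("'inspect ipsec-pass-thru' is not applied by the global service policy")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or ["ok"])
```

Running `audit()` over `show running-config` output before and after a change gives a repeatable check that both fixes from the thread are actually in place, which is easier than waiting for the next 305006 to appear in the logs.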
 
Expert Comment by bkepford (LVL 15), ID: 24864986
Glad it worked for you.