hachemp
asked on
Cisco 5505 ASA - Error msg "regular translation creation failed for protocol 50" when trying to VPN
Hello,
I have been googling this issue for a while now and I can't seem to find a straight answer on what fixes this issue. We have a 5505 ASA connecting our corporate network to the internet. When we try to establish a VPN connection from inside our network to a PIX 501 using the VPN client (using IPsec over UDP), I get the following error in the logs (X.X.X.X being the outside IP address of the remote PIX 501, 192.168.8.77 being the inside host attempting to establish the VPN connection):
2009-07-13 16:22:51 Local4.Error 192.168.8.9 %ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.8.77 dst outside:X.X.X.X
We can connect to the VPN but then can't go anywhere on the remote network. I have been looking for a fix for this and seen many messages about enabling NAT traversal and 'inspect ipsec-pass-thru' commands but I haven't found anyone confirming the correct way to fix the issue, at least not for an ASA. I'm hesitant to do too much testing because this is a production ASA and I don't want to break anything by testing different methods. If anyone can give me the exact fix for this issue, or at least what has personally worked for you, I would be very grateful... plus I'll give you 500 points. The ASA config is below... please advise if any changes need to be made to the PIX 501.
Thanks
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name XXX
enable password encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.8.9 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.2 255.255.255.240
!
interface Vlan3
no nameif
no security-level
no ip address
!
interface Ethernet0/0
switchport access vlan 2
switchport trunk allowed vlan 2-3
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network new-network
network-object 192.168.10.0 255.255.254.0
access-list outside_access_in extended deny icmp any host X.X.X.5 timestamp-request
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any eq smtp host 192.168.11.225 eq smtp inactive
access-list outside_access_in extended permit icmp any host X.X.X.14
access-list outside_access_in extended permit tcp any host X.X.X.14 eq ftp
access-list outside_access_in extended permit tcp any host X.X.X.14 eq imap4
access-list outside_access_in extended permit tcp any host X.X.X.14 eq 585
access-list outside_access_in extended permit tcp any host X.X.X.14 eq 993
access-list outside_access_in extended permit tcp any host X.X.X.14 eq pop3
access-list outside_access_in extended permit tcp any host X.X.X.14 eq 995
access-list outside_access_in extended permit tcp any host X.X.X.14 eq www
access-list outside_access_in extended permit tcp any host X.X.X.14 eq https
access-list outside_access_in extended permit tcp any host X.X.X.14 eq 115
access-list outside_access_in extended permit tcp any host X.X.X.14 eq pptp
access-list outside_access_in extended permit tcp any host X.X.X.14 eq smtp
access-list outside_access_in extended permit gre any host X.X.X.14
access-list outside_access_in extended permit gre any host X.X.X.5
access-list outside_access_in extended permit tcp any host X.X.X.5 eq pptp
access-list outside_access_in extended permit tcp any host X.X.X.6 eq telnet
access-list outside_access_in extended permit tcp any host X.X.X.6 eq 59002
access-list outside_access_in extended permit udp any host X.X.X.6 eq 59002
access-list outside_access_in extended permit tcp any host X.X.X.7 eq www
access-list outside_access_in extended permit tcp any host X.X.X.7 eq https
access-list outside_access_in extended permit tcp any host X.X.X.7 eq smtp
access-list outside_access_in extended permit tcp any host X.X.X.7 eq imap4
access-list outside_access_in extended permit tcp any host X.X.X.7 eq pop3
access-list outside_access_in extended permit udp any host X.X.X.8 eq 58002
access-list outside_access_in extended permit tcp any host X.X.X.8 eq 58002
access-list outside_access_in extended permit tcp any host X.X.X.8 eq telnet
access-list outside_access_in extended permit tcp any host X.X.X.9 eq 59002
access-list outside_access_in extended permit udp any host X.X.X.9 eq 59002
access-list outside_access_in extended permit tcp any host X.X.X.9 eq telnet
access-list outside_access_in extended permit tcp any host X.X.X.10 eq 5400
access-list outside_access_in extended permit tcp any host X.X.X.11 eq 5400
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.254.0 10.30.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.254.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging console errors
logging trap notifications
logging asdm notifications
logging host inside 192.168.8.250
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp inside 192.168.10.41 001e.52f2.2d01
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) X.X.X.5 192.168.8.32 netmask 255.255.255.255
static (inside,outside) X.X.X.14 192.168.12.248 netmask 255.255.255.255
static (inside,outside) X.X.X.6 192.168.14.19 netmask 255.255.255.255
static (inside,outside) X.X.X.7 192.168.8.20 netmask 255.255.255.255
static (inside,outside) X.X.X.9 192.168.12.250 netmask 255.255.255.255
static (inside,outside) X.X.X.8 192.168.15.19 netmask 255.255.255.255
static (inside,outside) X.X.X.10 192.168.12.72 netmask 255.255.255.255
static (inside,outside) X.X.X.11 192.168.10.22 netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 192.168.10.0 255.255.254.0 192.168.8.29 1
route inside 192.168.12.0 255.255.254.0 192.168.8.29 1
route inside 192.168.14.0 255.255.254.0 192.168.8.29 1
route inside 192.168.16.0 255.255.254.0 192.168.8.29 1
route outside 0.0.0.0 0.0.0.0 X.X.X.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.9.0 255.255.255.0 inside
http 192.168.8.0 255.255.255.0 inside
snmp-server host inside 192.168.10.21 poll community xxxxx version 2c
no snmp-server location
no snmp-server contact
snmp-server community xxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.8.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.254.0 inside
telnet timeout 5
ssh 192.168.8.0 255.255.255.0 inside
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server X.X.X.X source outside
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key
prompt hostname context
Cryptochecksum:
: end
ASKER
I apologize, that's actually not correct... I tore down two VPN tunnels today (just before I copied that config actually) of two companies that we had a persistent site to site VPN tunnel with, and hadn't yet removed those entries, which is why they don't match. Those 10.x.x.x IP ranges were their trusted networks inside the VPN tunnel... has nothing to do with the current issue. The remote network we're trying to connect to on the PIX 501 is on a 192.168.1.x scope, and just to be clear, we are not setting up a firewall to firewall tunnel, someone is using a VPN client on a host inside our network to establish a tunnel to the 501. I apologize for the confusion; I should have removed those before I posted. Thanks for your quick response. Do you have any advice now that I've cleared things up a little?
Look at the ASA logging as they connect see if it is being blocked by your outside in ACL. If so adjust accordingly.
ASKER
I have checked the ASA logs at the debug level and here are the pertinent messages:
2009-07-13 16:22:48 Local4.Debug 192.168.8.9 %ASA-7-710006: IGMP request discarded from 192.168.8.77 to inside:224.0.0.22
2009-07-13 16:22:48 Local4.Debug 192.168.8.9 %ASA-7-710005: UDP request discarded from 192.168.8.77/65329 to inside:239.255.255.250/3702
2009-07-13 16:22:51 Local4.Error 192.168.8.9 %ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.8.77 dst outside:X.X.X.X
It doesn't look to me like an ACL is blocking that traffic or it would specify the ACL in the logs, wouldn't it? Also, I'm not sure why the UDP and IGMP traffic is destined for inside multicast addresses...shouldn't it be destined for outside X.X.X.X (the outside IP of the PIX)? Maybe those logs aren't even related to this... Either way, it doesn't seem like an ACL issue, most have suggested that it is either a UDP encap issue or an IPsec inspection issue that causes the protocol 50 error... Thanks for any help you can give.
ASKER CERTIFIED SOLUTION
ASKER
bkepford, I tried the inspect-pass-thru command, and still get the same errors. I also tried the 'isakmp nat-traversal' command, and that didn't work either. I'm wondering if I need to put a certain number in after the nat-traversal command (if I put it in with no number it defaults to '20'), and if the nat-traversal would also need to be enabled on the PIX 501. Any other ideas on what I could try?
ASKER
On second thought... after rereading your post, I realize that I haven't reloaded the device yet... will have to wait until after business hours to do that. I'll post back tomorrow once that's done, and if you have any other ideas, please let me know.
ASKER
bkepford, update on this... I finally got it to work. Once I added the 'isakmp nat-traversal' command to the remote PIX 501 as well, everything started working. So to summarize, I added the following to the config:
On my 5505:
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
isakmp nat-traversal
On the PIX 501:
isakmp nat-traversal
...and all is working well. Even though you didn't have the exact answer, I'm awarding you the points for working with me on this...I appreciate it.
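Why the xlate fails and why the fix summarized above works, as an added model written for this thread (not Cisco code and not from any poster): it replays the ASA 7.2 NAT order from the posted config (nat 0 exemption, then static, then dynamic PAT to the interface) against ESP versus UDP/4500 traffic from 192.168.8.77. The public addresses and the PIX address are constructed placeholders; pass-thru inspection is modelled with the effect Cisco documents for it (ESP tied to an existing IKE UDP/500 entry), while the asker's own finding was that NAT-T on both ends is what made it work.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ESP, UDP, IKE_PORT, NAT_T_PORT = 50, 17, 500, 4500


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: "int | None" = None  # None for protocols without layer-4 ports, e.g. ESP


@dataclass
class Asa:
    """NAT state lifted from the asker's config; public IPs are constructed placeholders."""
    nat0: list = field(default_factory=lambda: [          # inside_nat0_outbound ACL
        (ip_network("192.168.10.0/23"), ip_network("10.30.0.0/16")),
        (ip_network("192.168.10.0/23"), ip_network("10.0.0.0/24"))])
    statics: dict = field(default_factory=lambda: {"192.168.8.32": "198.51.100.5"})
    pat_ip: str = "198.51.100.2"                   # global (outside) 1 interface
    ipsec_pass_thru: bool = False                  # inspect ipsec-pass-thru
    ike_xlates: set = field(default_factory=set)   # (src, dst) pairs seen on UDP/500

    def translate(self, pkt):
        """Return (xlate_created, message) in ASA 7.2 order: nat 0, static, then PAT."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if any(src in i and dst in r for i, r in self.nat0):
            return True, f"nat 0 identity xlate for {pkt.src}"
        if pkt.src in self.statics:                # one-to-one: any IP protocol fits
            return True, f"static xlate {pkt.src} -> {self.statics[pkt.src]}"
        if pkt.sport is not None:                  # PAT multiplexes hosts on a port
            if pkt.proto == UDP and pkt.sport == IKE_PORT:
                self.ike_xlates.add((pkt.src, pkt.dst))
            return True, f"PAT xlate {pkt.src}/{pkt.sport} -> {self.pat_ip}/<mapped port>"
        if self.ipsec_pass_thru and (pkt.src, pkt.dst) in self.ike_xlates:
            return True, f"ESP tied to the existing IKE entry for {pkt.src}"
        return False, (f"%ASA-3-305006: regular translation creation failed for "
                       f"protocol {pkt.proto} src inside:{pkt.src} dst outside:{pkt.dst}")


def scenarios(remote="192.0.2.10"):
    """Replay the thread's states; the PIX address is a constructed placeholder."""
    box = Asa()
    box.translate(Packet(UDP, "192.168.8.77", remote, IKE_PORT))   # IKE phase 1 succeeds
    out = {"esp_over_pat": box.translate(Packet(ESP, "192.168.8.77", remote))[0]}
    box.ipsec_pass_thru = True
    out["esp_with_pass_thru"] = box.translate(Packet(ESP, "192.168.8.77", remote))[0]
    out["esp_in_udp4500"] = Asa().translate(Packet(UDP, "192.168.8.77", remote, NAT_T_PORT))[0]
    out["esp_from_static_host"] = Asa().translate(Packet(ESP, "192.168.8.32", remote))[0]
    return out
```

The point the model makes is that `nat (inside) 1 0.0.0.0 0.0.0.0` with `global (outside) 1 interface` has no port to rewrite for protocol 50, so only a port-carrying encapsulation (NAT-T), an inspection that ties ESP to the IKE entry, or a static for the client host gives the ASA something to translate.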
Glad it worked for you.
and it looks like these commands actually tell it where the PIX is and how to connect but will not send traffic back and forth.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key
The below configuration should finish it up for you. You don't have to paste in any lines with a !--- in front; these are just comments.