%ASA-3-305006: regular translation creation failed for protocol 50 src inside:172.31.1.3 dst outside:x.y.z.t

I have an ASA5505 as the router to the Internet for my home PC. The config just NATs the private addresses to the public address on the outside interface.

I can get to the Internet just fine (I am writing this post through that configuration right now). The problem is when I make the VPN connection (with the Cisco VPN Client) to my office: although the VPN Client reports "Connected", I cannot access anything there and the log on the ASA keeps showing

%ASA-3-305006: regular translation creation failed for protocol 50 src inside:172.31.1.3 dst outside:x.y.z.t
%ASA-3-305006: regular translation creation failed for protocol 50 src inside:172.31.1.3 dst outside:x.y.z.t
%ASA-3-305006: regular translation creation failed for protocol 50 src inside:172.31.1.3 dst outside:x.y.z.t

When I replace the ASA5505 with a Cisco 871, everything works fine.

Below is my configuration:

ASA Version 7.2(3)
!
hostname a5505-1
enable password xYzTxYzT encrypted
names
!
interface Vlan1
 nameif inside
 security-level 1
 ip address 172.31.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 dhcp client update dns
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xYzT encrypted
ftp mode passive
dns domain-lookup outside
access-list out_in extended permit esp any any
access-list out_in extended permit udp any any eq isakmp
access-list out_in extended permit udp any any eq 4500
access-list out_in extended permit tcp any any eq ssh
access-list out_in extended permit icmp any any
access-list nat_conversion extended permit ip 172.31.1.0 255.255.255.0 any
access-list nat_conversion extended permit ip 192.168.0.0 255.255.255.0 any
pager lines 24
logging console notifications
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list nat_conversion
access-group out_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp enable outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 172.31.1.2-172.31.1.15 inside
dhcpd update dns interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username nov_ezvpn_user2 password Qr4CR53E2Slxxx encrypted
username nov_ezvpn_user1 password .c9X1tUCiUaJxxx encrypted
prompt hostname context
Cryptochecksum:be358d2bc37be11be0477ed7f8b61764
: end
a5505-1(config)#

Any advice is greatly appreciated.

Dt

Reply to
dt1649651
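An added example, not from the thread: a small Python parser for the %ASA-3-305006 messages quoted above. It groups the failures per inside host and protocol and, for port-less protocols such as ESP (50), explains why an interface PAT like the one in this config cannot build the translation. The sample log is constructed; "x.y.z.t" keeps the poster's placeholder for the office VPN gateway.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the message quoted in the post; "x.y.z.t" is the
# poster's placeholder for the office VPN gateway and one unrelated line is mixed in.
SAMPLE_LOG = """\
%ASA-3-305006: regular translation creation failed for protocol 50 src inside:172.31.1.3 dst outside:x.y.z.t
%ASA-3-305006: regular translation creation failed for protocol 50 src inside:172.31.1.3 dst outside:x.y.z.t
%ASA-3-305006: regular translation creation failed for protocol 50 src inside:172.31.1.7 dst outside:x.y.z.t
%ASA-3-305006: regular translation creation failed for protocol 47 src inside:172.31.1.9 dst outside:x.y.z.t
%ASA-6-302013: Built outbound TCP connection 12 for outside:x.y.z.t/443 (x.y.z.t/443) to inside:172.31.1.3/51000 (x.y.z.t/51000)
"""

# Message format as given in the Cisco error reference for 305006 (ports are optional).
MSG_RE = re.compile(
    r"%(?:PIX|ASA)-3-305006: (?P<kind>outbound static|identity|portmap|regular) "
    r"translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[^\s/]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[^\s/]+)(?:/(?P<dport>\d+))?"
)

# IP protocols that carry no port numbers, so interface PAT has nothing to rewrite.
PORTLESS = {47: "GRE", 50: "ESP", 51: "AH"}

def parse_305006(log_text):
    """Return one dict per 305006 line; other syslog lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["proto"] = int(ev["proto"])
            events.append(ev)
    return events

def summarize(events):
    """Count failures per (source host, protocol) so repeat offenders stand out."""
    return Counter((ev["src"], ev["proto"]) for ev in events)

def diagnose(ev):
    """Explain why the xlate failed and which of the thread's fixes applies."""
    proto = ev["proto"]
    if proto in PORTLESS:
        return (f"{PORTLESS[proto]} (protocol {proto}) from {ev['src']} has no ports, so "
                "'global (outside) 1 interface' PAT cannot multiplex it: enable NAT-T "
                "(UDP 4500) on the VPN client/peer or add a static translation for the host")
    return (f"protocol {proto} from {ev['src']} to {ev['dst']}: check whether the "
            "destination is the network or broadcast address of a configured static")
```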

After adding this line

static (inside,outside) interface 172.31.1.3

with 172.31.1.3 being my PC's IP, my PC can access the company network through the Cisco VPN, but this command applies to only one IP address.

Trying this

static (inside,outside) interface 172.31.1.0 netmask 255.255.255.0

gives me an error.

My other PCs on the internal network still cannot use the Cisco VPN Client.

Any advice is greatly appreciated.

Dt

Reply to
dt1649651

crypto isakmp nat-traversal

Reply to
Walter Roberson

Thanks, Walter. I just tried that but it did not fix the problem.

Dt

Reply to
dt1649651

Found this on the Cisco WWW site.

It was for ASA version 7.2; you may want to refine the search. The error seems to suggest that you may have been trying to reach a network or broadcast address. The WWW page I looked at was:
Error: 305006

Error Message %PIX|ASA-3-305006: {outbound static|identity|portmap|regular} translation creation failed for protocol src interface_name:source_address/source_port dst interface_name:dest_address/dest_port

Explanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the security appliance. This message appears as a fix to caveat CSCdr00663, which requested that the security appliance not allow packets that are destined for network or broadcast addresses. The security appliance provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, the security appliance denies translations for a destination IP address identified as a network or broadcast address.

The security appliance does not apply PAT to all ICMP message types; it only applies PAT to ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT xlate. So, when the other ICMP message types are dropped, system log message 305006 (on the security appliance) is generated.

The security appliance uses the global IP and mask from configured static command statements to distinguish regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the security appliance does not create a translation for network or broadcast IP addresses with inbound packets.

For example:

static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128

Regards

Darren

Reply to
Darren

If I recall correctly, protocol 50 is GRE; if this is true you are not using the Cisco VPN but the Microsoft VPN. To fix the issue just add:

inspect pptp

Bye, Tosh.

Reply to
Tosh

My mistake, protocol 50 is ESP; please disregard my previous post. Bye, Tosh.

Reply to
Tosh

Hi,

This has nothing to do with your config.... But Walter is right - you need IPsec NAT-traversal - just on the other end! And/or you need to check the UDP encapsulation box in your VPN dialer!

As you do not use VPN on the ASA itself, you can also configure a fixup for ESP...

ahh, what's the ASA syntax....

hmm, maybe:

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

But I really think it's your VPN dialer you need to fix...

HTH Martin

Reply to
Martin Bilgrav

Thanks, Darren.

I also looked at that page and tried the static command. See my previous post. It does work, but only for one IP address. I need to allow a whole (internal) network and that command does not let me do that.

Dt

Reply to
dt1649651
