1. Home
  2. Cisco Systems
  3. regular translation creation failed for protocol 50 src inside:172.16.0.105 dst outside:85.xx.xx.9

regular translation creation failed for protocol 50 src inside:172.16.0.105 dst outside:85.xx.xx.9

Hi,

I have a ASA5505 and behind this firewall I have some users that uses a Cisco VPN client to connect to a remote firewall.

The VPN connection goes well, but nothing can be contacted on the remote site. I see this error in the ASA's log:

regular translation creation failed for protocol 50 src inside:172.16.0.105 dst outside:85.xx.xx.9

If I change the ASA with a Linksys router, everything works, so it must have something to do with the configuration on my ASA.

IPSec is the problem, but how do I allow that traffic?

I have added this, but still no luck.

----------- access-list test-udp-acl extended permit udp any any eq 500 ! class-map test-udp-class match access-list test-udp-acl ! policy-map type inspect IPSec-pass-thru IPsec-map parameters esp per-client-max 32 timeout 00:06:00 ! policy-map test-udp-policy class test-udp-class inspect IPSec-pass-thru IPSec-map service-policy test-udp-policy interface outside

-----------

What am I missing?

This is the Complete Configuration: hostname ASA-ADSL enable password Pp9dsdsdrReyAl7Qn encrypted passwd Pp9dBZ1cdsyAl7Qn encrypted names ! interface Vlan1 nameif inside security-level 100 ip address 172.16.0.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address 80.xx.xx.34 255.255.255.252 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! regex domainlist1 "\\.dating\\.dk" regex domainlist2 "\\.facebook\\.dk" regex domainlist3 "\\.facebook\\.com" boot system disk0:/asa804-k8.bin ftp mode passive access-list inside_mpc extended permit tcp any any eq www access-list inside_mpc extended permit tcp any any eq 8080 access-list test-udp-acl extended permit udp any any eq isakmp pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-61551.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 route outside 0.0.0.0 0.0.0.0 80.164.234.34 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat

0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute dynamic-access-policy-record DfltAccessPolicy http server enable http 85.xx.xx.2 255.255.255.255 outside http 172.16.0.0 255.255.255.0 inside http 87.xx.xx.42 255.255.255.255 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh 172.16.0.0 255.255.255.0 inside ssh 87.xx.xx.42 255.255.255.255 outside ssh 85.xx.xx.2 255.255.255.255 outside ssh timeout 60 console timeout 60 dhcpd dns 194.xx.xx.83 193.xx.xx.164 dhcpd auto_config outside ! dhcpd address 172.16.0.100-172.16.0.130 inside dhcpd dns 194.xx.xx.83 193.xx.xx.164 interface inside dhcpd enable inside !

threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ! class-map type regex match-any DomainBlockList match regex domainlist1 match regex domainlist2 match regex domainlist3 class-map type inspect http match-all BlockDomainsClass match request header host regex class DomainBlockList class-map test-udp-class match access-list test-udp-acl class-map inspection_default match default-inspection-traffic class-map httptraffic match access-list inside_mpc ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map type inspect http http_inspection_policy parameters protocol-violation action drop-connection match request method connect drop-connection log class BlockDomainsClass reset log policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect pptp policy-map inside-policy class httptraffic inspect http http_inspection_policypolicy-map test-udp-policy class test-udp-class policy-map type inspect ipsec-pass-thru IPsec-map parameters esp per-client-max 32 timeout 0:06:00 ! service-policy global_policy global service-policy inside-policy interface inside service-policy test-udp-policy interface outside prompt hostname context Cryptochecksum:40a82b3bc1c8fee8a486410bdca082df

Reply to
M
Loading thread data ...

Try this

sysopt connection permit-vpn

Reply to
Artie Lange

If you google "regular translation creation failed for protocol 50" you will find several articles about this. Looks like one solution is to ensure that "UDP encap" is enabled on the Cisco VPN client. Also "inspect ipsec-pass-thru ipseec-map" might need to be change to just "inspect ipsec-pass-thru". Don't know what "ipsec-map" does, but it could be breaking this.

Reply to
Thrill5

I simply can not get it working :-(

Is it possible to send me en configuration example of an ASA that have IPsec clients working?

Best regards Martin

Thrill5 skrev:

Reply to
M

Try adding "inspect ipsec-pass-thru" to an inspection policy applied inbound to the inside interface - where you're initiating the connection from (you could probably add it to the global_policy).

The "inspect ipsec-pass-thru" allows ESP through by default, so that should be fine; no manipulation through an IPSec-map should be required. Another consideration is enabling UDP (or TCP) encapsulation on the VPN Client, so the firewall sees the packets as UDP/TCP, rather than ESP (protocol 50) traffic.

Cheers,

Matt

Reply to
Matthew Melbourne

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.