Re: %ASA-3-305006: regular translation creation failed for protocol 50 src inside:172.31.1.3 dst outside:x.y.z.t

Re: %ASA-3-305006: regular translation creation failed for protocol 50 src inside:172.31.1.3 dst outside:x.y.z.t
NewsGroups | Search | Tools
User Password
Register Now! Lost Password?
 comp.dcom.sys.cisco  Post an article  get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content  add this group's latest topics to your Google content  YahooMyWeb Yahoo!  Google Google  Windows Live Favorites Windows Live  del.icio.us del.icio.us  digg digg  Add to Netscape Netscape
Subject Author Date
Re: %ASA-3-305006: regular translation creation failed for protocol 50 src inside:172.31.1.3 dst outside:x.y.z.t dt1649651@yahoo.com 04-28-2008
Posted by dt1649651@yahoo.com on April 28, 2008, 11:57 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
wrote:
> Hi,
>
> This has nothing to do with your config....
> But walter is right - you need IPSEC nat-traversal - just in the other end !
> and/or you need to checkmark UDP encap in your VPN Dialer !
>
> As you do not use VPN in the ASA, you can also configure a fixup for ESP...
>
> ahh whats the ASA syntax ....
>
> hmm maybe
>
> policy-map global_policy
> class inspection_default
> inspect ipsec-pass-thru
>
> But I really think it's your VPN dialer you need to fix ..
>

Thanks, Martin.
When I add the command "isakmp nat traversal " to my ASA, it does fix
the problem.
When I add that command to the remote ASA ( VPN gateway ) I cannot
make the VPN connection.
Also tried the inspect ipsec-pass-thru.

I notice that this happens when I make the vpn connection to a remote
ASA. If the remote VPN gateway is an IOS router then the local ASA
does not complain anything.


Dt

Spring Sale Save 20% Banner - Sale Ended 5/3/07 So Updated to NonPromo Ad
Posted by dt1649651@yahoo.com on April 29, 2008, 12:10 am
If you were  Registered and logged in, you could reply and use other advanced thread options
A little bit more. I am trying to tackle this problem on that NAT
side. I put the ASA5505 behind a Cisco router and let the this router
does the NAT translation and take the nat function out of the ASA. My
PC is behind the ASA ( and the Cisco router ). In this situation, the
Cisco VPN Client on my PC works just fine. The connection is ok and I
can access the remote network just fine.

So what is the difference in NAT translation bewteen an IOS and a
ASA ?

Dt

Posted by Tosh on April 29, 2008, 2:02 am
If you were  Registered and logged in, you could reply and use other advanced thread options
> When I add the command "isakmp nat traversal " to my ASA, it does fix
> the problem.
> When I add that command to the remote ASA ( VPN gateway ) I cannot
> make the VPN connection.
> Also tried the inspect ipsec-pass-thru.
>

This sounds completely insane to me, anyway I don't know where the issue
lies, but I can see a couple of things in your config you can try to change,
providing that you posted the entire config and not a chunk.
The access list out_in is redundant, you simply don't need it.
Try to change this "nat (inside) 1 access-list nat_conversion" with this
"nat (inside) 1 172.31.1.0 255.255.255.0"
Remove "crypto isakmp enable outside"
The upstream dhcp server provides the asa with a public ip address or a
private one?
Bye,
Tosh.




Posted by dt1649651@yahoo.com on April 29, 2008, 9:14 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
wrote:
> Thanks, Martin.
> When I add the command "isakmp nat traversal " to my ASA, it does fix
> the problem.
> When I add that command to the remote ASA ( VPN gateway ) I cannot
> make the VPN connection.
> Also tried the inspect ipsec-pass-thru.
>
> I notice that this happens when I make the vpn connection to a remote
> ASA. If the remote VPN gateway is an IOS router then the local ASA
> does not complain anything.

I just re-read my post andam very sorry for my missing important word
( I worked a lot of hours yesterday ).
> When I add the command "isakmp nat traversal " to my ASA, it does ***NOT*** fix
> the problem.

In other words, all the nat traversal does not fix the problem, no
matter where it is on the remote or local ASA.

I am very sorry for my typp.

Dt

Posted by Martin Bilgrav on May 1, 2008, 1:14 pm
If you were  Registered and logged in, you could reply and use other advanced thread options

> wrote:

> In other words, all the nat traversal does not fix the problem, no
> matter where it is on the remote or local ASA.

Did you verify that you actually HAVE the setting enabled in your VPN client
software ?



Similar ThreadsPosted
Re: %ASA-3-305006: regular translation creation failed for protocol 50 src inside:172.31.1.3 dst outside:x.y.z.t April 27, 2008, 10:38 am
Re: %ASA-3-305006: regular translation creation failed for protocol 50 src inside:172.31.1.3 dst outside:x.y.z.t April 27, 2008, 12:45 pm
Re: %ASA-3-305006: regular translation creation failed for protocol 50 src inside:172.31.1.3 dst outside:x.y.z.t April 28, 2008, 1:04 am
PIX PPTP VPN Passthrough: regular translation creation failed for protocol 47 February 13, 2007, 5:07 pm
Translation Creation Failed November 16, 2004, 7:07 am
CallForward outside->inside->outside failed after one ring. April 13, 2007, 5:16 am
PING to inside address goes thru translation and timesout August 22, 2005, 1:44 pm
No translation group found for tcp src dmz1 to an inside address March 1, 2007, 2:21 am
I'm looking for ethernet 0, heard he is a regular. May 10, 2007, 9:58 pm
regular expression in bgp configuration August 1, 2007, 4:29 am

other useful resources:
The Federal Communications Commission (FCC)
Telecommunications Industry Association
Electronic and Software Security Products and Services
International Telecommunication Union

Custom CGI Perl and PHP programming by 1-Script.com

Contact Us | Privacy Policy
The site map in XML format XML site map