Posted by Darren on April 27, 2008, 4:57 pm
dt1649651@yahoo.com wrote:
> On Apr 27, 11:45 am, rober...@hushmail.com (Walter Roberson) wrote:
>>
>>> I have an ASA5505 as the router to the internet for my home PC. The
>>> config is just to NAT the private addresses to the public on the
>>> outside interface.
>>> I can go to the Internet just fine. ( I am writing this post thru that
>>> configuration right now ). The problem is when I am making the VPN
>>> connection ( with Cisco VPN Client ) to my office, although the VPN
>>> Client reports "Connected", I cannot access anything there and the log
>>> on the ASA keeps showing
>>> %ASA-3-305006: regular translation creation failed for protocol 50 src
>>> inside:172.31.1.3 dst outside:x.y.z.t
>> crypto isakmp nat-traversal
>
> Thanks, Walter. I just tried that but it did not fix the problem.
>
> Dt
Found this on the Cisco WWW site.
It was for ASA version 7.2, you may want to refine the search. The error
seems to suggest that you may have been trying to reach a network or
broadcast address. The WWW page I looked at was:
http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1280915

Error: 305006

Error Message %PIX|ASA-3-305006: {outbound static|identity|portmap|regular}
translation creation failed for protocol src
interface_name:source_address/source_port
dst interface_name:dest_address/dest_port

Explanation: A protocol (UDP, TCP, or ICMP) failed to create a
translation through the security appliance. This message appears as a
fix to caveat CSCdr00663 that requested that security appliance not
allow packets that are destined for network or broadcast addresses. The
security appliance provides this checking for addresses that are
explicitly identified with static command statements. With the change,
for inbound traffic, the security appliance denies translations for a
destined IP address identified as a network or broadcast address.

The security appliance does not apply PAT to all ICMP message types; it
only applies PAT to ICMP echo and echo-reply packets (types 8 and 0).
Specifically, only ICMP echo or echo-reply packets create a PAT xlate.
So, when the other ICMP message types are dropped, system log message
305006 (on the security appliance) is generated.

The security appliance utilizes the global IP and mask from configured
static command statements to differentiate regular IP addresses from
network or broadcast IP addresses. If the global IP address is a valid
network address with a matching network mask, then the security appliance
does not create a translation for network or broadcast IP addresses with
inbound packets.

For example:

static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128

Regards
Darren
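
The checks described in the quoted explanation can be applied to a 305006 line offline. The sketch below is an added example, not part of the post above or of Cisco's documentation: it parses the message, tests the destination against the global network of each static statement, and names the IP protocol number. The bucket labels, the function names and the 203.0.113.10 stand-in for the masked x.y.z.t address are assumptions of this example.

```python
import ipaddress
import re

# Constructed samples: the log line follows the thread's message, with a
# documentation address standing in for the masked x.y.z.t destination.
SAMPLE_LOG = ("%ASA-3-305006: regular translation creation failed for "
              "protocol 50 src inside:172.31.1.3 dst outside:203.0.113.10")
SAMPLE_STATIC = "static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128"
PORTLESS = {47: "GRE", 50: "ESP", 51: "AH"}  # IANA numbers; no ports for PAT to rewrite

LOG_RE = re.compile(
    r"%(?:PIX|ASA)-3-305006: (?:outbound static|identity|portmap|regular) "
    r"translation creation failed for (?:protocol (?P<num>\d+)|(?P<name>\w+)) "
    r"src [^:\s]+:(?P<src>[\d.]+)(?:/\d+)? dst [^:\s]+:(?P<dst>[\d.]+)")
STATIC_RE = re.compile(
    r"static \(\w+,\w+\) (?P<glob>[\d.]+) [\d.]+ netmask (?P<mask>[\d.]+)")


def static_global_net(line):
    """Global network of a static statement, or None if the global IP is
    not a valid network address for the given mask."""
    m = STATIC_RE.search(line)
    try:
        return ipaddress.ip_network(f"{m['glob']}/{m['mask']}") if m else None
    except ValueError:
        return None


def is_net_or_bcast(addr, net):
    """True if addr is the network or broadcast address of net.
    Skipping /31 and /32 is this example's assumption."""
    if net is None or net.prefixlen >= 31:
        return False
    return ipaddress.ip_address(addr) in (net.network_address, net.broadcast_address)


def triage(log_line, statics=()):
    """Sort one 305006 line into a bucket (hypothetical labels)."""
    m = LOG_RE.search(log_line)
    if not m:
        return "not-305006"
    if any(is_net_or_bcast(m["dst"], static_global_net(s)) for s in statics):
        return "dst-is-network-or-broadcast"
    if m["num"] and int(m["num"]) in PORTLESS:
        return "portless-protocol-" + PORTLESS[int(m["num"])]
    if (m["name"] or "").lower() == "icmp":
        return "icmp-other-than-echo"
    return "unclassified"
```

Run against the sample line, `triage(SAMPLE_LOG, [SAMPLE_STATIC])` returns `portless-protocol-ESP`: the destination is not a network or broadcast address of the static's global subnet, and protocol 50 is ESP.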