%ASA-3-305006: regular translation creation failed for protocol 50

 
 
dt1649651@yahoo.com
Guest
Posts: n/a
 
      04-27-2008
I have an ASA5505 as the router to the Internet for my home PC. The
config is just to NAT the private addresses to the public address on the
outside interface.

I can go to the Internet just fine (I am writing this post through that
configuration right now). The problem is when I make the VPN
connection (with Cisco VPN Client) to my office: although the VPN
Client reports "Connected", I cannot access anything there and the log
on the ASA keeps showing

%ASA-3-305006: regular translation creation failed for protocol 50 src
inside:172.31.1.3 dst outside.y.z.t
%ASA-3-305006: regular translation creation failed for protocol 50 src
inside:172.31.1.3 dst outside.y.z.t
%ASA-3-305006: regular translation creation failed for protocol 50 src
inside:172.31.1.3 dst outside.y.z.t

When I replace the ASA5505 with a Cisco 871, everything works fine.

Below is my configuration
ASA Version 7.2(3)
!
hostname a5505-1
enable password xYzTxYzT encrypted
names
!
interface Vlan1
nameif inside
security-level 1
ip address 172.31.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
dhcp client update dns
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xYzT encrypted
ftp mode passive
dns domain-lookup outside
access-list out_in extended permit esp any any
access-list out_in extended permit udp any any eq isakmp
access-list out_in extended permit udp any any eq 4500
access-list out_in extended permit tcp any any eq ssh
access-list out_in extended permit icmp any any
access-list nat_conversion extended permit ip 172.31.1.0 255.255.255.0
any
access-list nat_conversion extended permit ip 192.168.0.0
255.255.255.0 any
pager lines 24
logging console notifications
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list nat_conversion
access-group out_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-
disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp enable outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 172.31.1.2-172.31.1.15 inside
dhcpd update dns interface inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username nov_ezvpn_user2 password Qr4CR53E2Slxxx encrypted
username nov_ezvpn_user1 password .c9X1tUCiUaJxxx encrypted
prompt hostname context
Cryptochecksum:be358d2bc37be11be0477ed7f8b61764
: end
a5505-1(config)#


Any advice is greatly appreciated.

Dt
 
dt1649651@yahoo.com
Guest
Posts: n/a
 
      04-27-2008
After adding this line

static (inside,outside) interface 172.31.1.3

with 172.31.1.3 being my PC's IP, my PC can access the company
network through the Cisco VPN, but this command applies to only one IP
address.

Trying this
static (inside,outside) interface 172.31.1.0 netmask 255.255.255.0
gives me an error.

My other PCs on the internal network still cannot use the Cisco VPN
Client.

Any advice is greatly appreciated.

Dt
 
Walter Roberson
Guest
Posts: n/a
 
      04-27-2008
In article <(E-Mail Removed)>,
(E-Mail Removed) <(E-Mail Removed)> wrote:
>I have an ASA5505 as the router to the Internet for my home PC. The
>config is just to NAT the private addresses to the public address on the
>outside interface.

>I can go to the Internet just fine (I am writing this post through that
>configuration right now). The problem is when I make the VPN
>connection (with Cisco VPN Client) to my office: although the VPN
>Client reports "Connected", I cannot access anything there and the log
>on the ASA keeps showing

>%ASA-3-305006: regular translation creation failed for protocol 50 src
>inside:172.31.1.3 dst outside.y.z.t


crypto isakmp nat-traversal
 
dt1649651@yahoo.com
Guest
Posts: n/a
 
      04-27-2008
On Apr 27, 11:45 am, (E-Mail Removed) (Walter Roberson) wrote:
> In article <(E-Mail Removed)>,
>
> (E-Mail Removed) <(E-Mail Removed)> wrote:
> >I have an ASA5505 as the router to the Internet for my home PC. The
> >config is just to NAT the private addresses to the public address on the
> >outside interface.
> >I can go to the Internet just fine (I am writing this post through that
> >configuration right now). The problem is when I make the VPN
> >connection (with Cisco VPN Client) to my office: although the VPN
> >Client reports "Connected", I cannot access anything there and the log
> >on the ASA keeps showing
> >%ASA-3-305006: regular translation creation failed for protocol 50 src
> >inside:172.31.1.3 dst outside.y.z.t

>
> crypto isakmp nat-traversal


Thanks, Walter. I just tried that but it did not fix the problem.

Dt
 
Darren
Guest
Posts: n/a
 
      04-27-2008
(E-Mail Removed) wrote:
> On Apr 27, 11:45 am, (E-Mail Removed) (Walter Roberson) wrote:
>> In article <(E-Mail Removed)>,
>>
>> (E-Mail Removed) <(E-Mail Removed)> wrote:
>>> I have an ASA5505 as the router to the Internet for my home PC. The
>>> config is just to NAT the private addresses to the public address on the
>>> outside interface.
>>> I can go to the Internet just fine (I am writing this post through that
>>> configuration right now). The problem is when I make the VPN
>>> connection (with Cisco VPN Client) to my office: although the VPN
>>> Client reports "Connected", I cannot access anything there and the log
>>> on the ASA keeps showing
>>> %ASA-3-305006: regular translation creation failed for protocol 50 src
>>> inside:172.31.1.3 dst outside.y.z.t

>> crypto isakmp nat-traversal

>
> Thanks, Walter. I just tried that but it did not fix the problem.
>
> Dt


Found this on the Cisco WWW site.

It was for ASA version 7.2; you may want to refine the search. The error
seems to suggest that you may have been trying to reach a network or
broadcast address. The WWW page I looked at was:

http://www.cisco.com/en/US/docs/secu...html#wp1280915

Error: 305006

Error Message %PIX|ASA-3-305006: {outbound
static|identity|portmap|regular}
translation creation failed for protocol src
interface_name:source_address/source_port
dst interface_name:dest_address/dest_port

Explanation A protocol (UDP, TCP, or ICMP) failed to create a
translation through the security appliance. This message appears as a
fix to caveat CSCdr00663, which requested that the security appliance not
allow packets that are destined for network or broadcast addresses. The
security appliance provides this checking for addresses that are
explicitly identified with static command statements. With the change,
for inbound traffic, the security appliance denies translations for a
destination IP address identified as a network or broadcast address.

The security appliance does not apply PAT to all ICMP message types; it
only applies PAT to ICMP echo and echo-reply packets (types 8 and 0).
Specifically, only ICMP echo or echo-reply packets create a PAT xlate.
So, when the other ICMP message types are dropped, system log message
305006 (on the security appliance) is generated.

The security appliance uses the global IP and mask from configured
static command statements to distinguish regular IP addresses from network or
broadcast IP addresses. If the global IP address is a valid network
address with a matching network mask, then the security appliance does
not create a translation for network or broadcast IP addresses with
inbound packets.

For example:

static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128

Regards

Darren

 
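An added example, not from this thread or from Cisco, in Python: it parses 305006 messages in the shape quoted above and applies the network/broadcast check the excerpt describes to Darren's example static (global 10.2.2.128, netmask 255.255.255.128). The log lines are constructed, with a TEST-NET-2 address standing in for the redacted destination, and the diagnosis for protocol 50 is extended to the other portless protocols AH (51) and GRE (47).

```python
import ipaddress
import re

# Shape of the 305006 message as quoted from the Cisco guide above; the /port
# suffixes are optional because portless protocols such as ESP carry none.
MSG_RE = re.compile(
    r"%(?:PIX|ASA)-3-305006: (?P<kind>outbound static|identity|portmap|regular) "
    r"translation creation failed for protocol (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?"
)

# IP protocols with no L4 port: dynamic PAT has nothing to rewrite, so no
# xlate is built. 50 is the thread's case; 51 and 47 are added for generality.
PORTLESS = {"50": "ESP", "51": "AH", "47": "GRE"}

# Constructed sample lines (not from the thread). The redacted "x.y.z.t"
# destination is replaced by a TEST-NET-2 address; the second line is TCP.
SAMPLE_LOG = [
    "%ASA-3-305006: regular translation creation failed for protocol 50 "
    "src inside:172.31.1.3 dst outside:198.51.100.7",
    "%ASA-3-305006: portmap translation creation failed for protocol 6 "
    "src inside:172.31.1.3/49152 dst outside:198.51.100.7/80",
]

def parse_305006(line: str):
    """Return the message fields as a dict, or None if this is not a 305006."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for port in ("sport", "dport"):
        fields[port] = int(fields[port]) if fields[port] else None
    return fields

def diagnose(evt: dict) -> str:
    """Map a parsed event to the cause this thread converged on."""
    if evt["kind"] == "regular" and evt["proto"] in PORTLESS:
        return (f"{PORTLESS[evt['proto']]} (protocol {evt['proto']}) has no port, so "
                "dynamic PAT cannot build an xlate: use NAT-T/UDP encapsulation on "
                "the VPN peers, ipsec-pass-thru inspection, or a one-to-one static")
    return "translation failed for another reason; check statics, netmasks and ACLs"

def static_translates(global_ip: str, netmask: str, dest_ip: str) -> bool:
    """Inbound check from the quoted explanation: a destination equal to the
    network or broadcast address of a static's global range gets no xlate."""
    net = ipaddress.IPv4Network(f"{global_ip}/{netmask}", strict=False)
    dest = ipaddress.IPv4Address(dest_ip)
    if dest not in net:
        return False  # not covered by this static at all
    if net.prefixlen < 32 and dest in (net.network_address, net.broadcast_address):
        return False  # denied as a network/broadcast address (CSCdr00663 behaviour)
    return True

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(diagnose(parse_305006(line)))
    for d in ("10.2.2.130", "10.2.2.128", "10.2.2.255"):
        print(d, static_translates("10.2.2.128", "255.255.255.128", d))
```

Running the file prints the diagnosis for each sample line, then the translate/deny decision for a host, the network and the broadcast address of the example static's global range.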
sigideba
Junior Member
Join Date: Apr 2008
Posts: 6
 
      04-28-2008
Hi Darren,

From what I see it looks like you're missing the NAT traversal command Walter mentioned as well as a NAT pool for the VPN clients to grab an IP from. The access-list allows the pool but doesn't create it... just throwing that out there. I'm still pretty new to client VPNs but it seems to be missing and that would explain the NATing error message you're seeing...

ip local pool vpn-client-pool x.x.x.x-y.y.y.y {matched to the ACL}

along with the NAT traversal command Walter mentioned might take care of it?? Got my fingers crossed.

 
sigideba
Junior Member
Join Date: Apr 2008
Posts: 6
 
      04-28-2008
Hi Darren,

I'm pretty new to client VPNs, but it looks like you're missing a NAT pool for VPN clients to grab an IP from... throw in the NAT traversal command Walter recommended plus the pool and the application of the pool and cross your fingers

crypto isakmp nat-traversal X
ip local pool client-vpn-pool x.x.x.x-y.y.y.y

tunnel-group-policy {tunnel name}
address-pool client-vpn-pool

I really have no clue what I'm doing but those commands seem to be missing so maybe it'll help...

sigideba
 
Martin Bilgrav
Guest
Posts: n/a
 
      04-28-2008
Hi,

This has nothing to do with your config....
But Walter is right - you need IPsec NAT traversal - just at the other end!
and/or you need to checkmark UDP encap in your VPN dialer!

As you do not use VPN in the ASA, you can also configure a fixup for ESP...

ahh, what's the ASA syntax ....


hmm maybe

policy-map global_policy
class inspection_default
inspect ipsec-pass-thru

But I really think it's your VPN dialer you need to fix ..


HTH
Martin


<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I have an ASA5505 as the router to the Internet for my home PC. The
> config is just to NAT the private addresses to the public address on the
> outside interface.
>
> I can go to the Internet just fine (I am writing this post through that
> configuration right now). The problem is when I make the VPN
> connection (with Cisco VPN Client) to my office: although the VPN
> Client reports "Connected", I cannot access anything there and the log
> on the ASA keeps showing
>
> %ASA-3-305006: regular translation creation failed for protocol 50 src
> inside:172.31.1.3 dst outside.y.z.t
> %ASA-3-305006: regular translation creation failed for protocol 50 src
> inside:172.31.1.3 dst outside.y.z.t
> %ASA-3-305006: regular translation creation failed for protocol 50 src
> inside:172.31.1.3 dst outside.y.z.t
 
dt1649651@yahoo.com
Guest
Posts: n/a
 
      04-29-2008
On Apr 27, 3:57 pm, Darren <(E-Mail Removed)>
wrote:
> It was for ASA version 7.2, you may want to refine the search. The error
> seems to suggest that you may have been trying to reach a network or
> broadcast address. The WWW page I looked at was:
>
> http://www.cisco.com/en/US/docs/secu...em/message/log...
>
> Error: 305006
>


Thanks, Darren.

I also looked at that page and tried the static command. See my
previous post. It does work, but only for one IP address. I need to
allow a whole (internal) network and that command does not allow me to
do it.

Dt
 
dt1649651@yahoo.com
Guest
Posts: n/a
 
      04-29-2008
On Apr 28, 12:19 pm, "Martin Bilgrav" <(E-Mail Removed)>
wrote:
> Hi,
>
> This has nothing to do with your config....
> But walter is right - you need IPSEC nat-traversal - just in the other end !
> and/or you need to checkmark UDP encap in your VPN Dialer !
>
> As you do not use VPN in the ASA, you can also configure a fixup for ESP...
>
> ahh whats the ASA syntax ....
>
> hmm maybe
>
> policy-map global_policy
> class inspection_default
> inspect ipsec-pass-thru
>
> But I really think it's your VPN dialer you need to fix ..
>


Thanks, Martin.
When I add the command "isakmp nat-traversal" to my ASA, it does fix
the problem.
When I add that command to the remote ASA (VPN gateway) I cannot
make the VPN connection.
I also tried the inspect ipsec-pass-thru.

I notice that this happens when I make the VPN connection to a remote
ASA. If the remote VPN gateway is an IOS router then the local ASA
does not complain at all.


Dt
 