regular translation creation failed for protocol 50 src inside:172.16.0.105

Discussion in 'Cisco' started by M, Mar 4, 2009.

  1. M

    M Guest

    Hi,

    I have a ASA5505 and behind this firewall I have some users that uses a
    Cisco VPN client to connect to a remote firewall.

    The VPN connection goes well, but nothing can be contacted on the remote
    site. I see this error in the ASA's log:

    regular translation creation failed for protocol 50 src
    inside:172.16.0.105 dst outside:85.xx.xx.9

    If I change the ASA with a Linksys router, everything works, so it must
    have something to do with the configuration on my ASA.

    IPSec is the problem, but how do I allow that traffic?

    I have added this, but still no luck.
    -----------
    access-list test-udp-acl extended permit udp any any eq 500
    !
    class-map test-udp-class
    match access-list test-udp-acl
    !
    policy-map type inspect IPSec-pass-thru IPsec-map
    parameters
    esp per-client-max 32 timeout 00:06:00
    !
    policy-map test-udp-policy
    class test-udp-class
    inspect IPSec-pass-thru IPSec-map
    service-policy test-udp-policy interface outside
    -----------

    What am I missing?



    This is the Complete Configuration:
    hostname ASA-ADSL
    enable password Pp9dsdsdrReyAl7Qn encrypted
    passwd Pp9dBZ1cdsyAl7Qn encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.0.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 80.xx.xx.34 255.255.255.252
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    regex domainlist1 "\.dating\.dk"
    regex domainlist2 "\.facebook\.dk"
    regex domainlist3 "\.facebook\.com"
    boot system disk0:/asa804-k8.bin
    ftp mode passive
    access-list inside_mpc extended permit tcp any any eq www
    access-list inside_mpc extended permit tcp any any eq 8080
    access-list test-udp-acl extended permit udp any any eq isakmp
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-61551.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 80.164.234.34 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
    0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
    0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 85.xx.xx.2 255.255.255.255 outside
    http 172.16.0.0 255.255.255.0 inside
    http 87.xx.xx.42 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 172.16.0.0 255.255.255.0 inside
    ssh 87.xx.xx.42 255.255.255.255 outside
    ssh 85.xx.xx.2 255.255.255.255 outside
    ssh timeout 60
    console timeout 60
    dhcpd dns 194.xx.xx.83 193.xx.xx.164
    dhcpd auto_config outside
    !
    dhcpd address 172.16.0.100-172.16.0.130 inside
    dhcpd dns 194.xx.xx.83 193.xx.xx.164 interface inside
    dhcpd enable inside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    !
    class-map type regex match-any DomainBlockList
    match regex domainlist1
    match regex domainlist2
    match regex domainlist3
    class-map type inspect http match-all BlockDomainsClass
    match request header host regex class DomainBlockList
    class-map test-udp-class
    match access-list test-udp-acl
    class-map inspection_default
    match default-inspection-traffic
    class-map httptraffic
    match access-list inside_mpc
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map type inspect http http_inspection_policy
    parameters
    protocol-violation action drop-connection
    match request method connect
    drop-connection log
    class BlockDomainsClass
    reset log
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect pptp
    policy-map inside-policy
    class httptraffic
    inspect http http_inspection_policy
    policy-map test-udp-policy
    class test-udp-class
    policy-map type inspect ipsec-pass-thru IPsec-map
    parameters
    esp per-client-max 32 timeout 0:06:00
    !
    service-policy global_policy global
    service-policy inside-policy interface inside
    service-policy test-udp-policy interface outside
    prompt hostname context
    Cryptochecksum:40a82b3bc1c8fee8a486410bdca082df
     
    M, Mar 4, 2009
    #1
    1. Advertising

  2. M

    Thrill5 Guest

    Re: regular translation creation failed for protocol 50 src inside:172.16.0.105 dst outside:85.xx.xx.9

    If you google "regular translation creation failed for protocol 50" you will
    find several articles about this. Looks like one solution is to ensure that
    "UDP encap" is enabled on the Cisco VPN client. Also "inspect
    ipsec-pass-thru ipseec-map" might need to be change to just "inspect
    ipsec-pass-thru". Don't know what "ipsec-map" does, but it could be
    breaking this.


    "M" <> wrote in message
    news:49ae5917$0$90265$...
    > Hi,
    >
    > I have a ASA5505 and behind this firewall I have some users that uses a
    > Cisco VPN client to connect to a remote firewall.
    >
    > The VPN connection goes well, but nothing can be contacted on the remote
    > site. I see this error in the ASA's log:
    >
    > regular translation creation failed for protocol 50 src
    > inside:172.16.0.105 dst outside:85.xx.xx.9
    >
    > If I change the ASA with a Linksys router, everything works, so it must
    > have something to do with the configuration on my ASA.
    >
    > IPSec is the problem, but how do I allow that traffic?
    >
    > I have added this, but still no luck.
    > -----------
    > access-list test-udp-acl extended permit udp any any eq 500
    > !
    > class-map test-udp-class
    > match access-list test-udp-acl
    > !
    > policy-map type inspect IPSec-pass-thru IPsec-map
    > parameters
    > esp per-client-max 32 timeout 00:06:00
    > !
    > policy-map test-udp-policy
    > class test-udp-class
    > inspect IPSec-pass-thru IPSec-map
    > service-policy test-udp-policy interface outside
    > -----------
    >
    > What am I missing?
    >
    >
    >
    > This is the Complete Configuration:
    > hostname ASA-ADSL
    > enable password Pp9dsdsdrReyAl7Qn encrypted
    > passwd Pp9dBZ1cdsyAl7Qn encrypted
    > names
    > !
    > interface Vlan1
    > nameif inside
    > security-level 100
    > ip address 172.16.0.1 255.255.255.0
    > !
    > interface Vlan2
    > nameif outside
    > security-level 0
    > ip address 80.xx.xx.34 255.255.255.252
    > !
    > interface Ethernet0/0
    > switchport access vlan 2
    > !
    > interface Ethernet0/1
    > !
    > interface Ethernet0/2
    > !
    > interface Ethernet0/3
    > !
    > interface Ethernet0/4
    > !
    > interface Ethernet0/5
    > !
    > interface Ethernet0/6
    > !
    > interface Ethernet0/7
    > !
    > regex domainlist1 "\.dating\.dk"
    > regex domainlist2 "\.facebook\.dk"
    > regex domainlist3 "\.facebook\.com"
    > boot system disk0:/asa804-k8.bin
    > ftp mode passive
    > access-list inside_mpc extended permit tcp any any eq www
    > access-list inside_mpc extended permit tcp any any eq 8080
    > access-list test-udp-acl extended permit udp any any eq isakmp
    > pager lines 24
    > logging enable
    > logging asdm informational
    > mtu inside 1500
    > mtu outside 1500
    > icmp unreachable rate-limit 1 burst-size 1
    > asdm image disk0:/asdm-61551.bin
    > no asdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 1 0.0.0.0 0.0.0.0
    > route outside 0.0.0.0 0.0.0.0 80.164.234.34 1
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
    > 0:05:00
    > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
    > 0:02:00
    > timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    > dynamic-access-policy-record DfltAccessPolicy
    > http server enable
    > http 85.xx.xx.2 255.255.255.255 outside
    > http 172.16.0.0 255.255.255.0 inside
    > http 87.xx.xx.42 255.255.255.255 outside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server enable traps snmp authentication linkup linkdown coldstart
    > crypto ipsec security-association lifetime seconds 28800
    > crypto ipsec security-association lifetime kilobytes 4608000
    > telnet timeout 5
    > ssh 172.16.0.0 255.255.255.0 inside
    > ssh 87.xx.xx.42 255.255.255.255 outside
    > ssh 85.xx.xx.2 255.255.255.255 outside
    > ssh timeout 60
    > console timeout 60
    > dhcpd dns 194.xx.xx.83 193.xx.xx.164
    > dhcpd auto_config outside
    > !
    > dhcpd address 172.16.0.100-172.16.0.130 inside
    > dhcpd dns 194.xx.xx.83 193.xx.xx.164 interface inside
    > dhcpd enable inside
    > !
    >
    > threat-detection basic-threat
    > threat-detection statistics access-list
    > no threat-detection statistics tcp-intercept
    > !
    > class-map type regex match-any DomainBlockList
    > match regex domainlist1
    > match regex domainlist2
    > match regex domainlist3
    > class-map type inspect http match-all BlockDomainsClass
    > match request header host regex class DomainBlockList
    > class-map test-udp-class
    > match access-list test-udp-acl
    > class-map inspection_default
    > match default-inspection-traffic
    > class-map httptraffic
    > match access-list inside_mpc
    > !
    > !
    > policy-map type inspect dns preset_dns_map
    > parameters
    > message-length maximum 512
    > policy-map type inspect http http_inspection_policy
    > parameters
    > protocol-violation action drop-connection
    > match request method connect
    > drop-connection log
    > class BlockDomainsClass
    > reset log
    > policy-map global_policy
    > class inspection_default
    > inspect dns preset_dns_map
    > inspect ftp
    > inspect h323 h225
    > inspect h323 ras
    > inspect rsh
    > inspect rtsp
    > inspect esmtp
    > inspect sqlnet
    > inspect skinny
    > inspect sunrpc
    > inspect xdmcp
    > inspect sip
    > inspect netbios
    > inspect tftp
    > inspect pptp
    > policy-map inside-policy
    > class httptraffic
    > inspect http http_inspection_policy
    > policy-map test-udp-policy
    > class test-udp-class
    > policy-map type inspect ipsec-pass-thru IPsec-map
    > parameters
    > esp per-client-max 32 timeout 0:06:00
    > !
    > service-policy global_policy global
    > service-policy inside-policy interface inside
    > service-policy test-udp-policy interface outside
    > prompt hostname context
    > Cryptochecksum:40a82b3bc1c8fee8a486410bdca082df
     
    Thrill5, Mar 5, 2009
    #2
    1. Advertising

  3. M

    M Guest

    I simply can not get it working :-(

    Is it possible to send me en configuration example of an ASA that have
    IPsec clients working?

    Best regards
    Martin




    Thrill5 skrev:
    > If you google "regular translation creation failed for protocol 50" you will
    > find several articles about this. Looks like one solution is to ensure that
    > "UDP encap" is enabled on the Cisco VPN client. Also "inspect
    > ipsec-pass-thru ipseec-map" might need to be change to just "inspect
    > ipsec-pass-thru". Don't know what "ipsec-map" does, but it could be
    > breaking this.
    >
    >
    > "M" <> wrote in message
    > news:49ae5917$0$90265$...
    >> Hi,
    >>
    >> I have a ASA5505 and behind this firewall I have some users that uses a
    >> Cisco VPN client to connect to a remote firewall.
    >>
    >> The VPN connection goes well, but nothing can be contacted on the remote
    >> site. I see this error in the ASA's log:
    >>
    >> regular translation creation failed for protocol 50 src
    >> inside:172.16.0.105 dst outside:85.xx.xx.9
    >>
    >> If I change the ASA with a Linksys router, everything works, so it must
    >> have something to do with the configuration on my ASA.
    >>
    >> IPSec is the problem, but how do I allow that traffic?
    >>
    >> I have added this, but still no luck.
    >> -----------
    >> access-list test-udp-acl extended permit udp any any eq 500
    >> !
    >> class-map test-udp-class
    >> match access-list test-udp-acl
    >> !
    >> policy-map type inspect IPSec-pass-thru IPsec-map
    >> parameters
    >> esp per-client-max 32 timeout 00:06:00
    >> !
    >> policy-map test-udp-policy
    >> class test-udp-class
    >> inspect IPSec-pass-thru IPSec-map
    >> service-policy test-udp-policy interface outside
    >> -----------
    >>
    >> What am I missing?
    >>
    >>
    >>
    >> This is the Complete Configuration:
    >> hostname ASA-ADSL
    >> enable password Pp9dsdsdrReyAl7Qn encrypted
    >> passwd Pp9dBZ1cdsyAl7Qn encrypted
    >> names
    >> !
    >> interface Vlan1
    >> nameif inside
    >> security-level 100
    >> ip address 172.16.0.1 255.255.255.0
    >> !
    >> interface Vlan2
    >> nameif outside
    >> security-level 0
    >> ip address 80.xx.xx.34 255.255.255.252
    >> !
    >> interface Ethernet0/0
    >> switchport access vlan 2
    >> !
    >> interface Ethernet0/1
    >> !
    >> interface Ethernet0/2
    >> !
    >> interface Ethernet0/3
    >> !
    >> interface Ethernet0/4
    >> !
    >> interface Ethernet0/5
    >> !
    >> interface Ethernet0/6
    >> !
    >> interface Ethernet0/7
    >> !
    >> regex domainlist1 "\.dating\.dk"
    >> regex domainlist2 "\.facebook\.dk"
    >> regex domainlist3 "\.facebook\.com"
    >> boot system disk0:/asa804-k8.bin
    >> ftp mode passive
    >> access-list inside_mpc extended permit tcp any any eq www
    >> access-list inside_mpc extended permit tcp any any eq 8080
    >> access-list test-udp-acl extended permit udp any any eq isakmp
    >> pager lines 24
    >> logging enable
    >> logging asdm informational
    >> mtu inside 1500
    >> mtu outside 1500
    >> icmp unreachable rate-limit 1 burst-size 1
    >> asdm image disk0:/asdm-61551.bin
    >> no asdm history enable
    >> arp timeout 14400
    >> global (outside) 1 interface
    >> nat (inside) 1 0.0.0.0 0.0.0.0
    >> route outside 0.0.0.0 0.0.0.0 80.164.234.34 1
    >> timeout xlate 3:00:00
    >> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    >> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
    >> 0:05:00
    >> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
    >> 0:02:00
    >> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    >> dynamic-access-policy-record DfltAccessPolicy
    >> http server enable
    >> http 85.xx.xx.2 255.255.255.255 outside
    >> http 172.16.0.0 255.255.255.0 inside
    >> http 87.xx.xx.42 255.255.255.255 outside
    >> no snmp-server location
    >> no snmp-server contact
    >> snmp-server enable traps snmp authentication linkup linkdown coldstart
    >> crypto ipsec security-association lifetime seconds 28800
    >> crypto ipsec security-association lifetime kilobytes 4608000
    >> telnet timeout 5
    >> ssh 172.16.0.0 255.255.255.0 inside
    >> ssh 87.xx.xx.42 255.255.255.255 outside
    >> ssh 85.xx.xx.2 255.255.255.255 outside
    >> ssh timeout 60
    >> console timeout 60
    >> dhcpd dns 194.xx.xx.83 193.xx.xx.164
    >> dhcpd auto_config outside
    >> !
    >> dhcpd address 172.16.0.100-172.16.0.130 inside
    >> dhcpd dns 194.xx.xx.83 193.xx.xx.164 interface inside
    >> dhcpd enable inside
    >> !
    >>
    >> threat-detection basic-threat
    >> threat-detection statistics access-list
    >> no threat-detection statistics tcp-intercept
    >> !
    >> class-map type regex match-any DomainBlockList
    >> match regex domainlist1
    >> match regex domainlist2
    >> match regex domainlist3
    >> class-map type inspect http match-all BlockDomainsClass
    >> match request header host regex class DomainBlockList
    >> class-map test-udp-class
    >> match access-list test-udp-acl
    >> class-map inspection_default
    >> match default-inspection-traffic
    >> class-map httptraffic
    >> match access-list inside_mpc
    >> !
    >> !
    >> policy-map type inspect dns preset_dns_map
    >> parameters
    >> message-length maximum 512
    >> policy-map type inspect http http_inspection_policy
    >> parameters
    >> protocol-violation action drop-connection
    >> match request method connect
    >> drop-connection log
    >> class BlockDomainsClass
    >> reset log
    >> policy-map global_policy
    >> class inspection_default
    >> inspect dns preset_dns_map
    >> inspect ftp
    >> inspect h323 h225
    >> inspect h323 ras
    >> inspect rsh
    >> inspect rtsp
    >> inspect esmtp
    >> inspect sqlnet
    >> inspect skinny
    >> inspect sunrpc
    >> inspect xdmcp
    >> inspect sip
    >> inspect netbios
    >> inspect tftp
    >> inspect pptp
    >> policy-map inside-policy
    >> class httptraffic
    >> inspect http http_inspection_policy
    >> policy-map test-udp-policy
    >> class test-udp-class
    >> policy-map type inspect ipsec-pass-thru IPsec-map
    >> parameters
    >> esp per-client-max 32 timeout 0:06:00
    >> !
    >> service-policy global_policy global
    >> service-policy inside-policy interface inside
    >> service-policy test-udp-policy interface outside
    >> prompt hostname context
    >> Cryptochecksum:40a82b3bc1c8fee8a486410bdca082df

    >
    >
     
    M, Mar 5, 2009
    #3
  4. Re: regular translation creation failed for protocol 50 src inside:172.16.0.105 dst outside:85.xx.xx.9

    In article <49aff28b$0$90264$>,
    M <> wrote:
    > I simply can not get it working :-(


    > Is it possible to send me en configuration example of an ASA that have
    > IPsec clients working?


    > Best regards
    > Martin


    Try adding "inspect ipsec-pass-thru" to an inspection policy applied
    inbound to the inside interface - where you're initiating the connection
    from (you could probably add it to the global_policy).

    The "inspect ipsec-pass-thru" allows ESP through by default, so that
    should be fine; no manipulation through an IPSec-map should be required.
    Another consideration is enabling UDP (or TCP) encapsulation on the VPN
    Client, so the firewall sees the packets as UDP/TCP, rather than ESP
    (protocol 50) traffic.

    Cheers,

    Matt

    --
    Matthew Melbourne
     
    Matthew Melbourne, Mar 5, 2009
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Bruce

    Translation Creation Failed

    Bruce, Nov 16, 2004, in forum: Cisco
    Replies:
    5
    Views:
    10,906
    Bruce
    Nov 18, 2004
  2. Replies:
    2
    Views:
    14,622
    milkboy33
    Apr 17, 2012
  3. Scooty
    Replies:
    1
    Views:
    6,447
    Walter Roberson
    Mar 2, 2007
  4. Replies:
    16
    Views:
    19,503
    javijavi
    May 5, 2009
  5. Sam Wilson
    Replies:
    0
    Views:
    908
    Sam Wilson
    Oct 18, 2012
Loading...

Share This Page