Skip to main content

ASA 5505: Regular translation creation failed

More
16 years 7 months ago #25802 by grenadadoc
I have recently installed an ASA 5505 and created a 'box to box VPN tunnel for purposes of electronic prescription. I have a VPN client app that I use to access a radiology image database at my hospital. When I click the VPN Client app (Cisco VPN Client version 4.8.01.0300), the client app states that the tunnel is created. I then try to access the radiology website using IE7 and no response. When I view the ASA 5505 syslog, I get the following error message:
Syslog: 305006
Source IP: 216.xxx.xxx.xxx
Description: regular translation creation failed for protocol 50 src inside: 10.qqq.qqq.qqq dst outside: 216.xxx.xxx.xxx.

My current config is as follows:
: Saved
:
ASA Version 7.2(3)
!
hostname Grenada
domain-name yourdomainname.com
enable password xxxxxxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 999.999.999.5 255.255.255.0 (* 999.999.999.5 is the inside address for my ASA 5505)
!
interface Vlan2
nameif outside
security-level 0
ip address 888.888.1.8 255.255.255.0 (* 888.888.1.8 is my router's outside interface address)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxxxxxx encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name gmmpc.local
access-list outside_1_cryptomap extended permit ip 999.999.999.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 999.999.999.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 888.888.1.1 1 (* 888.888.1.1 is on the building's router)
!
router rip
default-information originate
version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 888.888.1.0 255.255.255.0 inside
http 999.999.999.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 66.eee.eee.eee
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
!
username administrator password xxxxxxxxxxxxxxxxxxxxxx encrypted
tunnel-group 66.eee.eee.eee type ipsec-l2l
tunnel-group 66.eee.eee.eee ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
asdm image disk0:/asdm-523.bin
no asdm history enable



Any ideas to allow the CISCO VPN Client app to function correctly?

Thanks in advance
More
16 years 7 months ago #25804 by Elohim
Your config tries to setup site to site VPN but you are describing remote access vpn and you don't have any configuration for remote access VPN. Your ACL is not complete. YOu need to allow the inside subnetworks through the VPN tunnel through to the subnetwork that the servers are on and vice versa.
More
16 years 7 months ago #25823 by grenadadoc
Correct, I have a site to site VPN created that I need to maintain. How do I create the specific ACLs to permit the vpn client software in my network to communicate w/ the server? I did the Site to site w/ the GUI interface.
Thanks

Your config tries to setup site to site VPN but you are describing remote access vpn and you don't have any configuration for remote access VPN. Your ACL is not complete. YOu need to allow the inside subnetworks through the VPN tunnel through to the subnetwork that the servers are on and vice versa.

More
16 years 7 months ago #25824 by Elohim
Assume this:

Inside network(192.168.0.0/24)----asa
asa----(192.168.1.0/24)

If you have a layout like above, you need at least 2 ACL entries, one to bring up the tunnel between the ASAs (tunnel peers) and one to allow interesting traffic between the two subnetworks behind the ASAs.

Correct, I have a site to site VPN created that I need to maintain. How do I create the specific ACLs to permit the vpn client software in my network to communicate w/ the server? I did the Site to site w/ the GUI interface.
Thanks

Your config tries to setup site to site VPN but you are describing remote access vpn and you don't have any configuration for remote access VPN. Your ACL is not complete. YOu need to allow the inside subnetworks through the VPN tunnel through to the subnetwork that the servers are on and vice versa.

More
16 years 6 months ago #26185 by grenadadoc
Okay,
I thought I had made the right changes to my Access list statements, but still no go. Below is the current config (minus all the crap-ola. My inside network is a.b.c.0 and I'm trying to get to the x.y.z.0 network using a CISCO VPN Client (inside my network). I have a site to site vpn tunnel to EE.FF.GG.HH network that is working fine.

ASA Version 7.2(3)
!
interface Vlan1
nameif inside
security-level 100
ip address a.b.c.5 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.8 255.255.255.0
!

access-list outside_1_cryptomap extended permit ip a.b.c.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip a.b.c..0 255.255.255.0 192.168.50.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip a.b.c.0 255.255.255.0 x.y.z.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip a.b.c..0 255.255.255.0 x.y.z.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
router rip
default-information originate
version 2
!
http server enable
http 192.168.1.0 255.255.255.0 inside
http a.b.c.0 255.255.255.0 inside

snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer EE.FF.GG.HH
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400

dhcpd auto_config outside
!

tunnel-group EE.FF.GG.HH type ipsec-l2l
tunnel-group EE.FF.GG.HH ipsec-attributes
pre-shared-key *
prompt hostname context

asdm image disk0:/asdm-523.bin
no asdm history enable
More
16 years 6 months ago #26188 by sp1k3tou
I have never setup a vpn for remote users on a ASA but don't you need to also define a VPN pool in the config?
Time to create page: 0.132 seconds