
ASA 5505: Regular translation creation failed

16 years 6 months ago #26193 by Elohim
I've never set up a site to site tunnel and then let one of the sites be remote access to another vpn server somewhere. That's not saying it can't be done. If your egress point is on the same asa that terminates the site to site tunnel you will have to allow split tunnel so that traffic to the remote access vpn server is allowed. If the egress is another point, then there shouldn't be any issue and there is no config on the local device.

From your description, I think your egress points are the same, at which point you need to allow split tunnelling.

Okay,
I thought I had made the right changes to my Access list statements, but still no go. Below is the current config (minus all the crap-ola). My inside network is a.b.c.0 and I'm trying to get to the x.y.z.0 network using a CISCO VPN Client (inside my network). I have a site to site vpn tunnel to the EE.FF.GG.HH network that is working fine.

ASA Version 7.2(3)
!
interface Vlan1
nameif inside
security-level 100
ip address a.b.c.5 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.8 255.255.255.0
!

access-list outside_1_cryptomap extended permit ip a.b.c.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip a.b.c.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip a.b.c.0 255.255.255.0 x.y.z.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip a.b.c.0 255.255.255.0 x.y.z.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
router rip
default-information originate
version 2
!
http server enable
http 192.168.1.0 255.255.255.0 inside
http a.b.c.0 255.255.255.0 inside

snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer EE.FF.GG.HH
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400

dhcpd auto_config outside
!

tunnel-group EE.FF.GG.HH type ipsec-l2l
tunnel-group EE.FF.GG.HH ipsec-attributes
pre-shared-key *
prompt hostname context

asdm image disk0:/asdm-523.bin
no asdm history enable

16 years 6 months ago #26194 by Elohim
He's not the VPN server so he doesn't need any VPN pool.

I have never set up a VPN for remote users on an ASA, but don't you need to also define a VPN pool in the config?

16 years 5 months ago #26324 by grenadadoc
Correct,
I'm not the server. I'm trying to utilize the CISCO VPNClient software from inside my network to a VPN server outside my network across the internet.

As I don't know much about configuring Access Lists, if the following are the appropriate variables, what would an appropriate ACL be?

If the public ip address of the outside server is A.B.C.D and the internal IP network for that server is aa.bb.cc.0. My internal network ip for this example will be 10.10.10.0.


access-list outside_2 extended permit ip 10.10.10.0 255.255.255.0 aa.bb.cc.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 aa.bb.cc.0 255.255.255.0

Where does the '50' go (from the error message -- I assume I have to permit that protocol/port somehow?)
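Editor's note and added example; this is not part of any post above and is not the poster's configuration. The '50' in the syslog is an IP protocol number: protocol 50 is ESP, the encrypted IPsec data packets the VPN Client sends once its ISAKMP negotiation on UDP/500 has completed. The posted `nat (inside) 1 0.0.0.0 0.0.0.0` with `global (outside) 1 interface` is dynamic PAT, which works by rewriting source ports; ESP has no port numbers, so the ASA cannot build a translation for it and logs "regular translation creation failed for protocol 50". Two things in the posted config do not help with this: `outside_2_cryptomap` is not referenced by any crypto map entry, so it has no effect, and the `inside_nat0_outbound` entry for x.y.z.0 never matches, because the client's packets are addressed to the server's public IP (A.B.C.D in the example), not to the server's internal network. The ASA-side fix is the IPsec pass-through inspection, which opens a pinhole for the ESP flow that follows a client's UDP/500 exchange. The `global_policy` / `inspection_default` names are the ASA defaults and are assumed to exist on this box; the addresses are the placeholders from the post.

```cisco
! Added example (editor's, not the poster's config). Assumes ASA 7.2 with the
! default global_policy service policy applied globally, the inside network
! 10.10.10.0/24 from the post, and the VPN server's public IP A.B.C.D.
!
! Why the posted NAT breaks the VPN Client:
!   nat (inside) 1 0.0.0.0 0.0.0.0  +  global (outside) 1 interface
! is dynamic PAT. ISAKMP (UDP/500) gets a port translation and works; ESP
! (IP protocol 50) has no ports, so no xlate can be built for it and the ASA
! logs: regular translation creation failed for protocol 50
!
! No crypto map, crypto ACL or nat 0 entry is needed for this traffic: the ASA
! is not a tunnel endpoint here, it only forwards the client's packets.
!
! Fix: enable IPsec pass-through inspection. After a client completes its
! UDP/500 exchange with A.B.C.D, the inspection tracks the matching ESP flow
! and lets it through the PAT boundary.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
!
! The service policy is normally already applied globally on a 7.2 box; if
! "show running-config service-policy" shows nothing, apply it:
service-policy global_policy global
```

To confirm it is working, connect with the VPN Client and check `show service-policy` (the `inspect ipsec-pass-thru` line should show packets counted) and `show xlate` for the client's UDP/500 entry. The alternative that needs no ASA change is on the client: in the Cisco VPN Client's Transport tab, enable Transparent Tunneling with "IPSec over UDP (NAT/PAT)", which wraps ESP in UDP/4500 so that ordinary PAT handles it, provided the server at A.B.C.D accepts NAT-T.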
16 years 5 months ago #26325 by Elohim
Is your egress point for this remote access VPN (using the VPN client) the same interface as the one used to establish a site-to-site VPN? If it is, you need to allow split tunnelling on the ASA. Otherwise, please draw a picture of what you are trying to do.


16 years 5 months ago #26361 by grenadadoc
I've drawn a picture of the network topology and what I'm trying to do. I don't know how to upload an image to this forum. Any instructions anywhere?
16 years 5 months ago #26363 by Elohim
Upload it somewhere and point to the URL with the img tag.



