03-21-2008 07:10 AM - edited 03-11-2019 05:20 AM
We have a new ASA; there are no firewall rules associated with the inside interface. Our finance department has to run the AT&T net client to connect with Medicare, and this now fails. On the ASA I get an error that says: 3|Mar 20 2008|10:41:39|305006|12.64.175.2||regular translation creation failed for protocol 50 src inside:10.0.50.30 dst outside:12.64.175.2
NAT-T is on the firewall, and I also tried the inspect ipsec pass-through to no avail. Any other suggestions?
03-21-2008 08:02 AM
On the remote VPN server either enable NAT-T, or create a 1-1 static on the firewall opening ESP and UDP-500.
03-21-2008 08:53 AM
I don't have control of the remote end; it's Medicare. Is there anything else I can do on my end to make this work short of doing static NATs? It used to work on my Netscreen firewall somehow; only since switching to the ASA has it broken.
03-21-2008 09:47 AM
In your VPN client, AT&T connection properties, Transport tab, where you have checked off Enable Transparent Tunneling, choose IPsec over UDP (NAT/PAT).
03-21-2008 10:06 AM
Jorge, this would still not work. By default Enable Transparent Tunneling is enabled. Here the problem is that since the remote server doesn't want to enable NAT-Transparency, the ESP packet would never be encapsulated over UDP 4500, and therefore ESP would not be able to be PATted...
The only way to get this working is a 1-1 static or NAT traversal.
03-21-2008 10:33 AM
Completely agree, you are right... wonder what happened to my cup of coffee...
03-21-2008 12:50 PM
One of the things to keep in mind when switching from one firewall vendor, Juniper, to another firewall vendor, Cisco, is that different devices can handle things differently. Devices such as Juniper or Netscreen have the ability to do "IPSec pass-through" that devices such as Pix or ASA can NOT.
That being said, if you replace the ASA with a Cisco IOS router with the ability to do this:
ip nat inside source static udp 192.168.1.1 500 interface F0/0 500
ip nat inside source static esp 192.168.1.1 interface F0/0
where 192.168.1.1 is the host behind the router. That will enable the client to connect via ESP.
It is very unfortunate that ASA can not do this.
CCIE Security
03-21-2008 01:14 PM
"IPSec pass-through" that devices such as Pix or ASA can NOT.
ASA can do IPsec pass-through, but you cannot port address translate an ESP packet; that's the reason NAT-Transparency came into the picture, which means if the VPN server has it enabled, it detects the client to be behind a PAT device and the client starts encapsulating ESP over UDP, which can be PATted now...
Hope it answers!
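The two points the thread turns on are the 305006 syslog message in the first post and the explanation just above that ESP has no port for PAT to rewrite, while NAT-T's UDP 4500 wrapper does. The following Python script is an added example, not code from the thread or from Cisco: it parses constructed ASA syslog lines in the pipe-delimited format the first post quotes (the first sample reproduces that post's message; the second, a 302015 "Built outbound UDP connection" line on port 4500, is made up for contrast), flags translation failures for portless protocols, and then simulates PAT over two constructed packets, raw ESP (IP protocol 50) and the same ESP carried inside UDP 4500 as NAT-T does. IP checksums are left zero and the 302015 message text is an assumption; the hosts 203.0.113.5 and port 1025 are constructed sample values.

```python
import re
import socket
import struct

# Constructed sample ASA syslog lines. The first mirrors the message quoted in the
# thread's first post; the second is a made-up NAT-T (UDP 4500) success for contrast.
SAMPLE_SYSLOG = [
    "3|Mar 20 2008|10:41:39|305006|12.64.175.2||regular translation creation failed "
    "for protocol 50 src inside:10.0.50.30 dst outside:12.64.175.2",
    "6|Mar 20 2008|10:41:40|302015|10.0.50.30|12.64.175.2|Built outbound UDP connection "
    "1234 for outside:12.64.175.2/4500 (12.64.175.2/4500) to inside:10.0.50.30/4500 "
    "(203.0.113.5/1025)",
]

MSG_305006 = re.compile(
    r"regular translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+)"
)

# IP protocols with no layer-4 port field: PAT has nothing to rewrite.
PORTLESS = {50: "ESP", 51: "AH", 47: "GRE"}
PORT_CARRYING = {6: "TCP", 17: "UDP"}


def parse_305006(line):
    """Return the fields of an ASA 305006 message, or None for any other line."""
    fields = line.split("|")
    if len(fields) < 7 or fields[3] != "305006":
        return None
    m = MSG_305006.search(fields[6])
    if not m:
        return None
    proto = int(m.group("proto"))
    return {
        "proto": proto,
        "proto_name": PORTLESS.get(proto) or PORT_CARRYING.get(proto, str(proto)),
        "src_if": m.group("src_if"), "src": m.group("src"),
        "dst_if": m.group("dst_if"), "dst": m.group("dst"),
        "pat_possible": proto in PORT_CARRYING,
    }


def triage(lines):
    """Flag 305006 events for portless protocols, which need NAT-T or a 1:1 static NAT."""
    findings = []
    for line in lines:
        ev = parse_305006(line)
        if ev and not ev["pat_possible"]:
            findings.append(
                f"{ev['proto_name']} {ev['src_if']}:{ev['src']} -> {ev['dst_if']}:{ev['dst']} "
                "cannot be PATted: enable NAT-T (UDP 4500) on the VPN server "
                "or give the host a 1:1 static NAT"
            )
    return findings


def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (checksum left zero; enough to show the field layout)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def esp(spi, seq, body=b"\x00" * 16):
    """ESP header is SPI + sequence number followed by the encrypted body: no ports."""
    return struct.pack("!II", spi, seq) + body


def udp(sport, dport, data):
    """UDP header (checksum zero); NAT-T wraps ESP in this on port 4500."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def pat(packet, new_src, new_sport):
    """Simulate PAT: rewrite source IP and source port. Return (packet, translated)."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto not in PORT_CARRYING:
        return bytes(packet), False        # no port to key the translation on: this is 305006
    hdr, payload = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    hdr[12:16] = socket.inet_aton(new_src)
    payload[0:2] = struct.pack("!H", new_sport)   # TCP and UDP both put source port first
    return bytes(hdr + payload), True


def demo():
    """Raw ESP fails PAT; the same ESP inside UDP 4500 (NAT-T) translates to port 1025."""
    inner = esp(spi=0x12345678, seq=1)
    raw_esp = ipv4(50, "10.0.50.30", "12.64.175.2", inner)
    nat_t = ipv4(17, "10.0.50.30", "12.64.175.2", udp(4500, 4500, inner))
    _, esp_ok = pat(raw_esp, "203.0.113.5", 1025)
    out, natt_ok = pat(nat_t, "203.0.113.5", 1025)
    return esp_ok, natt_ok, struct.unpack("!H", out[20:22])[0]


if __name__ == "__main__":
    for finding in triage(SAMPLE_SYSLOG):
        print(finding)
    print(demo())
```

Running the script prints one finding for the protocol 50 line and `(False, True, 1025)`: the raw ESP packet cannot be translated, the NAT-T packet can, and its source port has been rewritten. The triage function is the piece to reuse on a real syslog feed; the packet functions only exist to make the "no port field" argument concrete.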
03-21-2008 01:17 PM
What I meant to say is:
ip nat inside source static udp 192.168.1.1 500 interface F0/0 500
ip nat inside source static esp 192.168.1.1 interface F0/0
Can ASA do this?
03-22-2008 06:31 PM
ASA does support IPSec pass-through.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1522169
03-22-2008 06:34 PM
Oh, and also, run 7.2 software; I think I remember something about some bugs with the IPsec inspect before this release.