01-27-2009 07:45 AM - edited 02-21-2020 03:14 AM
I have recently installed a Cisco 5505 and have problems with some of the Cisco VPN Hosts I connect to using the Cisco VPN dialer. The Cisco Dialer connects fine but I am unable to connect to any computers on the remote network.
I have tracked the issue down to the ones that work and the ones that don't. If the remote Cisco is on the same subnet as the computers I am connecting to, it works fine. If the remote Cisco is on a different subnet than the computer I am trying to connect to, it won't work unless I set up a static NAT for a given PC on my network.
When I run through the dynamic NAT for my network I get the following error on the 5505.
regular translation creation failed for protocol 50 src inside:192.168.97.215 dst outside:xx.xxx.xx.xxx
I have been trying to find a solution to this issue ever since I installed the router and have not had any luck with any of the suggestions I have found on the Web. I have attached my config.
Any help would be appreciated.
Mike
01-27-2009 08:58 AM
What you are saying is that this 5505 is the firewall that hosts the PC that uses the VPN client, and the VPN servers are outside this firewall?
regular translation creation failed for protocol 50 src inside:192.168.97.215 dst outside:xx.xxx.xx.xxx
This message means that the firewall is not allowing ESP to go through PAT; please go ahead and make sure that the remote server has NAT-T enabled.
01-27-2009 09:13 AM
Thanks for your response.
Yes, that is exactly the setup we are trying to get to work.
I have a call in to them now and will check on their setup, but I have no control over how they configure their routers; I can only make requests.
I was hoping there was something causing it on my side as I deal with Hospitals and they can get very picky about their security.
I guess what is confusing me is that it works if it goes through a static NAT but not if it runs through our dynamic NAT.
Mike
01-27-2009 09:15 AM
The problem is that ESP does not work or pass through PAT, since it is a portless protocol. The inspect IPsec pass-through is used only for dynamic one-to-one NAT, so your only choice is to allow them to enable NAT-T or to have a static one-to-one NAT.
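The following is an added example, not code from the thread or from Cisco: a small Python model of the translation decision the two replies describe. It parses constructed IPv4 packets, creates a PAT entry for TCP/UDP (including ESP-in-UDP on port 4500, i.e. NAT-T), lets a host with a static one-to-one mapping through regardless of protocol, and for bare ESP (IP protocol 50) behind PAT produces the same "regular translation creation failed" text the poster saw. The `Firewall` and `NatResult` classes, the 198.51.100.x/203.0.113.x addresses and the SPI values are assumptions made for the illustration; a real ASA's NAT engine is of course more involved than this.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
NAT_T_PORT = 4500  # UDP port used for ESP-in-UDP encapsulation (NAT-T)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options; checksum left zero). Constructed test input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_esp(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """ESP header is SPI + sequence number: there is no port pair to translate."""
    return struct.pack("!II", spi, seq) + body


@dataclass
class NatResult:
    translated: bool
    reason: str
    outside_src: Optional[str] = None  # "ip" or "ip:port" as seen on the outside


class Firewall:
    """Hypothetical model of an edge firewall doing dynamic PAT plus optional static NAT."""

    def __init__(self, outside_ip: str, static_map=None, first_port: int = 1024):
        self.outside_ip = outside_ip
        self.static_map = dict(static_map or {})  # inside IP -> dedicated outside IP
        self.next_port = first_port

    def translate(self, pkt: bytes) -> NatResult:
        ihl = (pkt[0] & 0x0F) * 4
        proto = pkt[9]
        src, dst = bytes_to_ip(pkt[12:16]), bytes_to_ip(pkt[16:20])
        l4 = pkt[ihl:]

        # Static one-to-one NAT rewrites the whole address; no port is needed,
        # so a portless protocol such as ESP passes unchanged.
        if src in self.static_map:
            return NatResult(True, "static one-to-one NAT", self.static_map[src])

        # Dynamic PAT: many inside hosts share one outside IP and are told apart
        # by the translated source port, so a transport header with ports is required.
        if proto in (IPPROTO_TCP, IPPROTO_UDP):
            sport, dport = struct.unpack("!HH", l4[:4])
            port, self.next_port = self.next_port, self.next_port + 1
            note = " (ESP-in-UDP, NAT-T)" if dport == NAT_T_PORT else ""
            return NatResult(True, f"PAT proto {proto} port {sport}->{port}{note}",
                             f"{self.outside_ip}:{port}")

        # Anything else (ESP carries only an SPI) gives PAT nothing to overload.
        return NatResult(False,
                         f"regular translation creation failed for protocol {proto} "
                         f"src inside:{src} dst outside:{dst}")


def demo() -> dict:
    inside, remote = "192.168.97.215", "203.0.113.10"  # constructed addresses
    bare_esp = build_ipv4(inside, remote, IPPROTO_ESP, build_esp(0x1234ABCD, 1))
    nat_t = build_ipv4(inside, remote, IPPROTO_UDP,
                       build_udp(NAT_T_PORT, NAT_T_PORT, build_esp(0x1234ABCD, 1)))

    pat_only = Firewall("198.51.100.1")
    with_static = Firewall("198.51.100.1", static_map={inside: "198.51.100.2"})
    return {
        "esp_via_pat": pat_only.translate(bare_esp),      # fails, as in the thread
        "natt_via_pat": pat_only.translate(nat_t),        # UDP/4500 gets a port, passes
        "esp_via_static": with_static.translate(bare_esp),  # static NAT passes ESP
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: translated={result.translated} -> {result.outside_src} ({result.reason})")
```

Running it shows the three cases side by side: bare ESP from a PAT-only host yields the failure message, the same ESP wrapped in UDP/4500 (what NAT-T does on the peer) gets a translated port like any UDP flow, and a host with a static one-to-one entry passes ESP untouched, which is why the poster's static NAT workaround succeeded.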
01-27-2009 09:19 AM
Ok,
Thank you for the information, that is what I was trying to find out.
Thanks,
Mike