IPSEC Traffic through ASA5510

rpw5354
Level 1

I need to allow an AT&T global network client VPN connection on one of our client PCs access through our ASA5510. I was given a white paper on what ports and protocols I need to allow but don't know how to go about opening up these ports and protocols. There's a note that reads, "IPSEC traffic must be allowed as well".

Port 500 UDP In and Out

Port 4500 UDP In

Protocol ESP(50) In and Out

I'd appreciate any help.

24 Replies

I actually had a "no crypto isakmp nat-traversal" command in the ASA, which I reverted, and tried the AT&T VPN again to no avail. I always have to have the STATIC NAT from the client PC to the outside interface in place to get it to work, which breaks my outside VPN clients. What am I missing? Plus the ONLY HITS I get on my ACLs when the AT&T VPN connects is the one for allowing ESP(50) traffic coming INTO my network on the outside interface. I never see hits for UDP/4500 or UDP/500, etc. The AT&T white papers state I MUST allow ESP both in and out for all GIGS, plus open port UDP/500 for all GIGS both in and out, plus UDP/4500 for all GIGS both in and out...which I did but never get any hits on the ACLs.

1. The ACLs shouldn't be a problem as it works when you have the 1 to 1 static. You are allowing the appropriate ports outbound (acl 120).

2. You actually do not need to specify the ports in acl 100. But if you still want to you have it written in reverse. This acl is applied into the outside interface, so the source would be any and the destination would be ATT_VPN_GIGS, like so...

access-list 100 extended permit esp any object-group ATT_VPN_GIGS

access-list 100 extended permit udp any object-group ATT_VPN_GIGS eq isakmp

access-list 100 extended permit udp any object-group ATT_VPN_GIGS eq 4500

but like I said, you shouldn't need this.

3. Leave crypto isakmp nat-traversal. This is so the ASA will do nat-t for your vpn clients terminating on the ASA.

4. Other than that, if the AT&T is truly doing nat-t, I'm at a loss. Try to get some logging going on the ASA.

I took out the 1 to 1 STATIC NAT command and I get the following message when I try to connect the AT&T VPN client.

regular translation creation failed for protocol 50 src inside:172.16.3.31 dst outside:12.65.191.2

172.16.3.31 is the IP address of the client PC

12.65.191.2 is one of the GIGS IP addresses from AT&T

I copied the definition of the error msg I'm getting right from Cisco's SYSLOG ID MESSAGES PDF. Hopefully you can interpret it for me?

Error Message %FWSM-3-305006: {outbound static|identity|portmap|regular} translation creation failed for protocol src interface_name:source_address/source_port dst interface_name:dest_address/dest_port

Explanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the security appliance.

This message appears as a fix to caveat CSCdr00663 that requested that security appliance not allow packets that are destined for network or broadcast addresses. The security appliance provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, the security appliance denies translations for a destined IP address identified as a network or broadcast address.

The security appliance does not apply PAT to all ICMP message types; it only applies PAT ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT xlate. So, when the other ICMP messages types are dropped, system log message 305006 (on the security appliance) is generated. The security appliance utilizes the global IP and mask from configured static command statements to differ regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the security appliance does not create a translation for network or broadcast IP addresses with inbound packets.

For example:

static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128

Global address 10.2.2.128 is responded to as a network address and 10.2.2.255 is responded to as the broadcast address. Without an existing translation, security appliance denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and logs this system log message.

Recommended Action If the packet that was denied was destined for a valid host IP address, change the netmask of the static translation, so that the host IP address is not the same as a network or broadcast address.
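As an added example (not from this thread, AT&T or Cisco), a small Python parser for %ASA-3-305006 lines like the one quoted above. It pulls out the translation kind, protocol, interfaces and addresses, and flags the case actually in play here: a dynamic ("regular") translation requested for ESP, which carries no port for PAT to overload, so the only ways through are NAT-T (ESP inside UDP/4500) or the 1:1 static NAT the poster had to keep. The log lines are constructed; the first is the thread's message with a syslog prefix added.

```python
import re

# Body of syslog 305006 as quoted in the thread; the "%ASA-3-305006:" / "%FWSM-3-305006:"
# prefix is optional, and "/port" follows an address only for protocols that carry ports.
XLATE_FAIL_RE = re.compile(
    r"(?:%(?:ASA|FWSM)-\d-305006:\s*)?"
    r"(?P<kind>outbound static|identity|portmap|regular) translation creation failed "
    r"for protocol (?P<proto>\d+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)
PORTLESS = {50: "ESP", 51: "AH"}  # IPsec protocols with no L4 port for PAT to overload

def parse_305006(line):
    """Return the fields of a 305006 message as a dict, or None for any other line."""
    m = XLATE_FAIL_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["proto"] = int(f["proto"])
    for k in ("sport", "dport"):          # absent for ESP/AH, present for TCP/UDP
        f[k] = int(f[k]) if f[k] else None
    return f

def explain(f):
    """Map an ESP/AH dynamic-xlate failure to the two fixes discussed in the thread."""
    name = PORTLESS[f["proto"]]
    return (f"{name} (protocol {f['proto']}) from {f['src_if']}:{f['src']} to "
            f"{f['dst_if']}:{f['dst']} cannot be built by dynamic PAT: {name} has no port to "
            "overload. The peer must use NAT-T (ESP in UDP/4500) or the host needs a 1:1 static NAT.")

def scan(lines):
    """(source host, explanation) for every 'regular' (dynamic) translation failure on ESP/AH."""
    hits = []
    for line in lines:
        f = parse_305006(line)
        if f and f["kind"] == "regular" and f["proto"] in PORTLESS:
            hits.append((f["src"], explain(f)))
    return hits

# Constructed sample lines; the first is the thread's message with an ASA syslog prefix added.
SAMPLE_LOGS = [
    "%ASA-3-305006: regular translation creation failed for protocol 50 "
    "src inside:172.16.3.31 dst outside:12.65.191.2",
    "%ASA-3-305006: regular translation creation failed for protocol 17 "
    "src inside:172.16.3.31/500 dst outside:12.65.191.2/500",
    "%ASA-6-302015: Built outbound UDP connection 7 for outside:12.65.191.2/4500 "
    "(12.65.191.2/4500) to inside:172.16.3.31/4500 (203.0.113.5/1024)",
]
```

Running `scan(SAMPLE_LOGS)` reports only the ESP line; the UDP/500 failure has ports and so is not a PAT-on-ESP symptom.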

Those aren't always very helpful at all. I still don't think the remote peer is doing nat-t over udp 4500.

Type this in Search NetPro and have a look what other people have done.

"regular translation creation failed for protocol 50"

It didn't return any hits at all. I double checked the AT&T VPN setting for NAT-T; it is turned on. What are we missing?

When I type that in here...

http://forums.cisco.com/eforum/servlet/NetProf?page=advancedSearch

I get several hits.

My Bad.......I was using a website called NetPro. Thanks for clearing that up for me.

Trony
Community Member

Well, it looks like it's an AT&T issue and they won't be fixing it anytime soon.

https://www.qtso.com/download/broadband_limitations.pdf

campbech1
Level 5

Were you able to resolve this? I'm having the exact same problem with this AT&T client now on our ASA5540.
