regular translation creation failed for protocol 46

Can anyone assist with this error message?

regular translation creation failed for protocol 46 src inside: 172.16.16.179 dst outside: 192.168.1.50

I am attempting to make a video call with a Polycom unit. I have a Cisco ASA and the remote unit has a Cisco 800 series router. I am not sure why the 192.168.1.50 IP of the remote device shows up since I am calling its public IP address.


sokakkar
Cisco Employee

Hi Christie,

Can you post some more details, like what protocol is used to make the voice call, e.g. SIP?

Can you post the 'show run' from the ASA (hide public IP details if you want) along with complete logs for a call attempt, instead of only the message which showed up above?

IP protocol 46 is RSVP:

http://en.wikipedia.org/wiki/Resource_Reservation_Protocol

Maybe the inside device is picking up the IP of the remote router from the layer 7 header of frames travelling on the control channel.

Can you get bidirectional captures on inside and outside of ASA for this flow? Here are the commands to do it:

access-l cpi permit ip host 172.16.16.179 any

access-l cpi permit ip any host 172.16.16.179

capture capi int inside access-l cpi buffer 3123456

access-l cpo permit ip host mapped_IP_of_172.16.16.179 host Public_IP_of_remote_device

access-l cpo permit ip host Public_IP_of_remote_device host Mapped_IP_of_172.16.16.179

capture capo int outside access-l cpo buffer 3123456

Download the captures from a machine which has ASDM access, using a browser, as follows:

https://IP_OF_ASA/capture/capi/pcap               <- Save file as inside.pcap

https://IP_OF_ASA/capture/capo/pcap               <- Save file as outside.pcap

-

Sourav
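A small triage helper for the logged message, added here as an illustration (it is not code from the thread or from Cisco). It names the IP protocol and flags the condition the reply above hypothesises: an RFC 1918 destination appearing on the outside interface. The function name `triage`, the `untrusted_ifs` parameter and the second sample line are assumptions made for this example.

```python
import ipaddress
import re

# Protocol numbers as assigned by IANA; 46 is the one in the logged message.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 46: "RSVP", 47: "GRE", 50: "ESP"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"(?P<kind>\w+) translation creation failed for protocol (?P<proto>\w+)"
    r" src (?P<src_if>[\w-]+):\s*(?P<src>[\d.]+)(?:/\d+)?"
    r" dst (?P<dst_if>[\w-]+):\s*(?P<dst>[\d.]+)(?:/\d+)?"
)

SAMPLE_LINES = [
    # Message quoted in the original post.
    "regular translation creation failed for protocol 46 "
    "src inside: 172.16.16.179 dst outside: 192.168.1.50",
    # Constructed line for contrast: named protocol, ports, public destination.
    "regular translation creation failed for protocol UDP "
    "src inside:192.168.16.179/3230 dst outside:203.0.113.10/3230",
]

def triage(line, untrusted_ifs=("outside",)):
    """Parse one message; return None if the line is not a translation failure."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    proto = m["proto"]
    if proto.isdigit():
        name = IP_PROTOCOLS.get(int(proto), "IP protocol " + proto)
    else:
        name = proto.upper()
    dst = ipaddress.ip_address(m["dst"])
    return {
        "kind": m["kind"],
        "protocol": name,
        "src": m["src"], "src_if": m["src_if"],
        "dst": m["dst"], "dst_if": m["dst_if"],
        # A private destination on an untrusted interface was not dialled as a
        # public address; it was most likely learned from signalling payload.
        "private_dst_on_outside": m["dst_if"] in untrusted_ifs
                                  and any(dst in net for net in RFC1918),
    }

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(line))
```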

I have set both video conferencing units to use the fixed port 3230, but they also use 5060 and 1720.  I will work on the captures as well but wanted to go ahead and post the other information.

My video device is 192.168.16.179

This is a stripped down configuration from the ASA:

ASA Version 8.2(5)
!

multicast-routing
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
description INTERFACE TO LAN
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description INTERFACE TO ETHERNET 0/1 AND LAN
nameif inside
security-level 100
ip address 192.168.16.4 255.255.255.0
!
interface Vlan2
description INTERFACE TO ETHERNET 0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.240
!
ftp mode passive
access-list Outside_Access_In extended permit tcp any host 1.1.1.1 eq sip
access-list Outside_Access_In extended permit tcp any host 1.1.1.1 eq 3230
access-list Outside_Access_In extended permit tcp any host 1.1.1.1 eq h323
access-list Outside_Access_In extended permit udp any host 1.1.1.1 eq sip
access-list Outside_Access_In extended permit udp any host 1.1.1.1 eq 3230
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1

no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3230 192.168.16.179 3230 netmask 255.255.255.255
static (inside,outside) udp interface 3230 192.168.16.179 3230 netmask 255.255.255.255
static (inside,outside) tcp interface sip 192.168.16.179 sip netmask 255.255.255.255

static (inside,outside) udp interface sip 192.168.16.179 sip netmask 255.255.255.255
static (inside,outside) tcp interface h323 192.168.16.179 h323 netmask 255.255.255.255
access-group Outside_Access_In in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.16.0 255.255.255.0 inside
telnet timeout 5

ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect ip-options router
parameters
  nop action allow
  router-alert action allow
policy-map global_policy
class inspection_default
  inspect ip-options router
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Hi Christie,

Ok, the device is using SIP (5060) and H323 (1720). Generally inspection is needed on the ASA to fix the SIP and H323 headers to make these protocols work through (since the ASA does NAT). So, I would recommend that you enable the inspection for both protocols and see if that makes a difference; if not, get us the captures and we will troubleshoot this further. With the limited info that we have, I would recommend that you add the following to the config:

Hostname(config)# policy-map global_policy

Hostname(config-pmap)# class inspection_default

Hostname(config-pmap-c)# inspect sip

Hostname(config-pmap-c)# inspect h323 h225

Hostname(config-pmap-c)# inspect h323 ras

Hostname(config-pmap-c)# end

Hostname#  write memory

Check these links for more understanding of what the above inspect statements do:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1743169

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735531

-

Sourav
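A configuration check built around the recommendation above, added as an illustration (not code from the thread or from Cisco): it reads a running configuration, finds the services published by static PAT lines, and reports which of the inspections named in the reply are absent from `class inspection_default` in `global_policy`. The function names and the `RECOMMENDED` mapping are assumptions made for this example; the sample text is an excerpt of the configuration posted earlier in the thread.

```python
import re

# Inspections recommended in the reply above, keyed by the service names
# used in the static PAT lines of the posted configuration (assumed mapping).
RECOMMENDED = {"sip": ["sip"], "h323": ["h323 h225", "h323 ras"]}

# Excerpt of the configuration posted in this thread.
POSTED_CONFIG = """\
static (inside,outside) tcp interface 3230 192.168.16.179 3230 netmask 255.255.255.255
static (inside,outside) tcp interface sip 192.168.16.179 sip netmask 255.255.255.255
static (inside,outside) udp interface sip 192.168.16.179 sip netmask 255.255.255.255
static (inside,outside) tcp interface h323 192.168.16.179 h323 netmask 255.255.255.255
policy-map type inspect ip-options router
parameters
  nop action allow
policy-map global_policy
class inspection_default
  inspect ip-options router
!
service-policy global_policy global
"""

def forwarded_services(config):
    """Service names published by 'static (...) tcp|udp interface <svc> ...' lines."""
    pat = re.compile(r"^static \(\S+,\S+\) (?:tcp|udp) interface (\S+) ", re.M)
    return set(pat.findall(config))

def enabled_inspections(config, policy="global_policy", cls="inspection_default"):
    """Collect 'inspect ...' entries under one class of one policy-map.
    Indentation is ignored because pasted configurations often lose it."""
    found, in_policy, in_class = set(), False, False
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] in ("!", "policy-map", "service-policy"):
            in_policy, in_class = words == ["policy-map", policy], False
        elif in_policy and words[0] == "class":
            in_class = words == ["class", cls]
        elif in_class and words[0] == "inspect":
            found.add(" ".join(words[1:]))
    return found

def missing_inspections(config):
    """Recommended inspections for published services that are not enabled."""
    enabled = enabled_inspections(config)
    return sorted(insp for svc in forwarded_services(config)
                  for insp in RECOMMENDED.get(svc, []) if insp not in enabled)

if __name__ == "__main__":
    print(missing_inspections(POSTED_CONFIG))
```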
