09-24-2013 08:47 AM - edited 03-11-2019 07:42 PM
Hi Everyone,
We have an external user on the DMZ, and he is trying to connect to their company network over VPN.
Here is the log from the internet firewall.
I can see the firewall is allowing the rule.
%ASA-6-302013: Built outbound TCP connection 6931561 for outside:200.x.x.x
%ASA-3-305006: regular translation creation failed for protocol 47 src dmz 192.x.x.x
What should I do to fix this issue?
Regards
Mahesh
09-25-2013 11:44 AM
Hi,
The problem is that GRE is portless. It is just an IP protocol, not something that we can PAT using TCP/UDP.
You can try this command. This will add PPTP to the global inspection.
fixup protocol pptp
If this doesn't work, a static NAT for that host should be required.
HTH
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
http://www.cisco.com/web/partners/tools/pdihd.html
09-25-2013 12:37 PM
Hi Luis,
Thanks for the reply.
I added inspect pptp under the global inspection policy, and after that the ASA allowed the GRE tunnel.
Seems PPTP is not inspected by default.
Best Regards
Mahesh
09-25-2013 12:39 PM
Yes, you are right, it is not.
I am glad it helps.
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
http://www.cisco.com/web/partners/tools/pdihd.html
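The fix discussed in this thread, written out as ASA configuration. This is an added example, not posted by either participant: it assumes the default policy-map and class names (global_policy, inspection_default), and the static NAT fallback uses ASA 8.3+ object NAT syntax with a hypothetical object name and placeholder documentation addresses.

```cisco
! Added example, not from the original thread.
! Assumption: the default global policy names are still in use.
!
! 1) Enable PPTP inspection. With it, the ASA follows the PPTP control
!    channel and can build the translation for the GRE (IP protocol 47)
!    data flow that PAT alone cannot handle, which is what the
!    %ASA-3-305006 "protocol 47" message was reporting.
policy-map global_policy
 class inspection_default
  inspect pptp
!
! 2) Verify: the inspection should be listed, and its packet counter
!    should increase when the DMZ user reconnects.
show running-config policy-map
show service-policy
!
! 3) Fallback from the thread if inspection does not help: a one-to-one
!    static NAT for the DMZ host, so GRE is translated without ports.
!    Assumptions: ASA 8.3+ syntax; DMZ-PPTP-CLIENT is a hypothetical
!    object name; 192.0.2.10 (real DMZ host) and 198.51.100.10 (mapped
!    address) are placeholders. Interface names dmz and outside are the
!    ones shown in the posted log.
object network DMZ-PPTP-CLIENT
 host 192.0.2.10
 nat (dmz,outside) static 198.51.100.10
```

A static NAT exposes the host on a dedicated mapped address, so keep the outside access rules for that address as narrow as the existing policy allows.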