brad.gocken
Beginner

regular translation creation failed for protocol 50 src inside: dst outside:

Hello,

I'm looking for some guidance on how to get a Cisco 2801, that sits behind a Cisco ASA5510 firewall, set up for IPsec tunneling to an Amazon VPC VPN. The basic network flow, external to internal, is ciscoasa5510-->cisco6509-->cisco2801. I'm having issues getting the BGP peering to establish properly, which is stopping the IPsec tunnel from coming up.

I have verified on the 2801 that the BGP summary is showing the neighbors as Active, and I have enabled debugging, which is producing the following messages:

*Sep  2 18:01:34.099: BGP: 169.254.255.5 open active, local address 169.254.255.6

*Sep  2 18:01:36.047: BGP: 169.254.255.1 open active, local address 169.254.255.2

*Sep  2 18:02:04.099: BGP: 169.254.255.5 read request no-op

*Sep  2 18:02:04.099: BGP: 169.254.255.5 open failed: Connection timed out; remote host not responding, open active delayed 23394ms (35000ms max, 60% jitter)

*Sep  2 18:02:06.047: BGP: 169.254.255.1 read request no-op

*Sep  2 18:02:06.047: BGP: 169.254.255.1 open failed: Connection timed out; remote host not responding, open active delayed 18005ms (35000ms max, 60% jitter)

I then checked the ASA's syslogs and I'm getting the following messages:

Severity  Date         Time      Syslog ID  Source IP       Description

3         Sep 02 2011  13:01:16  305006     72.21.209.225   regular translation creation failed for protocol 50 src inside:10.12.45.254 dst outside:72.21.209.225

3         Sep 02 2011  13:01:07  305006     72.21.209.193   regular translation creation failed for protocol 50 src inside:10.12.45.254 dst outside:72.21.209.193

Can someone please shed some light on what could potentially be wrong?

Thanks,

Brad
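The 305006 messages above are the ASA's way of saying it was asked to build a PAT translation for a protocol that has no ports. The following is an added example (not part of Brad's post and not a Cisco tool) that parses such lines and groups the port-less failures per inside host and peer, which is the check you would want in a log pipeline before blaming BGP. The sample lines are constructed in the standard `%ASA-3-305006:` text format rather than the ASDM column export shown above; the hostname `fw01`, the GRE and TCP lines and the 302015 line are assumptions added to exercise the parser.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines (not the thread's syslog export). The first two
# reproduce the two ESP failures from the post; the rest are assumed extras.
SAMPLE_LOG = """\
Sep 02 2011 13:01:16 fw01 %ASA-3-305006: regular translation creation failed for protocol 50 src inside:10.12.45.254 dst outside:72.21.209.225
Sep 02 2011 13:01:07 fw01 %ASA-3-305006: regular translation creation failed for protocol 50 src inside:10.12.45.254 dst outside:72.21.209.193
Sep 02 2011 13:01:20 fw01 %ASA-3-305006: regular translation creation failed for protocol 47 src inside:10.12.45.254 dst outside:198.51.100.7
Sep 02 2011 13:01:22 fw01 %ASA-3-305006: regular translation creation failed for tcp src inside:10.12.30.15/51234 dst outside:203.0.113.9/443
Sep 02 2011 13:01:25 fw01 %ASA-6-302015: Built outbound UDP connection 12345 for outside:72.21.209.225/500 (72.21.209.225/500) to inside:10.12.45.254/500 (66.191.64.124/500)
"""

# IP protocols with no L4 port field: a PAT (interface overload) rule has
# nothing it can rewrite, so the translation cannot be created.
PORTLESS = {50: "ESP", 51: "AH", 47: "GRE"}

LINE_RE = re.compile(
    r"%ASA-(?P<sev>\d)-305006: regular translation creation failed for "
    r"(?P<proto>protocol \d+|tcp|udp|icmp) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)


@dataclass(frozen=True)
class XlateFailure:
    proto: str
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    portless: bool  # True when PAT can never translate this protocol


def parse_305006(line: str) -> Optional[XlateFailure]:
    """Parse one %ASA-3-305006 line; return None for any other message."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    proto, num = m.group("proto"), None
    if proto.startswith("protocol "):
        num = int(proto.split()[1])
        proto = PORTLESS.get(num, f"ip-proto-{num}")
    return XlateFailure(proto, m.group("src_if"), m.group("src_ip"),
                        m.group("dst_if"), m.group("dst_ip"), num in PORTLESS)


def ipsec_behind_pat(lines):
    """Count port-less translation failures per (inside host, peer, protocol).
    Each key is an inside IPsec/GRE endpoint that is hitting a PAT rule: it
    needs NAT-T on both peers, or a 1:1 static translation plus an ESP permit."""
    hits = Counter()
    for line in lines:
        f = parse_305006(line)
        if f is not None and f.portless:
            hits[(f.src_ip, f.dst_ip, f.proto)] += 1
    return hits


def report(lines) -> str:
    """One summary line per affected inside host / peer pair."""
    out = []
    for (src, dst, proto), n in sorted(ipsec_behind_pat(lines).items()):
        out.append(f"{src} -> {dst} {proto}: {n} translation failure(s); "
                   f"PAT cannot carry {proto}, use NAT-T or a static 1:1 NAT")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

TCP and UDP failures are parsed but not flagged, since those usually mean a different problem (a NAT rule or pool issue) rather than a protocol PAT cannot carry.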

11 Replies
Anu M Chacko
Cisco Employee

Hi Brad,

Could you please verify if nat-t is enabled on the router and ASA?

Please post the output of "sh run" from the ASA here.

Regards,

Anu

Anu,

It appears that NAT-T is not enabled on the ASA. My understanding is that enabling it is global, right? Since I currently have an L2L tunnel set up between the ASA and another remote ASA, will enabling NAT-T have any effect on that established tunnel?

Here is the current running config:

ASA Version 8.4(1)

!

!

interface Ethernet0/0

speed 100

duplex full

nameif inside

security-level 100

ip address 10.12.35.2 255.255.255.0 standby 10.12.35.3

!

interface Ethernet0/1

speed 100

duplex full

nameif outside

security-level 0

ip address 66.191.64.126 255.255.255.240 standby 66.191.64.125

!

interface Ethernet0/2

description LAN Failover Interface

!

interface Ethernet0/3

description STATE Failover Interface

!

interface Management0/0

shutdown

no nameif

security-level 100

no ip address

!

boot system disk0:/asa841-k8.bin

boot system disk0:/asa832-k8.bin

boot system disk0:/asa821-k8.bin

boot system disk0:/asa802-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 10.12.34.11

name-server 10.12.34.12

domain-name

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj-10.10.0.0

subnet 10.10.0.0 255.255.0.0

object network obj-10.15.0.0

subnet 10.15.0.0 255.255.0.0

object network obj-10.12.0.0

subnet 10.12.0.0 255.255.0.0

object network obj-10.12.12.0

subnet 10.12.12.0 255.255.255.128

object network obj-10.12.30.15

host 10.12.30.15

object network obj-66.191.64.115

host 66.191.64.115

object network obj-66.191.64.124

host 66.191.64.124

object network obj-10.12.45.254

host 10.12.45.254

object network obj-10.12.45.254-01

host 10.12.45.254

object-group network DM_INLINE_NETWORK_1

network-object host 10.15.45.254

network-object host 66.191.64.124

object-group network DM_INLINE_NETWORK_2

network-object host 72.21.209.193

network-object host 72.21.209.225

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object udp destination eq isakmp

object-group service DM_INLINE_SERVICE_2

service-object ip

service-object udp destination eq isakmp

object-group service DM_INLINE_SERVICE_3

service-object ip

service-object udp destination eq isakmp

object-group service DM_INLINE_SERVICE_4

service-object ip

service-object udp destination eq isakmp

access-list AllLocal standard permit host 216.113.190.154

access-list AllLocal standard permit 10.12.0.0 255.255.0.0

access-list AllLocal standard permit host 216.113.190.149

access-list AllLocal standard permit 10.15.0.0 255.255.0.0

access-list VPN_Client_Local_Lan standard permit any

access-list private_nat0_outbound extended permit ip any any

access-list inside_access_out extended permit ip any any

access-list outside_cryptomap extended permit ip 10.12.0.0 255.255.0.0 10.15.0.0 255.255.0.0

access-list outside_cryptomap extended permit ip 10.10.0.0 255.255.0.0 10.15.0.0 255.255.0.0

access-list global_mpc extended permit tcp any any

access-list nat_exempt extended permit ip 10.10.0.0 255.255.0.0 10.15.0.0 255.255.0.0

access-list nat_exempt extended permit ip 10.12.0.0 255.255.0.0 10.15.0.0 255.255.0.0

access-list nat_exempt extended permit ip any 10.12.12.0 255.255.255.128

access-list nat_overload extended permit ip 10.10.0.0 255.255.0.0 any

access-list nat_overload extended permit ip 10.12.0.0 255.255.0.0 any

access-list capi extended permit tcp host 10.12.30.15 host 10.12.35.252 eq ssh

access-list capi extended permit tcp host 10.15.100.252 eq ssh host 10.12.30.15

access-list capo extended permit tcp host 10.12.30.15 host 10.12.35.252 eq ssh

access-list capo extended permit tcp host 10.15.100.252 eq ssh host 10.12.30.15

access-list capO extended permit ip host 66.77.96.250 host 66.191.64.126

access-list capO extended permit ip host 66.191.64.126 host 66.77.96.250

access-list global_mpc_1 extended permit ip any any

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host 72.21.209.193 host 66.191.64.124

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 host 72.21.209.225 host 66.191.64.124

access-list outside_access_in extended permit esp host 72.21.209.193 host 66.191.64.124

access-list outside_access_in extended permit esp host 72.21.209.225 host 66.191.64.124

access-list outside_access_in extended permit esp host 72.21.209.193 host 10.12.45.254

access-list outside_access_in extended permit esp host 72.21.209.225 host 10.12.45.254

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 host 72.21.209.193 host 10.12.45.254

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 host 72.21.209.225 host 10.12.45.254

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq ssh

access-list outside_access_in extended deny ip any any

access-list inside_access_out_1 extended permit ip any object-group DM_INLINE_NETWORK_2

!

tcp-map AllowProbes

  reserved-bits clear

  tcp-options range 76 78 allow

!

pager lines 24

logging enable

logging timestamp

logging asdm-buffer-size 512

logging trap informational

logging asdm informational

logging mail debugging

logging facility 23

logging host inside 10.15.0.249

no logging message 106015

no logging message 106007

no logging message 313001

no logging message 313008

no logging message 106023

no logging message 305012

no logging message 305011

no logging message 710003

no logging message 106100

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 302018

no logging message 302017

no logging message 302016

no logging message 302021

no logging message 302020

flow-export destination inside 10.15.0.249 2055

flow-export template timeout-rate 10

mtu inside 1500

mtu outside 1500

failover

failover lan unit primary

failover lan interface HA_Failover_INT Ethernet0/2

failover key

failover replication http

failover link HA_State_INT Ethernet0/3

failover interface ip HA_Failover_INT 10.12.36.2 255.255.255.0 standby 10.12.36.3

failover interface ip HA_State_INT 10.12.37.2 255.255.255.0 standby 10.12.37.3

icmp unreachable rate-limit 1 burst-size 1

icmp permit host 10.15.0.249 echo-reply inside

icmp permit any inside

icmp permit host 10.15.0.1 echo-reply inside

icmp permit any time-exceeded inside

icmp permit any outside

icmp permit any time-exceeded outside

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

nat (inside,any) source static obj-10.10.0.0 obj-10.10.0.0 destination static obj-10.15.0.0 obj-10.15.0.0

nat (inside,any) source static obj-10.12.0.0 obj-10.12.0.0 destination static obj-10.15.0.0 obj-10.15.0.0

nat (inside,any) source static any any destination static obj-10.12.12.0 obj-10.12.12.0

nat (inside,outside) source static obj-10.12.30.15 obj-66.191.64.115

nat (inside,outside) source dynamic obj-10.10.0.0 interface

nat (inside,outside) source dynamic obj-10.12.0.0 interface

!

object network obj-10.12.45.254-01

nat (inside,outside) static 66.191.64.124

access-group inside_access_out_1 out interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 66.191.64.113 1

route inside 10.12.0.0 255.255.0.0 10.12.35.1 1

route inside 10.20.0.0 255.255.0.0 10.12.45.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server DCRADIUS protocol radius

reactivation-mode depletion deadtime 1

aaa-server DCRADIUS (inside) host 10.12.34.11

retry-interval 3

key

authentication-port 1812

accounting-port 1813

radius-common-pw

aaa-server DCRADIUS (inside) host 10.12.34.12

retry-interval 3

key

authentication-port 1812

accounting-port 1813

radius-common-pw

aaa authentication ssh console DCRADIUS LOCAL

aaa authentication http console DCRADIUS LOCAL

aaa authentication serial console DCRADIUS LOCAL

http server enable

http 10.0.0.0 255.0.0.0 inside

http 10.12.0.0 255.255.0.0 inside

service resetoutside

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set Secure esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Public_map 9 match address outside_cryptomap

crypto map Public_map 9 set pfs

crypto map Public_map 9 set peer 66.77.96.250

crypto map Public_map 9 set ikev1 transform-set Secure

crypto map Public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Public_map interface outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

no crypto isakmp nat-traversal

crypto ikev1 enable inside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 28800

telnet timeout 5

ssh 10.0.0.0 255.0.0.0 inside

ssh timeout 15

ssh version 2

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 10.0.0.0 255.0.0.0

threat-detection scanning-threat shun duration 3600

threat-detection statistics host number-of-rate 3

threat-detection statistics port number-of-rate 3

threat-detection statistics protocol number-of-rate 3

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 10.12.34.11 source inside prefer

ntp server 10.12.34.12 source inside

tftp-server inside 10.12.30.19 asdm-635.bin

webvpn

enable outside

anyconnect image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1

anyconnect enable

!

class-map global-class

match access-list global_mpc_1

class-map inspection_default

match default-inspection-traffic

class-map Riverbed

match access-list global_mpc

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

class Riverbed

  set connection advanced-options AllowProbes

class global-class

  flow-export event-type all destination 10.15.0.249

!

service-policy global_policy global

smtp-server 10.15.20.84

prompt hostname context

hpm topN enable

Thanks,

Brad

Hi Brad,

Enabling NAT-T should not affect the VPN tunnels that are already up. Make sure it is enabled at both the VPN end points. Here is a guide:

http://secret-epedemiology-statistic.org.ua/1587052091/ch15lev1sec3.html#ch15lev2sec13

Let me know if you have more queries.

Regards,

Anu

Anu,

I have enabled it on the ASA5510, and from what I can tell and have read it's enabled by default on the 2801, as it's running an IOS release of 12.2(13)T or later.

After making the change I'm still seeing the same "regular translation creation failed for protocol 50 src inside:10.12.45.254 dst outside:72.21.209.225" messages in my syslogs.

Please advise.

thanks,

Brad

Hi Brad,

Who is 10.12.45.254 and who is 72.21.209.225? Clearly there are some ESP packets passing through the ASA between these two addresses, this is why you are getting the drops.

You mention BGP and VPN... so I am kind of confused. What type of VPN is it? Which are the IP addresses involved?

Once I have this info, I think I will be able to provide you a better explanation of what is going on.

Mike

Mike,

10.12.45.254 is the inside interface of our 2801, and 72.21.209.225 is the gateway device on Amazon's end.

Amazon's VPC setup requires BGP peering and creates an IPsec tunnel for the VPN.

After doing much troubleshooting and digging I discovered that Amazon doesn't allow the customer gateway device (in our case the 2801) to sit behind a NAT. I had to create a public interface on the 2801 and bypass the ASA; the peering and tunnel came up and I'm now passing traffic.

Thanks for your input in this.

-Brad

Anu,

I have figured out what the hang-up is. It appears that Amazon VPC doesn't support a customer gateway device set up behind a NAT, as they don't support NAT-T.

I have moved the ISR outside of our firewall and gave it a public IP on an outside interface. Once I did that, the BGP peering came up and the tunnel was established. I'm now passing traffic through the tunnel.

Thanks for your help in this.

-Brad

Brad,

That was the other option: if the gateway does not support NAT traversal, the only option you had was to create a 1-to-1 translation and permit ESP towards the public IP of the inside device that is going to participate in the VPN.

I am glad that everything worked.

Mike

Is this the right thing to do? Isn't it a faulty configuration, and hence you needed to do this?

Nope, not really. It's just a matter of understanding how IPsec tunnels work across NAT devices. I mean, if you are running PAT (port address translation), that's where the problem kicks in. Since GRE, AH and ESP do not have ports, you cannot create a translation for them.

What NAT-Traversal does is just put a UDP header with port 4500 on the packet so that a proper translation can be created on the NAT device (not only the ASA).

Hope this makes sense.

Mike

Hi Brad,

Glad to hear that it works now!

Regards,

Anu
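Mike's point about PAT and port-less protocols, as an added example that is not from the thread or from any Cisco code: a toy model of an ESP packet (RFC 4303 header), a PAT device that can only key translations on L4 ports, and the RFC 3948 UDP-4500 encapsulation that NAT-T adds so a translation becomes possible. The inside and peer addresses are the ones from the thread, the PAT public address 66.191.64.126 is the ASA outside interface from the posted config, and the SPI, sequence number and ciphertext bytes are constructed.

```python
import struct
from dataclasses import dataclass

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
NAT_T_PORT = 4500
# RFC 3948 section 2.2: IKE sent on UDP 4500 carries four zero bytes first,
# so a receiver can tell IKE from UDP-encapsulated ESP (whose SPI is non-zero).
NON_ESP_MARKER = b"\x00\x00\x00\x00"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # IP protocol number
    payload: bytes  # everything after the IP header


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP (RFC 4303): SPI (4 bytes) | sequence number (4 bytes) | encrypted data.
    There is no port field anywhere, which is the root of the PAT problem."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved")
    return struct.pack("!II", spi, seq) + ciphertext


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header; checksum left at 0, which RFC 3948 permits for encapsulated ESP."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def l4_ports(payload: bytes):
    """Source and destination port; TCP and UDP both start with these two fields."""
    return struct.unpack("!HH", payload[:4])


def nat_t_encapsulate(esp: bytes) -> bytes:
    """RFC 3948 UDP encapsulation: UDP 4500/4500 header followed directly by ESP."""
    return build_udp(NAT_T_PORT, NAT_T_PORT, esp)


class PatDevice:
    """Minimal port address translation (interface overload): inside hosts share
    one public IP and are told apart by their rewritten source port."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.xlate = {}  # (inside_ip, inside_port, proto) -> public port

    def translate_outbound(self, pkt: Packet):
        # Only TCP and UDP carry ports. ESP, AH and GRE cannot be keyed, so the
        # translation is refused: the condition behind ASA message 305006.
        if pkt.proto not in (IPPROTO_TCP, IPPROTO_UDP):
            return None
        sport, _ = l4_ports(pkt.payload)
        key = (pkt.src, sport, pkt.proto)
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.next_port += 1
        rewritten = struct.pack("!H", self.xlate[key]) + pkt.payload[2:]
        return Packet(self.public_ip, pkt.dst, pkt.proto, rewritten)


def demux_udp4500(udp_payload: bytes) -> str:
    """Receiver side of NAT-T: zero marker means IKE, anything else is ESP."""
    return "ike" if udp_payload[:4] == NON_ESP_MARKER else "esp"


def demo():
    """Send the same ESP packet native and NAT-T encapsulated through one PAT."""
    esp = build_esp(spi=0x01020304, seq=1, ciphertext=b"\xaa" * 16)  # constructed
    pat = PatDevice("66.191.64.126")
    native = Packet("10.12.45.254", "72.21.209.225", IPPROTO_ESP, esp)
    encap = Packet("10.12.45.254", "72.21.209.225", IPPROTO_UDP, nat_t_encapsulate(esp))
    return pat.translate_outbound(native), pat.translate_outbound(encap)


if __name__ == "__main__":
    dropped, passed = demo()
    print("native ESP through PAT:", dropped)
    print("NAT-T ESP through PAT:", passed.src, l4_ports(passed.payload))
```

A 1:1 static translation, as Mike describes, works because it is keyed on the inside IP alone and needs no port; that is what the `nat (inside,outside) static 66.191.64.124` object rule for 10.12.45.254 in the posted config intends. One thing worth checking in that config: on ASA 8.3 and later, manual NAT rules (section 1) are evaluated before object NAT (section 2), and the section 1 rule `nat (inside,outside) source dynamic obj-10.12.0.0 interface` also matches 10.12.45.254, so ESP from that host would still be handed to interface PAT and fail even with the static object rule present.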
