"regular translation creation failed" - Nortel Contivity Client

cobbc
Level 1

Trying to get a Nortel Contivity client to connect via VPN through a PIX firewall. The error I keep getting is "regular translation creation failed for protocol 50". I have version 6.2(3) and I downgraded from 6.3(3) because it would reboot if I tried to go through the PIX with the Contivity client. Any suggestions?

3 Replies

ehirsel
Level 6

I assume that you have these acl entries applied along with others on the pix outside interface:

permit udp any eq 500 host inside-host-ip-as-seen-by-remote-host eq 500

permit esp any host inside-host-ip-as-seen-by-remote-host

Ensure that your static statement is a static NAT, not a static PAT or global PAT.

Code your static like this:

static (inside,outside) global-ip inside-ip netmask 255.255.255.255

ESP is IP protocol 50; it is a separate protocol from TCP and UDP. So if your static is coded for TCP or UDP, it will not work.

Let me know if you need more help.

I don't know why you had the issue with pix 6.3.3; do a search on the cisco bug list to see if it is a known issue.

I've done it to no avail. I've upgraded back to 6.3.3 and it's working better now. However, I still can't connect to the Nortel VPN switch through the PIX 501 firewall.

Now I'm getting something slightly different.

May 30 2004 17:54:39 305006: portmap translation creation failed for protocol 50 src inside: (inside address) dst outside:(VPN server address)

Here are my access-lists

access-list inside_access_in permit ip inside range any

access-list inside_access_in permit udp inside range eq isakmp any

access-list inside_access_in permit esp any any

access-list inside_access_in permit udp any eq 445 any

access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 eq 500 any

access-list inside_access_in permit udp host mine eq isakmp host VPN eq isakmp

access-list inside_access_in permit esp host mine host vpn

access-list outside_in permit esp host mine host VPN

access-list outside_in permit udp host mine eq isakmp host VPN eq isakmp

access-list outside_in permit tcp host mine eq www host VPN eq www

I've noticed that the outside_in ACL has the same source and destination as the inside_access_in ACL. To allow the Nortel VPN switch to send the ESP and UDP port 500 (ISAKMP) traffic, you need to reverse the source and destination in the outside_in ACL. You should not have to code this: "access-list outside_in permit tcp host mine eq www host VPN eq www", as the www traffic (to manage the switch?) is within IPsec, which is all the PIX will see.

I assume that the Nortel client is on the inside of the PIX and the switch is on the outside - is that correct? If so, are you NATing or PATing your inside client to connect to the switch? If you are using PAT, then you need to add this: "fixup protocol esp-ike" to the PIX config to allow proper PAT of the ESP traffic.

As far as the PIX 6.3.3 code causing your PIX to reboot, you state that it is fine now. There was a post to this group some time back that had a similar issue - it was fixed by reloading the 6.3.3 code, which is what you did.
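The two points ehirsel makes above (ESP is protocol 50 with no TCP/UDP ports, so it survives one-to-one static NAT but not port-based PAT unless "fixup protocol esp-ike" is enabled, and the outside_in ACL must name the VPN switch as the source) can be shown with a small model. This is an added illustration, not code from the thread or from the PIX: it simplifies NAT/PAT to a translation table keyed on L4 port, models the esp-ike fixup only as "one ESP tunnel, tied to a host that completed ISAKMP", and uses constructed addresses (MINE, VPN, GLOBAL). The status strings it returns mirror the wording of the syslog message quoted in the thread.

```python
"""Model of why ESP (IP protocol 50) passes static NAT but fails port-based
PAT, and why the outside ACL must list the VPN switch as source.

Added illustration for the thread; simplified model, not PIX internals.
All addresses are constructed."""
from dataclasses import dataclass
from typing import Optional

ESP, UDP, TCP = 50, 17, 6
MINE, VPN, GLOBAL = "192.168.0.10", "203.0.113.5", "198.51.100.1"  # constructed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # ESP has no L4 ports
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP only


class StaticNat:
    """static (inside,outside) global inside: one-to-one, any IP protocol."""

    def __init__(self, inside_ip, global_ip):
        self.mapping = {inside_ip: global_ip}

    def translate(self, pkt):
        glob = self.mapping.get(pkt.src)
        if glob is None:
            return None, "no translation group found"
        return Packet(glob, pkt.dst, pkt.proto, pkt.sport, pkt.dport, pkt.spi), "ok"


class Pat:
    """Many inside hosts share one global IP; flows are told apart by the
    translated L4 source port. esp_ike=True models the effect described on
    this page for 'fixup protocol esp-ike': ESP from a host that already sent
    ISAKMP is translated, one ESP tunnel at a time (assumed simplification)."""

    def __init__(self, global_ip, esp_ike=False):
        self.global_ip, self.esp_ike = global_ip, esp_ike
        self.next_port = 1024
        self.isakmp_hosts = set()   # inside hosts seen sending UDP/500
        self.esp_owner = None       # inside host holding the single ESP slot

    def translate(self, pkt):
        if pkt.proto in (TCP, UDP):
            if pkt.proto == UDP and pkt.dport == 500:
                self.isakmp_hosts.add(pkt.src)
            port, self.next_port = self.next_port, self.next_port + 1
            return Packet(self.global_ip, pkt.dst, pkt.proto, port, pkt.dport), "ok"
        if pkt.proto != ESP:
            return None, "unsupported protocol"
        # ESP carries no port, so plain PAT has nothing to key a translation on.
        if not self.esp_ike:
            return None, "portmap translation creation failed for protocol 50"
        if pkt.src not in self.isakmp_hosts:
            return None, "esp-ike: no ISAKMP session seen for this host"
        if self.esp_owner not in (None, pkt.src):
            return None, "esp-ike: ESP slot already held by another host"
        self.esp_owner = pkt.src
        return Packet(self.global_ip, pkt.dst, ESP, spi=pkt.spi), "ok"


def demo_translation():
    """Return the status each translation type gives the client's ESP packet."""
    ike = Packet(MINE, VPN, UDP, 500, 500)
    esp = Packet(MINE, VPN, ESP, spi=0x1001)
    results = {"static nat": StaticNat(MINE, GLOBAL).translate(esp)[1]}
    pat = Pat(GLOBAL)
    pat.translate(ike)
    results["pat"] = pat.translate(esp)[1]
    pat_fixup = Pat(GLOBAL, esp_ike=True)
    pat_fixup.translate(ike)
    results["pat + fixup esp-ike"] = pat_fixup.translate(esp)[1]
    # A second client behind the same PAT address: the fixup is single-tunnel.
    pat_fixup.translate(Packet("192.168.0.11", VPN, UDP, 500, 500))
    results["pat + fixup esp-ike, 2nd host"] = pat_fixup.translate(
        Packet("192.168.0.11", VPN, ESP, spi=0x1002))[1]
    return results


@dataclass(frozen=True)
class Ace:
    """One 'permit' entry: protocol plus host-or-any source and destination."""
    proto: int
    src: str
    dst: str

    def matches(self, pkt):
        return (pkt.proto == self.proto
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst))


def demo_acl_direction():
    """Inbound ESP from the switch arrives with src=VPN and dst=the client's
    address as seen from outside (the thread's 'host mine')."""
    reply = Packet(VPN, MINE, ESP, spi=0x2001)
    as_posted = Ace(ESP, MINE, VPN)   # outside_in permit esp host mine host VPN
    reversed_ = Ace(ESP, VPN, MINE)   # outside_in permit esp host VPN host mine
    return as_posted.matches(reply), reversed_.matches(reply)


if __name__ == "__main__":
    for name, status in demo_translation().items():
        print(f"{name:32s} -> {status}")
    print("outside_in as posted / reversed matches reply:", demo_acl_direction())
```

Run stand-alone, it prints one status per translation type and a (False, True) pair for the ACL check: the ACE as posted never matches the switch's inbound ESP, the reversed one does. The esp-ike model is deliberately coarse; the point it carries is that without some state beyond port numbers the firewall has no way to map an incoming protocol-50 packet back to an inside host.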