Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1166
Views
0
Helpful
3
Replies

regular translation creation failed for protocol 50 src inside:192.168.254.53 dst External:x.x.x.x

bgl-group
Level 1
Level 1

‎09-07-2011 02:29 AM

Hi,

I'm setting up a site to site VPN from an internal firewall and doing 'pass-thru' on our external firewall to the customers site. I have set a number of these up and they work fine, but for this one I get an error on the External firewall when the VPN establishes : 'regular translation creation failed for protocol 50 src inside 192.168.253.53 dst external x.x.x.x'  I've used dummy public address in the diagram below:

Drawing3.jpg

I've checked the NAT statement and ACL on the 'pass-thru' firewall and they look fine. Has anyone got any ideas' why this is happening? I'm guessing it's something to do with NAT, but I cant work out whats going wrong.

Regards, Stewart

Labels:
0 Helpful
3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

‎09-07-2011 04:21 AM

What type of NAT have you configured on the firewall? and also what is the version of the firewall?

It would need to be static 1:1 NAT instead of static PAT. Unless if both ends of the VPN supports NAT-T, which would typically encapsulate the ESP (protocol 50) packet to UDP/4500.

From the error, it seems that it is failing on ESP and NAT-T has not been negotiated.

0 Helpful

bgl-group
Level 1
Level 1
In response to Jennifer Halim

‎09-07-2011 06:19 AM

Hi thanks for the quick response.

The NAT I've configured on the 'pass-thru' firewall is a Dynamic Policy NAT because i need to specifiy the source & destination as I dont want everything being NAT'd from that source.

The firewall Im using is a ASA5510 v8.2(4)

I have asked the customer if they support NAT-T and they said it's disabled on their PIX and have asked if there is a work around on our side.

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to bgl-group

‎09-08-2011 12:30 AM

Dynamic PAT will not work as it will translate the port as well. ESP is a protocol not a TCP/UDP with port, therefore PAT will not work.

You can configure static policy NAT for the VPN traffic.

Can you please share what is being configured at the moment, or basically, you can use static policy NAT to configure the translation. Let me know if you need help with that.

0 Helpful
Customers Also Viewed These Support Documents