10-04-2011 03:13 AM
Dear All,
I have to connect from behind my ASA5505 with a VPN client to another site.
The first time I got this failure.
"Deny protocol 50 src inside:192.168.50.X dst outside:x.x.x.x by access-group "acl_in" [0x0, 0x0]"
Then I opened for our inside network (src 192.168.50.0) UDP 500,4500, TCP 500,4500,10000 and ESP (dest x.x.x.x remote firewall IP).
access-list acl_in extended permit esp host 192.168.50.0 host x.x.x.x eq isakmp
access-list acl_in extended permit udp host 192.168.50.0 host x.x.x.x eq 500
access-list acl_in extended permit udp host 192.168.50.0 host x.x.x.x eq 4500
etc.
After that I could connect to the remote firewall with the VPN client, but I couldn't reach any PCs on their side and ping gives back no answer.
Deny protocol 50 was solved but I got another problem:
"regular translation creation failed for protocol 50 src inside:192.168.50.X dst outside:x.x.x.x"
I found somewhere that these lines can help:
crypto isakmp nat-traversal
inspect ipsec-pass-thru
But this wasn't useful.
I tried many things but I'm stuck.
Could somebody help me with what I can do to solve this problem?
Thanks for all answers!
10-04-2011 07:35 AM
The issue is the remote end - have them enable IPSec Pass-Thru/NAT Traversal.
10-06-2011 06:54 AM
Thank you for your answer and I will forward it to the remote side administrator!
10-12-2011 03:00 AM
The solution was the following for one IP!
object network x.x.x.x (inside IP)
host x.x.x.x (inside IP)
nat (inside,outside) static y.y.y.y (remote IP)