I'm stomped with this issue...I have read up all possibilities referencing to this error: regular translation creation failed for protocol 50. I have search online where enabling crypto isakmp nat-traversal 20 on my local Cisco PIX 535 and far end ASA and still doesn't resolve the problem.
Below is my config on the local PIX:
PIX Version 7.2(4)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXX encrypted
names
!
interface GigabitEthernet0
description XXXXXXXXXXXXXXX
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1
description XXXXXXXXXXXXXXX
nameif outside_2
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface Ethernet0
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet1
shutdown
no nameif
no security-level
no ip address
!
boot system flash:/pix724.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service tcp_47 tcp
port-object eq 47
object-group service tcp_51 tcp
port-object eq 51
object-group service tcp_709 tcp
port-object eq 709
object-group service tcp500 tcp
port-object eq 500
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any eq 51 log
access-list outside_access_in extended permit udp any any eq isakmp log
access-list outside_access_in extended permit gre any any log
access-list outside_access_in extended permit esp any any log
access-list outside_access_in extended permit ah any any log
access-list outside_access_in extended permit tcp any any eq 709 log
access-list outside_access_in extended permit tcp any any eq ldap log
access-list outside_access_in extended permit tcp any any eq pptp log
access-list outside_access_in extended permit tcp any any eq 47 log
access-list outside_access_in extended permit tcp any any eq 500 log
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap notifications
logging asdm informational
mtu outside 1500
mtu outside_2 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-525.bin
asdm history enable
arp timeout 14400
global (outside) 2 X.X.X.X-X.X.X.X netmask 255.255.255.128
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 NEXT HOP INTERFACE 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.20.100-192.168.20.199 inside
dhcpd dns x.x.x.x x.x.x.x interface inside
dhcpd enable inside
!
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect pptp
inspect rsh
inspect rtsp
inspect esmtp
inspect tftp
inspect ipsec-pass-thru
class class_sip_tcp
inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:490d1d88ccf94e5c4fcb856a7c6f9f34
: end
I have verified my client VPN application utilizies "Enable Transparent Tunneling" feature and still no luck.
I even added this code to see if it works:
crypto isakmp ipsec-over-tcp port 10000 <----default tcp port
and still no luck.
Any and all suggestions are appreciated.
Thanks,
Stomped dude!
Below is my config on the local PIX:
PIX Version 7.2(4)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXX encrypted
names
!
interface GigabitEthernet0
description XXXXXXXXXXXXXXX
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1
description XXXXXXXXXXXXXXX
nameif outside_2
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface Ethernet0
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet1
shutdown
no nameif
no security-level
no ip address
!
boot system flash:/pix724.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service tcp_47 tcp
port-object eq 47
object-group service tcp_51 tcp
port-object eq 51
object-group service tcp_709 tcp
port-object eq 709
object-group service tcp500 tcp
port-object eq 500
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any eq 51 log
access-list outside_access_in extended permit udp any any eq isakmp log
access-list outside_access_in extended permit gre any any log
access-list outside_access_in extended permit esp any any log
access-list outside_access_in extended permit ah any any log
access-list outside_access_in extended permit tcp any any eq 709 log
access-list outside_access_in extended permit tcp any any eq ldap log
access-list outside_access_in extended permit tcp any any eq pptp log
access-list outside_access_in extended permit tcp any any eq 47 log
access-list outside_access_in extended permit tcp any any eq 500 log
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap notifications
logging asdm informational
mtu outside 1500
mtu outside_2 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-525.bin
asdm history enable
arp timeout 14400
global (outside) 2 X.X.X.X-X.X.X.X netmask 255.255.255.128
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 NEXT HOP INTERFACE 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.20.100-192.168.20.199 inside
dhcpd dns x.x.x.x x.x.x.x interface inside
dhcpd enable inside
!
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect pptp
inspect rsh
inspect rtsp
inspect esmtp
inspect tftp
inspect ipsec-pass-thru
class class_sip_tcp
inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:490d1d88ccf94e5c4fcb856a7c6f9f34
: end
I have verified my client VPN application utilizies "Enable Transparent Tunneling" feature and still no luck.
I even added this code to see if it works:
crypto isakmp ipsec-over-tcp port 10000 <----default tcp port
and still no luck.
Any and all suggestions are appreciated.
Thanks,
Stomped dude!