ASA 5505 as hw vpn client to PIX501 or ASA5505 w network extension mode

Unanswered Question
Jun 20th, 2007
User Badges:


We have been using a PIX 501 for a couple of years now to access a

local network with Cisco VPN software client. However we now need

access from another site with multiple users so I decided to buy two

ASA 5505 UL bundle to do the job. First i tried to just hook up the

new ASA at the remote site and connect to the PIX 501 with easy vpn.

In went fine. I configured the new ASA right from the box with the old

vpn profile settings and it worked right away. But as we also need the

remote site to be accessed from the main site (PIX side) i tried to

enable "network extension mode" but then the tunnel didnt work

anymore. it connects but no traffic is coming through. I set it back

to normal mode (only client) and it worked again.

Is there anything else I need to do to be able to use network

extension mode than just enabling it in ASDM ?

The samt thing happens when using two ASA 5505 the same way.

Software versions are:

PIX: 6.3

ASA 5505: 7.2.1 (used to be 7.2.2 but I had to downgrade because of a bug in 7.2.2 - vpnclient fails after reboot)

I also did try the latest 8.2 with very little success. Seemed a bit buggy.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
kumlait2004 Fri, 06/22/2007 - 01:24
User Badges:


Thought I could add some info. Our Head unit is and the connecting ASA 5505 is When I try to ping a machine ( from the remote site I get this in the ASA log:

With network extension mode

302020 Built ICMP connection for faddr gaddr laddr

With only client mode

302020 Built ICMP connection for faddr gaddr laddr

It seemes to me (quite the newbie here on ASA) that the unit does not handle the gateway address correctly when using network extension mode. The PC i use to ping from is

Any ideas from the experts ?




This Discussion