VPN between PIX501 and PIX506E

Sep 20th, 2007

Dear all,

I am a newbie to PIX.

I have a problem with the VPN formed by a PIX501 and a PIX506E.

I have attached the configs of the two PIXes, but after I entered the configs on the PIXes, no VPN was formed. Does anyone know what's wrong with my settings?

Thank you very much.

mfreijser Thu, 09/20/2007 - 23:58

Do you use NAT in your configuration? Because I don't see any No-NAT configuration in your script for the VPN tunnel.

Could you post the outputs from a 'show run' command from both Pix Firewalls?



mfreijser Fri, 09/21/2007 - 00:15

The NAT configuration should look like this:

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.xxx.xxx

Did you check if the firewalls can reach each other?



bennychow Fri, 09/21/2007 - 21:07

I am now getting an error message like

- ISAKMP malformed payload received (local 202.155.xxx.xxx (responder), remote 116.48.xxx.xxx)

Do you know what's wrong this time?

Thank you very much

ajagadee Sat, 09/22/2007 - 21:50


Looks like the problem is with your crypto map peer x.x.x.x address. Make sure that both the crypto end points are configured for the correct peer address.

If you have configured the correct crypto address and are still seeing the problem, do a "clear cry isa sa" and "clear cry ipsec sa" and then try to bring up the tunnel.

I hope it helps.
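
A consistency check for the two points raised in the replies above (a No-NAT statement and crypto peer addresses that mirror each other), as an added example that is not part of the thread. The sample configs, the documentation-range addresses and the function names `parse` and `check_pair` are constructed for illustration.

```python
import re

# Constructed sample configs in PIX 6.x syntax; addresses are documentation
# ranges and PIX501/PIX506E are only labels, not the poster's real configs.
PIX501 = """\
ip address outside 192.0.2.1 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
crypto map mymap 10 set peer 198.51.100.1
isakmp key ****** address 198.51.100.1 netmask 255.255.255.255
"""
PIX506E = """\
ip address outside 198.51.100.1 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
crypto map mymap 10 set peer 192.0.2.11
isakmp key ****** address 192.0.2.1 netmask 255.255.255.255
"""

def parse(cfg):
    """Pull out the statements that matter for a site-to-site tunnel."""
    find = lambda pat: re.findall(pat, cfg, re.M)
    outside = find(r"^ip address outside (\S+)")
    return {
        "outside": outside[0] if outside else None,
        "peers": set(find(r"^crypto map \S+ \d+ set peer (\S+)")),
        "key_peers": set(find(r"^isakmp key \S+ address (\S+)")),
        "nat0_acl": find(r"^nat \(inside\) 0 access-list (\S+)"),
        "acls": set(find(r"^access-list (\S+) ")),
    }

def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Return findings for both directions; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for n, local, rn, remote in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        if remote["outside"] not in local["peers"]:
            findings.append(f"{n}: set peer {sorted(local['peers'])} != {rn} outside {remote['outside']}")
        if remote["outside"] not in local["key_peers"]:
            findings.append(f"{n}: no isakmp key for {rn} outside {remote['outside']}")
        if not local["nat0_acl"]:
            findings.append(f"{n}: no 'nat (inside) 0 access-list' (No-NAT) statement")
        elif local["nat0_acl"][0] not in local["acls"]:
            findings.append(f"{n}: nat 0 references undefined access-list {local['nat0_acl'][0]}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_pair("PIX501", PIX501, "PIX506E", PIX506E)) or "consistent")
```

On the constructed pair this reports the mistyped peer and the missing No-NAT statement on the second firewall only.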



bennychow Sun, 09/23/2007 - 17:00

Thanks, Arul.

But the VPN still cannot form and the error message still appears.

Do you have any other ideas?

I have checked that the password matches on both PIXes.

ajagadee Mon, 09/24/2007 - 05:11


From the logs that you had posted earlier, the issue was related to a mismatch in crypto peer IP addresses.

Can you post the sanitized version of the configuration and full logs, if possible?



