VPN between PIX501 and PIX506E

bennychow · ‎09-20-2007

Dear all,

I am a newbie for PIX.

I have a problem with the VPN formed by a PIX501 and a PIX506E.

I have attached the config of the two PIX, but after I enter the config to the PIX, no VPN was formed, do anyone know what's wrong with my setting?

Thank you very much.

mfreijser · ‎09-20-2007

Do you use NAT in your configuration? Because i don't see any No-NAT configuration in your script for the VPN Tunnel.

Could you post the outputs from a 'show run' command from both Pix Firewalls?

Regards,

Michael

bennychow · ‎09-21-2007

I have atteched the running config

Thank you very much for your help

mfreijser · ‎09-21-2007

The NAT configuration should look like this:

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.xxx.xxx 255.255.255.0

Did you check if the Firewalls can reach eachother?

Regards,

Michael

bennychow · ‎09-21-2007

I am now get a error massage like

- ISAKMP malformed payload received (local 202.155.xxx.xxx (responder), reote 116.48.xxx.xxx)

Do you what's wrong this time?

Thank you very much

ajagadee · ‎09-22-2007

Hi,

Looks like the problem is with your crypto map peer x.x.x.x address. Make sure that both the crypto end points are configured for the correct peer address.

If you have configured the correct crypto address and still seeing problem.

Do a "clear cry isa sa" and "clear cry ipsec sa" and then try to bring up the tunnel.

I hope it helps.

Regards,

Arul

bennychow · ‎09-23-2007

Thanks, Arul.

But the VPN still can not form and the error message still appear.

Do you have any other idea?

I have checked that the password is matched at both PIX

ajagadee · ‎09-24-2007

Hi,

From the logs that you had posted earlier, the issue was related to mismatch in crypto peer IP Addresses.

Can you post the sanitized version of configuration and full logs, if possible.

Thanks,

Arul