PIX501 vpnclient with ASA

Unanswered Question
Sep 9th, 2009
User Badges:

I'm trying to establish a VPN connection between an (old) PIX501 running 6.3(5)

and an ASA5550 (which i don't control). The PIX501 operates in vpnclient mode.

I don't seem to get passed phase 1. I have a feeling it's because of NAT-T/NAT-D (see debug from PIX501) :

ISAKMP (0:0): vendor ID is NAT-T

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): recalc my hash for NAT-D

ISAKMP (0:0): NAT match MINE hash

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): recalc his hash for NAT-D

ISAKMP (0:0): NAT match HIS hash

shortly after this statement, the phase 1 negotiations start all over again..

Any ideas?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
slmansfield Thu, 09/10/2009 - 09:38
User Badges:
  • Silver, 250 points or more

I believe these messages indicate that there is no NAT between the two VPN peers. This does not highlight a NAT problem.

Perhaps you could provide more details, including the remainder of your debug output.

My own experience is when two different parties manage two different VPN endpoint devices it is worthwhile to meticulously review all the VPN settings to ensure that they match. Just a single small discrepancy could result in a failure to tunnel.


g.raymakers Fri, 09/11/2009 - 07:35
User Badges:


here's the full debug output (see file). = central gateway = pix501

Thanks for your help,




This Discussion