
PIX501 vpnclient with ASA

g.raymakers
Level 1

I'm trying to establish a VPN connection between an (old) PIX501 running 6.3(5) and an ASA5550 (which I don't control). The PIX501 operates in vpnclient mode.

I don't seem to get past phase 1. I have a feeling it's because of NAT-T/NAT-D (see debug from PIX501):

ISAKMP (0:0): vendor ID is NAT-T

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): recalc my hash for NAT-D

ISAKMP (0:0): NAT match MINE hash

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): recalc his hash for NAT-D

ISAKMP (0:0): NAT match HIS hash

Shortly after this statement, the phase 1 negotiations start all over again.

Any ideas?

Thanks,

Guy

2 Replies

slmansfield
Level 4

I believe these messages indicate that there is no NAT between the two VPN peers. This does not highlight a NAT problem.

Perhaps you could provide more details, including the remainder of your debug output.

My own experience is that when two different parties manage two different VPN endpoint devices, it is worthwhile to meticulously review all the VPN settings to ensure that they match. Just a single small discrepancy could result in a failure to tunnel.

HTH
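
The comparison behind a NAT-D hash match, as an added example that is not part of the original thread and is not PIX or ASA code: RFC 3947 section 3.2 has each peer send HASH(CKY-I | CKY-R | IP | Port) for the destination and source it believes the packet has, and the receiver recomputes both from what it actually sees. The two thread addresses are reused; the cookies, SHA-1, port 500, the 192.168.50.10 address and all function names are assumptions made for illustration.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, alg="sha1"):
    """RFC 3947 sec. 3.2: HASH(CKY-I | CKY-R | IP | Port), negotiated hash."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(alg, data).digest()

def build_nat_d(cky_i, cky_r, dst, src, alg="sha1"):
    """Sender side: first payload covers the destination, second the source."""
    return [nat_d_hash(cky_i, cky_r, *dst, alg=alg),
            nat_d_hash(cky_i, cky_r, *src, alg=alg)]

def detect_nat(cky_i, cky_r, payloads, local, observed_peer, alg="sha1"):
    """Receiver side. local / observed_peer are (ip, port) from the packet as
    received. payloads[0] is checked against our own address ("mine"),
    payloads[1:] against the peer address we actually observed ("his")."""
    if len(payloads) < 2:
        raise ValueError("need destination and source NAT-D payloads")
    mine = nat_d_hash(cky_i, cky_r, *local, alg=alg)
    his = nat_d_hash(cky_i, cky_r, *observed_peer, alg=alg)
    local_nat = payloads[0] != mine          # mismatch: we are translated
    remote_nat = his not in payloads[1:]     # mismatch: peer is translated
    return {"local_behind_nat": local_nat,
            "remote_behind_nat": remote_nat,
            "use_nat_t": local_nat or remote_nat}

# Constructed sample values (cookies are made up; addresses are from the thread).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
PIX = ("172.16.3.3", 500)       # pix501
GATEWAY = ("10.1.1.43", 500)    # central gateway

def direct_path():
    """Gateway -> PIX with no translation: both hashes match."""
    sent = build_nat_d(CKY_I, CKY_R, dst=PIX, src=GATEWAY)
    return detect_nat(CKY_I, CKY_R, sent, local=PIX, observed_peer=GATEWAY)

def translated_peer():
    """Constructed contrast: gateway really sits at 192.168.50.10 behind NAT."""
    sent = build_nat_d(CKY_I, CKY_R, dst=PIX, src=("192.168.50.10", 500))
    return detect_nat(CKY_I, CKY_R, sent, local=PIX, observed_peer=GATEWAY)

if __name__ == "__main__":
    print("direct path:    ", direct_path())
    print("translated peer:", translated_peer())
```

When both comparisons match, as in the debug output above, the peers stay on UDP 500 without NAT-T encapsulation, so the restart of phase 1 has to be explained by something else in the exchange.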

Hi,

Here's the full debug output (see file).

10.1.1.43 = central gateway

172.16.3.3 = pix501

Thanks for your help,

Guy
