Cisco Support Community

New Member

PIX VPN NAT question

I have this scenario with a PIX 525 6.3; this has worked for months and suddenly stopped.

I have a device on the inside network that needs to access a remote site network through a VPN tunnel.

Inside network device is, needs to access remote device

The remote side is supposed to see my device as a address, I am supposed to see his as my destination.

Debugs show the tunnel never attempts to come up, but I see hits on all of the access-lists associated with this config.

My question is, if something happened to the peer (according to them nothing has changed) config, or it is not accessible from my end, would the access-lists show hits and the traffic just get dropped?

crypto map p 30 ipsec-isakmp

crypto map p 30 match address Translate

crypto map p 30 set peer

crypto map p 30 set transform-set 3dessha

static (inside,outside) access-list translation 0 0

access-list Translation permit ip host

access-list Translate permit ip

Hall of Fame Super Blue

Re: PIX VPN NAT question


When you initiate the connection can you run

1) debug crypto isa

2) debug crypto ipsec

That will at least tell you whether your firewall is trying to initiate the tunnel or not and should help narrow down the problem.


Edit - should have said, I agree that if it has been working for the last 4 months and now it doesn't, if you haven't changed anything, chances are they have :-)