Cisco 851 behind PIX 515

ALIAOF_
Level 6

Hello everyone. I have an issue that I'm hoping someone can give me some kind of feedback on. Here is the setup:

Cisco IOS router 851 --> PIX 515 --> Internet --> ASA 5520

There is a VPN set up from the router to the ASA 5520; the Cisco IOS router is sitting behind a PIX 515. Now, the PIX 515 is not managed by me. The person who manages it told me that he has UDP ports 500 and 4500 open. I have Wireshark running on the 5520 side, and when I look at the traffic I see the source port as 389 (LDAP) and the destination as 500, and of course the VPN is not coming up.

Does he need to enable something like "isakmp enable outside" and "isakmp enable inside" on his PIX 515, or add anything other than just UDP 4500 and 500? I'm assuming ESP? But then again, he told me that from our IP he enabled any traffic to our internal IP.

2 Replies

Jennifer Halim
Cisco Employee

You would need to make sure that NAT-T is enabled on both the Cisco IOS router and ASA 5520, so the ESP gets encapsulated in UDP/4500.

Which phase is failing? Phase 1 or Phase 2?

The PIX does not need any ISAKMP enabled, because the PIX is not terminating the VPN session.

Please share the output of:

show cry isa sa

show cry ipsec sa

Also run debugs on the VPN endpoints to see which phase is failing.
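As an added illustration of the NAT-T point above (example code written for this page, not from the thread or from Cisco), the script below classifies the UDP/500, UDP/4500 and ESP packets seen in a capture taken at the VPN peer and reports whether an intermediate PAT device has rewritten the IKE source port, which is exactly the symptom described in the question (source port 389, destination 500). The packet list, addresses and port numbers in SAMPLE are constructed to resemble the thread's capture; the function and field names are this example's own.

```python
# Added example, not part of the original thread: classify VPN-related packets
# captured at a VPN endpoint and report what they imply about NAT between the peers.
from dataclasses import dataclass
from typing import Dict, List

IKE_PORT = 500     # ISAKMP/IKE
NATT_PORT = 4500   # IKE and UDP-encapsulated ESP once NAT-T is in use
PROTO_UDP = 17
PROTO_ESP = 50     # raw ESP, IP protocol 50 (no ports, so PAT cannot track it)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0   # 0 for protocols without ports (e.g. ESP)
    dport: int = 0


def classify(pkt: Packet) -> str:
    """Label one packet by the role it plays in an IPsec session."""
    if pkt.proto == PROTO_ESP:
        return "raw-esp"
    if pkt.proto == PROTO_UDP and IKE_PORT in (pkt.sport, pkt.dport):
        # IKE normally uses 500 on both ends; any other port on either side means
        # a NAT/PAT device rewrote it (the thread saw sport 389 -> dport 500).
        if pkt.sport == IKE_PORT and pkt.dport == IKE_PORT:
            return "ike"
        return "ike-pat-translated"
    if pkt.proto == PROTO_UDP and NATT_PORT in (pkt.sport, pkt.dport):
        return "nat-t"
    return "other"


def diagnose(packets: List[Packet]) -> Dict[str, object]:
    """Summarise the capture and list findings relevant to NAT traversal."""
    counts: Dict[str, int] = {}
    for p in packets:
        label = classify(p)
        counts[label] = counts.get(label, 0) + 1

    behind_nat = counts.get("ike-pat-translated", 0) > 0
    natt_seen = counts.get("nat-t", 0) > 0
    raw_esp = counts.get("raw-esp", 0) > 0

    findings: List[str] = []
    if behind_nat:
        findings.append("IKE source port was translated: a NAT/PAT device sits "
                        "between the peers, so NAT-T must be enabled on both VPN endpoints")
    if behind_nat and not natt_seen:
        findings.append("no UDP/4500 traffic observed: either Phase 1 never completed "
                        "(the move to 4500 happens after NAT detection in Phase 1) "
                        "or NAT-T is disabled on a peer")
    if behind_nat and raw_esp:
        findings.append("raw ESP (IP protocol 50) seen together with translated IKE: "
                        "ESP has no ports and will not survive PAT; expect Phase 2 "
                        "traffic loss until it is UDP-encapsulated on 4500")
    return {"counts": counts, "behind_nat": behind_nat,
            "natt_seen": natt_seen, "findings": findings}


# Constructed sample resembling the thread's capture on the ASA side: the router's
# IKE packets arrive with source port 389 (rewritten by the PIX) and destination 500,
# the ASA answers back to 389, and nothing ever shows up on UDP/4500.
SAMPLE = [
    Packet("203.0.113.10", "198.51.100.5", PROTO_UDP, 389, 500),
    Packet("203.0.113.10", "198.51.100.5", PROTO_UDP, 389, 500),
    Packet("198.51.100.5", "203.0.113.10", PROTO_UDP, 500, 389),
]

if __name__ == "__main__":
    result = diagnose(SAMPLE)
    print(result["counts"])
    for line in result["findings"]:
        print("-", line)
```

Run it against the sample and it reports that IKE is being port-translated and that no NAT-T traffic appears, which matches the advice to confirm NAT-T on both endpoints and to look at Phase 1 first. Feeding it a capture where UDP/4500 packets do appear clears the second finding, which is how you would tell "NAT-T never negotiated" apart from "NAT-T negotiated but ESP still blocked".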

It is enabled, and I'm not even getting to Phase 1. When I try to initiate the VPN from the Cisco router and ping a network behind the ASA 5520, it is not even getting there. There is something not set up right on the PIX. I'm going to see if I can get the config from the PIX.
