Cisco Support Community

Cisco 851 behind PIX 515

Hello everyone. I have an issue that I'm hoping someone can give me some kind of feedback on. Here is the setup:

Cisco IOS router 851 --> PIX 515 --> Internet --> ASA 5520

There is a VPN setup from the router to the ASA 5520; the Cisco IOS router is sitting behind a PIX 515. Now, the PIX 515 is not managed by me. The person who manages it told me that he has the UDP ports 500 and 4500 open. I have Wireshark running on the 5520 side, and when I look at the traffic I see the source port as 389 (LDAP) and the destination as 500, and of course the VPN is not coming up.

Does he need to enable something like "isakmp enable outside" and "isakmp enable inside" on his PIX 515, or add anything other than just UDP 4500 and 500? I'm assuming ESP? But then again, he told me that from our IP he enabled any traffic to our internal IP.

Cisco Employee

Cisco 851 behind PIX 515

You would need to make sure that NAT-T is enabled on both the Cisco IOS router and ASA 5520, so the ESP gets encapsulated in UDP/4500.

Which phase is failing? Phase 1 or Phase 2?

PIX does not need to be enabled with any of the ISAKMP because PIX is not terminating the VPN session.

Please share the output of:

show cry isa sa

show cry ipsec sa

Also run debugs on the VPN end points to see which phase it is failing.
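A way to triage the capture observation from the question against the NAT-T point in this answer, as an added example that is not code from the thread: it labels packets seen on the ASA side and reports whether a PAT device rewrote the IKE source port and whether ESP is arriving UDP-encapsulated on 4500. The packet tuples and addresses are constructed, and it assumes the 389 source port is a PAT rewrite rather than any other cause.

```python
from collections import namedtuple

IKE_PORT, NATT_PORT = 500, 4500

# One summarised packet as a capture tool would show it (addresses/ports only).
Packet = namedtuple("Packet", "src dst proto sport dport")

def classify(pkt):
    """Label one packet by how it relates to IPsec crossing a NAT/PAT device."""
    if pkt.proto == "udp" and pkt.dport == IKE_PORT:
        # IKE normally runs 500 -> 500; any other source port means a PAT
        # device in the path rewrote it (assumption: no other cause here).
        return "ike" if pkt.sport == IKE_PORT else "ike_pat_rewritten"
    if pkt.proto == "udp" and pkt.dport == NATT_PORT:
        return "natt"            # ESP encapsulated in UDP/4500 by NAT-T
    if pkt.proto == "esp":
        return "raw_esp"         # IP protocol 50, no ports for PAT to track
    return "other"

def triage(packets, peer):
    """Count packet classes from `peer` and derive NAT-T related findings."""
    labels = [classify(p) for p in packets if p.src == peer]
    counts = {label: labels.count(label) for label in set(labels)}
    findings = []
    if not labels:
        findings.append("nothing from peer reached this side: check the upstream firewall")
    if counts.get("ike_pat_rewritten"):
        findings.append("IKE source port rewritten: a PAT device sits in front of the peer")
    if counts.get("raw_esp") and not counts.get("natt"):
        findings.append("raw ESP without UDP/4500: NAT-T not in use, ESP will not traverse PAT")
    if counts.get("natt"):
        findings.append("UDP/4500 present: NAT-T negotiated, ESP is UDP-encapsulated")
    return counts, findings

# Constructed sample matching the thread's observation: IKE from the peer
# arrives with source port 389 and destination port 500 (documentation IPs).
PEER, ASA = "198.51.100.10", "203.0.113.20"
SAMPLE = [
    Packet(PEER, ASA, "udp", 389, IKE_PORT),
    Packet(PEER, ASA, "udp", 389, IKE_PORT),
]

if __name__ == "__main__":
    counts, findings = triage(SAMPLE, PEER)
    print(counts)
    for finding in findings:
        print("-", finding)
```

Feed it the tuples from a real capture filtered to the peer address; a healthy NAT-T tunnel shows IKE on 500 followed by UDP/4500, while raw ESP with no 4500 traffic points at NAT-T not being negotiated.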

Cisco 851 behind PIX 515

It is enabled, and I'm not even getting to phase 1. When I try to initiate the VPN from the Cisco router and ping a network behind the ASA 5520, it is not even getting there. There is something not set up right on the PIX. I'm going to see if I can get the config from the PIX.
