
Pix2ASA Vpn

s_colombo
Level 1

We have a PIX 515 (6.3.5) and an ASA5510 (8.2.1).

We must set up a site-to-site VPN, but there seem to be problems which we cannot find.

It seems that even the ISAKMP phase has a problem.

Below is an extract of the debug crypto isakmp output taken from the PIX.

The strange thing I noticed is that it thinks it is connecting to a VPN concentrator.

ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP:      default group 2
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0:0): Detected NAT-D payload

Can anyone tell me if there are problems with PIX 6.3 and ASA 8.x, or if there's something in the configuration?

Thanks
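
An added example, not part of the original post: a small Python parser for the debug crypto isakmp extract above that reports which transform was compared, whether it was accepted, the decoded VPI lifetime, and the peer identifications the PIX printed. The function name summarize and the regular expressions are assumptions about this output format, based only on the lines quoted in the post.

```python
import re

# Lines copied from the PIX debug extract in the post above (blank and repeated lines omitted).
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP:      default group 2
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0:0): Detected NAT-D payload
"""

ATTR = re.compile(r"^ISAKMP:\s+(default group|encryption|hash|auth|life type in)\s+(\S+)")
VPI = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
PEER = re.compile(r"vendor ID is (\S+)|received (\S+ \S+) vendor id|speaking to (?:another |a )(.+?)!?$")

def summarize(text):
    """Return the last transform compared, whether it was accepted, and peer vendor-ID notes."""
    out = {"transform": None, "priority": None, "attrs": {}, "accepted": False, "peer_ids": []}
    for line in text.splitlines():
        line = line.rstrip()
        if m := CHECK.search(line):
            # A new comparison starts: reset what was collected for the previous one.
            out.update(transform=int(m[1]), priority=int(m[2]), attrs={}, accepted=False)
        elif m := VPI.search(line):
            # The VPI lifetime is printed as big-endian bytes; fold them into one integer.
            out["attrs"]["lifetime"] = int.from_bytes(bytes(int(b, 16) for b in m[1].split()), "big")
        elif m := ATTR.match(line):
            out["attrs"][m[1].removesuffix(" in")] = m[2]
        elif "atts are acceptable" in line:
            out["accepted"] = True
        elif m := PEER.search(line):
            note = m[1] or m[2] or m[3]
            if note not in out["peer_ids"]:
                out["peer_ids"].append(note)
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For the extract above, the result shows transform 1 accepted against the priority 5 policy with a lifetime of 86400 seconds.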

15 Replies

That's what I noticed too. I found that for some reason the ASA didn't treat the traffic as interesting and so it was encrypted.

I made the configuration again; this time I didn't use network objects in the access list used in the crypto map.

I don't know if that was the problem, but now it's working.

Thanks