Cisco Support Community
Community Member

PIX501 vpnclient with ASA

I'm trying to establish a VPN connection between an (old) PIX501 running 6.3(5) and an ASA5550 (which I don't control). The PIX501 operates in vpnclient mode.

I don't seem to get past phase 1. I have a feeling it's because of NAT-T/NAT-D (see debug from PIX501):

ISAKMP (0:0): vendor ID is NAT-T

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): recalc my hash for NAT-D

ISAKMP (0:0): NAT match MINE hash

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): recalc his hash for NAT-D

ISAKMP (0:0): NAT match HIS hash

Shortly after this statement, the phase 1 negotiations start all over again.

Any ideas?

Thanks,

Guy

2 REPLIES
Silver

Re: PIX501 vpnclient with ASA

I believe these messages indicate that there is no NAT between the two VPN peers. This does not highlight a NAT problem.

Perhaps you could provide more details, including the remainder of your debug output.

My own experience is that when two different parties manage two different VPN endpoint devices, it is worthwhile to meticulously review all the VPN settings to ensure that they match. Just a single small discrepancy could result in a failure to tunnel.

HTH
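
Added example, not part of the original thread and not Cisco code: the NAT-D comparison the reply above refers to, computed as RFC 3947 defines it, HASH(CKY-I | CKY-R | IP | Port), with a match on both hashes meaning no NAT on the path. Assumptions: the cookies are constructed, SHA-1 is taken as the negotiated hash, UDP port 500 is assumed, 192.0.2.10 is a hypothetical translated address, and the mapping of "MINE"/"HIS" in the debug lines to the destination and source hashes is an interpretation; the two peer addresses are the ones given in the thread.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (assumptions, not taken from the thread's debug file).
CKY_I = bytes.fromhex("1122334455667788")   # initiator cookie
CKY_R = bytes.fromhex("99aabbccddeeff00")   # responder cookie
PIX = ("172.16.3.3", 500)                   # address from the thread, port assumed
GATEWAY = ("10.1.1.43", 500)                # address from the thread, port assumed
TRANSLATED = ("192.0.2.10", 500)            # hypothetical post-NAT address of the PIX


def nat_d_hash(ip, port, algo="sha1"):
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port)."""
    addr = ipaddress.ip_address(ip).packed          # 4 bytes for IPv4
    data = CKY_I + CKY_R + addr + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def build_nat_d(dst, src):
    """NAT-D payloads as sent: destination hash first, then source hash."""
    return [nat_d_hash(*dst), nat_d_hash(*src)]


def detect_nat(payloads, local, observed_peer):
    """Receiver check: payload 1 against our own address ("MINE"),
    the remaining payloads against the packet's source as seen on the wire ("HIS")."""
    mine = payloads[0] == nat_d_hash(*local)
    his = any(p == nat_d_hash(*observed_peer) for p in payloads[1:])
    return {"local_behind_nat": not mine, "peer_behind_nat": not his}


def demo():
    # Gateway sends straight to the PIX: both hashes match, no NAT on the path.
    direct = detect_nat(build_nat_d(PIX, GATEWAY), PIX, GATEWAY)
    # Gateway only knows the translated address: the PIX's own hash no longer matches.
    translated = detect_nat(build_nat_d(TRANSLATED, GATEWAY), PIX, GATEWAY)
    return {"direct": direct, "translated": translated}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
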

Community Member

Re: PIX501 vpnclient with ASA

Hi,

Here's the full debug output (see file).

10.1.1.43 = central gateway

172.16.3.3 = pix501

Thanks for your help,

Guy
