PIX to PIX tunnel with NAT-T

jamescork
Level 1

Hi,

I used to have a PIX to PIX VPN tunnel - When I set it up, it was quite straight forward with both PIXs having public Internet IPs.

Due to a change at one site (they've run out of external IPs) I have to move my PIX behind their PIX which provides PAT for the hosts behind it.

I enabled nat-translation on both of my PIXs and moved my PIX behind theirs. They've given my PIX on their network unrestricted access to my (still) Internet exposed PIX - however, my tunnel will not come up.

To summarise, the network is now my PIX with 172.16.20.x on its internal interface and 10.10.10.10 on its external. It sits behind their PIX with 10.10.10.1 on its internal and THEIR-PIX-WITH-INTERNET-ADDRESS on its outside. And the tunnel from my PIX on their network is supposed to terminate on my PIX (as it used to) with external address MY-PIX-INTERNET-ADDRESS.

The debug on the Internet exposed PIX shows:

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR

Which, until this point, looks pretty good...

crypto_isakmp_process_block:src:<THEIR-PIX-WITH-INTERNET-ADDRESS>, dest:<MY-PIX-INTERNET-ADDRESS> spt:1 dpt:500
VPN Peer:ISAKMP: Peer Info for <THEIR-PIX-WITH-INTERNET-ADDRESS>/500 not found - peers:0

Which is where it appears to fall down. At the same time, my PIX behind theirs shows:

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:<MY-PIX-WITH-INTERNET-ADDRESS>, dest:10.10.10.10 spt:500 dpt:500
ISAKMP: sa not found for ike msg

(10.10.10.10 is the external address of my PIX behind theirs, it serves 172.16.20.x on its internal)

One thing I note is that the two PIXs show different ports (500 vs. 1), although I can't explain this or why the tunnel won't come up.

Any thoughts?

1 Reply

rmihalcin
Level 1

James,

I set this up and it works. I think the message "ISAKMP: sa not found for ike msg" means the PIX can't match the peer. Your peer statement on MY-PIX-INTERNET should be THEIR-PIX-WITH-INTERNET-ADDRESS.

The 10.10.10.10 should never show up. It's NATted. I would upgrade the code on both of your PIXes if the peering is OK. I did the test with 6.3(3) code.

Bob
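For reference, here is the shape of the crypto configuration the reply describes, written out for both ends. This is an added example in PIX 6.3 syntax and is not configuration posted by either participant; the crypto map, ACL and transform-set names, the pre-shared key, and the 192.168.1.0/24 network behind the Internet-exposed PIX are assumptions. The placeholders THEIR-PIX-WITH-INTERNET-ADDRESS and MY-PIX-INTERNET-ADDRESS are the ones used in the thread. The example uses 3DES/SHA/group 2 rather than the DES/MD5/group 1 policy visible in the posted debug; the weaker policy would also work but is not one to keep on a production tunnel.

```text
! ---- Internet-exposed PIX (outside = MY-PIX-INTERNET-ADDRESS) ----
! The peer is the address the IKE packets actually arrive from, i.e.
! the outside of the upstream PAT device, never the private 10.10.10.10.
access-list vpn_acl permit ip 192.168.1.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list vpn_acl
crypto ipsec transform-set vpn_ts esp-3des esp-sha-hmac
crypto map vpn_map 10 ipsec-isakmp
crypto map vpn_map 10 match address vpn_acl
crypto map vpn_map 10 set peer THEIR-PIX-WITH-INTERNET-ADDRESS
crypto map vpn_map 10 set transform-set vpn_ts
crypto map vpn_map interface outside
isakmp enable outside
isakmp key ******** address THEIR-PIX-WITH-INTERNET-ADDRESS netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec

! ---- PIX behind the PAT device (outside = 10.10.10.10) ----
! This end still peers with the public address of the Internet-exposed PIX.
access-list vpn_acl permit ip 172.16.20.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list vpn_acl
crypto ipsec transform-set vpn_ts esp-3des esp-sha-hmac
crypto map vpn_map 10 ipsec-isakmp
crypto map vpn_map 10 match address vpn_acl
crypto map vpn_map 10 set peer MY-PIX-INTERNET-ADDRESS
crypto map vpn_map 10 set transform-set vpn_ts
crypto map vpn_map interface outside
isakmp enable outside
isakmp key ******** address MY-PIX-INTERNET-ADDRESS netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec
```

Two things to check against the posted debug once this is in place: the Internet-exposed PIX should find "Peer Info" for THEIR-PIX-WITH-INTERNET-ADDRESS instead of reporting "peers:0", and after "Detected port floating" both sides should carry IKE and ESP over UDP 4500, so the upstream PAT device must pass UDP 500 and UDP 4500 between the two PIXes.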