Thanks lrmoore,
RE: Static: No, their PIX purely provides mine with PATing. Is this required for NAT-T to work?
RE: Incoming ACL: I believe so, but I will check.
Thanks.
Hi,
I used to have a PIX to PIX VPN tunnel - When I set it up, it was quite straight forward with both PIXs having public Internet IPs.
Due to a change at one site (they've run out of external IPs) I have to move my PIX behind their PIX which provides PAT for the hosts behind it.
I enabled nat-translation on both of my PIXs and moved my PIX behind theirs. They've given my PIX on their network unrestricted access to my (still) Internet exposed PIX - however, my tunnel will not come up.
To summarise, the network is now my PIX with 172.16.20.x on its internal interface and 10.10.10.10 on its external. It sits behind their PIX with 10.10.10.1 on its internal and THEIR-PIX-WITH-INTERNET-AD
The debug on the Internet exposed PIX shows:
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
Which, until this point, looks pretty good...
crypto_isakmp_process_bloc
VPN Peer:ISAKMP: Peer Info for <THEIR-PIX-WITH-INTERNET-A
Which is where it appears to fall down. At the same time, my PIX behind theirs shows:
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_bloc
ISAKMP: sa not found for ike msg
(10.10.10.10 is the external address of my PIX behind theirs, it serves 172.16.20.x on its internal)
I'm confused by the two PIXs not using the same ports. In fact, I'm confused why it's not working in general, any thoughts?
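An added example, not from the thread, that triages the two debug excerpts above: it scans PIX "debug crypto isakmp" lines for the NAT-T vendor ID, the port-floating notice and the "sa not found" message, and maps them to a triage code for each endpoint. The sample lines are taken from the post; the IkeTrace fields and the code names are my own.

```python
from dataclasses import dataclass

# Constructed sample input: ISAKMP debug lines lifted verbatim from the post, per PIX.
PUBLIC_PIX_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
"""
PRIVATE_PIX_DEBUG = """\
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
ISAKMP: sa not found for ike msg
"""

@dataclass
class IkeTrace:
    transform_accepted: bool = False  # phase-1 proposal matched a local policy
    peer_offers_nat_t: bool = False   # peer sent the NAT-T vendor ID
    we_offer_nat_t: bool = False      # this PIX sent the NAT-T vendor ID
    port_floating: bool = False       # NAT detected: IKE/ESP float to UDP 4500
    sa_not_found: int = 0             # IKE packets matching no local SA

# Substring markers, keyed by the IkeTrace field they set.
MARKERS = {
    "transform_accepted": "atts are acceptable",
    "peer_offers_nat_t": "vendor ID is NAT-T",
    "we_offer_nat_t": "sending NAT-T vendor ID",
    "port_floating": "Detected port floating",
}

def parse_isakmp_debug(text: str) -> IkeTrace:
    """Scan 'debug crypto isakmp' output and record the phase-1 milestones."""
    trace = IkeTrace()
    for line in text.splitlines():
        for field_name, marker in MARKERS.items():
            if marker in line:
                setattr(trace, field_name, True)
        if "sa not found for ike msg" in line:
            trace.sa_not_found += 1
    return trace

def diagnose(trace: IkeTrace) -> str:
    """Map the milestones to a triage code for the tunnel endpoint."""
    if trace.sa_not_found and not trace.transform_accepted:
        return "sa-not-found"       # replies for an SA this box never completed
    if trace.transform_accepted and trace.port_floating:
        return "nat-t-port-floating"  # NAT seen: UDP 500 and 4500 must both pass
    return "phase1-proposal-ok" if trace.transform_accepted else "incomplete"
```

A "nat-t-port-floating" result on the public side paired with "sa-not-found" on the private side is the pattern in this thread: phase 1 reaches port floating on one end while the other end receives IKE messages it cannot match to a negotiation.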
That was the original config; to debug, I've asked for (and, I'm told, received) unfettered access both to and from the address of my publicly exposed PIX.
I don't know if it's changed or I only just spotted it, but the publicly exposed PIX will, at times, believe it has created a tunnel. It will report success with Peers: 1 and then immediately afterwards tear it down. (This appears perhaps once every 5 to 10 minutes.)
In the meantime, the PIX on the private LAN continues to attempt IKE negotiation.
Are you still working on this?
Have you found a solution?
Do you need more information?
This question will be classified as abandoned soon if we don't get some feedback from you.
Can you close out this question? See here for details:
http://www.experts-exchang
Thanks for your attention!
Answer by: lrmoore, posted on 2005-04-25 at 15:51:21, ID: 13862815
Does the PIX in front of yours with the "real" public IP address have a static 1-1 NAT for a public IP address for your PIX? i.e.
static (inside,outside) a.b.c.d 10.10.10.10 netmask 255.255.255.255
and an accompanying acl entry:
access-list outside_in permit ip any host a.b.c.d