[c-nsp] ASA5520 > Pix 501, NO_ERR_NO_TRANS error on VPN tunnel
Scott Granados
gsgranados at comcast.net
Sat Oct 17 20:22:31 EDT 2009
Hi, I'm having the following problem.
I have an ASA5520 running ASA724-33-k8 and a Pix 501 running 6.3. I have
the following on the asa
access-list test-vpn extended permit ip 10.18.0.0 255.255.255.0 10.18.15.128 255.255.255.240
access-list test-vpn extended permit ip 10.18.1.0 255.255.255.0 10.18.15.128 255.255.255.240
crypto map vpn-ra-map 20 match test-vpn
crypto map vpn-ra-map 20 peer 75.x.x.28
crypto map vpn-ra-map 20 transform vpn-transform1 vpn-transform2 vpn-transform3 vpn-transform4
crypto map vpn-ra-map 20 reverse-route
The transform sets are simply AES, AES-256, DES and 3DES, each with an MD5 or SHA hash.
ISAKMP policies exist and match as well.
on the pix
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.0.0 255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.1.0 255.255.255.0
crypto map map1 match test-vpn
crypto map map1 interface outside
crypto map map1 peer 206.x.x.232
isakmp policy 20 preshare
isakmp policy 20 group 2
isakmp policy 20 encrypt aes-256
isakmp policy 20 hash sha
isakmp policy 20 life 28800
A "show isakmp sa" and "show crypto ipsec" on both sides seem to show a tunnel up. With "debug crypto isakmp" and "debug crypto ipsec" on the Pix 501 I keep getting
IKMP_NO_ERR_NO_TRANS
The 5520 side shows the tunnel as active and the Pix shows it as idle.
Pings or traffic of any form can't traverse the tunnel. What have I missed?
Any pointers would be appreciated.
Thanks
Scott
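When Phase 1 is up but nothing crosses the tunnel, the two things worth checking mechanically are the Phase 2 proxy identities (the crypto ACLs on each end must be exact mirror images, down to the mask) and whether both peers actually hold an identical IPsec transform set. The script below is an added example, not code from the original post or from Cisco. The two crypto ACLs are copied from the post; the "crypto ipsec transform-set" lines, the PIX set name "pixset" and the deliberately broken "PIX_CONFIG_BAD" are constructed for illustration, since the post does not show the transform sets on either side.

```python
#!/usr/bin/env python3
"""Cross-check the two ends of a site-to-site IPsec tunnel from their configs.

Added example (not from the original mailing-list post). It checks the two
configuration errors that most often leave IKE Phase 1 up while no traffic
passes:
  1. the crypto ACLs (Phase 2 proxy identities) must be exact mirror images;
  2. the peers must share at least one transform set with identical algorithms.
The ACL lines are from the post; the transform-set lines are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

ASA_CONFIG = """\
access-list test-vpn extended permit ip 10.18.0.0 255.255.255.0 10.18.15.128 255.255.255.240
access-list test-vpn extended permit ip 10.18.1.0 255.255.255.0 10.18.15.128 255.255.255.240
crypto ipsec transform-set vpn-transform1 esp-aes esp-md5-hmac
crypto ipsec transform-set vpn-transform2 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-transform4 esp-des esp-md5-hmac
"""

PIX_CONFIG = """\
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.0.0 255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.1.0 255.255.255.0
crypto ipsec transform-set pixset esp-aes-256 esp-sha-hmac
"""

# Constructed failure case: a /27 mask typo on one ACL line and a transform
# set that matches none of the ASA's four.
PIX_CONFIG_BAD = """\
access-list test-vpn permit ip 10.18.15.128 255.255.255.224 10.18.0.0 255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.1.0 255.255.255.0
crypto ipsec transform-set pixset esp-3des esp-md5-hmac
"""


@dataclass(frozen=True)
class CryptoAclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_crypto_acl(config: str, acl_name: str) -> List[CryptoAclEntry]:
    """Parse 'access-list NAME [extended] permit ip SRC MASK DST MASK' lines.

    ASA writes 'extended' after the name; PIX 6.3 does not. Both use real
    subnet masks (not wildcard masks), which ipaddress accepts directly.
    """
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", acl_name]:
            continue
        if "extended" in tok:
            tok.remove("extended")
        if len(tok) < 8 or tok[2] != "permit" or tok[3] != "ip":
            continue  # only plain ip permits define proxy identities here
        src = ipaddress.IPv4Network((tok[4], tok[5]), strict=False)
        dst = ipaddress.IPv4Network((tok[6], tok[7]), strict=False)
        entries.append(CryptoAclEntry(src, dst))
    return entries


def proxy_id_mismatches(local: List[CryptoAclEntry], remote: List[CryptoAclEntry]):
    """Return (pairs only the local side has, pairs only the remote side has).

    Both results are expressed in the local side's (src, dst) orientation.
    """
    local_pairs = {(e.src, e.dst) for e in local}
    remote_mirrored = {(e.dst, e.src) for e in remote}
    return (sorted(local_pairs - remote_mirrored, key=str),
            sorted(remote_mirrored - local_pairs, key=str))


def parse_transform_sets(config: str) -> Dict[str, FrozenSet[str]]:
    """Map transform-set name -> set of its algorithm keywords."""
    sets = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) >= 5:
            sets[tok[3]] = frozenset(tok[4:])
    return sets


def common_transform_sets(config_a: str, config_b: str) -> List[Tuple[str, str]]:
    """Name pairs whose algorithm sets are identical on both peers."""
    a, b = parse_transform_sets(config_a), parse_transform_sets(config_b)
    return sorted((na, nb) for na, sa in a.items() for nb, sb in b.items() if sa == sb)


def check_tunnel(config_a: str, acl_a: str, config_b: str, acl_b: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    only_a, only_b = proxy_id_mismatches(parse_crypto_acl(config_a, acl_a),
                                         parse_crypto_acl(config_b, acl_b))
    for src, dst in only_a:
        findings.append(f"side A protects {src} -> {dst} but side B has no mirror entry")
    for src, dst in only_b:
        findings.append(f"side B protects {dst} -> {src} but side A has no mirror entry")
    if not common_transform_sets(config_a, config_b):
        findings.append("no transform set is identical on both sides (Phase 2 proposal mismatch)")
    return findings


if __name__ == "__main__":
    for label, pix in (("as posted", PIX_CONFIG), ("constructed bad PIX", PIX_CONFIG_BAD)):
        result = check_tunnel(ASA_CONFIG, "test-vpn", pix, "test-vpn")
        print(f"{label}: {'OK' if not result else ''}")
        for f in result:
            print("  -", f)
```

Run against the ACLs as posted, the mirror check passes and the constructed transform sets overlap on AES-256/SHA, so the script reports nothing; the broken PIX variant shows what a mask typo and a proposal mismatch look like side by side. If both checks pass on the real configs, the remaining suspects are outside what the post shows (NAT exemption for the protected subnets and whether ISAKMP is enabled on the PIX outside interface).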