[c-nsp] ASA5520 > Pix 501, NO_ERR_NO_TRANS error on VPN tunnel
Ryan West
rwest at zyedge.com
Sat Oct 17 20:36:50 EDT 2009
Scott,
Can you post your 'show ipsec sa' and 'show isakmp sa' output on both firewalls, as well as 'show nat' and the associated nat 0 entries? Also please post the contents of the 4 transforms on the ASA as well as the transforms on the PIX.
-ryan
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Saturday, October 17, 2009 8:23 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA5520 > Pix 501, NO_ERR_NO_TRANS error on VPN tunnel
Hi, I'm having the following problem.
I have an ASA5520 running ASA724-33-k8 and a Pix 501 running 6.3. I have the following on the ASA:
access-list test-vpn extended permit ip 10.18.0.0 255.255.255.0 10.18.15.128 255.255.255.240
access-list test-vpn extended permit ip 10.18.1.0 255.255.255.0 10.18.15.128 255.255.255.240
crypto map vpn-ra-map 20 match test-vpn
crypto map vpn-ra-map 20 peer 75.x.x.28
crypto map vpn-ra-map 20 transform vpn-transform1 vpn-transform2 vpn-transform3 vpn-transform4
crypto map vpn-ra-map 20 reverse-route
The transforms are simply aes, aes-256, des and 3des, each with an md5 or sha hash.
isakmp policies exist and match as well.
On the Pix:
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.0.0 255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.1.0 255.255.255.0
crypto map map1 match test-vpn
crypto map map1 interface outside
crypto map map1 peer 206.x.x.232
isakmp policy 20 preshare
isakmp policy 20 group 2
isakmp policy 20 encrypt aes-256
isakmp policy 20 hash sha
isakmp policy 20 life 28800
A 'show isakmp sa' and 'show crypto ipsec sa' on both sides seem to show a tunnel up. With 'debug crypto isakmp' and 'debug crypto ipsec' on the Pix 501 I keep getting
IKMP_NO_ERR_NO_TRANS
The 5520 side shows a tunnel active and the pix a tunnel idle.
Pings or traffic of any form can't traverse the tunnel. What have I missed?
Any pointers would be appreciated.
Thanks
Scott
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
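Ryan asks for the SA, NAT and transform output so the two ends can be compared line by line. As an added example (not code from either poster), the script below parses the two crypto ACLs quoted in Scott's post and checks that every ACE on one side has its exact mirror (source and destination swapped) on the other, which is the first thing to rule out when the tunnel negotiates but carries no traffic. Any ACE returned is one whose mirror is missing; the thread's own ACLs produce an empty list. The PIX transform set is not shown in the post, so this check deliberately covers the ACLs only.

```python
import ipaddress
import re

# Crypto ACL lines quoted in the thread above: ASA side and PIX side.
ASA_ACL = """
access-list test-vpn extended permit ip 10.18.0.0 255.255.255.0 10.18.15.128 255.255.255.240
access-list test-vpn extended permit ip 10.18.1.0 255.255.255.0 10.18.15.128 255.255.255.240
"""
PIX_ACL = """
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.0.0 255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.1.0 255.255.255.0
"""

# Matches "access-list NAME [extended] permit ip SRC SMASK DST DMASK".
# Both ASA and PIX 6.3 ACLs use subnet masks here, not IOS wildcard masks.
ACE_RE = re.compile(
    r"access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)


def parse_aces(text):
    """Return the set of (src_network, dst_network) pairs from permit-ip ACEs."""
    aces = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # comments, remarks or non-ip ACEs are skipped
        src, smask, dst, dmask = m.groups()
        aces.add((ipaddress.ip_network(f"{src}/{smask}"),
                  ipaddress.ip_network(f"{dst}/{dmask}")))
    return aces


def mirror_mismatches(local_acl, remote_acl):
    """ACEs on either side whose mirrored ACE is absent on the other side.

    The remote side's ACEs are flipped (dst, src) and compared with the local
    set; the symmetric difference lists every ACE lacking a counterpart.
    """
    local_aces = parse_aces(local_acl)
    remote_mirrored = {(dst, src) for (src, dst) in parse_aces(remote_acl)}
    return sorted(local_aces ^ remote_mirrored, key=str)


if __name__ == "__main__":
    for ace in mirror_mismatches(ASA_ACL, PIX_ACL):
        print("no mirror for", ace[0], "->", ace[1])
```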