Scott,

Can you post your 'show ipsec sa' and 'show isakmp sa' output on both firewalls, as well as 'show nat' and the associated nat 0 entries? Also please post the contents of the 4 transforms on the ASA as well as the transforms on the PIX.

-ryan

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Scott Granados
Sent: Saturday, October 17, 2009 8:23 PM
To: [email protected]
Subject: [c-nsp] ASA5520 > Pix 501, NO_ERR_NO_TRANS error on VPN tunnel

Hi, I'm having the following problem. I have an ASA5520 running ASA724-33-k8 and a Pix 501 running 6.3.

I have the following on the asa

access-list test-vpn extended permit ip 10.18.0.0 255.255.255.0 10.18.15.128 255.255.255.240
access-list test-vpn extended permit ip 10.18.1.0 255.255.255.0 10.18.15.128 255.255.255.240
crypto map vpn-ra-map 20 match test-vpn
crypto map vpn-ra-map 20 peer 75.x.x.28
crypto map vpn-ra-map 20 transform vpn-transform1 vpn-transform2 vpn-transform3 vpn-transform4
crypto map vpn-ra-map 20 reverse-route

the transforms are simply aes and aes-256 des and 3des each with an md5 or sha hash
isakmp policies exist and match as well

on the pix

access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.0.0 255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.1.0 255.255.255.0
crypto map map1 match test-vpn
crypto map map1 interface outside
crypto map map1 peer 206.x.x.232
isakmp policy 20 preshare
isakmp policy 20 group 2
isakmp policy 20 encrypt aes-256
isakmp policy 20 hash sha
isakmp policy 20 life 28800

A show isakmp sa and show crypto ipsec on both sides seems to show a tunnel up. With a debug crypto isakmp and debug crypto ipsec on the pix 501 I keep getting

IKMP_NO_ERR_NO_TRANS

The 5520 side shows a tunnel active and the pix a tunnel idle. Pings or traffic of any form can't traverse the tunnel.

What have I missed? Any pointers would be appreciated.

Thanks
Scott
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
