Security Basics mailing list archives

Cisco & Juniper vpn remote client problem


From: "Rajaie Issaid" <rajaie () palnet com>
Date: Thu, 13 Nov 2008 08:56:16 +0200


Hi,

I have an ADSL line connected through a Cisco 837 router, and behind the Cisco
router there is an SSG140 with a virtual IP. The Cisco router has a fixed
dialer IP, and the Ethernet interface has a virtual IP from the same subnet
as the untrust zone of the Juniper.

I have made static NAT translations for the following ports from the Cisco to
the Juniper SSG140:

• TCP, UDP 50
• TCP 500
• TCP 11111, 11112, 42496

I have a laptop with a configured account for the Juniper NetScreen-Remote
client, and I am trying to connect over the Internet to the SSG140;
unfortunately I am encountering the following error log:

Initiating IKE Phase 1 (IP ADDR=real-ip-address)
SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
Peer supports Dead Peer Detection Version 1.0
Dead Peer Detection enabled
Cannot match Phase 1 ID with Policy Entry:  received ID IP ADDR=10.4.1.2
SENDING>>>> ISAKMP OAK INFO (HASH, NOTIFY:INVALID_ID_INFO)
Discarding IKE SA negotiation
MY COOKIE 54 1b 33 29 6c 14 41 51
HIS COOKIE 66 ec df 8 6 5a ba a7
RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
Received message for non-active SA 


(The IP address of the SSG140 outside interface is 10.4.1.2, the IP address of the Cisco
Ethernet interface is 10.4.1.1, NAT on the Cisco is done for the whole subnet, and
static NAT is done for the ports mentioned above.)

Whenever I give the laptop an IP from the virtual subnet between the
Juniper and the Cisco, the remote client connects without a problem. I
am almost convinced that it is a NAT traversal issue, but did I miss
something?

Regards
