LAN-LAN VPN using Cisco PIX to Microsoft ISA Server 2004

 
 
wmmalii
05-16-2006
I am trying to create a LAN-LAN tunnel using a Cisco PIX 501, v 6.3(3), on one end and a Microsoft ISA Server 2004 with SP2 on the other end, according to the Microsoft document "Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Cisco PIX v6.3.1".
(Yes, I know, there are already version issues.)

The tunnel seems to come up, but there is no traffic passing through the tunnel. When I try to pinpoint the problem, this is what I get:


pix501# show isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
172.16.120.1 172.16.120.254 QM_IDLE 0 0
pix501# show crypto sa


interface: outside
Crypto map tag: InGetargatan, local addr. 172.16.120.254

local ident (addr/mask/prot/port): (192.168.130.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.120.0/255.255.255.0/0/0)
current_peer: 172.16.120.1:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 255, #recv errors 0

local crypto endpt.: 172.16.120.254, remote crypto endpt.: 172.16.120.1
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0

inbound esp sas:


inbound ah sas:


The send errors count indicates some kind of problem, but I can't figure out what it is. The tunnel PIX indicates "VPN Tunnel" if traffic is sent from 192.168.120.0/24 to 192.186.130.0/24 and vice versa.

The setup is as follows:

192.168.130.0/24 --- Pix501 --- 172.16.120.0/24 --- ISA Firewall --- 192.168.120.0/24


The PIX configuration is as follows:

...

access-list Inside_no_NAT permit ip 192.168.130.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list To_tunnel permit ip 192.168.130.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list Outside_in permit icmp any any

...

ip address outside 172.16.120.254 255.255.255.0
ip address inside 192.168.130.1 255.255.255.0

...

global (outside) 1 interface
nat (inside) 0 access-list Inside_no_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group Outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.120.1 1
...
sysopt connection permit-ipsec
crypto ipsec transform-set mySet esp-3des esp-md5-hmac
crypto map InMap 1 ipsec-isakmp
crypto map InMap 1 match address To_tunnel
crypto map InMap 1 set peer 172.16.120.1
crypto map InMap 1 set transform-set mySet
crypto map InMap interface outside
isakmp enable outside
isakmp key ******** address 172.16.120.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
...
pix501#


The ISA server follows the parameters in the configuration above in every detail (by this time I have checked this a hundred times over).

Using the debug isakmp command did not give me any information for the moment, so my question is: How do I go on to pinpoint the problem and get this tunnel to pass traffic?

Regards
Mattias Lindqvist
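
A small triage script for the two command outputs quoted in the post above, added here as an example and not part of the original post: it parses `show isakmp sa` and `show crypto sa` and reports whether the symptom sits in IKE phase 1 or in the IPsec (phase 2) SAs. The function names and finding labels are hypothetical, and the embedded text is trimmed from the post's own output.

```python
import re

# Output trimmed from the post above (forum copy, indentation already lost).
ISAKMP_SA = """\
Total : 1
Embryonic : 0
dst src state pending created
172.16.120.1 172.16.120.254 QM_IDLE 0 0
"""
CRYPTO_SA = """\
current_peer: 172.16.120.1:0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 255, #recv errors 0
current outbound spi: 0
inbound esp sas:
inbound ah sas:
"""

IP = r"\d+(?:\.\d+){3}"
ROW = re.compile(rf"^({IP})\s+({IP})\s+(\S+)\s+\d+\s+\d+\s*$", re.M)
COUNTER = re.compile(r"#([a-z. ]+?):?\s+(\d+)")  # the colon is optional in this output


def parse_isakmp_sa(text):
    """Map (dst, src) -> IKE state for each row of 'show isakmp sa'."""
    return {(dst, src): state for dst, src, state in ROW.findall(text)}


def parse_crypto_sa(text):
    """Extract packet counters, outbound SPI and the number of SA entries."""
    spi = re.search(r"current outbound spi:\s*([0-9a-fA-F]+)", text)
    return {
        "counters": {name: int(val) for name, val in COUNTER.findall(text)},
        "outbound_spi": int(spi.group(1), 16) if spi else 0,
        "sa_entries": len(re.findall(r"^\s*spi:\s*0x", text, re.M)),
    }


def diagnose(isakmp_text, crypto_text):
    """Return findings that separate a phase 1 fault from a phase 2 fault."""
    states = parse_isakmp_sa(isakmp_text).values()
    sa = parse_crypto_sa(crypto_text)
    c = sa["counters"]
    findings = []
    if "QM_IDLE" not in states:  # no established ISAKMP SA
        findings.append("phase1-not-established")
    if sa["outbound_spi"] == 0 and sa["sa_entries"] == 0:
        findings.append("no-ipsec-sa-installed")
    if c.get("send errors", 0) > 0 and c.get("pkts encaps", 0) == 0:
        findings.append("send-errors-without-encaps")
    return findings


if __name__ == "__main__":
    print(diagnose(ISAKMP_SA, CRYPTO_SA))
```

On the post's output this reports the two phase 2 findings and no phase 1 finding: the ISAKMP SA is in QM_IDLE, but no IPsec SA is installed and outbound packets are counted as send errors instead of being encapsulated. That narrows the comparison between the two ends to the phase 2 parameters (the transform set and the networks in the crypto ACL).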