
LAN-LAN VPN using Cisco PIX to Microsoft ISA Server 2004

wmmalii
When I try to create a LAN-LAN tunnel using a Cisco PIX 501, v 6.3(3) on one end and a Microsoft ISA-Server 2004 with SP2 on the other end according to the Microsoft document at Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Cisco PIX v6.3.1
(Yes, I know, there are already version issues)

The tunnel seems to come up, but no traffic is passing through the tunnel. When I try to pinpoint the problem, this is what I get.

pix501# show isakmp sa
Total : 1
Embryonic : 0
dst src state pending created QM_IDLE 0 0
pix501# show crypto sa

interface: outside
Crypto map tag: InGetargatan, local addr.

local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 255, #recv errors 0

local crypto endpt.:, remote crypto endpt.:
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0

inbound esp sas:

inbound ah sas:

The send errors count indicates some kind of problem, but I can't figure out what it is. The tunnel PIX indicates "VPN Tunnel" if traffic is sent from 192.168.120.0/24 to and vice versa.

The setup is as follows: --- Pix501 --- --- ISA Firewall ---

The PIX configuration is as follows:


access-list Inside_no_NAT permit ip
access-list To_tunnel permit ip
access-list Outside_in permit icmp any any


ip address outside
ip address inside


global (outside) 1 interface
nat (inside) 0 access-list Inside_no_NAT
nat (inside) 1 0 0
access-group Outside_in in interface outside
route outside 1
sysopt connection permit-ipsec
crypto ipsec transform-set mySet esp-3des esp-md5-hmac
crypto map InMap 1 ipsec-isakmp
crypto map InMap 1 match address To_tunnel
crypto map InMap 1 set peer
crypto map InMap 1 set transform-set mySet
crypto map InMap interface outside
isakmp enable outside
isakmp key ******** address netmask no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800

The ISA-server follows the parameters in the configuration above in every detail (by this time I have checked this a hundred times over).

Using the debug isakmp command did not give me any information for the moment, so my question is: How do I go about pinpointing the problem and getting this tunnel to pass traffic?

Mattias Lindqvist
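
An added example, not part of the original post: a small Python check that reads the `show crypto sa` counters pasted above and classifies the tunnel state. It treats QM_IDLE as a completed IKE Phase 1, an outbound SPI of 0 with empty inbound SA lists as no IPsec (Phase 2) SA installed, and a non-zero send-error count as packets that matched the crypto ACL but could not be sent. The function names and state labels are hypothetical, chosen for this illustration.

```python
import re

# Counter and SA lines as pasted in the post above (addresses are elided there too).
SAMPLE = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 255, #recv errors 0
current outbound spi: 0

inbound esp sas:

inbound ah sas:
"""

def parse_crypto_sa(text):
    """Extract the counters and SA presence from PIX 6.x 'show crypto sa' text."""
    def counter(name):
        m = re.search(r"#%s:?\s+(\d+)" % re.escape(name), text)
        return int(m.group(1)) if m else None
    spi = re.search(r"current outbound spi:\s*([0-9a-fA-F]+)", text)
    # An installed inbound ESP SA prints an indented "spi: 0x..." line under the header.
    esp = re.search(r"inbound esp sas:\s*\n\s*spi:", text)
    return {
        "encaps": counter("pkts encaps"),
        "decaps": counter("pkts decaps"),
        "send_errors": counter("send errors"),
        "outbound_spi": int(spi.group(1), 16) if spi else None,
        "inbound_esp_sa": bool(esp),
    }

def diagnose(stats, isakmp_state="QM_IDLE"):
    """Classify the tunnel from the Phase 1 state plus the Phase 2 counters."""
    if isakmp_state != "QM_IDLE":
        return "phase1-not-established"
    if not stats["outbound_spi"] and not stats["inbound_esp_sa"]:
        if stats["send_errors"]:
            return "phase2-missing-traffic-dropped"
        return "phase2-missing-no-interesting-traffic"
    if stats["encaps"] and not stats["decaps"]:
        return "one-way-traffic"
    return "phase2-established"

if __name__ == "__main__":
    print(diagnose(parse_crypto_sa(SAMPLE)))
```

For the output in this post the result is `phase2-missing-traffic-dropped`, which points the investigation at Phase 2 negotiation (`debug crypto ipsec` on the PIX, and whether the crypto ACL and the remote side's network definitions mirror each other) rather than at the ISAKMP policy.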