LAN-LAN VPN using Cisco PIX to Microsoft ISA Server 2004

Discussion in 'Cisco' started by wmmalii, May 17, 2006.

    When I try to create a LAN-LAN tunnel using a Cisco PIX 501, v6.3(3), on one end and a Microsoft ISA Server 2004 with SP2 on the other end according to the Microsoft document "Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Cisco PIX v6.3.1" (yes, I know, there are already version issues), the tunnel seems to come up but no traffic passes through it. When I try to pinpoint the problem, this is what I get:


    pix501# show isakmp sa
    Total : 1
    Embryonic : 0
    dst src state pending created
    172.16.120.1 172.16.120.254 QM_IDLE 0 0
    pix501# show crypto sa


    interface: outside
    Crypto map tag: InGetargatan, local addr. 172.16.120.254

    local ident (addr/mask/prot/port): (192.168.130.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.120.0/255.255.255.0/0/0)
    current_peer: 172.16.120.1:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 255, #recv errors 0

    local crypto endpt.: 172.16.120.254, remote crypto endpt.: 172.16.120.1
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0

    inbound esp sas:


    inbound ah sas:


    The send errors count indicates some kind of problem but I can't figure out what it is. The PIX indicates "VPN Tunnel" if traffic is sent from 192.168.120.0/24 to 192.168.130.0/24 and vice versa.

    The setup is as follows:

    192.168.130.0/24 --- Pix501 --- 172.16.120.0/24 --- ISA Firewall --- 192.168.120.0/24


    The PIX configuration is as follows:

    ...

    access-list Inside_no_NAT permit ip 192.168.130.0 255.255.255.0 192.168.120.0 255.255.255.0
    access-list To_tunnel permit ip 192.168.130.0 255.255.255.0 192.168.120.0 255.255.255.0
    access-list Outside_in permit icmp any any

    ...

    ip address outside 172.16.120.254 255.255.255.0
    ip address inside 192.168.130.1 255.255.255.0

    ...

    global (outside) 1 interface
    nat (inside) 0 access-list Inside_no_NAT
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group Outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 172.16.120.1 1
    ...
    sysopt connection permit-ipsec
    crypto ipsec transform-set mySet esp-3des esp-md5-hmac
    crypto map InMap 1 ipsec-isakmp
    crypto map InMap 1 match address To_tunnel
    crypto map InMap 1 set peer 172.16.120.1
    crypto map InMap 1 set transform-set mySet
    crypto map InMap interface outside
    isakmp enable outside
    isakmp key ******** address 172.16.120.1 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash md5
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 28800
    ...
    pix501#


    The ISA Server follows the parameters in the configuration above in every detail (by this time I have checked this a hundred times over).

    Using the debug isakmp command did not give me any information for the moment, so my question is: how do I go about pinpointing the problem and getting this tunnel to pass traffic?

    Regards
    Mattias Lindqvist
    wmmalii, May 17, 2006
    #1
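The two show outputs in the post already say which half of the tunnel is missing, and the reading below is an added example, not part of the original post and not a Cisco or Microsoft tool: a small Python script that parses `show isakmp sa` and `show crypto ipsec sa` text and reports whether IKE phase 1, the IPsec (phase 2) SA, or the traffic path is the problem. The two sample outputs are constructed to reproduce the poster's counters, and the verdict rules and their wording are my own heuristics, not a Cisco reference.

```python
"""Triage a PIX 6.x LAN-to-LAN tunnel from `show isakmp sa` / `show crypto ipsec sa`.

Added example, not from the original post. The two sample outputs are
constructed to reproduce the counters the poster shows; the field names and the
classification rules below are my own reading of those counters.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

ISAKMP_SAMPLE = """\
Total : 1
Embryonic : 0
dst src state pending created
172.16.120.1 172.16.120.254 QM_IDLE 0 0
"""

IPSEC_SAMPLE = """\
interface: outside
Crypto map tag: InGetargatan, local addr. 172.16.120.254
local ident (addr/mask/prot/port): (192.168.130.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.120.0/255.255.255.0/0/0)
current_peer: 172.16.120.1:0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 255, #recv errors 0
current outbound spi: 0

inbound esp sas:


inbound ah sas:
"""


@dataclass
class TunnelState:
    phase1_state: Optional[str]   # QM_IDLE means phase 1 completed; MM_* means still negotiating
    embryonic: int                # half-open ISAKMP SAs
    outbound_spi: int             # 0 means no outbound IPsec SA exists
    inbound_esp_sas: int          # number of `spi:` entries under "inbound esp sas:"
    pkts_encaps: int
    pkts_decaps: int
    send_errors: int              # packets the PIX could not send through the tunnel


def _int(pattern: str, text: str, base: int = 10) -> int:
    m = re.search(pattern, text, re.M)
    return int(m.group(1), base) if m else 0


def parse(isakmp_text: str, ipsec_text: str) -> TunnelState:
    # ISAKMP table rows look like "<dst> <src> <STATE> <pending> <created>"
    rows = re.findall(r"^\s*\S+\s+\S+\s+([A-Z_]+)\s+\d+\s+\d+\s*$", isakmp_text, re.M)
    esp = re.search(r"inbound esp sas:(.*?)inbound ah sas:", ipsec_text, re.S)
    esp_count = len(re.findall(r"^\s*spi:", esp.group(1), re.M)) if esp else 0
    return TunnelState(
        phase1_state=rows[0] if rows else None,
        embryonic=_int(r"^\s*Embryonic\s*:\s*(\d+)", isakmp_text),
        outbound_spi=_int(r"current outbound spi:\s*([0-9A-Fa-f]+)", ipsec_text, 16),
        inbound_esp_sas=esp_count,
        pkts_encaps=_int(r"#pkts encaps:\s*(\d+)", ipsec_text),
        pkts_decaps=_int(r"#pkts decaps:\s*(\d+)", ipsec_text),
        send_errors=_int(r"#send errors\s*(\d+)", ipsec_text),
    )


def classify(s: TunnelState) -> Tuple[str, str]:
    """Return (verdict, next check). Heuristics of this example, not a Cisco reference."""
    if s.phase1_state != "QM_IDLE":
        return ("phase1-failing",
                "IKE phase 1 never reaches QM_IDLE: compare the pre-shared key, "
                "isakmp policy (3des/md5/group 2) and peer address; "
                "run `debug crypto isakmp`.")
    if s.outbound_spi == 0 and s.inbound_esp_sas == 0:
        return ("phase2-missing",
                f"Phase 1 is up but no IPsec SA exists; the {s.send_errors} send "
                "errors are packets dropped while waiting for one. Compare the "
                "proxy IDs (local/remote ident), transform set, PFS and SA "
                "lifetime on the peer; run `debug crypto ipsec` while pinging.")
    if s.pkts_encaps > 0 and s.pkts_decaps == 0:
        return ("one-way",
                "IPsec SA is up and traffic is encrypted outbound, but nothing "
                "comes back; check routing and NAT exemption on the far side.")
    if s.pkts_encaps == 0:
        return ("no-interesting-traffic",
                "IPsec SA is up but nothing matches the crypto ACL; check the "
                "nat 0 exemption and inside routing on the PIX.")
    return ("healthy", "Both directions carry traffic.")


if __name__ == "__main__":
    verdict, advice = classify(parse(ISAKMP_SAMPLE, IPSEC_SAMPLE))
    print(verdict)
    print(advice)
```

Run against the poster's counters (phase 1 in QM_IDLE, outbound SPI 0, an empty ESP SA list, send errors climbing) the script reports `phase2-missing`: the ISAKMP SA is fine, so `debug isakmp` alone stays quiet, and the thing to watch on PIX 6.3 is `debug crypto ipsec` together with `debug crypto isakmp` while a host behind the PIX pings the far subnet, which is when quick mode is attempted and the proxy-ID or proposal mismatch, if that is the cause, is printed.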
