LAN-LAN VPN using Cisco PIX to Microsoft ISA Server 2004

Discussion in 'Cisco' started by wmmalii, May 17, 2006.

    When I try to create a LAN-LAN tunnel using a Cisco PIX 501, v6.3(3), on one end and a Microsoft ISA Server 2004 with SP2 on the other end, according to the Microsoft document "Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Cisco PIX v6.3.1"
    (yes, I know, there are already version issues),

    the tunnel seems to come up, but no traffic passes through it. When I try to pinpoint the problem, this is what I get.

    pix501# show isakmp sa
    Total : 1
    Embryonic : 0
    dst src state pending created QM_IDLE 0 0
    pix501# show crypto sa

    interface: outside
    Crypto map tag: InGetargatan, local addr.

    local ident (addr/mask/prot/port): (
    remote ident (addr/mask/prot/port): (
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 255, #recv errors 0

    local crypto endpt.:, remote crypto endpt.:
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0

    inbound esp sas:

    inbound ah sas:

    The send errors count indicates some kind of problem, but I can't figure out what it is. The PIX indicates "VPN Tunnel" if traffic is sent from 192.168.120.0/24 to and vice versa.

    The setup is as follows: --- Pix501 --- --- ISA Firewall ---

    The PIX configuration is as follows:


    access-list Inside_no_NAT permit ip
    access-list To_tunnel permit ip
    access-list Outside_in permit icmp any any


    ip address outside
    ip address inside


    global (outside) 1 interface
    nat (inside) 0 access-list Inside_no_NAT
    nat (inside) 1 0 0
    access-group Outside_in in interface outside
    route outside 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set mySet esp-3des esp-md5-hmac
    crypto map InMap 1 ipsec-isakmp
    crypto map InMap 1 match address To_tunnel
    crypto map InMap 1 set peer
    crypto map InMap 1 set transform-set mySet
    crypto map InMap interface outside
    isakmp enable outside
    isakmp key ******** address netmask no-xauth no-config-mode
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash md5
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 28800

    The ISA Server follows the parameters in the configuration above in every detail (by this time I have checked this a hundred times over).

    Using the debug isakmp command did not give me any information for the moment, so my question is: how do I go about pinpointing the problem and getting this tunnel to pass traffic?

    Mattias Lindqvist
    wmmalii, May 17, 2006
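Added example, not part of the post: a small Python helper that reads the two show outputs quoted above (show isakmp sa and show crypto ipsec sa) and classifies the tunnel state from them. The sample text is constructed to mirror the post's output, in which the addresses were stripped; the regexes follow the PIX 6.3 counter format shown there.

```python
import re

# Constructed sample output, modelled on what the post quotes (addresses were stripped there).
SHOW_ISAKMP_SA = """Total : 1
Embryonic : 0
dst src state pending created
QM_IDLE 0 0
"""

SHOW_CRYPTO_IPSEC_SA = """interface: outside
Crypto map tag: InMap, local addr.
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 255, #recv errors 0
current outbound spi: 0
inbound esp sas:
inbound ah sas:
"""

def parse_ipsec_sa(text):
    """Extract the counters that decide whether a Phase 2 SA exists and carries traffic."""
    def grab(pattern, base=10):
        m = re.search(pattern, text)
        return int(m.group(1), base) if m else 0
    return {
        "encaps": grab(r"#pkts encaps:\s*(\d+)"),
        "decaps": grab(r"#pkts decaps:\s*(\d+)"),
        "send_errors": grab(r"#send errors\s*(\d+)"),
        "outbound_spi": grab(r"current outbound spi:\s*([0-9A-Fa-f]+)", 16),
        # Each established ESP SA prints its own 'spi: 0x...' line under 'inbound esp sas:'
        "esp_sas": len(re.findall(r"\bspi:\s*0x[0-9A-Fa-f]+", text)),
    }

def diagnose(isakmp_text, ipsec_text):
    """Classify the tunnel from 'show isakmp sa' plus 'show crypto ipsec sa' output."""
    c = parse_ipsec_sa(ipsec_text)
    if "QM_IDLE" not in isakmp_text:
        return {"state": "phase1-down", "counters": c}  # IKE Phase 1 never completed
    if c["outbound_spi"] == 0 and c["esp_sas"] == 0:
        # Phase 1 is up but no IPsec SA was negotiated: packets match the crypto ACL
        # yet have no SA to be encrypted into, so 'send errors' grows and encaps stays 0.
        return {"state": "phase2-missing", "counters": c}
    if c["encaps"] > 0 and c["decaps"] == 0:
        return {"state": "one-way-no-return", "counters": c}
    return {"state": "passing", "counters": c}

if __name__ == "__main__":
    print(diagnose(SHOW_ISAKMP_SA, SHOW_CRYPTO_IPSEC_SA))
```

On the post's output this reports phase2-missing, which matches QM_IDLE with zero encaps/decaps, an outbound SPI of 0, empty inbound ESP SAs and a rising send-error count.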