LAN-LAN VPN using Cisco PIX to Microsoft ISA Server 2004

When i try to create a LAN-LAN tunnel using a Cisco PIX 501, v 6.3(3) i one end and a Microsoft ISA-Server 2004 with sp2 on the other end according to Microsoft document at Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Cisco PIX v6.3.1
(Yes i now, there is already version issues)

The tunnel seams to get up but there is no traffic that is passing the tunnel. When I try to pinpoint the problem this is what i get.


pix501# show isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
172.16.120.1 172.16.120.254 QM_IDLE 0 0
pix501# show crypto sa


interface: outside
Crypto map tag: InGetargatan, local addr. 172.16.120.254

local ident (addr/mask/prot/port): (192.168.130.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.120.0/255.255.255.0/0/0)
current_peer: 172.16.120.1:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 255, #recv errors 0

local crypto endpt.: 172.16.120.254, remote crypto endpt.: 172.16.120.1
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0

inbound esp sas:


inbound ah sas:

The send errors count indicates som kind of problem but i can´t figure out what it is. The tunnel PIX indicates "VPN Tunnel" if traffic is sent from192.168.120.0/24 to 192.186.130.0/24 and vise versa.

The setup is as follow:

192.168.130.0/24 --- Pix501 --- 172.16.120.0/24 --- ISA Firewall --- 192.168.120.0/24


The PIX configuration is as follow:

...

access-list Inside_no_NAT permit ip 192.168.130.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list To_tunnel permit ip 192.168.130.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list Outside_in permit icmp any any

...

ip address outside 172.16.120.254 255.255.255.0
ip address inside 192.168.130.1 255.255.255.0

...

global (outside) 1 interface
nat (inside) 0 access-list Inside_no_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group Outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.120.1 1
...
sysopt connection permit-ipsec
crypto ipsec transform-set mySet esp-3des esp-md5-hmac
crypto map InMap 1 ipsec-isakmp
crypto map InMap 1 match address To_tunnel
crypto map InMap 1 set peer 172.16.120.1
crypto map InMap 1 set transform-set mySet
crypto map InMap interface outside
isakmp enable outside
isakmp key ******** address 172.16.120.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
...
pix501#

The ISA-server follows the parameters in the configuration above in every detail (by this time i have checked this a hundred times over)

Using the debug isakmp command did not give me any information for the moment so my question is: How do I get on to pinpoint the problem and get this tunnel to pass traffic?

Regards
Mattias Lindqvist