VPN IPSec problem with ISA Server

lformelli
Level 1

Hi,

I have deployed an IPSec L2L VPN from an ASA 5505 with a Microsoft ISA Server as the peer firewall.

I see that this tunnel is quite unstable.

Does anyone know if there is a known problem with this, or can advise me on something?

best regards

Lorenzo

5 Replies

hadbou
Level 5

Make sure the Crypto Access List matches on both sides. This issue has troubled me in getting a stable tunnel. Refer to URL http://cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml for general troubleshooting.

mark.white
Level 1

Hello:

We have run across this issue twice and the solution has been the same. When trying to establish a VPN with an ISA server on their end, you need to (for some strange reason) add the actual peer address of the ISA server to the encryption domains of the VPN tunnel. Example:

access-list 104 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list 104 permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1

crypto map mymap 8 set peer 1.1.1.1

Hope this helps.

lformelli
Level 1

Hi Mark,

Is 192.168.1.0 the network address behind the ASA?

Is 1.1.1.1 the public address of the ISA Server?

Is 192.168.100.0 the network address behind the ISA Server?

I have now:

access-list outside_20_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host Ip_Peer

access-list outside_20_cryptomap extended permit ip 192.168.18.0 255.255.255.0 intranet 255.255.255.0

crypto map outside_map 20 set peer Ip_Peer

where Ip_Peer is the public address of the ISA

and intranet is the network address behind the ISA.

192.168.18.0 is the network address behind the ASA.

I think I have already configured it the way you suggest.

Is that right?

best regards

Lorenzo

mark.white
Level 1

access-list 104 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list 104 permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1

crypto map mymap 8 set peer 1.1.1.1

Where:

192.168.1.0 255.255.255.0 - Your local domain

192.168.100.0 255.255.255.0 - Remote domain

It looks as if the order of ACEs may be an issue. I believe you should switch the two lines. I haven't tried it the way you have written it. I've only written the ACL as stated above. I'm a strong believer in "If it ain't broke, don't fix it!" :)

Does this clear it up for you?
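The two checks recommended in the replies above (hadbou's "the crypto access list must match on both sides" and Mark's "the ISA's own peer address must be in the encryption domain"), written up as an added Python example that is not from this thread, from Cisco or from Microsoft. It parses the ASA crypto ACL and the `crypto map ... set peer` line, compares the proxy IDs with the ISA side's selectors as mirror images, and reports whether the peer's own address is a permitted destination. The ASA lines are Mark's ACL 104 from his first reply; the ISA-side inputs, the ACL name `isa` and the /23 mistake are constructed for this example, and the ISA's selectors are written in ASA ACL syntax only so that they can be compared. Names defined with the ASA `name` command (Lorenzo's `Ip_Peer` and `intranet`) would have to be replaced with their addresses before the check is run.

```python
"""Crypto-ACL consistency check for an ASA-to-ISA L2L tunnel (added example,
not configuration from the thread).

Two checks from the replies above:
  1. hadbou: the crypto ACL (proxy IDs) on each side must be the mirror
     image of the other side's.
  2. Mark: with an ISA Server peer, the ISA's own public address must also
     appear as a destination host in the ASA's crypto ACL.
"""
import ipaddress
import re

# Classic and "extended" ASA ACE syntax, IP protocol only:
#   access-list NAME [extended] permit ip SRC DST
# where SRC/DST is "A.B.C.D MASK", "host A.B.C.D" or "any".
_ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+(?P<dst>host\s+\S+|any|\S+\s+\S+)\s*$"
)
_PEER_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+set peer\s+(\S+)\s*$", re.M)


def _to_network(token):
    """'host 1.1.1.1', 'any' or '192.168.1.0 255.255.255.0' -> IPv4Network.

    Names created with the ASA 'name' command (Ip_Peer, intranet in the
    thread) are not resolved here; substitute the addresses first.
    """
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host"):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(config, acl_name):
    """Ordered (local, remote) proxy-ID pairs of the permit ACEs in one ACL."""
    pairs = []
    for line in config.splitlines():
        m = _ACE_RE.match(line.strip())
        if m and m.group("name") == acl_name and m.group("action") == "permit":
            pairs.append((_to_network(m.group("src")), _to_network(m.group("dst"))))
    return pairs


def peer_address(config):
    """Peer from the 'crypto map ... set peer' line, or None if absent."""
    m = _PEER_RE.search(config)
    return m.group(1) if m else None


def mirror_mismatches(asa_pairs, isa_pairs):
    """Proxy-ID pairs present on one side without their mirror on the other.

    Networks must be exactly equal: 192.168.100.0/24 on the ASA against
    192.168.100.0/23 on the ISA is a proxy-ID mismatch, not a match.
    """
    isa_mirrored = [(dst, src) for src, dst in isa_pairs]
    return {
        "asa_only": [p for p in asa_pairs if p not in isa_mirrored],
        "isa_only": [p for p in isa_mirrored if p not in asa_pairs],
    }


def peer_host_in_acl(asa_pairs, peer_ip):
    """True if the peer's own address is a permitted destination (Mark's point)."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in dst for _, dst in asa_pairs)


def check_tunnel(asa_config, isa_config, asa_acl, isa_acl):
    """Run both checks and return a dict a script can act on."""
    asa_pairs = parse_crypto_acl(asa_config, asa_acl)
    isa_pairs = parse_crypto_acl(isa_config, isa_acl)
    peer = peer_address(asa_config)
    return {
        "peer": peer,
        "peer_in_acl": peer is not None and peer_host_in_acl(asa_pairs, peer),
        **mirror_mismatches(asa_pairs, isa_pairs),
    }


# Mark's example ACL and crypto map line from the thread.
ASA_CONFIG = """\
access-list 104 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 104 permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1
crypto map mymap 8 set peer 1.1.1.1
"""

# Constructed: ISA-side selectors that mirror ACL 104 exactly.
ISA_GOOD = """\
access-list isa permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list isa permit ip host 1.1.1.1 192.168.1.0 255.255.255.0
"""

# Constructed: a /23 on the ISA where the ASA has a /24, and no peer-host entry.
ISA_BAD = """\
access-list isa permit ip 192.168.100.0 255.255.254.0 192.168.1.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, isa in (("good", ISA_GOOD), ("bad", ISA_BAD)):
        print(label, check_tunnel(ASA_CONFIG, isa, "104", "isa"))
```

On a real ASA the input for `asa_config` is the output of `show running-config access-list` plus `show running-config crypto map`; the ISA side's selectors have to be transcribed from its site-to-site network rule by hand. An empty `asa_only`/`isa_only` and `peer_in_acl` set to True is the state both replies describe as stable.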

lformelli
Level 1

Hi,

Have you deployed this ACE on an ASA 5505?

If so,

have you not entered any access-group for ACL 104?

best regards

Lorenzo
