Cisco Support Community
Community Member

VPN IPSec problem with ISA Server

Hi,

I have deployed a VPN IPSec L2L from an ASA 5505 with a peer firewall, Microsoft ISA Server.

I see that this tunnel is rather unstable.

Does anyone know if there is a known problem with this, or can anyone give me some advice?

best regards

Lorenzo

5 REPLIES
Bronze

Re: VPN IPSec problem with ISA Server

Make sure the Crypto Access List matches on both sides. This issue has troubled me in getting a stable tunnel. Refer to http://cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml for general troubleshooting.

Community Member

Re: VPN IPSec problem with ISA Server

Hello:

We have run across this issue two times and the solution has been the same. When trying to establish a VPN with an ISA server on their end, you need to (for some strange reason) add the actual peer address of the ISA server to the encryption domains of the VPN tunnel. Example:

access-list 104 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list 104 permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1

crypto map mymap 8 set peer 1.1.1.1

Hope this helps.
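The check described in the reply above, as an added example that is not part of the original thread: a small Python audit that reads ASA-style config text and reports, for each crypto map entry, whether its crypto ACL contains an ACE to `host <peer>`, plus the mirrored selectors the remote side has to match. The `match address` line (not shown in the thread), the sample config and the function names are assumptions.

```python
import re

# Constructed sample config; addresses follow the example in the reply above.
# The "match address" line is assumed, the thread does not show it.
SAMPLE = """\
access-list 104 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 104 permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1
crypto map mymap 8 match address 104
crypto map mymap 8 set peer 1.1.1.1
"""

ACE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(.+)$")
CMAP = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+(match address|set peer)\s+(\S+)")

def _endpoint(tokens):
    """Consume one address spec: 'host X', 'any', or 'NET MASK'."""
    if tokens[0] == "host":
        return ("host", tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    return ("net", f"{tokens[0]} {tokens[1]}"), tokens[2:]

def parse(config):
    """Return ({acl_name: [(src, dst), ...]}, {(map, seq): {'acl':..., 'peer':...}})."""
    acls, maps = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACE.match(line):
            src, rest = _endpoint(m.group(2).split())
            dst, _ = _endpoint(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := CMAP.match(line):
            entry = maps.setdefault((m.group(1), int(m.group(2))), {})
            entry["acl" if m.group(3) == "match address" else "peer"] = m.group(4)
    return acls, maps

def mirror(aces):
    """Selectors the remote gateway must define: source and destination swapped."""
    return [(dst, src) for src, dst in aces]

def audit(config):
    """Per crypto map entry: is the peer itself a destination in the crypto ACL?"""
    acls, maps = parse(config)
    report = {}
    for key, entry in maps.items():
        aces, peer = acls.get(entry.get("acl"), []), entry.get("peer")
        report[key] = {"peer": peer,
                       "peer_in_domain": any(dst == ("host", peer) for _, dst in aces),
                       "remote_selectors": mirror(aces)}
    return report
```

Names defined on the ASA (such as a named peer or network) are compared as written, so the same check works on configs that use names instead of literal addresses.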

Community Member

Re: VPN IPSec problem with ISA Server

Hi Mark,

Is 192.168.1.0 the network address behind the ASA?

Is 1.1.1.1 the public address of the ISA Server?

Is 192.168.100.0 the network address behind the ISA Server?

I have now:

access-list outside_20_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host Ip_Peer

access-list outside_20_cryptomap extended permit ip 192.168.18.0 255.255.255.0 intranet 255.255.255.0

crypto map outside_map 20 set peer Ip_Peer

where Ip_Peer is the public address of the ISA

and intranet is the network address behind the ISA.

192.168.18.0 is the network address behind the ASA.

I think I have already configured it as you suggested.

Is that right?

best regards

Lorenzo

Community Member

Re: VPN IPSec problem with ISA Server

access-list 104 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list 104 permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1

crypto map mymap 8 set peer 1.1.1.1

Where:

192.168.1.0 255.255.255.0 - Your local domain

192.168.100.0 255.255.255.0 - Remote domain

It looks as if the order of ACEs may be an issue. I believe you should switch the two lines. I haven't tried it the way you have written it. I've only written the ACL as stated above. I'm a strong believer in "If it ain't broke, don't fix it!" :)

Does this clear it up for you?

Community Member

Re: VPN IPSec problem with ISA Server

Hi,

Have you deployed this ACE on an ASA 5505?

If so,

have you not entered any access-group 104 for it?

best regards

Lorenzo
