Cisco Support Community
Vpn site to site isa 570 to asa 5505 nat bypass

Hi,

I am configuring a site-to-site VPN between an ISA 570 and an ASA 5505 and am facing an issue configuring the NAT bypass on the ISA 570. Please help me configure the ISA 570. Phase 1 and phase 2 are up, but due to NATing, packets are being decrypted but not encrypted.

Thanks

Kunal

2 REPLIES

Vpn site to site isa 570 to asa 5505 nat bypass

Hi Kunal,

Maybe my post helps you.

https://supportforums.cisco.com/message/3981535

Please refer to the policy group.

You need an exact match in the IKE policy group.

Please always use group 5 (1536 bits) with AES128 and SHA1 hash.

Regards,

Patrick

Vpn site to site isa 570 to asa 5505 nat bypass

Kunal,

I've worked quite a bit with both the ISA and ASA, including establishing VPNs. On the ASA you have to do pretty much every step of the VPN yourself. The ISA is not that way. You just go to VPN -> Site-to-Site -> IPsec Policies and input the VPN details, including the local and remote networks. The ISA will take care of all its own NATing, etc.

Much like the ASA, you can create Address Objects and Address Groups in the ISA via Networking -> Address Management.  So if you have multiple subnets, hosts, or ranges that need to traverse the VPN, that is all possible.

As with any VPN, your Local and Remote Networks must match at both ends (except reversed of course), and your IKE and Transform Sets must match.  I'd recommend the default Transform Set in the ISA which is ESP_SHA1_HMAC ESP_AES_256.  However I'd recommend creating your own IKE Policy of AES_256, SHA1, and D-H Group_5.  Then be sure to mirror those settings on the ASA.

In the ASA NAT configuration, be sure to uncheck "Disable Proxy Arp on egress interface" and "Lookup route table to locate egress interface". As well, depending on which version of the ASA firmware you're running, ensure you have an Access Rule applied to your outside interface to allow Source: Remote Networks (ISA) to Destination: Local Networks (ASA) with the appropriate Services. Finally, ensure your Site-to-Site VPN Connection Profile is using IKEv1, as the ISA doesn't currently support v2.

The environment I'm referencing is ASA Version 9.1(1)2 / ASDM 7.1(1)52 and ISA Version 1.2.17. Please let me know if you need further assistance.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

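As an added example (not posted by anyone in this thread), here is what the ASA 9.1 side of the tunnel Shawn describes looks like in CLI form: IKEv1 with AES-256/SHA1/DH group 5, the ISA default transform set, a twice-NAT identity rule so VPN traffic bypasses interface PAT, and the inbound access rule. The subnets, object names, peer address and pre-shared key are placeholders; "inside"/"outside" interface names are assumed.

```cisco
! Local (ASA) and remote (ISA) networks - placeholder subnets
object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
object network ISA-LAN
 subnet 192.168.2.0 255.255.255.0
!
! NAT exemption (identity twice-NAT). The ASDM checkboxes "Disable Proxy Arp on
! egress interface" / "Lookup route table to locate egress interface" map to the
! keywords no-proxy-arp / route-lookup; leaving them off matches the advice above.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static ISA-LAN ISA-LAN
!
! IKEv1 policy: must match the ISA IKE policy exactly (AES-256, SHA1, group 5)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
!
! Transform set mirroring the ISA default ESP_AES_256 / ESP_SHA1_HMAC
crypto ipsec ikev1 transform-set ISA-TS esp-aes-256 esp-sha-hmac
!
! Interesting traffic and crypto map (peer address is a placeholder)
access-list ISA-VPN extended permit ip object LOCAL-LAN object ISA-LAN
crypto map OUTSIDE-MAP 10 match address ISA-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ISA-TS
crypto map OUTSIDE-MAP interface outside
!
! IKEv1 site-to-site tunnel group (the ISA does not support IKEv2)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK
!
! Inbound rule on the outside interface, ISA networks -> ASA networks
! (only consulted for VPN traffic when "sysopt connection permit-vpn" is disabled)
access-list OUTSIDE-IN extended permit ip object ISA-LAN object LOCAL-LAN
access-group OUTSIDE-IN in interface outside
```

To confirm the NAT bypass is working from the ASA side, `show crypto ipsec sa` should show both the encaps and decaps counters increasing; decaps rising while encaps stays at zero is the "decrypting but not encrypting" symptom from the original question and points at the NAT or interesting-traffic definition.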