Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 7.2 VPN to Microsoft ISA problem

I've attached my ASA's config. I can't bring the VPN up by pinging from the ASA but the VPN will come up when someone pings from behind the ISA server. So the problem seems to be routing/NAT on my ASA because my pings aren't being directed out the tunnel.

The VPN in question has 64.106.x.x as the peer and AES 256/SHA for phase 1 and 2.


ASA 7.2 VPN to Microsoft ISA problem

I just reviewed your config and I don't see any problem on the ASA. Perhaps the packets from your ISA server aren't hitting the ASA's inside interface.

Try to do a capture on the ASA like this:

access-l 150 permit ip host A host B

A will be the IP of the ISA server (192.168.10.x)

B will be the IP of somethign pingeable behind the other side of the VPN tunnel. (10.61.x.x)

capture capin access-list 150 interface inside

Then generate traffic and do "sh capture capin"

If you see hits; then the ASA is receiving the packets from the ISA server.

In that case do a "sh crypto ipsec sa peer 64.106.x.x"

This should show you packets being encrypted and decrypted with similar increasing numbers.

If you DO not see packets hitting the ASA then check your internal routing on the ISA's side..default gateway, etc.

Let me know if this was helpful.


Posted by WebUser Dennis Ariel

New Member

ASA 7.2 VPN to Microsoft ISA problem

That is good info for troubleshooting but the problem isn't from ISA to the ASA. The problem is the ASA doesn't seem to be routing the traffic correctly. I cannot bring up the VPN when I ping from the ASA to ISA but ISA to the ASA does bring up the VPN.

With your suggested change, I get 0 packet captured and 0 packet shown when I ping from 192.168.10.x to 10.61.x.x.

CreatePlease login to create content