
ASA 7.2 VPN to Microsoft ISA problem

jasonww04
Level 1

I've attached my ASA's config. I can't bring the VPN up by pinging from the ASA but the VPN will come up when someone pings from behind the ISA server. So the problem seems to be routing/NAT on my ASA because my pings aren't being directed out the tunnel.

The VPN in question has 64.106.x.x as the peer and AES 256/SHA for phase 1 and 2.

2 Replies

fb_webuser
Level 6

I just reviewed your config and I don't see any problem on the ASA. Perhaps the packets from your ISA server aren't hitting the ASA's inside interface.

Try to do a capture on the ASA like this:

access-l 150 permit ip host A host B

A will be the IP of the ISA server (192.168.10.x)

B will be the IP of something pingable behind the other side of the VPN tunnel (10.61.x.x).

capture capin access-list 150 interface inside

Then generate traffic and do "sh capture capin"

If you see hits, then the ASA is receiving the packets from the ISA server.

In that case do a "sh crypto ipsec sa peer 64.106.x.x"

This should show you packets being encrypted and decrypted with similar increasing numbers.

If you DO not see packets hitting the ASA, then check your internal routing on the ISA's side: default gateway, etc.

Let me know if this was helpful.

---

Posted by WebUser Dennis Ariel
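
Added example, not part of the original reply: a small Python helper that compares two pasted snapshots of "sh crypto ipsec sa peer 64.106.x.x" taken before and after test traffic, to see which direction's counters are increasing. The snapshot text is constructed and trimmed to the counter lines, and the function names are hypothetical.

```python
import re

# Constructed, trimmed snapshots of the counter lines from
# "sh crypto ipsec sa peer 64.106.x.x", taken before and after test pings.
BEFORE = """\
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
"""
AFTER = """\
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 45, #pkts decrypt: 45, #pkts verify: 45
"""

COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def counters(text):
    """Sum the encaps/decaps counters over every SA block in the pasted output."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER.findall(text):
        totals[name] += int(value)
    return totals


def delta(before, after):
    """Counter growth between snapshots; a lower 'after' means the SA was rebuilt."""
    return after if after < before else after - before


def diagnose(before_text, after_text):
    """Return (encaps_delta, decaps_delta, verdict) for two snapshots."""
    b, a = counters(before_text), counters(after_text)
    sent = delta(b["encaps"], a["encaps"])
    received = delta(b["decaps"], a["decaps"])
    if sent and received:
        verdict = "traffic is passing in both directions"
    elif received:
        verdict = "ASA decrypts but does not encrypt: local traffic is not entering the tunnel"
    elif sent:
        verdict = "ASA encrypts but gets nothing back: look at the remote side"
    else:
        verdict = "no change: test traffic never reached the tunnel"
    return sent, received, verdict


if __name__ == "__main__":
    print(diagnose(BEFORE, AFTER))
```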

That is good info for troubleshooting but the problem isn't from ISA to the ASA. The problem is the ASA doesn't seem to be routing the traffic correctly. I cannot bring up the VPN when I ping from the ASA to ISA but ISA to the ASA does bring up the VPN.

With your suggested change, I get 0 packet captured and 0 packet shown when I ping from 192.168.10.x to 10.61.x.x.
