
IPSec traffic is only initiated from one end

Hi All,

I have configured an IPsec VPN between a Cisco 877 and an ISA server, which is working fine. But the issue is that I have multiple subnets on the TMG (Threat Management Gateway) side and only one subnet on the Cisco 877 side. I can only send some subnets' traffic from the Cisco 877 through the VPN tunnel to the other side (the TMG server), and I get a request timeout for the rest of the subnets.

However, if I initiate the ping from inside the ISA with different sources, I can reach the Cisco 877, and from then on I am able to send traffic.

So the tunnel is up and active, but it has to be initiated from the ISA server to have full connectivity.

Here is the IPsec configuration on the Cisco side:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ##### address X.X.X.X
!
!
crypto ipsec transform-set inttec esp-3des esp-sha-hmac
!
crypto map ipsec-tunnel 10 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime seconds 28800
 set transform-set inttec
 match address 100
!
access-list 100 permit ip 192.168.60.0 0.0.0.255 192.168.10.0 0.0.0.255 log
access-list 100 permit ip 192.168.60.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 100 permit ip 192.168.60.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.60.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.60.0 0.0.0.255 10.61.9.0 0.0.0.255 log

It would be great if anyone can help me.

Cheers,

Parham

1 Reply

stephen jeffrey
Level 1

Can you post the config from the TMG? When I've had something like this, it was a mismatch in the ACLs on the devices.
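Added example (not from either poster, and not Cisco or Microsoft code): a small Python checker for the "mirror image" rule Stephen is pointing at, run against the crypto ACL Parham posted. The Cisco entries are copied verbatim from the question; the TMG side is a constructed list of (TMG-local network, remote network) pairs, since the thread never shows the TMG configuration, and it is deliberately seeded with three kinds of mismatch. The verdicts assume the usual IKEv1 quick-mode behaviour where a responder accepts proposed proxy IDs that fall inside one of its own entries but an initiator always proposes its full entry; under that assumption a narrower entry on the far side produces exactly the one-way symptom described in the question, but the thread does not confirm that this is the cause here.

```python
"""Check whether two IPsec peers' traffic selectors are mirror images."""
import ipaddress

# Crypto ACL from the Cisco 877 in the question (copied verbatim).
CISCO_ACL = """\
access-list 100 permit ip 192.168.60.0 0.0.0.255 192.168.10.0 0.0.0.255 log
access-list 100 permit ip 192.168.60.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 100 permit ip 192.168.60.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.60.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.60.0 0.0.0.255 10.61.9.0 0.0.0.255 log
"""

# CONSTRUCTED TMG/ISA side as (TMG-local network, remote network) pairs.
# This is an assumption for illustration; the real TMG rules are not in the thread.
TMG_SELECTORS = [
    ("192.168.10.0/24", "192.168.60.0/24"),   # exact mirror
    ("192.168.150.0/25", "192.168.60.0/24"),  # narrower than the Cisco entry
    ("192.168.100.0/24", "192.168.60.0/24"),  # exact mirror
    ("10.61.8.0/23", "192.168.60.0/24"),      # wider than the Cisco entry
    # 192.168.20.0/24 deliberately absent
]


def parse_operand(tokens, i):
    """Consume one source/destination operand of an IOS ACE starting at tokens[i].
    Returns (network, index_of_next_token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = tokens[i + 1]
    if wildcard == "0.0.0.0":
        # ipaddress treats an all-zero mask as a netmask (/0), not as a hostmask
        return ipaddress.ip_network(tok + "/32"), i + 2
    # ipaddress reads a mask whose first octet is 0 as a hostmask, i.e. an IOS
    # wildcard; a non-contiguous wildcard raises ValueError, which is what we want.
    return ipaddress.ip_network(f"{tok}/{wildcard}", strict=False), i + 2


def parse_crypto_acl(text):
    """Return the (local, remote) network pairs of the 'permit ip' entries."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue
        if tokens[3] != "ip":
            continue  # a crypto ACL should select whole subnets, not ports/protocols
        src, i = parse_operand(tokens, 4)
        dst, _ = parse_operand(tokens, i)
        pairs.append((src, dst))
    return pairs


def classify(local_pairs, remote_pairs):
    """Compare each local entry with the remote selectors (given from the
    remote's point of view and swapped here so both read local -> remote).

    'mirror'    exact mirror exists: either end can initiate
    'narrower'  remote only has a subset: the full local proposal matches
                nothing there, but the remote's proposal fits inside the local
                entry, so only the remote can initiate (the one-way symptom)
    'wider'     remote entry contains the local one but is larger: only the
                local side can initiate, by the same subset logic
    'missing'   no containment either way (including partial overlaps): fails
                in both directions
    """
    swapped = [(ipaddress.ip_network(d), ipaddress.ip_network(s)) for s, d in remote_pairs]
    verdicts = {}
    for src, dst in local_pairs:
        verdict = "missing"
        for rs, rd in swapped:
            if (rs, rd) == (src, dst):
                verdict = "mirror"
                break
            if rs.subnet_of(src) and rd.subnet_of(dst):
                verdict = "narrower"
            elif src.subnet_of(rs) and dst.subnet_of(rd) and verdict == "missing":
                verdict = "wider"
        verdicts[f"{src} -> {dst}"] = verdict
    return verdicts


if __name__ == "__main__":
    for entry, verdict in classify(parse_crypto_acl(CISCO_ACL), TMG_SELECTORS).items():
        print(f"{verdict:9} {entry}")
```

Anything reported as 'narrower' or 'wider' is a candidate for the one-way behaviour in the question; 'missing' entries will time out from both ends. Fixing it means making the pair identical on both peers, one subnet pair per entry, rather than widening one side to cover the other.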