08-24-2011 10:37 PM - edited 02-21-2020 05:32 PM
Hello,
I am trying to set up an IPsec VPN tunnel between my network and a remote site. I am using ISA Server 2006 running on Windows 2003 Server SP2. The other end uses a Cisco VPN.
When I access the website I receive "500 internal server error host server unreachable (10065)".
I have attached the firewall and IPsec logs.
08-24-2011 11:53 PM
Please share the config and logs from the Cisco VPN side. As this is a Cisco forum, we are more familiar with Cisco products than ISA. For ISA-related logs, please post them on the Microsoft forum. If you can share the Cisco side, we can look into it further for you.
08-25-2011 12:30 AM
Thank you for the reply. When I tested with a Juniper firewall instead of the ISA server it worked well. I will try to get the Cisco logs.
08-25-2011 03:37 AM
Here is the part of the configuration that I could get:
crypto isakmp key s413st4r! address 123.231.21.114
crypto isakmp peer address 123.231.21.114
crypto ipsec transform-set 3ptrans esp-3des esp-sha-hmac
crypto map 3pmap 210 ipsec-isakmp
 set peer 123.231.21.114
 set transform-set 3ptrans
 match address salestar_test
ip route 10.0.0.240 255.255.255.240 10.40.14.17 name salestar_POSreg_test
ip route 123.231.21.114 255.255.255.255 10.40.14.17 name salestar-tunnel
ip nat pool salestar-test-nat 10.40.210.197 10.40.210.197 netmask 255.255.255.0
ip nat inside source list salestar-test-range pool salestar-test-nat overload
ip access-list extended salestar-test-nat
 permit ip 10.0.0.240 0.0.0.15 host 149.254.251.84
ip access-list extended salestar_test
 permit ip host 149.254.251.84 10.0.0.240 0.0.0.15
interface GigabitEthernet0/1
 description Busines to Business VPN inside DMZ
 ip address 10.x.x.12 255.255.255.240
 ip accounting output-packets
 ip nat outside
 no ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
 standby 1 ip 10.x.x.14
 standby 1 priority 105
 standby 1 preempt
 standby 1 track GigabitEthernet0/2
!
interface GigabitEthernet0/2
 description Busines to Business VPN Outside DMZ
 ip address 10.x.x.28 255.255.255.240
 ip nat inside
 no ip virtual-reassembly
 ip route-cache flow
 no ip route-cache cef
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
 standby 2 ip 10.40.14.30
 standby 2 priority 105
 standby 2 preempt
 standby 2 track GigabitEthernet0/1
 crypto map 3pmap redundancy hsrp-Gi0/2-2
08-25-2011 04:54 AM
Config does not look correct.
If you can provide the full topology, as well as the peer IP from each side, full config, what you are trying to encrypt on both sides, plus if NATing is required, that would help.
Currently just looking at part of the config, it does not make sense.
Can you also share the output of:
show cry isa sa
show cry ipsec sa
debug cry isa
debug cry ipsec
from the router when trying to establish the session, so we can pinpoint where the issue is.