PIX-to-ISA Server VPN

daniel.kline
Level 1

I am trying to get an IPSEC VPN tunnel established between a PIX and a Microsoft ISA server.

Does anybody have any good references for how to configure the PIX to get this working?

The VPN tunnel worked prior to the client replacing the PIX at the head end with an ISA server. Now I am seeing erroneous Security Associations (SAs) on both ends of the tunnel (PIX and ISA). And the tunnel appears to work, but drops off periodically throughout the day. The tunnel is reestablished if the client issues echoes from the head end to the remote location.

The three SAs that are established are:

- LAN to LAN (192.168.1.0/24 - 192.168.100.0/24)

- Remote firewall private to ISA server public interface

- LAN (subnet) to LAN (192.168.100.64/26 - 192.168.1.0/24)

The second and third SAs appear to be erroneous.

Below is the IPSEC configuration from the remote branch PIX:

sysopt connection tcpmss 1270
sysopt connection permit-ipsec
crypto ipsec transform-set remotetrans esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dynmap 10 set transform-set remotetrans
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map remote 10 ipsec-isakmp
crypto map remote 10 match address remote2WC
crypto map remote 10 set pfs group2
crypto map remote 10 set peer 151.197.74.146
crypto map remote 10 set transform-set remotetrans
crypto map remote 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map remote 20 ipsec-isakmp dynamic dynmap
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address 151.197.74.146 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

dk

1 Reply

ebreniz
Level 6

Tunnel drops could be due to the IPSec SAs timing out. Check your configs for sa life times and make sure they are correct.
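One way to act on this advice, as an added example that is not from the thread: a short Python audit that parses the PIX lines quoted in the question, resolves each crypto map entry's effective IPsec SA lifetime (an entry-level "set security-association lifetime" overrides the global "crypto ipsec security-association lifetime", and an entry that only references a dynamic map inherits from that map's entries), and flags entries whose lifetime differs from the peer's. The peer lifetime PEER_SECONDS is an assumed placeholder for the ISA side, not a value from the thread.

```python
import re

# Constructed sample: the lifetime-relevant lines from the PIX config in the question.
PIX_CONFIG = """\
crypto ipsec transform-set remotetrans esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dynmap 10 set transform-set remotetrans
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map remote 10 ipsec-isakmp
crypto map remote 10 set peer 151.197.74.146
crypto map remote 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map remote 20 ipsec-isakmp dynamic dynmap
"""

PIX_DEFAULT_SECONDS = 28800  # PIX default when no global lifetime command is present
GLOBAL_RE = re.compile(r"^crypto ipsec security-association lifetime seconds (\d+)")
ENTRY_RE = re.compile(r"^crypto (?:map|dynamic-map) (\S+) (\d+) (.*)$")
LIFETIME_RE = re.compile(r"^set security-association lifetime seconds (\d+)")
DYNREF_RE = re.compile(r"^ipsec-isakmp dynamic \S+")


def effective_lifetimes(config):
    """Map each crypto-map / dynamic-map entry (name, seq) to its effective SA lifetime.

    An entry-level lifetime overrides the global value; an entry that only
    references a dynamic map takes its lifetime from that map, so it is skipped.
    """
    global_seconds = PIX_DEFAULT_SECONDS
    explicit, entries, dynamic_refs = {}, set(), set()
    for line in config.splitlines():
        if m := GLOBAL_RE.match(line):
            global_seconds = int(m.group(1))
            continue
        if not (m := ENTRY_RE.match(line)):
            continue
        key, rest = (m.group(1), int(m.group(2))), m.group(3)
        entries.add(key)
        if lt := LIFETIME_RE.match(rest):
            explicit[key] = int(lt.group(1))
        elif DYNREF_RE.match(rest):
            dynamic_refs.add(key)
    return {e: explicit.get(e, global_seconds) for e in sorted(entries - dynamic_refs)}


def lifetime_mismatches(config, peer_seconds):
    """Entries whose lifetime differs from the peer's; the shorter side drives rekeying."""
    return {e: s for e, s in effective_lifetimes(config).items() if s != peer_seconds}


if __name__ == "__main__":
    PEER_SECONDS = 3600  # assumption: lifetime configured on the ISA side, not from the thread
    for (name, seq), secs in effective_lifetimes(PIX_CONFIG).items():
        print(f"crypto map {name} {seq}: {secs} s")
    print("mismatched vs peer:", lifetime_mismatches(PIX_CONFIG, PEER_SECONDS))
```

Because the quoted config sets a global 3600-second lifetime but 28800 seconds on the map entries, the audit reports the entries at 28800 s; compare that against whatever the ISA side is actually configured with.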
