VPN IPSec problem with ISA Server
02-05-2008 01:03 AM - edited 02-21-2020 03:32 PM
Hi,
I have deployed an IPSec L2L VPN from an
ASA 5505 with a Microsoft ISA Server firewall as the peer.
I see that this tunnel is rather unstable.
Does someone know if there is some known problem with this, or can someone give me some advice?
best regards
Lorenzo
02-11-2008 07:20 AM
Make sure the crypto access list matches on both sides. This issue has given me trouble in getting a stable tunnel. Refer to http://cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml for general troubleshooting.
02-19-2008 09:30 PM
Hello:
We have run across this issue two times and the solution has been the same. When trying to establish a VPN with an ISA server on their end, you need to (for some strange reason) add the actual peer address of the ISA server to the encryption domains of the VPN tunnel. Example:
access-list 104 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 104 permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1
crypto map mymap 8 set peer 1.1.1.1
Hope this helps.
02-20-2008 12:49 AM
Hi Mark,
Is 192.168.1.0 the network address behind the ASA?
Is 1.1.1.1 the public address of the ISA Server?
Is 192.168.100.0 the network address behind the ISA Server?
I have now:
access-list outside_20_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host Ip_Peer
access-list outside_20_cryptomap extended permit ip 192.168.18.0 255.255.255.0 intranet 255.255.255.0
crypto map outside_map 20 set peer Ip_Peer
where Ip_Peer is the public address of the ISA
and intranet is the network address behind the ISA.
192.168.18.0 is the network address behind the ASA.
I think I have already configured it the way you
suggested.
Is that right?
best regards
Lorenzo
02-20-2008 04:26 PM
access-list 104 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 104 permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1
crypto map mymap 8 set peer 1.1.1.1
Where:
192.168.1.0 255.255.255.0 - Your local domain
192.168.100.0 255.255.255.0 - Remote domain
It looks as if the order of ACEs may be an issue. I believe you should switch the two lines. I haven't tried it the way you have written it. I've only written the ACL as stated above. I'm a strong believer in "If it ain't broke, don't fix it!" :)
Does this clear it up for you?
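The two checks raised in the replies above (the crypto ACL must mirror the far end's selectors, and the peer address itself should fall inside the encryption domain) can be run against a saved config. This is an added example, not code from any poster or from Cisco; `audit`, `parse_config` and the `FAR_END` list format are assumptions, and it expects numeric addresses (named objects such as `Ip_Peer` must be resolved first).

```python
import ipaddress

def _net(tokens):
    """Consume one address spec ('host A' or 'A MASK') from the token list."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(text):
    """Return ({acl_name: [(src, dst), ...]}, [peer_ip, ...]) from ASA-style lines."""
    acls, peers = {}, []
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and "permit" in t:
            rest = t[t.index("permit") + 1:]   # skips an optional 'extended'
            if rest[:1] != ["ip"]:
                continue
            src, rest = _net(rest[1:])
            dst, _ = _net(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            peers.append(ipaddress.ip_address(t[6]))
    return acls, peers

def audit(text, acl_name, far_end_selectors):
    """Compare the local crypto ACL with the far end's (local, remote) CIDR pairs."""
    acls, peers = parse_config(text)
    ours = set(acls[acl_name])
    # The far end must list the same pairs with source and destination swapped.
    theirs = {(ipaddress.ip_network(r), ipaddress.ip_network(l))
              for l, r in far_end_selectors}
    return {
        "missing_on_far_end": sorted(ours - theirs),
        "missing_locally": sorted(theirs - ours),
        "peers_outside_domain": [p for p in peers
                                 if not any(p in dst for _, dst in ours)],
    }

# Constructed sample: the ACL from the thread, and a far end lacking the host entry.
ASA_CONFIG = """\
access-list 104 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 104 permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1
crypto map mymap 8 set peer 1.1.1.1
"""
FAR_END = [("192.168.100.0/24", "192.168.1.0/24")]  # (its local, its remote)

if __name__ == "__main__":
    for key, value in audit(ASA_CONFIG, "104", FAR_END).items():
        print(key, value)
```

Any entry under `missing_on_far_end` or `missing_locally` is a selector mismatch of the kind the first reply warns about; a peer listed under `peers_outside_domain` means the host ACE from the second reply is absent.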
02-20-2008 11:11 PM
Hi,
Have you deployed this ACE on an ASA 5505?
If so,
have you not entered any access-group 104 for it?
best regards
Lorenzo
