Welcome to ISAserver.org


Cisco 857 to ISA Server 2004

Cisco 857 to ISA Server 2004 - 12.Mar.2008 3:56:49 AM   
Puffin
Posts: 7
Joined: 12.Mar.2008
Hello,

I'm having problems getting a Cisco 800 series router (the 857) to talk to a Microsoft ISA Server 2004 machine on a remote site.  The 'Main Mode' session is established successfully but the 'Quick Mode' does not get established and therefore the two sites are unable to talk to each other.

I set up the ISA Server side of the connection using the Microsoft Technet guide on how to connect a PIX to ISA Server 2004; I then set up the 857 side manually via the CLI as I was advised that the PIX config in the Microsoft document won't work "out of the box".  I've tweaked the config several times now and have seen different errors for the failure of 'Quick Mode' including negotiation timeout, no policy defined, etc.

An extract of the configuration appears below along with the error messages I'm seeing on the ISA Server end:

Extract from Cisco Config:
-------------------------------------------------------------
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key pass123 address 217.11.22.33
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 217.11.22.33
 set peer 217.11.22.33
 set transform-set ESP-3DES-SHA
 match address 102
 reverse-route remote-peer 217.11.22.33
!
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.10.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 103 permit ip 10.10.10.0 0.0.0.7 any
-------------------------------------------------------------

Event Log Entry on the ISA Server End:

-------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date:  05/03/2008
Time:  19:32:06
User:  NT AUTHORITY\NETWORK SERVICE
Computer: SERVERS01
Description:
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)
Filter:
Source IP Address 217.11.22.33
Source IP Address Mask 255.255.255.255
Destination IP Address 10.10.10.2
Destination IP Address Mask 255.255.255.254
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 217.11.22.33
IKE Peer Addr 88.11.22.33
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
Peer Identity:
Preshared key ID.
Peer IP Address: 88.11.22.33
Failure Point:
Me
Failure Reason:
Negotiation timed out
Extra Status:
Processed third (ID) payload
Initiator(Internal).  Delta Time 63
0x0 0x0
-------------------------------------------------------------

IPsec Config Summary on ISA Server

-------------------------------------------------------------
Local Tunnel Endpoint: 217.11.22.33
Remote Tunnel Endpoint: 88.11.22.33
To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.
IKE Phase I Parameters:
   Mode: Main mode
   Encryption: 3DES
   Integrity: SHA1
   Diffie-Hellman group: Group 2 (1024 bit)
   Authentication method: Pre-shared secret (pass123)
   Security Association lifetime: 28800 seconds
IKE Phase II Parameters:
   Mode: ESP tunnel mode
   Encryption: 3DES
   Integrity: SHA1
   Perfect Forward Secrecy: ON
   Diffie-Hellman group: Group 2 (1024 bit)
   Time rekeying: ON
   Security Association lifetime: 3600 seconds
   Kbyte rekeying: OFF
Remote Network 'Remote Office' IP Subnets:
   Subnet: 10.10.10.1/255.255.255.255
   Subnet: 10.10.10.254/255.255.255.255
   Subnet: 10.10.10.2/255.255.255.254
   Subnet: 10.10.10.252/255.255.255.254
   Subnet: 10.10.10.4/255.255.255.252
   Subnet: 10.10.10.248/255.255.255.252
   Subnet: 10.10.10.8/255.255.255.248
   Subnet: 10.10.10.240/255.255.255.248
   Subnet: 10.10.10.16/255.255.255.240
   Subnet: 10.10.10.224/255.255.255.240
   Subnet: 10.10.10.32/255.255.255.224
   Subnet: 10.10.10.192/255.255.255.224
   Subnet: 10.10.10.64/255.255.255.192
   Subnet: 10.10.10.128/255.255.255.192
Local Network 'Internal' IP Subnets:
   Subnet: 192.168.16.1/255.255.255.255
   Subnet: 192.168.16.2/255.255.255.254
   Subnet: 192.168.16.4/255.255.255.252
   Subnet: 192.168.16.8/255.255.255.248
   Subnet: 192.168.16.16/255.255.255.240
   Subnet: 192.168.16.32/255.255.255.224
   Subnet: 192.168.16.64/255.255.255.192
   Subnet: 192.168.16.128/255.255.255.128
-------------------------------------------------------------

If anyone has any suggestions as to how to get the two sites to talk, they would make me a very happy guy indeed!  Happy to provide any additional information people need from me.

Regards, Ade.
Post #: 1
RE: Cisco 857 to ISA Server 2004 - 12.Mar.2008 6:36:02 AM   
justmee
Posts: 505
Joined: 14.May2007
Hi,
How is the pfs set on the Cisco router ?
I see it enabled on ISA but not on the Cisco router.
How exactly have you defined the Remote Network on ISA ?
It should be 10.10.10.0/24.
Enter it as 10.10.10.0-10.10.10.255.
Also the Internal Network looks a little bit messed up (according to the Cisco router config, it should be 192.168.16.0/24).
What would be the purpose of the RRI ?
Regards,
J

(in reply to Puffin)
Post #: 2
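An added example, not from the thread and not any ISA or Cisco tooling: a short Python script that reads the Cisco crypto ACL and the ISA "IPsec Config Summary" from the first post (embedded below as constructed input, copied from that post) and reports the two Phase 2 problems justmee points at. IKEv1 Quick Mode has no selector narrowing, so the responder only accepts a proposal whose (remote, local) subnet pair exactly matches one of its own, and PFS has to be on or off on both sides. The function names are mine; the wildcard-mask conversion follows the usual IOS rule (a 0 bit means "must match").

```python
# Added example, not from the thread: compare the Quick Mode (IKEv1 Phase 2) parameters
# the Cisco crypto map/ACL and the ISA IPsec summary would offer, without touching either box.
import ipaddress
import re

# Constructed inputs copied from the first post; the crypto map has no "set pfs" line.
CISCO_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 217.11.22.33
 match address 102
access-list 102 permit ip 10.10.10.0 0.0.0.255 192.168.16.0 0.0.0.255
"""
ISA_SUMMARY = """\
   Perfect Forward Secrecy: ON
Remote Network 'Remote Office' IP Subnets:
   Subnet: 10.10.10.1/255.255.255.255
   Subnet: 10.10.10.254/255.255.255.255
   Subnet: 10.10.10.2/255.255.255.254
   Subnet: 10.10.10.252/255.255.255.254
   Subnet: 10.10.10.4/255.255.255.252
   Subnet: 10.10.10.248/255.255.255.252
   Subnet: 10.10.10.8/255.255.255.248
   Subnet: 10.10.10.240/255.255.255.248
   Subnet: 10.10.10.16/255.255.255.240
   Subnet: 10.10.10.224/255.255.255.240
   Subnet: 10.10.10.32/255.255.255.224
   Subnet: 10.10.10.192/255.255.255.224
   Subnet: 10.10.10.64/255.255.255.192
   Subnet: 10.10.10.128/255.255.255.192
Local Network 'Internal' IP Subnets:
   Subnet: 192.168.16.1/255.255.255.255
   Subnet: 192.168.16.2/255.255.255.254
   Subnet: 192.168.16.4/255.255.255.252
   Subnet: 192.168.16.8/255.255.255.248
   Subnet: 192.168.16.16/255.255.255.240
   Subnet: 192.168.16.32/255.255.255.224
   Subnet: 192.168.16.64/255.255.255.192
   Subnet: 192.168.16.128/255.255.255.128
"""

ACE = re.compile(r"^access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def wildcard_to_network(address, wildcard):
    """Cisco wildcard mask (0 bit = must match) to CIDR; rejects non-contiguous masks."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"wildcard {wildcard} is not a contiguous mask")
    return ipaddress.IPv4Network((address, 32 - w.bit_length()), strict=False)

def parse_cisco(config):
    """Return (pfs_set, [(local_net, remote_net), ...]) from IOS config text."""
    pfs = re.search(r"^\s*set pfs\b", config, re.M) is not None
    pairs = []
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m:
            src, src_wc, dst, dst_wc = m.groups()
            pairs.append((wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)))
    return pfs, pairs

def parse_isa(summary):
    """Return (pfs_on, remote_subnets, local_subnets) from the ISA summary text."""
    pfs = re.search(r"Perfect Forward Secrecy:\s*ON", summary) is not None
    nets, section = {"remote": [], "local": []}, None
    for line in summary.splitlines():
        if line.startswith(("Remote Network", "Local Network")):
            section = line.split()[0].lower()
        m = re.match(r"\s*Subnet:\s*(\S+)/(\S+)", line)
        if m and section:
            nets[section].append(ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False))
    return pfs, nets["remote"], nets["local"]

def uncovered(target, subnets):
    """Pieces of `target` no network in `subnets` covers (CIDR blocks never partially overlap)."""
    remaining = [target]
    for s in subnets:
        nxt = []
        for r in remaining:
            if s.subnet_of(r):
                nxt.extend(r.address_exclude(s))   # punch s out of r (nothing left if s == r)
            elif not r.subnet_of(s):
                nxt.append(r)                      # disjoint: keep r as it is
        remaining = nxt
    return sorted(remaining)

def check_quick_mode(cisco_config, isa_summary):
    """Return a list of findings; an empty list means the Phase 2 proposals line up."""
    cisco_pfs, pairs = parse_cisco(cisco_config)
    isa_pfs, isa_remote, isa_local = parse_isa(isa_summary)
    findings = []
    if cisco_pfs != isa_pfs:
        findings.append(f"PFS mismatch: Cisco 'set pfs' present={cisco_pfs}, ISA PFS on={isa_pfs}")
    for cisco_local, cisco_remote in pairs:
        # ISA's Remote Network is the Cisco LAN; ISA's Local Network is the ACL destination.
        for side, net, isa_nets in (("remote", cisco_local, isa_remote), ("local", cisco_remote, isa_local)):
            if net not in isa_nets:
                gap = ", ".join(map(str, uncovered(net, isa_nets))) or "nothing, but it is split into smaller subnets"
                findings.append(f"no exact ISA {side} subnet for {net}; the ISA range leaves out {gap}")
    return findings
```

With the first post's data this reports the missing "set pfs", that the ISA remote range (entered as 10.10.10.1 to 10.10.10.254, hence the fourteen-subnet list) leaves out 10.10.10.0 and 10.10.10.255 and so can never equal the 10.10.10.0/24 the Cisco ACL offers, and that the Internal network (192.168.16.1 to 192.168.16.255) leaves out 192.168.16.0. Feeding it a summary with a single /24 on each side and a crypto map containing "set pfs group2" returns no findings.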
RE: Cisco 857 to ISA Server 2004 - 12.Mar.2008 7:06:38 AM   
Puffin
Posts: 7
Joined: 12.Mar.2008
Hi Justmee,

Very good questions.

The "SDM_CMAP_1 " originally had "set pfs group2" in it but I don't see it in the copy and pasted configuration so perhaps I forgot to copy the running-config to startup-config before I did a 'reload' at one point.  Will get this added back to the config and see what happens.

On ISA, I'd set the Remote Network to be 10.10.10.1 - 10.10.10.255 so I'll go and check this as soon as possible.

The purpose of the RRI (when I did a Google search to find out what it meant!) was that it was in the example config I found :-)

I'll power up the 837 later this afternoon and correct the entries as per your post then get back to you to let you know what happened.

Thanks for your suggestions thus far!

Regards, Ade.

(in reply to justmee)
Post #: 3
RE: Cisco 857 to ISA Server 2004 - 13.Mar.2008 5:06:50 AM   
Puffin
Posts: 7
Joined: 12.Mar.2008
Howdy,
 
First of all, thanks for the help so far.
 
Some progress has been made.  Here’s what I did:
 

  • Cisco: Removed the “reverse-route” from the crypto entry
  • Cisco: Added “set pfs group2” to the crypto entry
  • Cisco: Changed subnet mask from 255.255.255.248 to 255.255.255.0
  • Cisco: Altered DHCP options to reflect the subnet mask change
  • ISA Server: Changed Remote Network (“Neil’s Office”) from 10.10.10.1 – 10.10.10.254 to 10.10.10.0 – 10.10.10.255
  • ISA Server: Changed Internal Network from 192.168.16.1 – 192.168.16.255 to 192.168.16.0 – 192.168.16.255 (I hadn’t previously changed this, so it must be the default)

Changing the above means that I can now ping from Neil’s Office to the Internal Network on the ISA Server and access any services on the remote site, however the relationship doesn’t work the other way around (“Negotiating IP Security”).  The security event log on the ISA Server shows me:

-------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date:  13/03/2008
Time:  08:47:23
User:  NT AUTHORITY\NETWORK SERVICE
Computer: SERVERNAME
Description:
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)
Filter:
Source IP Address 217.11.22.33
Source IP Address Mask 255.255.255.255
Destination IP Address 10.10.10.0
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 217.11.22.33
IKE Peer Addr 88.11.22.33
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
Peer Identity:
Preshared key ID.
Peer IP Address: 88.11.22.33
Failure Point:
Me
Failure Reason:
IKE SA deleted before establishment completed
Extra Status:
Processed third (ID) payload
Initiator.  Delta Time 63
0x0 0x0
-------------------------------------------------------------

The tidied-up IPsec Policy now looks like this:

-------------------------------------------------------------
Local Tunnel Endpoint: 217.11.22.33
Remote Tunnel Endpoint: 88.11.22.33
To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.
IKE Phase I Parameters:
   Mode: Main mode
   Encryption: 3DES
   Integrity: SHA1
   Diffie-Hellman group: Group 2 (1024 bit)
   Authentication method: Pre-shared secret (pass123)
   Security Association lifetime: 28800 seconds
IKE Phase II Parameters:
   Mode: ESP tunnel mode
   Encryption: 3DES
   Integrity: SHA1
   Perfect Forward Secrecy: ON
   Diffie-Hellman group: Group 2 (1024 bit)
   Time rekeying: ON
   Security Association lifetime: 3600 seconds
   Kbyte rekeying: OFF
Remote Network 'Neil's Office' IP Subnets:
   Subnet: 10.10.10.0/255.255.255.0
Local Network 'Internal' IP Subnets:
   Subnet: 192.168.16.0/255.255.255.0
-------------------------------------------------------------

Cisco Config now looks like this:

-------------------------------------------------------------
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key pass123 address 217.11.22.33
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 217.11.22.33
 set peer 217.11.22.33
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 102
!
access-list 102 permit ip 10.10.10.0 0.0.0.255 192.168.16.0 0.0.0.255
-------------------------------------------------------------

From what I’ve read the ISA Server always sends using its external network interface so I think this may now be due to the Cisco box needing an IPsec Access Rule added somewhere.  Can anyone confirm my hypothesis and let me know what rule I need to add and where?
 
Regards, Ade.

(in reply to justmee)
Post #: 4
RE: Cisco 857 to ISA Server 2004 - 13.Mar.2008 5:46:25 AM   
justmee
Posts: 505
Joined: 14.May2007
Hi Ade,
Make sure that on ISA, there is a route relationship between the Internal Network and
the remote site, and not a NAT relationship.
If you ping from ISA itself to the remote site you need to add the remote endpoint address (88.11.22.33) to the network range of the remote site on ISA.
Same thing on the Cisco router (add 217.11.22.33).
You may like to read this:
http://www.isaserver.org/tutorials/Troubleshooting-IPSec-Tunnel-Mode-Scenarios.html
Regards,
J

(in reply to Puffin)
Post #: 5
