
Welcome to ISAserver.org


ISA 2004 to PIX ipsec tunnel

ISA 2004 to PIX ipsec tunnel - 31.Mar.2004 11:46:00 PM   
zvakil

 

Posts: 9
Joined: 2.Aug.2001
Status: offline
Hi There

Has anyone seen an article that talks about how to configure an ISA 2004 to PIX ipsec tunnel?

Where do you set the IKE Phase1 and Phase 2 parameters?

Thanks

Zubin
Post #: 1
RE: ISA 2004 to PIX ipsec tunnel - 1.Apr.2004 3:26:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
quote:
Where do you set the IKE Phase1 and Phase 2 parameters
I'm assuming you mean on ISA. You need to create a "Remote Site Network" - once this is created, under the "Connection" tab, you'll have an "IPsec Settings" button that will give you the Main and Quick Mode settings.

I have done this with PIXOS 6.3.1 and it works fine.

(in reply to zvakil)
Post #: 2
RE: ISA 2004 to PIX ipsec tunnel - 1.Apr.2004 5:38:00 AM   
andifur

 

Posts: 143
Joined: 25.Oct.2001
From: Eastern PA
Status: offline
I have worked with a broad range of Cisco IPsec VPNs, from routers to 3000 series concentrators to PIXes. Getting them to play together is a piece of cake. Throw a Windows server into the mix and your cake turns to molasses! I have everything set up correctly in ISA04. I am getting the security logs about main mode established and quick mode established. I am assuming Phase I and II?? When I go to ping any remote system from the ISA box, I get "Negotiating IP Security" over and over and over. If I do it from a box behind the ISA, I get "Request timed out". I have tried this to a router, PIX and a 3005 concentrator, all without luck. If I remove the ISA and place a simple 831 router in its place, the VPN is up within seconds. I have checked my settings 100 times and still nothing. Any suggestions????

Thanks

(in reply to zvakil)
Post #: 3
RE: ISA 2004 to PIX ipsec tunnel - 1.Apr.2004 6:25:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
If you PING from the ISA box, what filter do you have on the remote device that matches ISA's filters?

When you create the "Remote Site Network", it creates 2 Quick Mode filters

Local Subnet to Remote Subnet
ISA's External IP to Remote Subnet

If you have Win2003, you can use NETSH IPSEC DYNAMIC SHOW QMFILTERS ALL to see these filters. If you have Win2000, use NETDIAG /test:ipsec /v /debug to see the filters.
You need to make sure that there are matching filters on ISA and matching ACLs on the router or PIX.

When I tested interop with my PIX, I tried PINGing from ISA but couldn't get IPsec to come up until the PIX had a filter added that explicitly listed the ISA Server's external IP address (which makes sense because of a filter mismatch).

The behavior of ISA PINGing the remote subnet and receiving "Negotiating IP Security" is most likely due to a filter mismatch.

The client timing out is most likely due to not having a Firewall Policy Access Rule defined in ISA that allows traffic to pass from the ISA's Internal Network to the Remote Site Network. What rule have you created to allow this? It can also be caused by IPsec negotiations failing between the endpoints.

[ April 01, 2004, 06:35 AM: Message edited by: ClintD ]

(in reply to zvakil)
Post #: 4
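
The filter mismatch described in post #4 can be checked offline by comparing ISA's two Quick Mode filters with the PIX crypto access-list. This is an added example, not code from any poster or vendor; the addresses, ACL number 101 and function names are constructed, and it assumes each ISA filter needs an exactly mirrored `permit ip` entry on the PIX.

```python
import ipaddress

# Constructed sample values (documentation/private ranges), not from the thread.
ISA_QM_FILTERS = [
    ("10.1.0.0/24", "10.2.0.0/24"),      # Local Subnet -> Remote Subnet
    ("203.0.113.10/32", "10.2.0.0/24"),  # ISA's External IP -> Remote Subnet
]
# PIX side as first configured: only the subnet-to-subnet entry is present.
PIX_CRYPTO_ACL = """
access-list 101 permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
"""

def parse_addr(tokens):
    """Consume one PIX address spec ('host A', 'any' or 'A MASK')."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_pix_acl(text):
    """Return the (src, dst) network pairs of 'access-list N permit ip' lines."""
    pairs = set()
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue
        src, rest = parse_addr(t[4:])
        dst, _ = parse_addr(rest)
        pairs.add((src, dst))
    return pairs

def find_mismatches(isa_filters, pix_acl_text):
    """Return (ISA filters lacking a mirrored PIX entry, PIX entries lacking an ISA filter)."""
    isa = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in isa_filters}
    # The PIX entry is written from the PIX's point of view, so swap src/dst.
    pix = {(d, s) for s, d in parse_pix_acl(pix_acl_text)}
    return sorted(isa - pix, key=str), sorted(pix - isa, key=str)

if __name__ == "__main__":
    missing, extra = find_mismatches(ISA_QM_FILTERS, PIX_CRYPTO_ACL)
    for src, dst in missing:
        print(f"ISA filter {src} -> {dst} has no mirrored PIX ACL entry")
    for src, dst in extra:
        print(f"PIX ACL entry mirrors {src} -> {dst}, which ISA does not define")
```

With the sample data the external-IP filter is reported as unmatched, which is the case where a PING from the ISA box itself never brings the tunnel up.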
RE: ISA 2004 to PIX ipsec tunnel - 2.Apr.2004 6:16:00 PM   
zvakil

 

Posts: 9
Joined: 2.Aug.2001
Status: offline
Tom

You mentioned on another post that Microsoft internally has a white paper describing an ipsec tunnel between a pix and isa2004. Would you happen to have seen a "beta" copy of that paper?

Thanks

Zubin

(in reply to zvakil)
Post #: 5
RE: ISA 2004 to PIX ipsec tunnel - 3.Apr.2004 10:22:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Zubin,

I don't have a copy of it, but I know who wrote it [Smile]

It should be released on the MS Web site by the time the product RTMs.

HTH,
Tom

(in reply to zvakil)
Post #: 6
