VPN through Cisco 1720 to ISA 2006

Configure your 1720 router to do one-to-one NAT for your ISA server; then any outgoing traffic from ISA would go out using that public IP address only and not the NAT IP. Specify the same public IP as remote gateway on linksys and the VPN tunnel should come up.

You need to have multiple public IP addresses.

Please look at the example below:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f2f.shtml

Is the ip 216.85.242.85 assigned to the outside wan interface on the 1720 ? If you could post the config (sanitized -> remove passwords and remove any one of the octects from the public ip), then it would be easy to work on this one.

Cheers,
Rajesh

here is the config file.

version 12.0            
service timestamps debug uptime                              
service timestamps log uptime                            
no service password-encryption                              
!
hostname router                  
!
enable secret 5 $1$ejYQ$PumDTjKsIG1                                              
enable password xxxxxxx                        
!
ip subnet-zero              
no ip domain-lookup                  
ip name-server 207.191.50.10                            
ip name-server 207.191.1.10                          
!
!
!
!
interface Serial0                
 bandwidth 10000000                  
 ip address 216.85.xxx.70 255.255.255.252                                        
 ip access-group 100 in                      
 ip access-group 105 out                        
 no ip directed-broadcast                        
 ip nat outside              
 encapsulation ppp                  
 fair-queue 64 256 0                    
 service-module t1 remote-alarm-enable                                      
!
interface FastEthernet0                      
 description connected to EthernetLAN                                    
 bandwidth 10000000                  
 ip address 192.9.200.1 255.255.255.0                                    
 no ip directed-broadcast                        
 ip nat inside              
 full-duplex            
!
router rip          
 version 2          
 network 192.9.200.0                    
 no auto-summary                
!
ip nat inside source static 192.9.200.2 216.85.xxx.85
ip classless
ip route 0.0.0.0 0.0.0.0 216.85.xxx.69
ip http server
!
snmp-server engineID local 0000000902000050547CFFF0
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 login
 transport input none
line aux 0
line vty 0
 password xxxxxxx
 login
line vty 1 4
 login
!
end

OK.  here is a corrected config file:

version 12.0            
service timestamps debug uptime                              
service timestamps log uptime                            
no service password-encryption                              
!
hostname router                  
!
enable secret 5 $1$ejYQ$PumDTjKsIG1                                              
enable password xxxxxxx                        
!
ip subnet-zero              
no ip domain-lookup                  
ip name-server 207.191.50.10                            
ip name-server 207.191.1.10                          
!
!
!
!
interface Serial0                
 bandwidth 10000000                  
 ip address 216.85.xxx.82 255.255.255.248                                      
 no ip directed-broadcast                        
 ip nat outside              
 encapsulation ppp                  
 fair-queue 64 256 0                    
 service-module t1 remote-alarm-enable                                      
!
interface FastEthernet0                      
 description connected to EthernetLAN                                    
 bandwidth 10000000                  
 ip address 192.9.200.1 255.255.255.0                                    
 no ip directed-broadcast                        
 ip nat inside              
 full-duplex            
!
router rip          
 version 2          
 network 192.9.200.0                    
 no auto-summary                
!
ip nat inside source static 192.9.200.2 216.85.xxx.85
ip classless
ip route 0.0.0.0 0.0.0.0 216.85.xxx.81
ip http server
!
snmp-server engineID local 0000000902000050547CFFF0
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 login
 transport input none
line aux 0
line vty 0
 password xxxxxxx
 login
line vty 1 4
 login
!
end

********************
note, i took out the ip access-group.  but i still cannot get it connected.  
i also tried the "ip nat outside", but i have a question do i also need to add a "ip nat inside" that matches.  for example:  ip nat inside source static 192.9.200.2 216.85.xxx.82
                      ip nat outside source static 216.85.xxx.82 192.9.200.2

No you don't need that.

What port is open in ISA ? probably http ? If so, from the internet can you do this;

telnet 216.85.xxx.82 <port number> and see if you're connected ? Any open port is fine.

Cheers,
Rajesh

i gave it a try on port 80 from home.  i will assume it did go because if i type something, says "hello", and hit return i get back html code.

OH yeah, then it is working :-)

So nat is up now and that is why you get connected.

Cheers,
Rajesh

yes.  its alway up.

Are you able to get the VPN tunnel up now.

no.

Have the configuration changed helped anything? Do you get any different logs than before? Would request  more details on the current status of the problem.

Thank you.

can i use the bridge command to use the public ip?

I have a T1 line coming in that is why i have the Cisco router, if i got rid of it and got something like a gateway will that do it?

will the "ip nat outside" work and if so do i also use the "ip nat inside"?

what are my choices?

John,

  Now the nat is enabled right ? and still the vpn is not coming up ? What are the logs for failure ?

Let the router be there since you have ip addresses.

Cheers,
Rajesh

I installed a Windows 2000 with ISA 2000 for the branch office instead of the RVS4000.  with this, i am using ptpp to create a vpn site-to-site to our main office.  instead of taking this to the branch, i am testing it here.  

in the cisco 1720 router, i entered "ip nat inside source static 192.9.200.3 216.85.xxx.83" for the ISA 2000.  everything works like it is suppose to if i connect using the 192.9.200.2 to connect to 192.9.200.3.  if i configure the ISA 2000 to connect to 216.85.xxx.82 and the ISA 2006 to connect to 216.85.xxx.83, it does not work.

can i do it this way?  and if so is there a way i can view a log to determined where it is going wrong?

one more thing.  my internal ip addresses are 192.168.1.0-255.  should my router's ip address be on the same ip addresses as my internal?  will this help?

I can't help you with ISA since I don't have experience with that. But the configuration should work, but there are few problems;

The remote office and corporate office end you're using same ip block ? 216.85.xxx.82 and 83 are allocated to the site on which we were working till now, but you can't use one of the ip from this on the remote site.

Cheers,
Rajesh

so i can't use 216.85.xxx.82 and 83 for testing purposes.  i just don't feel like driving to the branch office to find out that it did not work.

Hope you're getting what I'm saying :-) The site A is given that ip range, similarly site B should've also be given some public ip address range. So you just have to find out that, once you have that then you could use that to configure the other end with that ip address and thats it.

Cheers,
Rajesh

I rechecked the settings in the Cisco to make sure everything was according to what you had said (Rajesh).  then i went back out to the branch office and installed everything.  i must say that everything works.  i was able to vpn to the ISA 2006 with the branch office having the configuration of Win2003 with ISA 2000.  I was not able to connect with the branch office having the configuration of WIn2000 with ISA 2000.  so i guess i will use the Win2003 with ISA 2000.

thanks for all your help.

Okay, it is probably with the connection difference between 2003 and 2000. Glad you got it working now.

Cheers,
Rajesh