
site to site VPN (ISA -- Cisco Pix)

Hi,

We here at head office have an ISA firewall. We are adding a branch office, but it will have a Cisco PIX firewall. Is it possible to do site-to-site VPN even though the remote site is not an ISA server? I assume it would be the same as long as you get all the right info like the IPs and the encryption type. Please correct me if I am wrong.
1 Solution
 
wilsjCommented:
I haven't configured a VPN on an ISA server before, but I know this is possible. Here are the credentials you will need on the PIX side. The config below is for PIX version 7.x; if you have version 6.x, let me know and I will post the config for that. Hope this helps.

access-list isa-server extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 (interesting traffic)
crypto ipsec transform-set 3DES/SHA esp-3des esp-sha-hmac
crypto map mymap 2 match address isa-server
crypto map mymap 2 set peer ISA.IP.ADDRESS (public IP address of the ISA server)
crypto map mymap 2 set transform-set 3DES/SHA
crypto map mymap interface outside (the crypto map does nothing until it is bound to the outside interface)
isakmp enable outside
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400

tunnel-group ISA.IP.ADDRESS type ipsec-l2l
tunnel-group ISA.IP.ADDRESS ipsec-attributes
 pre-shared-key secret key (must match the key configured on the ISA side)

 
wilsjCommented:
Oh, also: if you do not need to NAT the traffic, you will need an ACL to specify no-NAT.

access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list no-nat (whatever is in this ACL will not be NATed to the outside interface)
nat (inside) 1 0.0.0.0 0.0.0.0 (NAT everything else to the outside interface to allow internet for inside hosts)
 
mark1perAuthor Commented:
I have a bit more info. The device that will be on the branch office side will be a Cisco 871 router with VPN capabilities. Triple DES. Will the ISA 2004 accept that connection from a device such as a Cisco 871?
 
wilsjCommented:
So instead of the PIX it is going to be a Cisco 871 router?
 
mark1perAuthor Commented:
Yes. This is what the ISP has suggested to put in. They will configure the router. However, I do not know if the ISA will accept it. That is my real question.
 
wilsjCommented:
Yes, the ISA server will accept 3DES/MD5 or 3DES/SHA.
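As an added example, not taken from the thread, here is what the branch side would look like on the Cisco 871 in IOS syntax, mirroring the parameters of the PIX config above (3DES/SHA, pre-shared key, DH group 2, 86400 s lifetime, NAT exemption for tunnel traffic). Assumed: the branch LAN is 192.168.10.0/24 on Vlan1, the HQ LAN behind the ISA is 192.168.1.0/24, FastEthernet4 is the 871's WAN port, and the key and addresses are placeholders.

```cisco
! Phase 1 (IKE): same proposal as the PIX "isakmp policy 2" block
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Pre-shared key bound to the ISA's public address (placeholders, must match the ISA side)
crypto isakmp key REPLACE_WITH_SECRET_KEY address ISA.IP.ADDRESS
!
! Phase 2 (IPsec): 3DES with SHA-1 HMAC, the same as the PIX transform-set
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
! Interesting traffic, written from the branch's point of view (assumed subnets)
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map ISA-MAP 10 ipsec-isakmp
 set peer ISA.IP.ADDRESS
 set transform-set 3DES-SHA
 match address VPN-TRAFFIC
!
! NAT exemption: tunnel traffic is denied here so it keeps its real source address;
! everything else from the LAN is overloaded (PAT) onto the WAN interface for internet access
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address NAT-TRAFFIC
ip nat inside source route-map NONAT interface FastEthernet4 overload
!
interface FastEthernet4
 description WAN uplink to the ISP (placeholder address)
 ip address BRANCH.WAN.ADDRESS BRANCH.WAN.MASK
 ip nat outside
 crypto map ISA-MAP
!
interface Vlan1
 description branch LAN (assumed 192.168.10.0/24)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
```

Once traffic matching VPN-TRAFFIC has been sent, `show crypto isakmp sa` should list the ISA peer in state QM_IDLE and `show crypto ipsec sa` should show encaps/decaps counters increasing; if phase 1 never completes, the proposal (3DES, SHA, group 2, lifetime) or the pre-shared key on one side does not match.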
 
mark1perAuthor Commented:
And the setup would be the same as if it were connecting to another ISA server?
 
wilsjCommented:
Have a look here. It uses a PIX as an example, but I think you will get the idea.

http://technet.microsoft.com/en-us/library/cc302442.aspx