site to site VPN (ISA -- Cisco Pix)

Hi,

We here at head office have an ISA firewall. We are adding a branch office, but it will have a Cisco PIX firewall.  Is it possible to do site-to-site VPN even though the remote site is not an ISA server?  I assume it would be the same as long as you get all the right info, like the IPs and the encryption type.  Please correct me if I am wrong.
mark1perAsked:

wilsjCommented:
I haven't configured a VPN on an ISA server before, but I know this is possible. Here are the credentials you will need on the PIX side. The config below is for PIX version 7.x; if you have version 6.x, let me know and I will post the config for that. Hope this helps.

access-list isa-server permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 (interesting traffic: local LAN to remote LAN)
crypto ipsec transform-set 3DES/SHA esp-3des esp-sha-hmac (phase 2: 3DES encryption, SHA integrity)
crypto map mymap 2 match address isa-server
crypto map mymap 2 set peer IP ADDRESS of ISA server
crypto map mymap 2 set transform-set 3DES/SHA
crypto map mymap interface outside (the map does nothing until it is applied to the outside interface)
isakmp enable outside (phase 1 must be enabled on the interface facing the ISA server)
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400

tunnel-group ISA.IP.ADDRESS type ipsec-l2l
tunnel-group ISA.IP.ADDRESS ipsec-attributes
 pre-shared-key secret key (must match the key configured on the ISA side)

0
wilsjCommented:
Oh, also: if you do not need to NAT the traffic, you will need an ACL to specify no-NAT.

access-list no-nat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list no-nat (whatever is in this ACL will not be NATed to the outside interface)
nat (inside) 1 0.0.0.0 0.0.0.0 (NAT everything else to the outside interface to allow internet for inside hosts)
0
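The two posts above rely on the crypto ACL and the nat 0 exemption ACL agreeing on the same subnets; if they do not, the PIX translates the branch traffic before the crypto map can match it and the tunnel carries nothing. The following check is an added example, not code from the thread: it parses a constructed PIX 7.x-style config (the ACL names, subnets and transform-set name are illustrative), confirms every crypto ACL pair is covered by the NAT-exempt ACL, and confirms phase 1 uses 3DES with MD5 or SHA, the combinations the thread says ISA 2004 accepts.

```python
import ipaddress
import re
# Constructed sample shaped like the PIX 7.x config in the thread (illustrative values).
SAMPLE_CONFIG = """
access-list isa-server permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set ISA-SET esp-3des esp-sha-hmac
crypto map mymap 2 match address isa-server
crypto map mymap 2 set transform-set ISA-SET
nat (inside) 0 access-list no-nat
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
"""
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acls(config):
    """Map ACL name -> list of (src_net, dst_net) for its 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                 ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return acls

def first_match(config, pattern):
    m = re.search(pattern, config, re.MULTILINE)  # group 1 of the first matching line, else None
    return m.group(1) if m else None

def check_vpn_config(config):
    """Return a list of findings; an empty list means the checks passed."""
    acls = parse_acls(config)
    crypto_acl = first_match(config, r"^crypto map \S+ \d+ match address (\S+)$")
    if crypto_acl not in acls:
        return ["crypto map has no interesting-traffic ACL"]
    findings = []
    nat0_acl = first_match(config, r"^nat \(inside\) 0 access-list (\S+)$")
    if nat0_acl not in acls:
        findings.append("no nat 0 exemption: VPN traffic is NATed before it can match the crypto ACL")
    else:  # every encrypted src/dst pair must be covered by a NAT-exempt pair
        for src, dst in acls[crypto_acl]:
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acls[nat0_acl]):
                findings.append(f"{src} -> {dst} is encrypted but not NAT-exempt")
    enc = first_match(config, r"^isakmp policy \d+ encryption (\S+)$")
    hsh = first_match(config, r"^isakmp policy \d+ hash (\S+)$")
    if enc != "3des" or hsh not in ("md5", "sha"):  # what the thread says ISA 2004 accepts
        findings.append(f"phase 1 {enc}/{hsh} is not 3DES with MD5 or SHA")
    return findings
```

Run it against a `show running-config` capture from a PIX 7.x to spot the mismatch before opening a ticket about a tunnel that negotiates but passes no traffic.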
mark1perAuthor Commented:
I have a bit more info.  The device that will be on the branch office side will be a Cisco 871 router with VPN capabilities.  Triple DES.  Will the ISA 2004 accept that connection from a device such as a Cisco 871?
0
wilsjCommented:
So instead of the PIX it is going to be a Cisco 871 router?
0
mark1perAuthor Commented:
Yes.  This is what the ISP has suggested to put in.  They will configure the router.  However, I do not know if the ISA will accept it.  That is my real question.
0
wilsjCommented:
Yes, the ISA server will accept 3DES/MD5 or 3DES/SHA.
0
mark1perAuthor Commented:
And the setup would be the same as if it were connecting to another ISA server?
0
wilsjCommented:
Have a look here. It uses a PIX as an example, but I think you will get the idea.

http://technet.microsoft.com/en-us/library/cc302442.aspx
0