ISA 2006 to Cisco ASA 5505 IPSEC VPN

Posted on 2011-10-18
Last Modified: 2012-05-12
Hi all,

Recently a remote site of ours moved location and had to have a new VPN router installed, so I thought to go for a Cisco ASA because it was an upgrade over the existing Cisco router at the office and was very inexpensive. However, I now cannot get IPSEC to bring up a tunnel between the remote site and head office.

HO Details:
Local Networks -,
ISA 2006 IP - X.X.X.X

Remote Site Details:
Local Networks -
CISCO ASA [version 8.2(5)] IP - Y.Y.Y.Y
DG at that site: Z.Z.Z.Z

After setting things up at both sides, when I pinged from the inside interface of the ASA to the HO inside network, I got the following in the logs:
Routing failed to locate next hop for icmp from NP Identity Ifc: to inside:

After a reboot of the router I saw the following appear in the logs:
IP = X.X.X.X, IKE Initiator: New Phase 1, Intf inside, IKE Peer X.X.X.X  local Proxy Address, remote Proxy Address,  Crypto map (outside_map)
IP = X.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Then it seems to repeat these log entries after a while.

The ISA server is showing that the remote office is initiating the IPSEC tunnel but after around 5 minutes it shows a status of failed and the tunnel trying to re-initialise.

Both sites are running on the same ISP and initially I thought this could be a block at the ASA end (the ISA currently performs IPSEC tunneling with 4 other remote sites), but I did an Nmap of the remote site's public IP and got the following:

Starting Nmap 5.51 ( ) at 2011-10-18 18:16 E. Australia Standard Time
Initiating Parallel DNS resolution of 1 host. at 18:16
Completed Parallel DNS resolution of 1 host. at 18:16, 0.04s elapsed
Initiating IPProto Scan at 18:16
Scanning (Y.Y.Y.Y) [2 ports]
Completed IPProto Scan at 18:16, 3.17s elapsed (2 total ports)
Nmap scan report for (Y.Y.Y.Y)
Host is up.
50       open|filtered esp
51       open|filtered ah
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 3.25 seconds
           Raw packets sent: 4 (80B) | Rcvd: 7 (602B)

I tested this against one of our remote office routers and it matches the results so I am assuming that there is no blocking from the ISP.  I also contacted an engineer from Telstra who logged into their router before the ASA and confirmed that there was no block and could see the packets passing through.

I've been through multiple examples online (including some from EE) and just cannot seem to make it work.
ISA Config: (Phase 1 details and Phase 2 details were posted as screenshots)
ASA Config:
: Saved
ASA Version 8.2(5)
hostname ROUTER
enable password .dH9K/LPE1233vSF encrypted
passwd 2KFQ423IdI.2KYOU encrypted
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address Y.Y.Y.Y
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
object-group network DM_INLINE_NETWORK_1
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
route outside Z.Z.Z.Z 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 100000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh outside
ssh timeout 60
console timeout 0
dhcpd auto_config outside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username root password h9xxnQJB3dM38B7F encrypted privilege 15
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *****
prompt hostname context
no call-home reporting anonymous
: end



(pause for breath)

I am certain that it should be much simpler than this, but unfortunately I just don't seem to get it.

Can anyone see where I am going wrong or offer advice on how to diagnose this issue further?
Question by: Dealer_Solutions
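As an added example (not from the thread), a Python cross-check of the ASA side of the config posted above: it verifies that each static crypto map entry references an existing access-list, transform set and ipsec-l2l tunnel-group, that the map is applied to an interface with ISAKMP enabled, and that an ISAKMP policy exists. The config excerpt is constructed from the post, and the check reports nothing for it, which narrows the search to the path between the two peers rather than the ASA's own crypto configuration.

```python
import re
from typing import List
# Constructed excerpt of the ASA 8.2(5) config posted above (X.X.X.X is the post's placeholder peer).
ASA_CONFIG = """\
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *****
"""

def _names(pattern: str, config: str) -> set:
    return set(re.findall(pattern, config, re.M))  # first-group captures of a line-anchored pattern

def lint_l2l(config: str) -> List[str]:
    """Cross-check each static crypto map entry against the objects it depends on."""
    acls = _names(r"^access-list (\S+)", config)
    transform_sets = _names(r"^crypto ipsec transform-set (\S+)", config)
    isakmp_ifaces = _names(r"^crypto isakmp enable (\S+)", config)
    tunnel_groups = _names(r"^tunnel-group (\S+) type ipsec-l2l", config)
    map_ifaces = dict(re.findall(r"^crypto map (\S+) interface (\S+)", config, re.M))
    entries: dict = {}  # (map name, seq) -> {sub-command: argument}
    for m in re.finditer(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", config, re.M):
        entries.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)
    findings: List[str] = []
    if not re.search(r"^crypto isakmp policy \d+", config, re.M):
        findings.append("no crypto isakmp policy defined, so Phase 1 cannot be negotiated")
    for (name, seq), e in entries.items():
        tag = f"crypto map {name} {seq}"
        for key, pool, what in (("match address", acls, "access-list"),
                                ("set transform-set", transform_sets, "transform-set"),
                                ("set peer", tunnel_groups, "ipsec-l2l tunnel-group for peer")):
            if key not in e:
                findings.append(f"{tag}: missing '{key}'")
            elif e[key] not in pool:
                findings.append(f"{tag}: {what} {e[key]} is not defined")
        iface = map_ifaces.get(name)
        if iface is None:
            findings.append(f"{tag}: map {name} is not applied to any interface")
        elif iface not in isakmp_ifaces:
            findings.append(f"{tag}: isakmp is not enabled on interface {iface}")
    return findings
```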

Author Comment

Just to make things weirder, I tried setting up a VPN from the ASA to an old SonicWall device and the VPN connected.

Could it be possible that ISA2006 and CISCO ASA [version 8.2(5)] have an incompatibility when using IPSEC?

Expert Comment

I have seen mismatches in VPN tunnel phases. One thing to do is set AES for both sides. I have seen an AES tunnel work while a DES or 3DES one did not.

Accepted Solution

I have resolved the issue.

It turns out there was some filtering on the Cisco router at the head office blocking ISAKMP to the remote office location. Updated the ACLs on the Cisco router and it's now fully functional.

Author Closing Comment

Resolved ourselves.
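The log pattern the original poster saw, "IKE Initiator: New Phase 1" repeating with KEY-ACQUIRE queued and never a completion, is what an upstream ISAKMP (UDP/500) block looks like from the initiator's side, which matches the accepted solution. As an added example that is not part of the thread, a small Python classifier that runs over constructed ASA log lines and flags peers stuck in that state; the two stalled-peer messages are the ones quoted in the question, while the second peer W.W.W.W and its "PHASE 1 COMPLETED" line are assumed wording added to show the healthy case.

```python
import re
from collections import defaultdict
from typing import Dict

# Constructed ASA log excerpt: X.X.X.X lines follow the post's messages (double spaces normalised);
# the W.W.W.W peer and its completion message are assumptions for contrast.
SAMPLE_LOG = """\
IP = X.X.X.X, IKE Initiator: New Phase 1, Intf inside, IKE Peer X.X.X.X local Proxy Address, remote Proxy Address, Crypto map (outside_map)
IP = X.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = X.X.X.X, IKE Initiator: New Phase 1, Intf inside, IKE Peer X.X.X.X local Proxy Address, remote Proxy Address, Crypto map (outside_map)
IP = X.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = X.X.X.X, IKE Initiator: New Phase 1, Intf inside, IKE Peer X.X.X.X local Proxy Address, remote Proxy Address, Crypto map (outside_map)
IP = W.W.W.W, IKE Initiator: New Phase 1, Intf inside, IKE Peer W.W.W.W local Proxy Address, remote Proxy Address, Crypto map (outside_map)
IP = W.W.W.W, PHASE 1 COMPLETED
"""

NEW_PHASE1 = re.compile(r"IP = (\S+), IKE Initiator: New Phase 1")
QUEUED = re.compile(r"IP = (\S+), Queuing KEY-ACQUIRE")
PHASE1_DONE = re.compile(r"IP = (\S+), PHASE 1 COMPLETED")  # assumed completion wording

def phase1_status(log: str, retries: int = 2) -> Dict[str, str]:
    """Classify each IKE peer the ASA initiated to: 'completed' if Phase 1 ever finished,
    'stalled' if it was re-initiated at least `retries` times with KEY-ACQUIRE queued and
    no completion (no reply from the peer), otherwise 'negotiating'."""
    initiations: Dict[str, int] = defaultdict(int)
    queued, done = set(), set()
    for line in log.splitlines():
        if m := NEW_PHASE1.search(line):
            initiations[m.group(1)] += 1
        elif m := QUEUED.search(line):
            queued.add(m.group(1))
        elif m := PHASE1_DONE.search(line):
            done.add(m.group(1))
    status: Dict[str, str] = {}
    for peer, count in initiations.items():
        if peer in done:
            status[peer] = "completed"
        elif count >= retries and peer in queued:
            # Nothing ever came back for Phase 1: check the UDP/500 path to this peer first.
            status[peer] = "stalled"
        else:
            status[peer] = "negotiating"
    return status
```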
