VPN
Configuring a Site-to-Site VPN
Cisco ISA500 Series Integrated Security Appliances Administration Guide 353
8
Use Case: The UC500 device is behind the security appliance. You want to
establish a site-to-site VPN tunnel between two security appliances to provide
voice and data services to phones at a remote site.
Solution: When you configure the site-to-site VPN on the security appliances,
make sure that the local network on the security appliance at Site A is set as “Any”
and the remote network on the security appliance at Site B is set as “Any”.
Because the security appliance provides the firewall, Network Address
Translation (NAT), and SIP Application Level Gateway (SIP ALG) for your network,
you must disable those functions on the UC500. For instructions, refer to the
documentation or online Help for the Cisco Configuration Assistant (CCA).
To allow the hosts in non-native subnets of the security appliance to access the
Internet over the VPN tunnels, you must manually create advanced NAT rules on
your security appliance. Go to the Firewall > NAT > Advanced NAT page to do this.
For example, you can create an advanced NAT rule as follows to allow the hosts in
the data LAN (10.25.1.0/24) behind the UC500 to access the Internet:
Field   Setting
Name    datalan-behinduc500
Enable  On
From    Any
To      WAN1

[Figure: Site-to-site VPN between two ISA500 security appliances. Site A: ISA500 with a UC500 and IP phones behind it. Site B: ISA500 with IP phones. Callout: Transform Integrity = ESP_SHA1_HMAC, Encryption = ESP_3DES.]
NOTE: The default transform set used on the UC500 cannot be modified through
CCA. The above transform settings must be configured on the security appliance.
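The note above means the UC500 side of the tunnel is fixed at ESP_3DES / ESP_SHA1_HMAC, so the appliance must keep that transform set in its proposal list. The following added example (not code from the Cisco guide, the ISA500 or the UC500) models the phase-2 transform selection, shows the tunnel failing when only stronger suites are offered, and reports the legacy algorithms the fixed peer forces you to keep; the proposal format, the selection logic, and the constructed algorithm names ESP_AES_256 and ESP_SHA256_HMAC are assumptions of this model, not ISA500 behaviour.

```python
"""Added example, not code from the Cisco ISA500 guide or the UC500.
Models IKE phase-2 transform selection between the security appliance
and a UC500 whose default transform set (quoted on this page) cannot be
changed through CCA. The dict format and the first-match rule are a
simplified model (assumption), not the ISA500's implementation."""

# Fixed UC500 default transform set quoted on this page.
UC500_DEFAULT = {"encryption": "ESP_3DES", "integrity": "ESP_SHA1_HMAC"}

# Algorithms a defender should treat as legacy and retire where the peer
# allows it (3DES: 64-bit block cipher; SHA-1 HMAC: deprecated hash).
LEGACY_ALGORITHMS = {"ESP_DES", "ESP_3DES", "ESP_MD5_HMAC", "ESP_SHA1_HMAC"}


def select_transform(appliance_proposals, peer_transforms):
    """Return the first appliance proposal the peer also offers, or None.

    Proposals are listed in preference order, so the appliance should put
    its strongest transforms first and the UC500-compatible one last."""
    peer_set = {(p["encryption"], p["integrity"]) for p in peer_transforms}
    for proposal in appliance_proposals:
        if (proposal["encryption"], proposal["integrity"]) in peer_set:
            return proposal
    return None


def audit_tunnel(appliance_proposals, peer_transforms):
    """Summarise the outcome for a site-to-site tunnel: whether phase 2
    can succeed, which transform is chosen, and which legacy algorithms
    that choice still depends on."""
    chosen = select_transform(appliance_proposals, peer_transforms)
    if chosen is None:
        return {"negotiates": False, "transform": None, "legacy": []}
    legacy = sorted(a for a in chosen.values() if a in LEGACY_ALGORITHMS)
    return {"negotiates": True, "transform": chosen, "legacy": legacy}


# Constructed sample proposal lists (algorithm names are assumptions in
# the page's notation): a modern-only list, and the same list with the
# UC500 default appended as the last fallback.
STRONG_ONLY = [{"encryption": "ESP_AES_256", "integrity": "ESP_SHA256_HMAC"}]
WITH_FALLBACK = STRONG_ONLY + [UC500_DEFAULT]

if __name__ == "__main__":
    # Without the fallback the UC500 peer finds no match and phase 2 fails.
    print(audit_tunnel(STRONG_ONLY, [UC500_DEFAULT]))
    # With it, the tunnel comes up but is pinned to 3DES/SHA-1.
    print(audit_tunnel(WITH_FALLBACK, [UC500_DEFAULT]))
```

The audit output is the check to revisit when the UC500 is retired or replaced: once the peer no longer needs it, the legacy fallback can be removed from the appliance proposal list.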