Cisco:

crypto isakmp policy 1
authentication pre-share
group 2
lifetime 28800
crypto isakmp key КЛЮЧЕВОЕ СЛОВО address ВНЕШНИЙ АДРЕС ISA no-xauth
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
mode transport
!
crypto map map1 1 ipsec-isakmp
description test tunnel
set peer ВНЕШНИЙ АДРЕС ISA
set transform-set set1
match address 144
!
interface FastEthernet4
.....
crypto map map1
!
access-list 144 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
!чтобы трафик адресованный в тонель не натился:
!
access-list 115 permit ip 10.0.0.0 0.0.0.255 any
access-list 115 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
route-map mainroute permit 1
match ip address 115


Теперь с ISA
Vpn>>Remote Site>>Add

Genrela:
имя: test1
Address:
start address: 10.0.0.1
end address: 10.0.0.255
Connection:
remote gateway
Внешний адрес cisco

local gateway
Внутренний адрес ISA

аутентификация pre-share



IpSec Summary:

Local Tunnel Endpoint: 192.168.0.167
Remote Tunnel Endpoint: 89.*.*.67 (внешний циски)

To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.

IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication method: Pre-shared secret (СЛОВО)
Security Association lifetime: 28800 seconds

IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time rekeying: OFF
Kbyte rekeying: OFF

Remote Network 'plg' IP Subnets:
Subnet: 10.0.0.0/255.255.255.0

Local Network 'Internal' IP Subnets:
Subnet: 192.168.0.0/255.255.255.0

Local Network 'VPN Clients' IP Subnets:
Subnet: 192.168.1.220/255.255.255.255
Subnet: 192.168.1.216/255.255.255.252
Subnet: 192.168.1.200/255.255.255.248
Subnet: 192.168.1.208/255.255.255.248


Далее в NetWorks
Делаю роутинг между удалённой сеткой и локальной (между 10,0,0,0/24 и 192,168,0,0/24)


Не пашет.
Вообще не пашет. никак не пашет.