08-01-2003 11:52 AM - edited 02-21-2020 12:42 PM
I am trying to configure ISA to allow a Cisco VPN client to connect through to a VPN concentrator/PIX.
The client is a secure NAT client, i.e. it has the ISA server as its DG. The ISA server has two NICs, one connected to the Internet and one to the LAN. I have created a definition for UDP/500 and UDP/4500 (both send/receive) but it will not connect. The client is 4.0.2B. Other applications like Messenger and ICQ connect OK, so the secure NAT is working, but when I sniff the traffic (everything is on one hub) as the VPN client tries to connect, the ISA server does not make any requests on behalf of the client; it's as if it is ignoring the client (other apps work though).
Any ideas or has anyone got this working?
Thanks in advance
08-04-2003 10:17 PM
I don't believe there's any way to make this work. The ISA server does not proxy IPSec communications, regardless of what ports you set it up for (at least that's my understanding of it).
08-11-2003 04:22 AM
Managed to get this working with NAT-T :D
04-12-2004 02:51 PM
I found this page here --> http://www.tacteam.net/isaserverorg/vpnkitbeta2/nat-t-packetfilters.htm which describes how to let external L2TP/IPSec clients that are located behind NAT-based firewalls connect to your ISA Server firewall/VPN server -- but my situation is more like yours was -- I have a client behind an ISA server that just needs to use the Cisco client to authenticate to a diff site that has a Cisco firewall (not sure what kind - the admin really isn't cooperating). Could you give me some specifics on how exactly you got yours working? I followed that page I referenced but I wasn't sure if I should have the packet filters for inbound receive/send or send/receive. Also didn't know if I should apply the packet filter to the default IP on the adapter or to my subnet of computers..? Please help!?! Am I even going in the right direction?
04-13-2004 11:24 PM
Briefly this is what you need to do:
Configure 2 protocol definitions (found under policy elements):
Name            Protocol  Port  Direction
IPSec ISAKMP    UDP       500   send receive (not receive send)
IPSec NAT-T     UDP       4500  send receive
Next create a protocol rule under access policy allowing these two protocol definitions.
Now disable filtering of IP fragments by right clicking IP Packet filters (under access policy) and selecting properties.
You will find the option on the second tab.
The client must be a secure NAT client, i.e. have its default gateway as the ISA server, and the firewall client must be disabled whilst you are connecting to/using the VPN.
The ISA server must have at least two network cards and be operating in Firewall or Integrated mode.
Hope this helps.
Nick
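An added example, not code from this thread or from Microsoft or Cisco: a small Python checker for the sniffing approach the original poster used. Given packets captured on the shared hub (constructed here, with hypothetical client, ISA external and concentrator addresses), it reports whether the ISA server is actually translating the client's UDP/500 (ISAKMP) and UDP/4500 (NAT-T) legs, and maps a missing leg to the check in Nick's list.

```python
from collections import namedtuple

# Constructed packet record: what a sniffer on the shared hub would show.
Packet = namedtuple("Packet", "src dst proto sport dport payload")

# Hypothetical addresses (assumptions, not from the thread).
CLIENT_IP = "192.168.1.50"    # SecureNAT client on the LAN
ISA_EXT_IP = "203.0.113.10"   # ISA server's Internet-facing NIC
VPN_GW_IP = "198.51.100.5"    # remote VPN concentrator/PIX

def classify_udp_4500(payload: bytes) -> str:
    """RFC 3948: a UDP/4500 payload beginning with a four-zero-byte non-ESP
    marker carries IKE; anything else is ESP encapsulated in UDP."""
    return "ike" if payload[:4] == b"\x00\x00\x00\x00" else "esp"

def vpn_legs(packets, client_ip, isa_ext_ip, gw_ip):
    """Record which legs of the IKE/NAT-T exchange toward the gateway appeared:
    the client's own packets and the ISA server's translated copies."""
    legs = {"client_ike": False, "isa_ike": False,
            "client_natt": False, "isa_natt": False}
    for p in packets:
        if p.proto != "udp" or p.dst != gw_ip:
            continue
        who = {client_ip: "client", isa_ext_ip: "isa"}.get(p.src)
        if who is None:
            continue
        if p.dport == 500:
            legs[who + "_ike"] = True
        elif p.dport == 4500:
            legs[who + "_natt"] = True
    return legs

def diagnose(packets, client_ip=CLIENT_IP, isa_ext_ip=ISA_EXT_IP, gw_ip=VPN_GW_IP):
    """Map the observed legs to the checks listed in the post above."""
    legs = vpn_legs(packets, client_ip, isa_ext_ip, gw_ip)
    if not legs["client_ike"]:
        return "no IKE from client: is the ISA server the client's default gateway?"
    if not legs["isa_ike"]:
        return "UDP/500 not translated: check IPSec ISAKMP definition (send receive) and protocol rule"
    if legs["client_natt"] and not legs["isa_natt"]:
        return "UDP/4500 not translated: check IPSec NAT-T definition and protocol rule"
    return "ISAKMP and NAT-T both translated by ISA"

# Constructed capture: client sends IKE and NAT-T, ISA forwards only the UDP/500 leg.
SAMPLE = [
    Packet(CLIENT_IP, VPN_GW_IP, "udp", 500, 500, b"\x11" * 8),
    Packet(ISA_EXT_IP, VPN_GW_IP, "udp", 500, 500, b"\x11" * 8),
    Packet(CLIENT_IP, VPN_GW_IP, "udp", 4500, 4500, b"\x00\x00\x00\x00" + b"\x22" * 8),
]
```

Run `diagnose(SAMPLE)` against your own capture tuples; on a real hub capture you would fill the tuples from the sniffer's decode of each UDP packet.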