VPN Server behind NAT/PAT router

muhnihausen (Level 1)

I'm sure this has been asked before, but I am unable to find any documentation on this.

I have a ISA 2006 VPN server behind a Cisco 1700 series router connected to the internet via a T1 (S0). I have a static route to the ISA box located on the internal network (E0). ISA works as I can connect internally, but I'm figuring I need additional configuration to pass IPSEC from outside VPN clients through the router to the ISA server.

Does anyone know of any step by step documentation to enable my IPSEC VPN clients to connect to the ISA box? I can only find site-to-site VPN info and for configuring PIX boxes. Are there any special commands I need to use in the static route command?

Thanks,

J

10 Replies

kaachary (Cisco Employee)

To allow IPSec passthrough on a Cisco router, make sure the router is not blocking the following, incoming and outgoing:

UDP 500

UDP 4500

ESP

*Please rate if this helped.

-Kanishka

Thanks for the help Kanishka... I'm still having issues though.

This is what I have so far:

ip nat inside source static
access-list 111 permit udp any host eq isakmp
access-list 111 permit udp any host eq non500-isakmp
access-list 111 permit esp any host

My remote VPN clients still cannot authenticate or establish the connection. I've verified that the VPN box is being properly NAT translated.

Thanks,

J

It should work, unless we have some configuration issues on the ISA box.

Make sure the outbound VPN traffic is also allowed. Are the clients not able to authenticate, or are they not even getting to that stage? What type of client is it?

-Kanishka

With IPSEC, the clients are not reaching the ISA server and no authentication is taking place.

I did enable PPTP passthrough and I can authenticate and pass traffic using PPTP. Right now I'm just using the Microsoft client, but eventually I will move to use the Cisco client.

Thanks,

J

Can you check whether you missed configuring a route to the external VPN IP on the server, or the next hop on the router?

Hope this helps,

Radhika

I apologize, as I'm not an expert at these things and I'm not following your question.

I did confirm from the VPN server that it is routing through the static route I've configured. (From the internal private address out to the public IP address). It is working via PPTP, but I'm guessing that the IPSEC traffic is not being sent back.

Thanks,

J

Coming back to the question I asked earlier:

What type of IPSec client are you using? Is it the Cisco VPN client?

The Cisco VPN client is not supported for connecting to an ISA server.

-Kanishka

The built-in Microsoft VPN client with a pre-shared key (Windows XP SP2).

Thanks,

J

Microsoft doesn't have a pure IPsec client. Are you sure you are not talking about an L2TP/IPSec or PPTP connection?

In case it's an L2TP/IPSec connection, you also have to open UDP 1701 on the router.

-Kanishka
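For reference, here is what the advice in this thread adds up to on the router side: the static NAT entry plus the ISAKMP (UDP 500), NAT-T (UDP 4500), ESP and L2TP (UDP 1701) permits from Kanishka's two replies, applied to the interfaces the original post names (S0 outside, E0 inside). This is an added example, not configuration from the thread or from Cisco documentation. The addresses are constructed placeholders: 10.10.10.10 for the ISA server on the inside LAN and 203.0.113.10 for the public address the clients dial.

```cisco
! Added example (not from the thread): Cisco IOS configuration for passing
! L2TP/IPsec VPN clients through a 1700-series router to an ISA server.
! Addresses are constructed placeholders:
!   10.10.10.10   = ISA server on the inside LAN (E0)
!   203.0.113.10  = public address the clients connect to (S0 / T1 side)

! One-to-one static NAT for the ISA server. A 1:1 mapping is used rather than
! port overloading because ESP (IP protocol 50) carries no port numbers that
! PAT could track.
ip nat inside source static 10.10.10.10 203.0.113.10

! Inbound ACL on the outside interface. Only the VPN-related entries are shown.
! An IOS ACL ends with an implicit "deny ip any any", so any permits the site
! already relies on for other inbound traffic must remain in the same list.
access-list 111 remark --- L2TP/IPsec passthrough to the ISA server ---
access-list 111 permit udp any host 203.0.113.10 eq isakmp
access-list 111 permit udp any host 203.0.113.10 eq non500-isakmp
access-list 111 permit esp any host 203.0.113.10
access-list 111 permit udp any host 203.0.113.10 eq 1701

! Outside interface: NAT outside, ACL applied inbound.
interface Serial0
 ip nat outside
 ip access-group 111 in

! Inside interface facing the ISA server.
interface Ethernet0
 ip nat inside
```

To check whether client traffic is actually arriving, `show access-lists 111` shows a per-line match counter: if the `eq isakmp` line never increments while a client is connecting, the packets are not reaching the router at all, and if `isakmp` increments but `non500-isakmp` and `esp` never do, the IKE negotiation is failing before the tunnel is set up. `show ip nat translations` confirms the static entry is in place. One client-side point worth knowing for the XP SP2 client in this thread: Windows XP SP2 does not, by default, complete an L2TP/IPsec connection to a server that sits behind a NAT device; Microsoft's documented workaround is the `AssumeUDPEncapsulationContextOnSendRule` DWORD value (set to 2) under `HKLM\SYSTEM\CurrentControlSet\Services\IPSec` on the client, followed by a reboot.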

Sorry, I didn't give you all of the information. Yes it is L2TP/IPSec. I had the following line in the config.

access-list 111 permit udp any host eq 1701

-j