RE: Cisco SSL VPN client

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 20 Oct 2005 11:38:37 -0400

I do recall running into a version like that not too long ago.  Couldn't
make it work quite right because of what Jim mentioned: it installed
itself as an LSP, and the FWC was battling it out and wouldn't allow
the VPN client to connect quite right.

It would connect, but it wouldn't redirect everything.  I.e., the
destination server was on a different subnet than the VPN server, and it
couldn't reach it.  Since I could reach servers on the VPN server
subnet, it appeared that the VPN client wasn't redirecting all the
traffic like it was supposed to; it was treating it as an additional
subnet for the local computer, that was all.  I considered setting up
the workstation for routing, to redirect traffic appropriately, but they
wouldn't give me any details about their network...

I seem to remember posting about it on this mailing list, and Jim
informed me about the dueling LSP problem.  If I remember right, it's
basically whatever LSP gets installed first that has first dibs.  Since
we didn't want to totally ruin that workstation just to get one program
running, I worked around it.  I uninstalled the client, figured out the
protocols/ports the program needed to use, and created a specific set of
rules.

Sorry, that is probably not a heck of a lot of help...

No free "hamburger" for me!


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, October 20, 2005 11:12 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cisco SSL VPN client

http://www.ISAserver.org

Hi Dan,

This is the new SSL VPN client, not IPSec tunnel mode.

If you have a pointer on any docs on how this thing works, I'll gladly
pay you Tuesday for a hamburger today :)

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> Sent: Thursday, October 20, 2005 10:09 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cisco SSL VPN client
> 
> I've had a Cisco VPN client running like that here for a few years now.
> I used the article at
> http://support.microsoft.com/default.aspx?scid=kb;en-us;812076 to get
> the right settings for ISA 2000, then just used those same ports to
> recreate a rule for ISA 2004 and it works fine.
> 
> Although, we're using a slightly older VPN client, so maybe that makes a
> difference.
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Thursday, October 20, 2005 10:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cisco SSL VPN client
> 
> I guess I should also add that the Cisco SSL VPN sludgeware also
> installs a local host proxy listener. 
> 
>  
> 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> > Sent: Wednesday, October 19, 2005 8:52 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Cisco SSL VPN client
> > 
> > Hey folks,
> > 
> > Anyone have any experience with the Cisco SSL VPN client connecting to a
> > Cisco VPN server when the client is behind an ISA firewall and the Cisco
> > SSL VPN server is behind god knows what?
> > 
> > From the tests I've done so far:
> > 
> > ===========================
> > Web proxy client ONLY configuration does NOT work 
> > 
> > Firewall client ONLY configuration does NOT work
> > 
> > Web proxy AND Firewall client configuration does NOT work
> > 
> > Web proxy and SecureNAT configuration DOES work
> > 
> > Firewall client and SecureNAT configuration DOES work
> > 
> > Firewall client, Web proxy client and SecureNAT client configuration
> > DOES work
> > ===========================
> > 
> > The Web proxy log file shows SSL connection failed with a 995 reported.
> > The Firewall client doesn't even intercept the request, at least from
> > what I see in the Sessions tab of the console.
> > 
> > An example of what happens with the Web proxy filter connection is the
> > line below:
> > Original Client IP  Authenticated Client    Service Server Name
> > Referring Server    Destination Host Name   MIME Type       Object
> > Source      Source Proxy    Destination Proxy       
> > Bidirectional       Client
> > Host Name   Network Interface       Raw IP Header   Raw Payload
> > Source Port Processing Time Bytes Sent      Bytes Received  Cache
> > Information Log Time        Client IP       Destination IP
> > Transport   Destination Port        Protocol        Action  Rule
> > Client Username     URL     Source Network  Destination 
> > Network     HTTP
> > Method      Filter Information      Error Information       
> > Result Code
> > Log Record Type     Client Agent    HTTP Status Code
> > 0.0.0.0     No      Proxy   CELESTIX-H5L4CS         webvpn.fsba.com
> > Internet    -       -               -       -       -       -
> > 0   0       105978  1464    0x0     10/19/2005 7:25:58 PM
> > 192.168.1.71        216.226.999.999 TCP     443     SSL-tunnel    Failed
> > Connection Attempt  All Open Servers        anonymous
> > webvpn.noneya.com:443       Internal        External
> > 0x9         Web Proxy Filter        Mozilla/4.0 (compatible; MSIE
> > 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)        995 
> > ==============================
> > 
> > Firewall policy is All Open from source to destination network.
> > Web proxy filter is unbound from the HTTP protocol
> > 
> > Hints, tips, tricks, guesses or anything appreciated.
> >  
> > 
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls

