Scott,

I can't speak to your issue with establishing a VPN through your ISA server (having had no experience dealing with that issue) but I can speak to a couple of other things.

VPN Connectivity

Based on the ports you indicated that you have opened up, it looks like you're trying to establish an IPSEC tunnel over which to link your VPN. That will require that both firewalls and routers on both sides are configured to pass IP protocols 50 and 51. You'll also want to check with the system administrator of the Cisco VPN device to which your Cisco VPN clients are connecting and make sure it's set up for IPSEC-based VPNs.

Routing

There are two sides to this story. I'll start with yours.

You're using 10.10.10.x as your network ID. All of your clients will only route traffic that is destined for any IP address outside of that range. If the remote network uses that network address space, your clients won't be able to talk to those remote clients since everything in your network will see that as a local network address.

They are using 10.10.x.x as their network ID. Since 10.10.10.x is a subnet of that network ID, they are correct when they say that they won't be able to route anything back to you; your network address is seen by their routers and switches as being local to their environment.

Before you dig too far into the configuration of ISA, I would start by changing your network address to 10.1.1.x. This will clear up your routing issues in both directions, although it will require that you visit each device in your network to update its IP address settings, which can cause lots of havoc if you have Windows DNS servers and Domain Controllers running currently with 10.10.10.x IP addresses.

In any case, you're going to need to reassess your network configuration and make changes in order to get the two networks to talk with each other.
I'm not sure what kind of relationship you have with the other side but you may want to sit down with them and brainstorm what can be done to address the issue in a way that minimizes impact to either system.

I hope this helps.

Cordially yours,

Jerry G. Young II
MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
HHS Engineering
Unisys
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468

-----Original Message-----
From: Talley, Scott [mailto:stalley@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, February 28, 2006 9:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] more Cisco VPN..

Hello all,

I'm having the classic issue of Cisco VPN client out from behind ISA2kSP2/Win03SP1. Can connect to the remote Cisco VPN gadget, acquire a dhcp address, then nothing. Can't even ping a host on the remote network. Cisco client shows keep-alive traffic flowing outbound, but nothing inbound.

I've carefully checked my config, allowing UDP 500/4500/10000/20000 s/r according to Stephan's excellent docs and kb812076, my client machines are SNAT. I've verified that they have IPsec over UDP nat/pat engaged on the gizmo and are using the standard udp 4500 port for encapsulation. I don't see any denied connections in the logs.

Now here's the craziest part: Their network guys are telling me that because I use a 10.10.10.x network and they use a 10.10.x.x network, that routing is impossible. Now I'm obviously no networking wizard, but can anyone throw me some ammo?

Thank you,

Scott Talley
IT Manager, The Combined Group
e> stalley@xxxxxxxxxxxxxxxxx
p> 469.892.9829
f> 469.892.9710
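
The routing conflict described in the reply above, as an added example that is not part of either message: a Python sketch that models each host's local-versus-gateway decision in both directions. The /24 and /16 prefix lengths, the host addresses and the function names are assumptions; the thread gives only 10.10.10.x, 10.10.x.x and 10.1.1.x.

```python
import ipaddress


def delivery(src_net, dst_ip):
    """How a host whose connected network is src_net handles a packet for dst_ip.

    Simplified model: one connected network plus a default gateway, which is
    the decision the reply describes ("seen as a local network address").
    """
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(src_net):
        return "on-link"   # resolved on the local segment, never reaches the VPN path
    return "gateway"       # handed to the default gateway, can be sent into the tunnel


def check_site_pair(local_net, remote_net, local_host, remote_host):
    """Evaluate both directions between two sites that are to be joined by a VPN."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    return {
        "overlap": local.overlaps(remote),
        "outbound": delivery(local_net, remote_host),  # local client -> remote host
        "reply": delivery(remote_net, local_host),     # remote host -> local client
    }


# Constructed sample values (assumed prefix lengths and host addresses).
REMOTE_NET = "10.10.0.0/16"
CURRENT = check_site_pair("10.10.10.0/24", REMOTE_NET, "10.10.10.25", "10.10.20.5")
# A remote host that happens to sit inside the local range looks local to local clients.
SHADOWED = delivery("10.10.10.0/24", "10.10.10.7")
# The renumbering suggested in the reply.
PROPOSED = check_site_pair("10.1.1.0/24", REMOTE_NET, "10.1.1.25", "10.10.20.5")

if __name__ == "__main__":
    print("current :", CURRENT)
    print("shadowed:", SHADOWED)
    print("proposed:", PROPOSED)
```

With the current addressing the reply direction resolves as on-link at the remote site, so it is never handed to a gateway; after renumbering, both directions go to the gateway.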