From your fail/pass table, it appears that unless your client can use ISA as the next hop, you're SOL. Are you trying to test through the tunnel or around it? IIRC, the Shitsco VPN Crap installs as an LSP. What kind of IP is "216.226.999.999"? Is this Crapsco's idea of "specialicity" in IP tunnels? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Thursday, October 20, 2005 07:20 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Cisco SSL VPN client http://www.ISAserver.org I guess I should also add that the Cisco SSL VPN sludgeware also installs a local host proxy listener. > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Wednesday, October 19, 2005 8:52 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] Cisco SSL VPN client > > http://www.ISAserver.org > > Hey folks, > > Anyone have any experience with the Cisco SSL VPN client > connecting to a > Cisco VPN server when the client is behind an ISA firewall > and the Cisco > SSL VPN server is behind god knows what? > > From the tests of done so far: > > =========================== > Web proxy client ONLY configuration does NOT work > > Firewall client ONLY configuration does NOT work > > Web proxy AND Firewall client configuration does NOT work > > Web proxy and SecureNAT configuration DOES work > > Firewall client and SecureNAT configuration DOES work > > Firewall client, Web proxy client and SecureNAT client configuration > DOES work > =========================== > > The Web proxy log file shows SSL connection failed with a 995 > reported. > The Firewall client doesn't even intercept the request, at least from > what I see in the Sessions tab of the console > > An example of what happens with the Web proxy filter connection is the > line below: > Original Client IP Authenticated Client Service Server Name > Referring Server Destination Host Name MIME Type Object > Source Source Proxy Destination Proxy > Bidirectional Client > Host Name Network Interface Raw IP Header Raw Payload > Source Port Processing Time Bytes Sent Bytes Received Cache > Information Log Time Client IP Destination IP > Transport Destination Port Protocol Action Rule > Client Username URL Source Network Destination > Network HTTP > Method Filter Information Error Information > Result Code > Log Record Type Client Agent HTTP Status Code > 0.0.0.0 No Proxy CELESTIX-H5L4CS webvpn.fsba.com > Internet - - - - - - > 0 0 105978 1464 0x0 10/19/2005 7:25:58 PM > 192.168.1.71 216.226.999.999 TCP 443 SSL-tunnel Failed > Connection Attempt All Open Servers anonymous > webvpn.noneya.com:443 Internal External > 0x9 Web Proxy Filter Mozilla/4.0 (compatible; MSIE > 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) 995 > ============================== > > Firewall policy is All Open from source to destination network. > Web proxy filter is unbound from the HTTP protocol > > Hints, tips, tricks, guesses or anything appreciated. > > > > Thomas W Shinder, M.D. > Site: www.isaserver.org <http://www.isaserver.org/> > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> > MVP -- ISA Firewalls > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned.