RE: Cisco VPN Client

  • From: "Jeffrey M. Butte" <jbutte@xxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 31 Oct 2001 00:09:53 -0600

David,
 
I went through the logs and found nothing (which kind of surprised me).
I could only see the outbound calls for UDP 500.  I focused more on the
client and found in the status window of the client that it listed a
port used during encryption over NAT.  This port was well over 10000.  I
created a protocol definition for it and everything immediately worked.
Once again, thanks for all your help.  Two simple protocol definitions
were the solution.
 

Jeff Butte 
mailto:jbutte@xxxxxx


-----Original Message-----
From: David Elmquist ( Subcore ) [mailto:david@xxxxxxxxxx]
Sent: Friday, October 26, 2001 3:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cisco VPN Client


http://www.ISAserver.org


If it is a customized client, it is entirely possible that it uses other
ranges for traffic. First check your firewall log. If you have successful
connections for both UDP 500 and UDP 10000, you might be having gateway
problems or something like that. Is the VPN box usable from other locations?
If you have UDP 500, but not UDP 10000 connections in the firewall log, it
could be your customized agent trying to use another port for data transfer.
Check your packet filter log for anything that could look like UDP packets
being dropped during a connection attempt.
 
On a standard Cisco Altiga, these are the ports in use:
 
UDP 500 is IKE negotiation
UDP 10000 is data transfer
 
 David Elmquist
 
 
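As an added example that is not part of this thread, the check David describes (IKE on UDP 500 passing, data traffic on UDP 10000 or some other port being dropped) applied to firewall log records. The log line format, the addresses and the client IP are constructed for the example, not ISA Server's real packet-filter log layout.

```python
# Added example: classify a VPN-through-NAT failure from firewall log lines
# using the decision tree from the thread.  Log format and addresses below
# are constructed for this example, not ISA Server's actual log layout.
import re
from collections import Counter

# Constructed sample: <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
ALLOW UDP 192.168.1.50:500 -> 203.0.113.10:500
ALLOW UDP 192.168.1.50:500 -> 203.0.113.10:500
DROP UDP 192.168.1.50:10000 -> 203.0.113.10:10000
DROP UDP 203.0.113.10:10000 -> 192.168.1.50:10000
ALLOW TCP 192.168.1.50:1723 -> 198.51.100.7:1723
"""

LINE_RE = re.compile(
    r"^(?P<action>ALLOW|DROP)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def diagnose(text, client_ip, ike_port=500, data_port=10000):
    """Return a one-line diagnosis for the VPN client at client_ip."""
    allowed, dropped = Counter(), Counter()
    for rec in parse_log(text):
        if rec["proto"] != "UDP":
            continue  # only the UDP legs of IKE / UDP-encapsulated ESP matter
        # Key each record by the remote-side port so both directions match up.
        port = rec["dport"] if rec["src"] == client_ip else rec["sport"]
        (allowed if rec["action"] == "ALLOW" else dropped)[port] += 1
    other = sorted(p for p in dropped if p != ike_port)
    if allowed[ike_port] and allowed[data_port]:
        return "both IKE and data ports pass: suspect the VPN gateway, not ISA"
    if allowed[ike_port] and other:
        ports = ", ".join(str(p) for p in other)
        return f"IKE passes but UDP {ports} is dropped: add protocol definitions for it"
    if allowed[ike_port]:
        return "IKE passes, no data-port traffic seen: client may use another port"
    return "no IKE traffic seen: check the UDP 500 definition first"
```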

----- Original Message ----- 
From: Jeffrey M. Butte <mailto:jbutte@xxxxxx>  
To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx>  
Sent: Friday, October 26, 2001 5:44 AM
Subject: [isalist] RE: Cisco VPN Client




David,

Well, I am much closer.... the protocol definitions solved the client
connection problem.  The VPN client authenticates and connects.
However.. it does not seem to pass traffic.  The client overlays the
local NIC with the foreign network settings (DNS, WINS, etc).  When not
going through ISA, I can ping things etc.  However going through ISA,
once the connection is established, the traffic seems to go out.. but
does not return a reply.  All internal clients are SNAT; no firewall
client.

I am trying to get more info on the client.  The provider of the
customized VPN client is not very forthcoming with info.

Any other ideas would be greatly appreciated.

Thanks!
- Jeff

-----Original Message-----
From: David Elmquist [mailto:david@xxxxxxxxxx]
Sent: Thursday, October 25, 2001 10:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cisco VPN Client





If you are trying to connect to a Cisco VPN concentrator box, try
to create the following protocol definitions:

UDP 500 SEND
UDP 10000 SEND

You have to disable the firewall client, if installed,
for this to work properly.

I believe the Altiga VPN clients are the only ones supporting NAT.
Otherwise, you may have to read up on the port specifications for your
client, and modify the rules accordingly.

David Elmquist



-----Original Message-----
From: Jeffrey M. Butte [mailto:jbutte@xxxxxx]
Sent: 25. oktober 2001 05:00
To: [ISAserver.org Discussion List]
Subject: [isalist] Cisco VPN Client




I am attempting to configure ISA to allow a Cisco VPN client connection
on an internal (behind ISA) workstation to pass through ISA server.

I can currently VPN (PPTP) through to outside hosts.  I have not tested
L2TP since I do not have an external host to test
against.  (I will probably build one next week to test.)  However, the
Cisco client fails with a "remote peer is not responding" message.

I went through Dr. Shinder's book (pages 765-769) on the IPSec section
because it discusses configuration for ESP and AH, but it didn't seem to
fit what I was looking for because it was more for using W2K's IPSec.

The Cisco client is set to allow IPSec through NAT mode.  This allows
secure transmission between the client and the VPN device through a
router serving as a firewall, which may also be performing Network
Address Translation (NAT) like ISA.

According to Cisco, the most common application for IPSec through NAT
mode is behind a home router performing PAT. Using this feature
encapsulates Protocol 50 (ESP) traffic within UDP packets that the home
router forwards to their destination. The VPN Client also sends
keepalives frequently, ensuring that the mappings on the router are kept
active.

Does anyone have a clue what I need to do to get Protocol 50 inbound to
an internal client?  It needs bi-directional access due to the keepalives.

Thanks,

Jeff Butte
mailto:jbutte@xxxxxx





------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
david@xxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')




