RE: Cisco VPN Client

  • From: "Jeffrey M. Butte" <jbutte@xxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 25 Oct 2001 22:44:56 -0500

David,

Well, I am much closer... the protocol definitions solved the client
connection problem.  The VPN client authenticates and connects.
However, it does not seem to pass traffic.  The client overlays the
local NIC with the foreign network settings (DNS, WINS, etc.).  When not
going through ISA, I can ping things, etc.  However, going through ISA,
once the connection is established, the traffic seems to go out, but
does not return a reply.  All internal clients are SNAT; no firewall
client.

I am trying to get more info on the client.  The provider of the
customized VPN client is not very forthcoming with info.

Any other ideas would be greatly appreciated.

Thanks!
- Jeff

-----Original Message-----
From: David Elmquist [mailto:david@xxxxxxxxxx]
Sent: Thursday, October 25, 2001 10:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cisco VPN Client


http://www.ISAserver.org



If you are trying to connect to a Cisco VPN concentrator box, try
to create the following protocol definitions:

UDP 500 SEND
UDP 10000 SEND

You have to disable the firewall client, if installed,
for this to work properly.

I believe the Altiga VPN clients are the only ones supporting NAT.
Otherwise, you may have to read up on the port specifications for your
client, and modify the rules accordingly.

David Elmquist



-----Original Message-----
From: Jeffrey M. Butte [mailto:jbutte@xxxxxx] 
Sent: 25 October 2001 05:00
To: [ISAserver.org Discussion List]
Subject: [isalist] Cisco VPN Client

I am attempting to configure ISA to allow a Cisco VPN client connection
from an internal (behind ISA) workstation to pass through ISA Server.

I can currently VPN (PPTP) through to outside hosts.  I have not tested
L2TP since I do not have an external host to test 
against.  (I will probably build one next week to test.)  However, the
Cisco client fails with a "remote peer is not responding" message. 

I went through Dr. Shinder's book (pages 765-769) on the IPSec section
because it discusses configuration for ESP and AH, but it didn't seem to
fit what I was looking for because it was more for using W2K's IPSec.

The Cisco client is set to allow IPSec through NAT mode.  This allows
secure transmission between the client and the VPN device through a
router serving as a firewall, which may also be performing Network
Address Translation (NAT) like ISA.

According to Cisco, the most common application for IPSec through NAT
mode is behind a home router performing PAT. Using this feature
encapsulates Protocol 50 (ESP) traffic within UDP packets that the home
router forwards to their destination. The VPN Client also sends
keepalives frequently, ensuring that the mappings on the router are kept
active. 

Does anyone have a clue what I need to do to get Protocol 50 inbound to
an internal client?  It needs bi-directional access due to the keepalives.

Thanks,

Jeff Butte 
mailto:jbutte@xxxxxx
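A constructed model, added here and not part of the thread or of any ISA or Cisco code, of why the UDP 500 / UDP 10000 definitions in David's reply work where raw Protocol 50 (Jeff's question above) does not: a port-based translator can only hand a reply back to one internal host when the packet carries a port to key on, and the client's keepalives keep that mapping from idling out. The gateway class, the addresses and the 60-second idle timeout are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of a port-based (PAT) translator standing in for ISA's SNAT;
# not ISA Server or Cisco code. All addresses below are hypothetical.
ESP, UDP = 50, 17                      # IP protocol numbers
IKE_PORT, UDP_ESP_PORT = 500, 10000    # the two UDP definitions from the reply

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None        # ESP carries an SPI but no port fields
    dport: Optional[int] = None

class PatGateway:
    def __init__(self, public_ip: str, idle_timeout: int = 60):
        self.public_ip, self.idle_timeout = public_ip, idle_timeout
        self.next_port = 40000
        self.table = {}  # (proto, public_port) -> [internal_ip, internal_port, last_seen]

    def outbound(self, pkt: Packet, now: int) -> Optional[Packet]:
        """Translate an internal packet; None means it cannot be mapped."""
        if pkt.sport is None:
            return None  # raw ESP: no port, so no (proto, port) entry can be created
        for (proto, pub_port), ent in self.table.items():
            if proto == pkt.proto and ent[0] == pkt.src and ent[1] == pkt.sport:
                ent[2] = now  # existing mapping: a keepalive refreshes its idle timer
                return Packet(proto, self.public_ip, pkt.dst, pub_port, pkt.dport)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, pub_port)] = [pkt.src, pkt.sport, now]
        return Packet(pkt.proto, self.public_ip, pkt.dst, pub_port, pkt.dport)

    def inbound(self, pkt: Packet, now: int) -> Optional[Packet]:
        """Hand a reply to the internal host owning the mapping, if one exists."""
        if pkt.dport is None:
            return None  # raw ESP reply: nothing to look up, so it is dropped
        ent = self.table.get((pkt.proto, pkt.dport))
        if ent is None or now - ent[2] > self.idle_timeout:
            self.table.pop((pkt.proto, pkt.dport), None)  # idled out or never existed
            return None
        ent[2] = now
        return Packet(pkt.proto, pkt.src, ent[0], pkt.sport, ent[1])

def run_scenarios():
    gw, client, peer = PatGateway("203.0.113.1"), "10.0.0.5", "198.51.100.9"
    raw_esp = gw.inbound(Packet(ESP, peer, gw.public_ip), now=0)  # plain Protocol 50
    out = gw.outbound(Packet(UDP, client, peer, UDP_ESP_PORT, UDP_ESP_PORT), now=0)
    reply = gw.inbound(Packet(UDP, peer, gw.public_ip, UDP_ESP_PORT, out.sport), now=10)
    gw.outbound(Packet(UDP, client, peer, UDP_ESP_PORT, UDP_ESP_PORT), now=50)  # keepalive
    kept = gw.inbound(Packet(UDP, peer, gw.public_ip, UDP_ESP_PORT, out.sport), now=100)
    stale = gw.inbound(Packet(UDP, peer, gw.public_ip, UDP_ESP_PORT, out.sport), now=200)
    return raw_esp, reply, kept, stale
```

`run_scenarios()` returns the dropped raw-ESP reply, the delivered UDP 10000 reply, a reply kept alive by the keepalive, and a reply dropped after the mapping idled out.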





------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
david@xxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
