David,

Well, I am much closer.... the protocol definitions solved the client connection problem. The VPN client authenticates and connects. However, it does not seem to pass traffic. The client overlays the local NIC with the foreign network settings (DNS, WINS, etc.). When not going through ISA, I can ping things etc. However, going through ISA, once the connection is established, the traffic seems to go out, but does not return a reply. All internal clients are SNAT; no firewall client.

I am trying to get more info on the client. The provider of the customized VPN client is not very forthcoming with info.

Any other ideas would be greatly appreciated.

Thanks!
- Jeff

-----Original Message-----
From: David Elmquist [mailto:david@xxxxxxxxxx]
Sent: Thursday, October 25, 2001 10:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cisco VPN Client

http://www.ISAserver.org

If you are trying to connect to a Cisco VPN concentrator box, try to create the following protocol definitions:

UDP 500 SEND
UDP 10000 SEND

You have to disable the firewall client, if installed, for this to work properly. I believe the Altiga VPN clients are the only ones supporting NAT. Otherwise, you may have to read up on the port specifications for your client, and modify the rules accordingly.

David Elmquist

-----Original Message-----
From: Jeffrey M. Butte [mailto:jbutte@xxxxxx]
Sent: 25. oktober 2001 05:00
To: [ISAserver.org Discussion List]
Subject: [isalist] Cisco VPN Client

http://www.ISAserver.org

I am attempting to configure ISA to allow a Cisco VPN client connection on an internal (behind ISA) workstation to pass through ISA Server. I can currently VPN (PPTP) through to outside hosts. I have not tested L2TP since I do not have an external host to test against. (I will probably build one next week to test.) However, the Cisco client fails with a "remote peer is not responding" message.

I went through Dr. Shinder's book (pages 765-769) on the IPSec section because it discusses configuration for ESP and AH, but it didn't seem to fit what I was looking for because it was more for using W2K's IPSec.

The Cisco client is set to allow IPSec through NAT mode. This allows secure transmission between the client and the VPN device through a router serving as a firewall, which may also be performing Network Address Translation (NAT) like ISA. According to Cisco, the most common application for IPSec through NAT mode is behind a home router performing PAT. Using this feature encapsulates Protocol 50 (ESP) traffic within UDP packets that the home router forwards to their destination. The VPN Client also sends keepalives frequently, ensuring that the mappings on the router are kept active.

Does anyone have a clue what I need to do to get Protocol 50 inbound to an internal client? It needs bi-directional access due to the keepalives.

Thanks,

Jeff Butte
mailto:jbutte@xxxxxx

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: david@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
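The thread turns on one point: a port-based source NAT (PAT) such as the ISA SecureNAT path can only build a reverse mapping for flows that carry a transport-layer port, so ISAKMP on UDP 500 and ESP encapsulated in UDP (the UDP 10000 rule above) can get replies back, while raw IP protocol 50 has no port to map and its replies have nowhere to go. The following Python script is an added illustration of that mechanism, not code from the thread or from ISA Server or Cisco: it parses constructed IPv4 packets, classifies each flow, and pushes it through a toy PAT table to show which ones survive a round trip. The port 10000 constant is taken from David's rule and the addresses are made up for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
ISAKMP_PORT = 500
ESP_IN_UDP_PORT = 10000  # assumption: the UDP 10000 port from the protocol definition above


@dataclass
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int]  # None when the protocol has no L4 port (ESP, AH)
    dport: Optional[int]
    spi: Optional[int]    # ESP Security Parameter Index, informational only


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 header (no options, checksum left zero) plus payload."""
    pack_ip = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, pack_ip(src), pack_ip(dst))
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """Constructed UDP header (checksum left zero) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(pkt: bytes) -> Flow:
    """Extract the fields a translator needs: protocol, addresses and, if any, ports."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    payload = pkt[ihl:]
    sport = dport = spi = None
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
    elif proto == IPPROTO_ESP and len(payload) >= 8:
        spi = struct.unpack("!I", payload[:4])[0]
    return Flow(proto, src, dst, sport, dport, spi)


def classify(flow: Flow) -> str:
    """Name the flow the way the thread talks about it."""
    if flow.proto == IPPROTO_UDP and flow.dport == ISAKMP_PORT:
        return "isakmp"          # IKE key exchange, port-based, NAT-friendly
    if flow.proto == IPPROTO_UDP and flow.dport == ESP_IN_UDP_PORT:
        return "esp_udp"         # ESP wrapped in UDP, port-based, NAT-friendly
    if flow.proto == IPPROTO_ESP:
        return "esp_raw"         # protocol 50, no port for a PAT table to key on
    if flow.proto == IPPROTO_AH:
        return "ah"              # AH authenticates the IP header; any rewrite breaks it
    return "other"


class PortNat:
    """Toy source NAT: one external address, mappings keyed on (proto, external port)."""

    def __init__(self, external_ip: str):
        self.external_ip = external_ip
        self.next_port = 40000
        self.table: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def outbound(self, flow: Flow) -> Optional[Flow]:
        if flow.sport is None:
            return None          # nothing to rewrite, so no reverse mapping can be created
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(flow.proto, ext_port)] = (flow.src, flow.sport)
        return Flow(flow.proto, self.external_ip, flow.dst, ext_port, flow.dport, flow.spi)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        if flow.dport is None:
            return None
        target = self.table.get((flow.proto, flow.dport))
        if target is None:
            return None          # unsolicited or unmappable reply: dropped
        return Flow(flow.proto, flow.src, target[0], flow.sport, target[1], flow.spi)


def round_trip(nat: PortNat, pkt: bytes) -> bool:
    """True if the peer's reply to this packet can be delivered back to the internal host."""
    out = nat.outbound(parse_ipv4(pkt))
    if out is None:
        return False
    reply = Flow(out.proto, out.dst, out.src, out.dport, out.sport, out.spi)  # constructed reply
    return nat.inbound(reply) is not None


INTERNAL, CONCENTRATOR = "10.0.0.25", "198.51.100.7"   # constructed addresses
ESP_BODY = struct.pack("!II", 0x1234, 1) + b"\x00" * 16  # SPI, sequence, opaque payload
SAMPLES = {
    "isakmp":  build_ipv4(IPPROTO_UDP, INTERNAL, CONCENTRATOR, build_udp(500, 500, b"\x00" * 28)),
    "esp_udp": build_ipv4(IPPROTO_UDP, INTERNAL, CONCENTRATOR, build_udp(10000, 10000, ESP_BODY)),
    "esp_raw": build_ipv4(IPPROTO_ESP, INTERNAL, CONCENTRATOR, ESP_BODY),
}


def run_demo() -> Dict[str, Tuple[str, bool]]:
    """Classify each constructed packet and report whether its reply gets back."""
    nat = PortNat("203.0.113.1")
    return {name: (classify(parse_ipv4(pkt)), round_trip(nat, pkt)) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (kind, ok) in run_demo().items():
        print(f"{name:8s} {kind:8s} reply returns: {ok}")
```

Running it shows both UDP flows completing the round trip and the raw protocol 50 flow failing at the outbound step, which is the situation the UDP encapsulation mode and the two SEND protocol definitions are there to avoid; a firewall that must pass raw ESP instead needs an IPSec-aware (ESP passthrough) translator rather than plain port-based SNAT.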