[isalist] RE: Cisco VPN Client

If it is a customized client, it is entirely possible that it uses other ranges for traffic. First check your firewall log. If you have successful connections, for both UDP 500 and UDP 10000, you might be having gateway problems or something like that. Is the VPN box usable from other locations? If you have UDP 500, but not UDP 10000 connections in the firewall log, it could be your customized agent trying to use another port for data transfer. Check your packet filter log for anything that could look like UDP packets being dropped during a connection attempt.

On a standard Cisco Altiga, these are the ports in use:
UDP 500 is IKE negotiation
UDP 10000 is data transfer

David Elmquist

----- Original Message -----
From: Jeffrey M. Butte
To: [ISAserver.org Discussion List]
Sent: Friday, October 26, 2001 5:44 AM
Subject: [isalist] RE: Cisco VPN Client

http://www.ISAserver.org

David,

Well, I am much closer.... the protocol definitions solved the client connection problem. The VPN client authenticates and connects. However.. it does not seem to pass traffic. The client overlays the local NIC with the foreign network settings (DNS, WINS, etc). When not going through ISA, I can ping things etc. However, going through ISA, once the connection is established, the traffic seems to go out.. but does not return a reply. All internal clients are SNAT; no firewall client.

I am trying to get more info on the client. The provider of the customized VPN client is not very forthcoming with info.

Any other ideas would be greatly appreciated.

Thanks!
- Jeff

-----Original Message-----
From: David Elmquist [mailto:david@xxxxxxxxxx]
Sent: Thursday, October 25, 2001 10:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cisco VPN Client

http://www.ISAserver.org

If you are trying to connect to a Cisco VPN concentrator box, try to create the following protocol definitions:
UDP 500 SEND
UDP 10000 SEND

You have to disable the firewall client, if installed, for this to work properly. I believe the Altiga VPN clients are the only ones supporting NAT. Otherwise, you may have to read up on the port specifications for your client, and modify the rules accordingly.

David Elmquist

-----Original Message-----
From: Jeffrey M. Butte [mailto:jbutte@xxxxxx]
Sent: 25 October 2001 05:00
To: [ISAserver.org Discussion List]
Subject: [isalist] Cisco VPN Client

http://www.ISAserver.org

I am attempting to configure ISA to allow a Cisco VPN client connection on an internal (behind ISA) workstation to pass through ISA server. I can currently VPN (PPTP) through to outside hosts. I have not tested L2TP since I do not have an external host to test against. (I will probably build one next week to test.) However, the Cisco client fails with a "remote peer is not responding" message.

I went through Dr. Shinder's book (pages 765-769) on the IPSec section because it discusses configuration for ESP and AH, but it didn't seem to fit what I was looking for because it was more for using W2K's IPSec.

The Cisco client is set to allow IPSec through NAT mode. This allows secure transmission between the client and the VPN device through a router serving as a firewall, which may also be performing Network Address Translation (NAT) like ISA. According to Cisco, the most common application for IPSec through NAT mode is behind a home router performing PAT. Using this feature encapsulates Protocol 50 (ESP) traffic within UDP packets that the home router forwards to their destination. The VPN Client also sends keepalives frequently, ensuring that the mappings on the router are kept active.

Does anyone have a clue what I need to do to get Protocol 50 inbound to an internal client? It needs bi-directional access due to the keepalives.

Thanks,
Jeff Butte
mailto:jbutte@xxxxxx

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: david@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
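The checks David lays out (did UDP 500 complete both ways, did UDP 10000 pass both ways, are any other UDP ports being dropped during the attempt) can be run mechanically over a packet filter log. The script below is an added example, not code from the thread or from ISA Server; the log line format, the sample lines, the addresses and the function names (parse_log, udp_flows, diagnose) are all constructed for it. The sample reproduces Jeff's symptom: IKE succeeds, the client's UDP 10000 packets leave, and the concentrator's UDP 10000 replies are dropped on the way back in.

```python
"""Triage packet-filter log lines for a Cisco (Altiga) IPSec-through-NAT
client sitting behind a SNAT firewall, following the checks in the thread:
did UDP/500 (IKE negotiation) complete both ways, did UDP/10000 (ESP
encapsulated in UDP) pass both ways, and are any other UDP ports being
dropped, which would point at a customized client using a different port.

Added example. The log line format and the sample lines are constructed
for it; they are not ISA Server's actual log format."""

from collections import defaultdict

IKE_PORT = 500       # IKE negotiation (per the thread)
DATA_PORT = 10000    # Altiga IPSec-through-NAT data transfer (per the thread)

# Constructed sample: IKE completes both ways, the client's UDP/10000 packets
# leave, but the concentrator's UDP/10000 replies are dropped on the way back.
SAMPLE_LOG = """\
2001-10-26 09:14:02 192.168.1.20:500 203.0.113.10:500 UDP ALLOW
2001-10-26 09:14:02 203.0.113.10:500 192.168.1.20:500 UDP ALLOW
2001-10-26 09:14:05 192.168.1.20:10000 203.0.113.10:10000 UDP ALLOW
2001-10-26 09:14:06 203.0.113.10:10000 192.168.1.20:10000 UDP DROP
2001-10-26 09:14:09 203.0.113.10:10000 192.168.1.20:10000 UDP DROP
"""


def parse_log(text):
    """Parse constructed 'date time src_ip:port dst_ip:port proto action' lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, dst, proto, action = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        records.append({
            "time": f"{date} {clock}",
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "proto": proto.upper(), "action": action.upper(),
        })
    return records


def udp_flows(records, client_ip):
    """Summarise UDP traffic per gateway-side port for one internal client:
    allowed outbound seen, allowed inbound seen, and number of drops."""
    flows = defaultdict(lambda: {"out_ok": False, "in_ok": False, "drops": 0})
    for r in records:
        if r["proto"] != "UDP" or client_ip not in (r["src_ip"], r["dst_ip"]):
            continue
        outbound = r["src_ip"] == client_ip
        # The port that identifies the flow is the one on the concentrator side.
        port = r["dst_port"] if outbound else r["src_port"]
        flow = flows[port]
        if r["action"] == "ALLOW":
            flow["out_ok" if outbound else "in_ok"] = True
        else:
            flow["drops"] += 1
    return dict(flows)


def diagnose(records, client_ip):
    """Map the log evidence onto the thread's troubleshooting steps."""
    empty = {"out_ok": False, "in_ok": False, "drops": 0}
    flows = udp_flows(records, client_ip)
    ike = flows.get(IKE_PORT, empty)
    data = flows.get(DATA_PORT, empty)
    # Drops on any other UDP port hint at a customized client using its own port.
    other_dropped = sorted(p for p, f in flows.items()
                           if p not in (IKE_PORT, DATA_PORT) and f["drops"])
    if not (ike["out_ok"] and ike["in_ok"]):
        code, detail = "no-ike", ("UDP/500 did not complete in both directions; "
                                  "the client never negotiates with the concentrator")
    elif data["out_ok"] and data["in_ok"] and data["drops"] == 0:
        code, detail = "both-ok", ("UDP/500 and UDP/10000 pass both ways; "
                                   "look beyond the packet filter (gateway or routing)")
    elif data["out_ok"] and not data["in_ok"]:
        code, detail = "data-replies-dropped", (f"UDP/10000 leaves but {data['drops']} replies "
                                                "were dropped; data traffic is not returning")
    elif data["drops"] and not data["out_ok"]:
        code, detail = "data-outbound-dropped", ("outbound UDP/10000 is being dropped; "
                                                 "the data-transfer protocol definition is not in effect")
    else:
        code, detail = "no-data-port", ("IKE completes but no UDP/10000 traffic was seen; "
                                        "a customized client may be using another port")
    return {"code": code, "detail": detail, "other_dropped_udp_ports": other_dropped}


if __name__ == "__main__":
    result = diagnose(parse_log(SAMPLE_LOG), "192.168.1.20")
    print(result["code"], "-", result["detail"])
    if result["other_dropped_udp_ports"]:
        print("other dropped UDP ports:", result["other_dropped_udp_ports"])
```

Run it against an export of your own packet filter log after converting the lines to the format parse_log expects; the "no-data-port" result together with a non-empty other_dropped_udp_ports list is the case David describes where a customized agent is using a port other than 10000 for data transfer.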