RE: Cisco VPN Client

  • From: "David Elmquist \( Subcore \)" <david@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 26 Oct 2001 10:25:17 +0200

If it is a customized client, it is entirely possible that it uses other ranges for
traffic. First check your firewall log. If you have successful connections for both
UDP 500 and UDP 10000, you might be having gateway problems or something
like that. Is the VPN box usable from other locations?
If you have UDP 500, but not UDP 10000 connections in the firewall log, it
could be your customized agent trying to use another port for data transfer.
Check your packet filter log for anything that could look like UDP packets being
dropped during a connection attempt.

On a standard Cisco Altiga, these are the ports in use:

UDP 500 is IKE negotiation
UDP 10000 is data transfer

 David Elmquist
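The log check David describes above (UDP 500 and UDP 10000 both accepted, UDP 500 only, or neither) as a small triage script. This is an added example, not code from the thread or from ISA Server; the log line format it parses is a constructed, simplified one (`<time> <action> <proto> <src>:<sport> <dst>:<dport>`), so a real ISA packet filter log would need its columns mapped into `Record` first. The verdict strings and hints are the editor's own wording of the three cases in the message.

```python
"""Triage a firewall log for a Cisco VPN client behind a NAT firewall:
IKE on UDP/500, IPsec-over-UDP data on UDP/10000.

Added example, not from the mailing-list thread.  The log format below is
a constructed, simplified one; real ISA Server logs have other columns.
"""
from collections import Counter
from dataclasses import dataclass

IKE_PORT = 500          # IKE negotiation
IPSEC_UDP_PORT = 10000  # Cisco IPsec-over-UDP data transfer (default)


@dataclass(frozen=True)
class Record:
    time: str
    action: str   # "accept" or "drop"
    proto: str    # "udp", "tcp", ...
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Record:
    """Parse one constructed log line:
    <time> <action> <proto> <src>:<sport> <dst>:<dport>"""
    time, action, proto, src, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Record(time, action.lower(), proto.lower(),
                  s_ip, int(s_port), d_ip, int(d_port))


def triage(lines, client_ip):
    """Apply the three cases from the message to the UDP traffic of one client."""
    recs = [parse_line(ln) for ln in lines
            if ln.strip() and not ln.lstrip().startswith("#")]
    udp = [r for r in recs if r.proto == "udp" and r.src == client_ip]
    accepted = {r.dport for r in udp if r.action == "accept"}
    dropped = Counter(r.dport for r in udp if r.action == "drop")

    if IKE_PORT not in accepted:
        return {"verdict": "no-ike",
                "hint": "UDP/500 never passed; check the UDP 500 SEND protocol "
                        "definition and that the Firewall Client is disabled",
                "dropped_udp_ports": dict(dropped)}
    if IPSEC_UDP_PORT in accepted:
        return {"verdict": "tunnel-ports-ok",
                "hint": "IKE and UDP/10000 both pass; suspect the gateway or "
                        "return path rather than the port rules",
                "dropped_udp_ports": dict(dropped)}
    # IKE passes but the default data port never does: look for other UDP
    # destination ports being dropped during the attempt.
    return {"verdict": "ike-only",
            "hint": "IKE passes but UDP/10000 never does; the customized client "
                    "may carry data on another UDP port, add a SEND rule for it",
            "candidate_ports": sorted(dropped),
            "dropped_udp_ports": dict(dropped)}


# Constructed sample logs (not real ISA output).
CLIENT = "192.168.1.10"
LOG_BOTH_OK = [
    "10:01:02 accept udp 192.168.1.10:500 198.51.100.5:500",
    "10:01:03 accept udp 192.168.1.10:10000 198.51.100.5:10000",
]
LOG_IKE_ONLY = [
    "10:01:02 accept udp 192.168.1.10:500 198.51.100.5:500",
    "10:01:03 drop udp 192.168.1.10:4500 198.51.100.5:4500",
    "10:01:04 drop udp 192.168.1.10:4500 198.51.100.5:4500",
    "10:01:05 accept tcp 192.168.1.10:1034 198.51.100.5:80",
]
LOG_NO_IKE = [
    "10:01:02 drop udp 192.168.1.10:500 198.51.100.5:500",
]

if __name__ == "__main__":
    for name, log in (("both", LOG_BOTH_OK), ("ike-only", LOG_IKE_ONLY),
                      ("no-ike", LOG_NO_IKE)):
        print(name, triage(log, CLIENT))
```

Only the client's own UDP records are considered, so chatter from other hosts does not mask a missing UDP/10000 entry, and the "ike-only" verdict lists the dropped destination ports so the matching SEND definition can be added.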


  ----- Original Message ----- 
  From: Jeffrey M. Butte 
  To: [ISAserver.org Discussion List] 
  Sent: Friday, October 26, 2001 5:44 AM
  Subject: [isalist] RE: Cisco VPN Client


  http://www.ISAserver.org


  David,

  Well, I am much closer.... the protocol definitions solved the client
  connection problem.  The VPN client authenticates and connects.
  However.. it does not seem to pass traffic.  The client overlays the
  local NIC with the foreign network settings (DNS, WINS, etc).  When not
  going through ISA, I can ping things etc.  However going through ISA,
  once the connection is established, the traffic seems to go out.. but
  does not return a reply.  All internal clients are SNAT; no firewall
  client.

  I am trying to get more info on the client.  The provider of the
  customized VPN client is not very forthcoming with info.

  Any other ideas would be greatly appreciated.

  Thanks!
  - Jeff

  -----Original Message-----
  From: David Elmquist [mailto:david@xxxxxxxxxx]
  Sent: Thursday, October 25, 2001 10:30 AM
  To: [ISAserver.org Discussion List]
  Subject: [isalist] RE: Cisco VPN Client





  If you are trying to connect to a Cisco VPN concentrator box, try
  to create the following protocol definitions:

  UDP 500 SEND
  UDP 10000 SEND

  You have to disable the firewall client, if installed,
  for this to work properly.

  I believe the Altiga VPN clients are the only ones supporting NAT.
  Otherwise, you may have to read up on the port specifications for your
  client, and modify the rules accordingly.

  David Elmquist



  -----Original Message-----
  From: Jeffrey M. Butte [mailto:jbutte@xxxxxx]
  Sent: 25. oktober 2001 05:00
  To: [ISAserver.org Discussion List]
  Subject: [isalist] Cisco VPN Client




  I am attempting to configure ISA to allow a Cisco VPN client connection
  on an internal (behind ISA) workstation to pass through ISA server.

  I can currently VPN (PPTP) through to outside hosts.  I have not tested
  L2TP since I do not have an external host to test
  against.  (I will probably build one next week to test.)  However, the
  Cisco client fails with a "remote peer is not responding" message.

  I went through Dr. Shinder's book (pages 765-769) on the IPSec section
  because it discusses configuration for ESP and AH, but it didn't seem to
  fit what I was looking for because it was more for using W2K's IPSec.

  The Cisco client is set to allow IPSec through NAT mode.  This allows
  secure transmission between the client and the VPN device through a
  router serving as a firewall, which may also be performing Network
  Address Translation (NAT) like ISA.

  According to Cisco, the most common application for IPSec through NAT
  mode is behind a home router performing PAT. Using this feature
  encapsulates Protocol 50 (ESP) traffic within UDP packets that the home
  router forwards to their destination. The VPN Client also sends
  keepalives frequently, ensuring that the mappings on the router are kept
  active.

  Does anyone have a clue what I need to do to get Protocol 50 inbound to
  an internal client?  It needs bi-direction access due to the keepalives.

  Thanks,

  Jeff Butte
  mailto:jbutte@xxxxxx





  ------------------------------------------------------
  You are currently subscribed to this ISAserver.org Discussion List as:
  david@xxxxxxxxxx To unsubscribe send a blank email to
  $subst('Email.Unsub')



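The Cisco passage quoted in Jeff's first message (ESP, protocol 50, wrapped in UDP so a router doing PAT can forward it, plus frequent keepalives to keep the mapping alive) as a toy port-address-translator model. This is an added example, not code from the thread, from Cisco or from ISA Server; the idle timeout, the public port range and the packet fields are assumptions made for illustration.

```python
"""Why IPsec-over-UDP survives PAT while raw ESP (IP protocol 50) does not,
and why the VPN client's keepalives matter.

Added example, not from the thread.  A toy many-to-one NAT model; the
timeout and port numbers are assumptions, not product behaviour.
"""
from dataclasses import dataclass, replace
from typing import Optional

ESP = 50  # IP protocol number for ESP (no transport ports)
UDP = 17


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for port-less protocols such as ESP
    dport: Optional[int] = None


class PAT:
    """Port-address translation keyed on (inside ip, proto, inside port)."""

    def __init__(self, public_ip, idle_timeout=60, first_port=40000):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.next_port = first_port
        self.out = {}   # (inside_ip, proto, sport) -> (public_port, last_seen)
        self.back = {}  # (proto, public_port) -> (inside_ip, sport)

    def _expire(self, now):
        for key, (pport, seen) in list(self.out.items()):
            if now - seen > self.idle_timeout:
                del self.out[key]
                del self.back[(key[1], pport)]

    def outbound(self, pkt, now):
        self._expire(now)
        if pkt.sport is None:
            # No transport port to key on: the source is rewritten but no
            # return mapping can be created for the reply.
            return replace(pkt, src=self.public_ip)
        key = (pkt.src, pkt.proto, pkt.sport)
        if key in self.out:
            pport, _ = self.out[key]
        else:
            pport = self.next_port
            self.next_port += 1
            self.back[(pkt.proto, pport)] = (pkt.src, pkt.sport)
        self.out[key] = (pport, now)  # create or refresh the mapping
        return replace(pkt, src=self.public_ip, sport=pport)

    def inbound(self, pkt, now):
        self._expire(now)
        if pkt.dport is None:
            return None  # ESP reply: no port, no mapping, dropped
        entry = self.back.get((pkt.proto, pkt.dport))
        if entry is None:
            return None  # mapping expired or never existed
        inside_ip, sport = entry
        self.out[(inside_ip, pkt.proto, sport)] = (pkt.dport, now)
        return replace(pkt, dst=inside_ip, dport=sport)


def scenario(keepalive_interval, idle_timeout=60):
    """Return (esp_reply_delivered, udp_reply_delivered) for one client."""
    nat = PAT("203.0.113.1", idle_timeout)
    client, concentrator = "192.168.1.10", "198.51.100.5"

    # Raw ESP: outbound leaves, but the concentrator's ESP reply has no port
    # the PAT box could use to find the inside host.
    nat.outbound(Packet(ESP, client, concentrator), now=0)
    esp_reply = nat.inbound(Packet(ESP, concentrator, nat.public_ip), now=1)

    # IPsec-over-UDP on 10000: the client sends keepalives every
    # keepalive_interval seconds; the concentrator replies at t=200 to the
    # public port the first outbound packet was mapped to.
    t = 0
    while t < 200:
        nat.outbound(Packet(UDP, client, concentrator, 10000, 10000), now=t)
        t += keepalive_interval
    reply = nat.inbound(Packet(UDP, concentrator, nat.public_ip, 10000, 40000),
                        now=200)
    return esp_reply is not None, reply is not None and reply.dst == client


if __name__ == "__main__":
    print("keepalive 20s :", scenario(20))   # ESP dropped, UDP reply delivered
    print("keepalive 500s:", scenario(500))  # ESP dropped, mapping timed out
```

With keepalives inside the idle timeout the UDP/10000 mapping is refreshed and the reply is translated back to the client; without them the mapping ages out and the reply is dropped, which is why a PAT device must see the encapsulated traffic in both directions rather than a one-way protocol 50 rule.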

