VPN and ISA 2004

I have:

Internet--->Cisco 2801 Router---->ISA Server 2004----> LAN

All inbound traffic from the Internet is forwarded from the 2801 to the ISA server.  So its true that the ISA Server will handle all of the VPN authentication correct?  In other words, I don't actually configure the Cisco Router for VPN connections but rather the ISA Server?
A.V.Lead EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Keith AlabasterEnterprise ArchitectCommented:
If the Cisco device will handle VPN's  then you can do either. Personally I would let the Cisco unit handle the VPN. As it is hardware based it will likely give better performance and let ISA perform as your inside firewall. If there is a specific reason why you want the ISA to do the job then that is cool; its certainly capable but you do lose that dual protection. By that I mean that potential vpn users from the Internet have already got past the first router to the ISA server, any protection the router may have offered will have been missed in part.

All that said, in answer to your question, yes. The ISA can authenticate your VPN connections using any/all of the MS authentication systems including RADIUS etc.

If you need some help with setting up VPN's on ISA2000 or ISA2004, I have a number of documents that can help.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
A.V.Lead EngineerAuthor Commented:
Thank you. I agree but the Cisco Technician I spoke to said it can't be done!! Okay, so I configured the router to allow vpn connectins ( and I am able to connect) and I configured to issue an IP address.  Now what?  I can't seem to get any further than that..meaning I can't communicate with anything inside the LAN.
A.V.Lead EngineerAuthor Commented:
any suggestions?
Bootstrap 4: Exploring New Features

Learn how to use and navigate the new features included in Bootstrap 4, the most popular HTML, CSS, and JavaScript framework for developing responsive, mobile-first websites.

Keith AlabasterEnterprise ArchitectCommented:

First, get on to my ftp site and download the isa2004 file that you find there.

I'll turn it on now.

IP is
username    anonymous
password     test@you.com

Soon as you have downloaded it, let me know so I can shut down my FTP server please. When I leave it up I get innundated....

Keith AlabasterEnterprise ArchitectCommented:
Oh, are you saying you have to terminate the VPN on the Cisco ?
A.V.Lead EngineerAuthor Commented:
I am not really saying I HAVE to....I just thought that is the way it had to be done?  What would you say is the best way for me to handle this. Let the VPN terminate aon the Cisco Router on on the ISA Server.  I copied the file down via ftp so you can shut it down now...thanks!
Keith AlabasterEnterprise ArchitectCommented:
If you had a PIX it would be a no-brainer. As you are on a router though, the ISA is probably the best. The documented you have just downloaded from me will give you the start-to-finish in respect of the ISA end of things. It makes for good reading. What we will need to ensure is that the Cisco router asses on the traffic that we need.
A.V.Lead EngineerAuthor Commented:
'What we will need to ensure is that the Cisco router asses on the traffic that we need."

I know that there are no access list configured so all traffic is passed to the ISA server.  Is that what you mean?
Keith AlabasterEnterprise ArchitectCommented:
thats fine :)
A.V.Lead EngineerAuthor Commented:
Thanks so much..worked great!!!!!!!
Keith AlabasterEnterprise ArchitectCommented:
You are most welcome. I love it when a plan comes together :)
Keith AlabasterEnterprise ArchitectCommented:
PS Your points for this question took me to Guru level for firewalls (150,000 points) so thanks for that as well :)
A.V.Lead EngineerAuthor Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.