Solved

Permit Cisco VPN Software to pass through ISA Server

Posted on 2007-12-06
Last Modified: 2010-08-05
I have an ISA Server 2004 firewall that has been working great for about 4 years. The state has now required that we connect to their systems using the Cisco VPN Software. I have set it up but it doesn't work and I am sure it is because the ISA firewall will not permit it.

I need to know exactly what to do to allow 5 specific workstations to use the VPN software to connect to the State's system.

Thanks - DL
Question by:DLockwood
LVL 19

Accepted Solution

by:
SteveH_UK earned 500 total points
ID: 20419393
You need to check in the Cisco client which port it is using (it is configurable) and allow it to the VPN gateway.

Also, ensure that AH and ESP IP protocols are allowed (IP 50,51), IKE (UDP 500) and NAT-T (UDP 4500).

We did this with ISA 2006.  In our case the Cisco client was expecting to use port 10000.

Author Comment

by:DLockwood
ID: 20419459
OK - But what actual steps do I take?

It is using port 10,000, but I have NO idea where to even begin.

Thanks.
LVL 19

Assisted Solution

by:SteveH_UK
SteveH_UK earned 500 total points
ID: 20419493
In ISA Management, you need to configure a new access rule.

Use the following settings:

Type:      Allow
From:      Internal Network (or a subset)
To:        IP address of VPN gateway (the remote site, e.g. vpn.company.com)
Protocols: AH, ESP, IKE, NAT-T

On the protocols page, if they don't already exist you will need to create them.

See http://www.isaserver.org/articles/IPSec_Passthrough.html for some more help with this.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20421956
The link is for ISA2000 so the process is a little different - that said, the ports required are described in the link comprehensively. The ports you need will depend on the transport options you have selected in the VPN client.

For ISA 2004/2006:
Open the ISA GUI, right-click the firewall policy, then select New - Access Rule and follow the wizard.
When asked for the protocols, choose Selected and then select from the list. If the protocol you want is not there (they ARE there though), you can select New and create your own.

In the from box select internal and in the TO box select external - then all users.

Keith

Author Comment

by:DLockwood
ID: 20423454
Keith, does the access rule need to permit inbound and outbound?
LVL 19

Expert Comment

by:SteveH_UK
ID: 20424118
Permit outbound is required
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20427816
Steve is correct - only outbound needs setting up. Once the connection is established (and ISA will allow this, as the setup is initiated outbound and the responses will be permitted as they are response packets), there will be a tunnel from the client to the destination and ISA will just forward the packets to and fro like a forwarder.
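As an added illustration, not part of the thread and not ISA Server's own API, the following Python model captures the rule Steve lays out (Allow, From a subset of Internal, To the VPN gateway, Protocols AH/ESP/IKE/NAT-T plus the client's configured port) together with the stateful behaviour Keith describes: only the outbound direction gets a rule, and the gateway's replies pass because they match an established flow. The workstation and gateway addresses are constructed placeholders; the thread says the client uses port 10000 but not the transport, so UDP is assumed there.

```python
"""Model of an outbound-only ISA access rule for Cisco VPN client passthrough (constructed example)."""
from dataclasses import dataclass
from typing import Optional

UDP = 17
TCP = 6

# Protocols named in the thread: (IP protocol number, UDP destination port or None).
# Port 10000 is the client's configured port from the thread; UDP transport is an assumption.
PROTOCOLS = {
    "AH": (51, None),
    "ESP": (50, None),
    "IKE": (UDP, 500),
    "NAT-T": (UDP, 4500),
    "Cisco client port (assumed UDP)": (UDP, 10000),
}

# Constructed placeholders: the five permitted workstations and the state's VPN gateway.
WORKSTATIONS = {f"10.0.0.{n}" for n in range(11, 16)}
VPN_GATEWAY = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ip_proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def reply_key(self) -> "Packet":
        # The outbound packet that a reply to this packet would answer.
        return Packet(self.dst, self.src, self.ip_proto, self.dst_port, self.src_port)


class AccessRule:
    """Allow rule: From = chosen internal hosts, To = the gateway, Protocols = selected list."""

    def __init__(self, name, sources, destinations, protocols):
        self.name = name
        self.sources = set(sources)
        self.destinations = set(destinations)
        self.protocols = {PROTOCOLS[p] for p in protocols}

    def matches(self, pkt: Packet) -> bool:
        if pkt.src not in self.sources or pkt.dst not in self.destinations:
            return False
        return any(pkt.ip_proto == proto and (port is None or pkt.dst_port == port)
                   for proto, port in self.protocols)


class StatefulFirewall:
    """Outbound matches create state; replies to established flows pass without a rule of their own."""

    def __init__(self, rules):
        self.rules = rules
        self.established = set()

    def evaluate(self, pkt: Packet) -> str:
        if pkt.reply_key() in self.established:
            return "allow (response to established flow)"
        for rule in self.rules:
            if rule.matches(pkt):
                self.established.add(pkt)
                return f"allow ({rule.name})"
        return "deny (no matching rule, not a response)"


def simulate():
    """Run constructed traffic through the rule and return (description, verdict) pairs."""
    rule = AccessRule("Cisco VPN passthrough", WORKSTATIONS, {VPN_GATEWAY}, PROTOCOLS.keys())
    fw = StatefulFirewall([rule])
    ws = "10.0.0.11"
    traffic = [
        ("IKE from workstation", Packet(ws, VPN_GATEWAY, UDP, 500, 500)),
        ("IKE reply from gateway", Packet(VPN_GATEWAY, ws, UDP, 500, 500)),
        ("NAT-T from workstation", Packet(ws, VPN_GATEWAY, UDP, 4500, 4500)),
        ("ESP from workstation", Packet(ws, VPN_GATEWAY, 50)),
        ("ESP reply from gateway", Packet(VPN_GATEWAY, ws, 50)),
        ("port 10000 from workstation", Packet(ws, VPN_GATEWAY, UDP, 51234, 10000)),
        ("port 10000 reply from gateway", Packet(VPN_GATEWAY, ws, UDP, 10000, 51234)),
        ("IKE from a workstation not in the list", Packet("10.0.0.50", VPN_GATEWAY, UDP, 500, 500)),
        ("unsolicited inbound NAT-T to another workstation", Packet(VPN_GATEWAY, "10.0.0.12", UDP, 4500, 4500)),
        ("workstation to gateway on TCP 443 (not in the rule)", Packet(ws, VPN_GATEWAY, TCP, 40000, 443)),
    ]
    return [(desc, fw.evaluate(p)) for desc, p in traffic]


if __name__ == "__main__":
    for desc, verdict in simulate():
        print(f"{desc:55s} -> {verdict}")
```

The last three entries show why the rule is scoped the way Steve suggests: a sixth workstation, an unsolicited inbound packet from the gateway, and a protocol outside the selected list are all denied, while every reply to a flow that a listed workstation opened is accepted without an inbound rule.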

Author Closing Comment

by:DLockwood
ID: 31413129
Hi Guys - It worked brilliantly. I hope you do not mind me splitting the points, but to be perfectly honest with you, I used both answers to get the job done.

Thanks again - DL!
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20445144
oh well...