• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1221
  • Last Modified:

Permit Cisco VPN Software to pass through ISA Server

I have an ISA Server 2004 firewall that has been working great for about 4 years. The state has now required that we connect to their systems using the Cisco VPN Software. I have set it up but it doesn't work and I am sure it is because the ISA firewall will not permit it.

I need to know exactly what to do to allow 5 specific workstations to use the VPN software to connect to the State's system.

Thanks - DL
0
DLockwood
Asked:
DLockwood
  • 3
  • 3
  • 3
2 Solutions
 
SteveH_UKCommented:
You need to check in the Cisco client which port it is using (it is configurable) and allow it to the VPN gateway.

Also, ensure that AH and ESP IP protocols are allowed (IP 50,51), IKE (UDP 500) and NAT-T (UDP 4500).

We did this with ISA 2006.  In our case the Cisco client was expecting to use port 10000.
0
 
DLockwoodAuthor Commented:
OK - But what actual steps do I take?

It is using port 10,000, but I have NO idea where to even begin.

Thanks.
0
 
SteveH_UKCommented:
In ISA Management, you need to configure a new access rule.

Use the following settings:

Type:   Allow
From:   Internal Network (or a subset)
To:       IP address of VPN gateway (the remote site, e.g. vpn.company.com)
Protocols: AH, ESP, IKE, NAT-T

On the protocols page, if they don't already exist you will need to create them.

See http://www.isaserver.org/articles/IPSec_Passthrough.html for some more help with this.
0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
Keith AlabasterEnterprise ArchitectCommented:
The link is for ISA2000 so the process is a little different - that said, the ports required are described in the link comprehensively. The ports you need will depend on the transport options you have selected in the VPN client.

For isa 2004/2006,
Open the ISA gui - right-=click the firewall policy then select new - access rule and follow the wizard.
When asked for the protocols, choose selected and then select from the list. if the protocol you want is not there (they ARE there though), youcan select new and create your own.

In the from box select internal and in the TO box select external - then all users.

Keith
0
 
DLockwoodAuthor Commented:
Keith, does the access rule need to permit inbound and outbound?
0
 
SteveH_UKCommented:
Permit outbound is required
0
 
Keith AlabasterEnterprise ArchitectCommented:
Steve is correct - outbound only needs setting up - once the connection is established (and ISA will allow this as the setup in initiated outbound and the responses will be permitted as they are response packets) then there will be a tunnel from the client to the destination and ISA will just forward the packets to and fro like a forwarder.
0
 
DLockwoodAuthor Commented:
Hi Guys - It workled brilliantly. I hope you do not mind me splitting the points, but to be perfectly honest with you, I used both answers to get the job done.

Thanks again - DL!
0
 
Keith AlabasterEnterprise ArchitectCommented:
oh well...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

  • 3
  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now