VPN Server behind NAT/PAT router

Unanswered Question
Mar 10th, 2007

I'm sure this has been asked before, but I am unable to find any documentation on this.

I have a ISA 2006 VPN server behind a Cisco 1700 series router connected to the internet via a T1 (S0). I have a static route to the ISA box located on the internal network (E0). ISA works as I can connect internally, but I'm figuring I need additional configuration to pass IPSEC from outside VPN clients through the router to the ISA server.

Does anyone know of any step by step documentation to enable my IPSEC VPN clients to connect to the ISA box? I can only find site-to-site VPN info and for configuring PIX boxes. Are there any special commands I need to use in the static route command?



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
kaachary Sun, 03/11/2007 - 05:52

To make a Cisco Router IPSec passthrough, make sure the router is not blocking incoming and outgoing,

UDP 500

UDP 4500


*Please rate if helped.


muhnihausen Sun, 03/11/2007 - 20:13

Thanks for the help Kanishka... I'm still having issues though.

This is what I have so far:

ip nat inside source static

access-list 111 permit udp any host eq isakmp

access-list 111 permit udp any host eq non500-isakmp

access-list 111 permit esp any host

My remote VPN clients still can not authenticate or establish the connection. I've verified that the VPN box is being properly NAT translated.



kaachary Mon, 03/12/2007 - 05:40

It should work, unless we have some configuration issues on ISA box.

Make sure, the outbound VPN traffic is also allowed. Are the clients not able to authenticate or they are not even getting to that stage. What type of client is it ?


muhnihausen Mon, 03/12/2007 - 08:50

With IPSEC, the clients are not reaching the ISA server and no athentication is taking place.

I did enable PPTP passthrough and I can authenticate and pass traffic using PPTP. Right now I'm just using the Microsoft client, but eventually I will move to use the Cisco client.



dradhika Mon, 03/12/2007 - 06:25

Can you check if you missed out to configure route to external VPN IP on server or next hop of the router?

Hope this helps,


muhnihausen Mon, 03/12/2007 - 08:53

I apologize as I'm not an expert as these things and I'm not following your question.

I did confirm from the VPN server that it is routing through the static route I've configured. (From the internal private address out to the public IP address). It is working via PPTP, but I'm guessing that the IPSEC traffic is not being sent back.



kaachary Mon, 03/12/2007 - 09:15

Coming back to the question I asked earlier:

What type of IPSec client you are using ? Is it Cisco VPN client ?

Cisco VPN client is not supported to connect to an ISA server.


muhnihausen Mon, 03/12/2007 - 09:24

builtin Microsoft VPN Client w/ pre-shared key. (Windows XP SP2).



kaachary Mon, 03/12/2007 - 09:43

Microsoft doesn't have pure IPsec client. Are you sure you are not talking about L2TP/IPSec or PPTP connection.

In case its a L2TP/IPSEc connection, you also have to open UDP 1701 on the router.


muhnihausen Mon, 03/12/2007 - 10:10

Sorry, I didn't give you all of the information. Yes it is L2TP/IPSec. I had the following line in the config.

access-list 111 permit udp any host eq 1701



This Discussion