Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco VPN Client --> ISA server --> PIX/Concentrator

I am tring to configure ISA to allow a Cisco VPN client to connect through to a VPN concentrator/PIX

The Client is a secure NAT client i.e. has the ISA server as its DG. The ISA server has two NIC's, one connected to the Internet and one to the LAN. I have created a definition for UDP/500 and UDP/4500 (both send/receive) but it will not connect. The client is 4.0.2B. Other applications like messenger and ICQ connect ok so the secure NAT is working but when I sniff the traffic (everything is on one hub) When the VPN client tries to connect the ISA server does not make any requests on behalf of the client, its as if it is ignoring the client (other apps work though)

Any ideas or has anyone got this working?

Thanks in advance

  • Other Security Subjects
Cisco Employee

Re: Cisco VPN Client --> ISA server --> PIX/Concentrator

I don't believe there's any way to make this work. The ISA server does not proxy IPSec communications, regardless of what ports you set it up for (at least that's my understanding of it).

New Member

Re: Cisco VPN Client --> ISA server --> PIX/Concentrator

Managed to get this working with NAT-T :D

New Member

Re: Cisco VPN Client --> ISA server --> PIX/Concentrator

I found this page here --> describes how to let external L2TP/IPSec clients that are located behind NAT based firewalls to connect to your ISA Server firewall/VPN server -- but my situation is more like yours was -- I have a client behind an ISA server just just needs to use the cicso client to authenticate to a diff site that has a cicso firewall (not sure what kind - the admin really isn't cooperating) Could you give me some specifics on how exactly you got yours working? I followed that page I referenced but I wasn't for sure if I should have the packet filters for inbound receive/send or send/receive. Also didn't know if I should apply the packet filter to the default IP on the adapter or to my subnet of computers..? Please help!?! Am I even going in the right direction?

New Member

Re: Cisco VPN Client --> ISA server --> PIX/Concentrator

Briefly this is what you need to do:

Configure 2 protocol definitions (found under policy elements)

Name protocol port direction

IPSec ISAKMP UDP 500 send receive (not receive send)

IPSec NAT-T UDP 4500 send receive

Next create a protocol rule under access policy allowing these two protocol definitions.

Now disable filtering of IP fragments by right clicking IP Packet filters (under access policy) and selecting properties.

You will find the option on the second tab

The client must be a secure NAT client ie have its default gateway as the ISA server and firewall client must be disabled

whilst you are connecting/using the VPN.

The ISA server must have atleast two network cards and be operating in Firewall or Integrated mode.

Hope this helps.