We have a situation here that is confusing us and I am asking for assistance with this one. We have a PIX firewall configured with a single outside and two inside interfaces. Behind one of the inside interfaces, we run an MS ISA server and have several customer client machines behind the ISA server. All clients need to run Nortel's Contivity VPN client software to connect to their network in this environment.
If we connect the ISA server directly to the outside world (thus bypassing the PIX), the clients can make the VPN connection to their home network and have no issues. If we connect the ISA server behind the PIX (and change an IP address on the ISA machine's outside NIC), the clients are no longer able to raise the VPN connection to their home network and time out attempting to do so.
Curiously, however, the ISA server running the same VPN client software can make the VPN connection without issue.
At this time, we are unsure of where to look for problems (i.e., the clients work if connected to the ISA server hanging on the outside world, but fail when the ISA machine is behind the firewall, but the ISA machine works when it is wired behind the firewall). We are unsure if this issue is a config one in the PIX, the ISA server, or even both of them.
Any suggestions on where to look and what to look for?
1) The ISA client on the desktops appears to make no difference, but currently we are running the clients without the software enabled and are using, as each client's gateway address, the internal NIC of the ISA server.
2) Good idea - we'll try this one next.
3) Clients behind the ISA server behind the PIX are able to access internet sites and appear to have no trouble with this. The VPN stuff is what causes the problems for us.