Cisco Support Community
New Member

Ms Isa server behind pix firewall

We have a situation here that is confusing us and I am asking for assistance with this one. We have a PIX firewall configured with a single outside and two inside interfaces. Behind one of the inside interfaces, we run an MS ISA server and have several customer client machines behind the ISA server. All clients need to run Nortel's Contivity VPN client software to connect to their network in this environment.

If we connect the ISA server directly to the outside world (thus bypassing the PIX), the clients can make the VPN connection to their home network and have no issues. If we connect the ISA server behind the PIX (and change an IP address on the ISA machine's outside NIC), the clients are no longer able to raise the VPN connection to their home network and time out attempting to do so.

Curiously, however, the ISA server running the same VPN client software can do the VPN connection without issue.

At this time, we are unsure of where to look for problems (i.e., the clients work if connected to the ISA server hanging on the outside world, but fail when the ISA machine is behind the firewall, but the ISA machine works when it is wired behind the firewall). We are unsure if this issue is a config one in the PIX, ISA server, or even both of them.

Any suggestions on where to look and what to look for?

Thanks in advance.

New Member

Re: Ms Isa server behind pix firewall

No clue, but it might be worth checking:

1: ISA client on the desktops

2: Create an any any rule in ISA to see if traffic passes, then lock it down.

Do you get anything working client side when the ISA server is behind the PIX?

New Member

Re: Ms Isa server behind pix firewall

1) ISA client on the desktops appears to make no difference but currently, we are running the clients without the software enabled, but are using a g/w adr. of each client of the internal NIC of the ISA server.

2) Good idea - we'll try this one next.

3) Clients behind the ISA server behind the PIX are able to access internet sites and appear to have no trouble with this. The VPN stuff is what causes the problems for us.

Thanks for your input.