How to get the Cisco VPN client to work through the ISA Server

Question #834

How in the world do I get the Cisco VPN client to work through the ISA Server?

Answer

Check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=002752
Some other links about the same subject:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=001902
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=000503
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=000495
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=000570
The basic setup is:

1. Create two protocol definitions:
– UDP Port 500 Send Receive: this is for the IKE protocol (key negotiation).
– UDP Port XXXX Send Receive: this is for the UDP-encapsulated ESP packets. The administrator of the VPN gateway should be able to tell you the exact port number to use.
2. Next, create a protocol rule that allows those two protocols.
3. Keep in mind that the client must be a SecureNAT client and that the Firewall Client must be disabled when setting up the VPN connection. Also, when certificates are involved, disable filtering of IP fragments on ISA.

BTW: in general, any IPSec implementation that supports NAT Traversal or UDP-encapsulated ESP should work from behind ISA. Many thanks to Stefaan Pouselle for this valuable information!
