Welcome to ISAserver.org


Cisco VPN Client

All Forums >> [ISA Server 2000 Firewall] >> SecureNAT Client >> Cisco VPN Client Page: [1]
Cisco VPN Client - 18.Mar.2004 2:13:00 PM   
beanz

 

Posts: 148
Joined: 30.Jul.2001
Status: offline
Hey all!

I'm trying to connect to a client's site using the Cisco VPN client ver 4.0.1.

I have a protocol rule that allows UDP Send Receive on ports 500 and 4500.

In the firewall log I can see that the rule is working but the connection keeps timing out. One thing I did notice in the IP logs however was the following:

2004-03-18 13:20:10 xxx.xxxx.xxx.xxxx yyy.yyy.yyy.yyy Udp 1050 137 - BLOCKED xxx.xxx.xxx.xxx 45 00 00 4e 5f cc 00 00 80 11 00 00 d9 9e 70 82 d4 73 34 34 04 1a 00 89 00 3a bb 04
2004-03-18 13:20:10 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy Udp 1051 137 - BLOCKED xxx.xxx.xxx.xxx 45 00 00 4e 5f cd 00 00 80 11 00 00 d9 9e 70 82 d4 73 34 34 04 1b 00 89 00 3a bb 01

The #param1 column increments the port number by one for each of the dozen or so entries.

Can anyone help out with this?

Cheers.
Danny
Post #: 1
RE: Cisco VPN Client - 18.Mar.2004 11:20:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Danny,

check out:
- http://www.isaserver.org/articles/IPSec_Passthrough.html
- http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001993

HTH,
Stefaan

(in reply to beanz)
Post #: 2
RE: Cisco VPN Client - 21.Mar.2004 1:08:00 AM   
beanz

 

Posts: 148
Joined: 30.Jul.2001
Status: offline
Cheers for the links.

I have created the following Protocol Definitions and Protocol Rule:

UDP
Port 4500
Direction Send Receive

UDP
Port 500
Direction Send Receive

And the associated protocol rule. I even created the same on port 10000 UDP Send Receive.

I'm still getting the blocked packets in the IP logs. Am I missing something totally obvious?

One thing to note, in the Cisco client log I get no response whatsoever from the server, the client just keeps retransmitting.

To me this suggests a server end problem??

Danny

(in reply to beanz)
Post #: 3
RE: Cisco VPN Client - 21.Mar.2004 10:51:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Danny,

the blocked IP packets in the IP packet filter log have nothing to do with your IPSec passthrough problem as such.

However, make sure the internal host is configured as a SecureNAT client and that the Firewall client is disabled if installed. This implies that the internal host must be capable of resolving external FQDNs on its own. You can check that out with the nslookup command.

HTH,
Stefaan

(in reply to beanz)
Post #: 4
RE: Cisco VPN Client - 22.Mar.2004 2:51:00 AM   
beanz

 

Posts: 148
Joined: 30.Jul.2001
Status: offline
Hey Stefaan,

The client machine is definitely a SecureNAT client and doesn't have the firewall client installed.

The server I'm trying to connect to is by IP address, but the client can resolve FQDNs without any problems. Although the resolving is done by our internal DNS using forwarders to our ISP.

Cheers,
Danny

(in reply to beanz)
Post #: 5
RE: Cisco VPN Client - 22.Mar.2004 10:51:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Danny,

what is the ISA Firewall log telling you? If you post an excerpt, just make sure you have enabled the logging of *all* fields and that log format is set to ISA format.

HTH,
Stefaan

(in reply to beanz)
Post #: 6
RE: Cisco VPN Client - 23.Mar.2004 2:55:00 PM   
beanz

 

Posts: 148
Joined: 30.Jul.2001
Status: offline
Here are the two lines that correspond to the Cisco connection:

192.168.3.47 - - N 2004-03-23 14:09:07 fwsrv SVR-ISASERVER - - - - - - - 0 UDP Bind - - - 0 - - - 9 474
192.168.3.47 - - N 2004-03-23 14:09:16 fwsrv SVR-ISASERVER - - xxx.xxx.xxx.xxx 500 9033 - - 500 UDP UdpMap - - - 0 - Allow Outbound Cisco VPN Connection Allow DTMTest Connection 9 474

Does this tell you anything?

Danny

(in reply to beanz)
Post #: 7
RE: Cisco VPN Client - 23.Mar.2004 11:43:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Danny,

hmm... both entries give a result code of 0 meaning successful. What I suggest is to find out if the IKE packets are really sent. If they are and no answer comes back then the problem is somewhere upstream.

To do that I would enable the logging of allowed IP packets too (cfr IP packet filter properties) for testing purposes only and take a Netmon trace on the ISA external interface.

HTH,
Stefaan

(in reply to beanz)
Post #: 8
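As an added example (not part of the thread, and not Stefaan's or Danny's code), the following Python script applies the triage Stefaan describes to the two kinds of log lines Danny posted: it parses the IP packet filter entries from post #1, decodes the IPv4/UDP header bytes carried in their hex dump to confirm that the blocked traffic is NetBIOS name service (UDP 137) rather than IKE (UDP 500) or NAT-T (UDP 4500), and reads the result code, operation and rule names out of the ISA-format firewall log lines from post #7. The field positions are inferred from the lines in this thread, not from ISA documentation, and the masked addresses are kept as placeholders in the constructed sample input.

```python
"""Triage helper for the two ISA Server 2000 log formats posted in this thread.

Field layout is inferred from the sample lines in the thread (assumption), not
from product documentation.
"""
import struct
from dataclasses import dataclass

IKE_PORT = 500          # ISAKMP/IKE, the first packet the Cisco client sends
NAT_T_PORT = 4500       # IPsec NAT-T (UDP-encapsulated ESP)
NETBIOS_NS_PORT = 137   # NetBIOS name service: Windows background chatter

# Constructed sample input: the IP packet filter entries from post #1 (masked).
PACKET_FILTER_LOG = """\
2004-03-18 13:20:10 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy Udp 1050 137 - BLOCKED xxx.xxx.xxx.xxx 45 00 00 4e 5f cc 00 00 80 11 00 00 d9 9e 70 82 d4 73 34 34 04 1a 00 89 00 3a bb 04
2004-03-18 13:20:10 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy Udp 1051 137 - BLOCKED xxx.xxx.xxx.xxx 45 00 00 4e 5f cd 00 00 80 11 00 00 d9 9e 70 82 d4 73 34 34 04 1b 00 89 00 3a bb 01
"""

# Constructed sample input: the firewall service log entries from post #7 (masked).
FIREWALL_LOG = """\
192.168.3.47 - - N 2004-03-23 14:09:07 fwsrv SVR-ISASERVER - - - - - - - 0 UDP Bind - - - 0 - - - 9 474
192.168.3.47 - - N 2004-03-23 14:09:16 fwsrv SVR-ISASERVER - - xxx.xxx.xxx.xxx 500 9033 - - 500 UDP UdpMap - - - 0 - Allow Outbound Cisco VPN Connection Allow DTMTest Connection 9 474
"""


@dataclass
class PacketFilterEntry:
    timestamp: str
    src: str
    dst: str
    transport: str
    src_port: int
    dst_port: int
    action: str
    header: bytes   # first bytes of the dropped packet, from the hex dump


def parse_packet_filter_line(line):
    """Inferred layout: date time src dst proto sport dport - ACTION filter-ip hex..."""
    f = line.split()
    return PacketFilterEntry(f"{f[0]} {f[1]}", f[2], f[3], f[4], int(f[5]),
                             int(f[6]), f[8], bytes.fromhex("".join(f[10:])))


def decode_ipv4_udp(header):
    """Decode the IPv4 and UDP headers in the hex dump so the logged ports can be
    cross-checked against the packet bytes themselves."""
    version, ihl = header[0] >> 4, (header[0] & 0x0F) * 4
    total_len = struct.unpack("!H", header[2:4])[0]
    proto = header[9]                                  # 17 == UDP
    src = ".".join(str(b) for b in header[12:16])
    dst = ".".join(str(b) for b in header[16:20])
    sport, dport, udp_len, _cksum = struct.unpack("!HHHH", header[ihl:ihl + 8])
    return {"version": version, "ihl": ihl, "total_len": total_len, "proto": proto,
            "src": src, "dst": dst, "src_port": sport, "dst_port": dport,
            "udp_len": udp_len}


def classify(entry):
    """VPN traffic vs. the NetBIOS name-service noise the thread calls unrelated."""
    if entry.transport.upper() != "UDP":
        return "other"
    if IKE_PORT in (entry.src_port, entry.dst_port) or NAT_T_PORT in (entry.src_port, entry.dst_port):
        return "vpn"
    if entry.dst_port == NETBIOS_NS_PORT:
        return "netbios-noise"
    return "other"


def parse_firewall_line(line):
    """ISA-format firewall log line (inferred layout). Rule names may contain
    spaces, so fixed columns are taken from both ends and the middle is rule text."""
    f = line.split()
    fixed, middle, tail = f[:23], f[23:-2], f[-2:]
    rules = " ".join(t for t in middle if t != "-")
    return {"client_ip": fixed[0], "timestamp": f"{fixed[4]} {fixed[5]}",
            "dest_ip": fixed[10], "dest_port": None if fixed[11] == "-" else int(fixed[11]),
            "transport": fixed[16], "operation": fixed[17],
            "result_code": int(fixed[21]), "rules": rules or None,
            "session_id": tail[0], "connection_id": tail[1]}


def triage(packet_filter_log, firewall_log):
    """Summarise both logs the way the thread reasons about them."""
    pf = [parse_packet_filter_line(l) for l in packet_filter_log.splitlines() if l.strip()]
    fw = [parse_firewall_line(l) for l in firewall_log.splitlines() if l.strip()]
    blocked = [e for e in pf if e.action == "BLOCKED"]
    return {
        "blocked_vpn": sum(classify(e) == "vpn" for e in blocked),
        "blocked_netbios": sum(classify(e) == "netbios-noise" for e in blocked),
        "hexdump_mismatches": sum(decode_ipv4_udp(e.header)["dst_port"] != e.dst_port for e in pf),
        "ike_allowed": any(e["dest_port"] == IKE_PORT and e["result_code"] == 0 for e in fw),
        "failed_firewall_entries": [e for e in fw if e["result_code"] != 0],
    }


if __name__ == "__main__":
    for line in PACKET_FILTER_LOG.splitlines():
        e = parse_packet_filter_line(line)
        print(e.timestamp, classify(e), decode_ipv4_udp(e.header))
    print(triage(PACKET_FILTER_LOG, FIREWALL_LOG))
```

Run against the thread's lines, the summary reports no blocked VPN packets, two blocked NetBIOS name-service packets whose hex dump agrees with the logged ports, and an allowed UDP 500 UdpMap entry with result code 0; that is the same conclusion Stefaan draws, and it points the investigation upstream of ISA, towards a Netmon trace on the external interface.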
RE: Cisco VPN Client - 24.Mar.2004 2:59:00 AM   
beanz

 

Posts: 148
Joined: 30.Jul.2001
Status: offline
Hey Stefaan,

Thanks for the advice. I'll post results once I have something.

Thanks again,
Danny

(in reply to beanz)
Post #: 9
RE: Cisco VPN Client - 27.Mar.2004 1:24:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Danny,

ok, no problem!

Thanks,
Stefaan

(in reply to beanz)
Post #: 10