Cisco VPN and Remote Administrator

Cisco VPN and Remote Administrator - 31.Aug.2004 9:33:00 PM   
mikecjfl231

 

Posts: 10
Joined: 28.Jul.2003
From: Florida
Status: offline
Hi guys

Got a good one for you. See if you can help out.

Here is the situation. I just changed over from a Linksys router to ISA 2000 SP2 FP1. Running on W2k with SP4. I use Remote Administrator from Famatech to connect to remote sites to do admin for companies. I have one site that requires me to access via the Cisco VPN client. I can connect the Cisco VPN client, but then my Radmin does not connect.

When I do not have the VPN client running on a Win2k Pro station, I can connect to other sites.

I suspect it has something to do with either DNS, LDT, or LAT.

I allowed ISA to build the LAT and am running on 10.0.0.x as a subnet at home. The remote site I am trying to access is on 10.190.1.x. When I activate the VPN client and do an ipconfig/all, I get my domain name as Primary DNS Suffix, but I get their domain name as DNS suffix search list.

Also, it changes the DNS servers listed from mine to theirs. I can get connected to the VPN device but cannot get connected to the server at the remote site.
I have included their domain name in my LDT and the LAT included the remote site address but not the address of the VPN server.

Anyone have any clues?

Thanks in advance

Michael C. Jones
Post #: 1
RE: Cisco VPN and Remote Administrator - 31.Aug.2004 10:39:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Michael,

What have you configured to allow the Cisco VPN client through the ISA server? Check out my article http://www.isaserver.org/articles/IPSec_Passthrough.html for more info.

Also, what are the exact TCP/IP settings on the ISA internal interface and what is the exact content of the LAT?

HTH,
Stefaan

(in reply to mikecjfl231)
Post #: 2
RE: Cisco VPN and Remote Administrator - 1.Sep.2004 1:31:00 PM   
mikecjfl231

 

Posts: 10
Joined: 28.Jul.2003
From: Florida
Status: offline
Stefaan

I created a protocol rule for the Cisco VPN client with the following entries.

Ports 500, 4500 and 10000 UDP send receive as protocol definitions and a rule to allow them.

The cisco vpn connects perfectly
the internal interface is 10.0.0.2
the lat includes
10.0.0.0 10.0.0.255
10.0.0.0 10.255.255.255
10.255.255.255 10.255.255.255
169.254.0.0 169.254.255.255
172.16.0.0 172.31.255.255
192.168.0.0 192.168.255.255

The LDT contains my domain and the domain of the remote site both with * before the domain name

Got any clues?

Thanks

Michael C. Jones

(in reply to mikecjfl231)
Post #: 3
RE: Cisco VPN and Remote Administrator - 1.Sep.2004 10:04:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Michael,

Assuming your internal network is a non-routed internal network and uses a subnet mask of /24 (255.255.255.0), the LAT should only contain the single entry '10.0.0.0 10.0.0.255'.

Next, make sure the internal host is configured as a SecureNAT client only! You should first test with this configuration. Once that is working we can fine tune the configuration further.

Now, you should make a new test and be sure you have enabled the full Cisco VPN client logging. For more info, check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001993 for some troubleshooting tips.

HTH,
Stefaan

(in reply to mikecjfl231)
Post #: 4
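
Added example (not written by any poster in this thread): a small Python check of the LAT listing from post #3 against the advice in post #4, reporting entries that extend beyond the internal subnet and any LAT range that overlaps the remote site. The /24 mask on 10.190.1.x and all function names are assumptions made for illustration.

```python
import ipaddress

# LAT listing as posted in post #3 (start address, end address per line).
LAT_TEXT = """\
10.0.0.0 10.0.0.255
10.0.0.0 10.255.255.255
10.255.255.255 10.255.255.255
169.254.0.0 169.254.255.255
172.16.0.0 172.31.255.255
192.168.0.0 192.168.255.255
"""

def parse_lat(text):
    """Return a list of (first, last) IPv4Address pairs, one per LAT line."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'start end', got {line!r}")
        first, last = (ipaddress.IPv4Address(p) for p in parts)
        ranges.append((first, last))
    return ranges

def audit_lat(ranges, internal_net):
    """Split LAT ranges into those inside the internal subnet and those beyond it."""
    lo, hi = internal_net.network_address, internal_net.broadcast_address
    inside, beyond = [], []
    for first, last in ranges:
        (inside if lo <= first and last <= hi else beyond).append((first, last))
    return inside, beyond

def covering_ranges(ranges, remote_net):
    """LAT ranges that overlap a remote subnet (ISA would treat it as internal)."""
    lo, hi = remote_net.network_address, remote_net.broadcast_address
    return [(f, l) for f, l in ranges if f <= hi and lo <= l]

if __name__ == "__main__":
    internal = ipaddress.ip_network("10.0.0.0/24")   # /24 as assumed in post #4
    remote = ipaddress.ip_network("10.190.1.0/24")   # 10.190.1.x; /24 is assumed
    lat = parse_lat(LAT_TEXT)
    inside, beyond = audit_lat(lat, internal)
    for f, l in beyond:
        print(f"outside internal subnet: {f} - {l}")
    for f, l in covering_ranges(lat, remote):
        print(f"LAT range {f} - {l} includes remote site {remote}")
```
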
RE: Cisco VPN and Remote Administrator - 2.Sep.2004 12:07:00 PM   
mikecjfl231

 

Posts: 10
Joined: 28.Jul.2003
From: Florida
Status: offline
Hi Stefaan

After reading the article I allowed transparent tunneling and it worked. Thanks very much for the pointer.

Mike

(in reply to mikecjfl231)
Post #: 5
RE: Cisco VPN and Remote Administrator - 2.Sep.2004 9:02:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mike,

Good to hear you have it working and thanks for the follow up! [Smile]

Stefaan

(in reply to mikecjfl231)
Post #: 6
