Cisco VPN client through the ISA server
Cisco VPN client through the ISA server - 28.Oct.2002 7:59:00 PM
zubin
Posts: 3
Joined: 25.Jul.2001
Status: offline
Is there a tutorial for configuring the Cisco VPN client through the ISA server? What ports do I need to open on the ISA server, and where do I open them?
Thanks in advance.
-Zubin
RE: Cisco VPN client through the ISA server - 28.Oct.2002 9:44:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Zubin,
Have you already read the post http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001043 and done a search in the forums on the keyword Cisco?
As you can read in the above post, you usually need to enable two protocols in order to pass IPSec through ISA, unless the IPSec implementation already supports the very latest drafts with the NAT auto-detection feature. In the latter case only the predefined IKE protocol definition (UDP port 500 send/receive) is needed. So, the first thing you should do is find out which ports must be opened besides the standard IKE UDP port 500.
BTW --- most Cisco implementations I have heard of use UDP port 10000 send/receive for the UDP-encapsulated ESP packets.
HTH, Stefaan
RE: Cisco VPN client through the ISA server - 28.Oct.2002 10:36:00 PM
zubin
Posts: 3
Joined: 25.Jul.2001
Status: offline
Stefaan, the Cisco guy says "You will need to open either ESP (protocol 50) or AH (protocol 51) and IKE (UDP 10000)." How do I open protocol 50 or 51? Is that UDP 50/51?? Help.
Thanks -Zubin
RE: Cisco VPN client through the ISA server - 29.Oct.2002 12:11:00 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Zubin,
Standard IPSec (I often call it 'plain' IPSec) uses UDP port 500 (IKE) and IP protocol 50/51 (ESP/AH). Note that ESP/AH are *not* port numbers but IP protocol numbers!
As I already wrote in many posts, you can't pass plain IPSec through ISA because ISA is doing NAT (more precisely N:1 NAT, or PAT in Cisco terms) and this breaks IPSec. Needless to try, it won't work! However, if the IPSec implementation supports a feature called NAT-T (IPSec NAT Traversal as defined by the IETF IPSec working group), it should work because all ESP/AH traffic is encapsulated in UDP packets.
I know for sure that the Cisco VPN clients and the Cisco 3000 VPN concentrator support the NAT-T feature (sometimes called UDP-encapsulated ESP by Cisco). However, I'm not sure if it is implemented on the Cisco PIX. Also, I've heard that some IPSec gateway implementations on Cisco IOS already support it. So, tell the Cisco guy you need the NAT-T feature, and if the Cisco VPN gateway you must connect to supports NAT-T, he should be able to tell you which UDP port it uses besides the standard IKE port (UDP port 500).
HTH, Stefaan
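An added illustration of the point made in the reply above (example code, not from the thread or from any Cisco/ISA product): a toy N:1 NAT (PAT) table with two inside clients behind one public address. Bare ESP (IP protocol 50) has no port field for the translator to key on, so replies cannot be told apart, while UDP-encapsulated ESP (NAT-T; the UDP 10000 default is the Cisco port mentioned in the thread) translates like any other UDP flow. The addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50   # ESP is an IP protocol number, not a port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for ESP/AH: they carry no port fields
    dport: Optional[int] = None

class Pat:
    """Toy N:1 NAT (PAT): one public address, flows told apart by public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}

    def outbound(self, p: Packet) -> Packet:
        if p.sport is None:
            # No port to rewrite: the only key left is (proto, remote host), so a
            # second inside host talking to the same gateway replaces the first.
            self.table[(None, p.proto, p.dst, None)] = (p.src, None)
            return Packet(self.public_ip, p.dst, p.proto)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pub_port, p.proto, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.public_ip, p.dst, p.proto, pub_port, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        inside = self.table.get((p.dport, p.proto, p.src, p.sport))
        return Packet(p.src, inside[0], p.proto, p.sport, inside[1]) if inside else None

def simulate(udp_encapsulated: bool, nat_t_port: int = 10000) -> list:
    """Two inside clients (constructed addresses) reach one gateway; returns the
    inside host each gateway reply is delivered to after translation."""
    nat, gw = Pat("203.0.113.1"), "198.51.100.5"
    outs = []
    for client in ("10.0.0.11", "10.0.0.12"):
        if udp_encapsulated:   # NAT-T style: ESP wrapped in UDP on the vendor's port
            outs.append(nat.outbound(Packet(client, gw, IP_PROTO_UDP, nat_t_port, nat_t_port)))
        else:                  # plain IPSec: bare ESP, IP protocol 50
            outs.append(nat.outbound(Packet(client, gw, IP_PROTO_ESP)))
    delivered = []
    for o in outs:
        back = nat.inbound(Packet(gw, o.src, o.proto, o.dport, o.sport))
        delivered.append(back.dst if back else None)
    return delivered
```

With plain ESP both replies land on the last client that sent, so the first client's tunnel is silently broken; with UDP encapsulation each reply reaches the right client.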