Configure ISA to allow Cisco VPN clients
Configure ISA to allow Cisco VPN clients - 16.Jul.2008 11:49:10 AM
mikemalter
Posts: 60
Joined: 9.Oct.2002
From: San Rafael, CA
I am at a loss over configuring ISA Server 2004 to allow Cisco VPN clients to connect. I have been successfully supporting the Microsoft client and now have a client who will only allow their users to use the Cisco VPN client. The most I can get out of those people is that they configured the VPN client to use IPSec over UDP or TCP. I really need this to work as my client is on the other side of the country. Any thoughts, tips or ideas would be extremely welcome. Thank you.
_____________________________
Mike Malter Mike Malter & Associates, Inc.
RE: Configure ISA to allow Cisco VPN clients - 18.Jul.2008 11:38:35 AM
mikemalter
Posts: 60
Joined: 9.Oct.2002
From: San Rafael, CA
Tarek, Thank you very much for your reply. However my issue is with incoming VPN traffic, not outgoing. I have clients on the east coast that can only use the Cisco VPN client, and I wanted to have them VPN into my ISA Server and I could not get them connected. Is there anything special that has to be done to support an inbound connection to ISA Server 2004 with a Cisco client? Thanks again for your reply.
_____________________________
Mike Malter Mike Malter & Associates, Inc.
RE: Configure ISA to allow Cisco VPN clients - 18.Jul.2008 5:30:37 PM
mikemalter
Posts: 60
Joined: 9.Oct.2002
From: San Rafael, CA
J, not sure what you are saying. Can ISA support a Cisco client incoming connection? I scrounged up an old PIX and am routing them through that.
_____________________________
Mike Malter Mike Malter & Associates, Inc.
RE: Configure ISA to allow Cisco VPN clients - 19.Jul.2008 7:42:44 AM
justmee
Posts: 505
Joined: 14.May2007
Hi Mike, The answer is no. The Cisco VPN Client establishes a remote access IPsec VPN session to an Easy VPN Server using Cisco's Easy VPN technology. This means that it uses some open standards along with Cisco proprietary ones, like XAUTH for user authentication. PPTP and L2TP/IPsec are not supported with it. For IPsec based remote access VPN, ISA uses an Internet Standard, L2TP/IPsec. The user authentication is provided by PPP. Cisco supports L2TP/IPsec for remote access as L2TP/IPsec VPN server on some products. In that case, the clients can be for example Microsoft Windows L2TP/IPsec VPN clients. Regards, J
RE: Configure ISA to allow Cisco VPN clients - 19.Jul.2008 10:33:30 AM
mikemalter
Posts: 60
Joined: 9.Oct.2002
From: San Rafael, CA
J, Thanks for confirming my experiences. Too bad ISA is not supporting Cisco clients. I wonder if it is not some legal thing where Cisco patented their VPN process and require license fees for anyone to use them. My solution is to use a 501 PIX as a VPN server on the edge of my network. I gave it a public IP for the outside address, and an IP that is on my network for the inside address. Now that I have two gateways into and out of my network, I wonder what security/networking problems I might have. For now at least they can connect. Do you have any thoughts about the PIX 501 and ISA Server mix? Thanks.
_____________________________
Mike Malter Mike Malter & Associates, Inc.
RE: Configure ISA to allow Cisco VPN clients - 20.Jul.2008 9:25:04 AM
justmee
Posts: 505
Joined: 14.May2007
Hi Mike, If I understood your current design, you are running a sort of parallel setup. If that is a concern, you can switch to a back-to-back topology, with the PIX in front of ISA terminating remote access VPN connections. Change the network relationship between Internal and External on ISA to route. Make the PIX aware of the network behind ISA by adding the needed route on it. If configured properly, you will end up with a secure solution, better than the parallel one. No firewall cheats.

As far as I know there aren't any legal issues, at least for basic connectivity (= to successfully establish a basic remote access VPN session). Actually XAUTH is supported by some vendors, including open source solutions. This was discussed on the IETF boards, but got rejected due to a number of security issues in certain scenarios. Cisco kept pushing their solution. Since Cisco is a big name, their solution gained market share. Some of the security issues related to their implementation appear in their security advisories. On the other side, Microsoft rejected XAUTH, see: http://www.microsoft.com/technet/network/vpn/vpnfaq.mspx and implemented L2TP/IPsec. L2TP + IPsec represented a simple and clear way of solving the user authentication problem (the certificates or pre-shared keys are typically stored on the client, thus if someone gains access to or steals the client machine, this level of authentication is useless, therefore we need to authenticate the user who is using the device too) or the address assignment one. It is not a perfect solution though. Some folks erroneously consider L2TP/IPsec more secure than IPsec tunnel mode from a general point of view. However these folks take facts out of context, and misinterpret them. The idea: it is good to use the same vendor at both ends, client and VPN server, in order to benefit at maximum from their possibilities. If you are running in a Microsoft shop, L2TP/IPsec was and may still be the way to go.

Not sure about SSTP, waiting to see it getting "dirty". Microsoft's L2TP/IPSec VPN client and server also implement some proprietary extensions. J
< Message edited by justmee -- 20.Jul.2008 9:37:11 AM >
RE: Configure ISA to allow Cisco VPN clients - 20.Jul.2008 9:40:08 AM
mikemalter
Posts: 60
Joined: 9.Oct.2002
From: San Rafael, CA
J, Nice, your suggestion is much better than a parallel solution. I have a few questions. When I create the network type, what do I want, another internal network, or is there another network type I should select? Where do I physically connect the internal port of the PIX to? Do I get another NIC card for my ISA box? Do I plug it directly into a switch? Thanks.
_____________________________
Mike Malter Mike Malter & Associates, Inc.
RE: Configure ISA to allow Cisco VPN clients - 20.Jul.2008 10:47:32 AM
justmee
Posts: 505
Joined: 14.May2007
It's not actually my suggestion, it is a common setup I would say. Just search this forum. I suppose your ISA has two NICs on it, Internal and External, and is not the single-NIC deployment. If so:

    Internet
        |
       PIX
        |
    Transit network
        |
       ISA
        |
    Internal Network

The external NIC of ISA is connected to the same network as the PIX's internal NIC. You can use a switch to connect them if you want. So from ISA's point of view, its External Network includes the transit network too. By default on ISA, you have a NAT network relationship between Internal and External Networks. Change that to route. And as said above, add a route on the PIX so that it knows that the network behind ISA (Internal Network) is accessible through ISA's external interface. Use on ISA access rules or publishing rules, as needed, to allow communication from the required hosts located on the External Network of ISA. Note that your VPN clients are located on ISA's External Network too. With certain protocols, you cannot bind the application filters to access rules. Typically for inbound rules you use publishing rules, and for outbound rules access rules. However, since you now have a route relationship between Internal and External, and the PIX in front of ISA terminating remote access VPN connections, you might use without any problems access rules too for some "inbound" traffic (= coming from the External Net and going to the Internal Net). J
< Message edited by justmee -- 20.Jul.2008 10:53:01 AM >
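The back-to-back design J describes in the two posts above (PIX terminating the VPN in front of ISA, a transit network between them, a route relationship on ISA, and a static route on the PIX for the network behind ISA) has one step people forget: the route on the PIX. Without it, the PIX has no entry for ISA's Internal network, so a VPN client's packet for an internal host falls through to the PIX's default route towards the Internet. The following script is an added example, not something posted in this thread and not Cisco's or Microsoft's code: it parses PIX 6.x-style `route` lines into a table, does a longest-prefix lookup the way a router's forwarding table would, and shows where the PIX sends a VPN client's packet before and after the extra route is added. All addresses (203.0.113.0/24 outside, 192.168.100.0/24 transit, 10.0.0.0/24 behind ISA, 192.168.200.0/24 VPN pool) and the ISA Internal range are constructed for the example; the connected networks are modelled as ordinary route lines for simplicity.

```python
"""Route-table sanity check for the back-to-back PIX-in-front-of-ISA design.

Constructed example addressing (assumptions, not taken from the thread):
  PIX outside 203.0.113.10, default gateway 203.0.113.1
  transit network 192.168.100.0/24: PIX inside .1, ISA external .2
  ISA Internal network 10.0.0.0/24
  remote-access VPN client pool terminated on the PIX: 192.168.200.0/24
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    interface: str
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    metric: int


def parse_pix_route(line: str) -> Route:
    """Parse a PIX 6.x-style static route: route <if> <net> <mask> <gateway> [metric]."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route line: {line!r}")
    network = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
    metric = int(parts[5]) if len(parts) > 5 else 1
    return Route(parts[1], network, ipaddress.IPv4Address(parts[4]), metric)


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match, lowest metric on a tie, as a forwarding table does."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


# ISA's Internal network is the address range you define; everything else,
# including the transit network and the VPN client pool, is External.
ISA_INTERNAL = [ipaddress.IPv4Network("10.0.0.0/24")]
ISA_EXTERNAL_IP = "192.168.100.2"


def isa_network_of(address: str) -> str:
    addr = ipaddress.IPv4Address(address)
    return "Internal" if any(addr in n for n in ISA_INTERNAL) else "External"


def address_seen_on_transit(internal_src: str, relationship: str) -> str:
    """Source address the PIX sees for a host behind ISA, by Internal->External rule.

    NAT: hosts behind ISA appear as ISA's external IP, so the PIX needs no route
    for them but inbound traffic needs publishing rules on ISA.
    Route: internal addresses cross the transit network unchanged, so the PIX
    must have a route for them (the step J insists on).
    """
    if relationship == "NAT":
        return ISA_EXTERNAL_IP
    if relationship == "Route":
        return internal_src
    raise ValueError(f"unknown relationship {relationship!r}")


# The PIX before the extra route: connected networks plus the default route.
PIX_ROUTES_WITHOUT_INTERNAL = [
    "route outside 0.0.0.0 0.0.0.0 203.0.113.1 1",
    "route outside 203.0.113.0 255.255.255.0 203.0.113.10 1",
    "route inside 192.168.100.0 255.255.255.0 192.168.100.1 1",
]
# The one line the design needs: the network behind ISA is reached via ISA's external NIC.
INTERNAL_ROUTE = "route inside 10.0.0.0 255.255.255.0 192.168.100.2 1"


def check_design(destination: str = "10.0.0.5") -> Dict[str, Optional[Route]]:
    """Where the PIX sends a VPN client's packet before and after the route is added."""
    before = [parse_pix_route(line) for line in PIX_ROUTES_WITHOUT_INTERNAL]
    after = before + [parse_pix_route(INTERNAL_ROUTE)]
    return {"before": lookup(before, destination), "after": lookup(after, destination)}


if __name__ == "__main__":
    result = check_design()
    for stage, route in result.items():
        where = f"{route.interface} via {route.next_hop}" if route else "no route"
        print(f"{stage:6}: VPN client -> 10.0.0.5 leaves the PIX on {where}")
    print("VPN client 192.168.200.7 is on ISA's", isa_network_of("192.168.200.7"), "network")
```

Run as a script it prints that, before the route, the packet leaves on `outside` via the default gateway (it never reaches ISA), and after it leaves on `inside` via 192.168.100.2. The same check applies to any other network you later put behind ISA: each one needs its own route on the PIX pointing at ISA's external interface, because the route relationship means those addresses are never hidden behind ISA's own IP.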