Putting a Cisco VPN Router behind an ISA Server

Putting a Cisco VPN Router behind an ISA Server - 13.Jun.2002 6:13:00 PM   
Holf

 

Posts: 2
Joined: 13.Jun.2002
From: London, UK
Status: offline
Hi,

Before anyone points it out, I know what I am trying to do here is pretty weird, but there is a good reason.

I have been tasked with setting up some VPN architectures at work. To this end I have borrowed some routers and am trying to prototype the setup at home. The setup will be fairly straightforward and will consist of a Cisco VPN router with a Public Internet Address, and a number of client laptops running the Cisco Secure VPN Client (a piece of software Cisco make for connecting to their VPN routers).

However, at home I am running an ADSL connection which feeds into the USB port of my trusty ISA server. The rest of my LAN sits off the ISA Server NIC. So, the setup is:

ADSL Connection (Dynamic IP Addressing) --> ISA Server --> LAN Switch --> LAN Computers.

I want to be able to play around with Cisco Router VPNs without having to disassemble too much of my existing setup. Ideally I could have everything going from the outside through the Cisco VPN Router first, terminating any VPN tunnels there, and then onto the ISA server and subsequently through to my internal LAN. However, I can't plug my USB ADSL connection into the Cisco Router (Cisco do make an ADSL modem card but it's very expensive and won't work with the router I have anyway). So whatever I do, I have to go through the ISA Server first.

Now, on with the actual problem (thank you for your patience so far)...

I plan to set things up as follows:

Cisco VPN Client --> Public Dial-up ISP --> Public Internet --> My ADSL Connection --> My ISA Server --> My Cisco VPN Router, where the VPN tunnel will terminate --> Internal Resources.

This would be straightforward enough if the ISA Server wasn't there, but as it is there is a basic question I can't answer:

If the VPN Client initiates the connection and is pointing at my ADSL connection, how can I set the ISA Server to simply pass the traffic through to the Cisco VPN Router? I have opened up IKE and IPSec ports appropriately (I think!) but I seem to be having problems with the IP Addressing - I can't seem to get the ISA Server to resolve my external Internet Address to the internal Cisco VPN Router address.

At this stage I haven't experimented too far. I am posting this to see if anyone else has tried doing anything like this. Of course, usually you would simply terminate VPN tunnels on the ISA Server itself but I need to terminate them on the Cisco VPN router sitting behind it instead.

I would be grateful for any info anyone could give me on this. I will, of course, post full details of how to do this if and when I finally figure it out.

Thanks to you all for a great ISA Server resource - I have already picked up lots of tips which have really helped in my ISA explorations.

Holf
Post #: 1
RE: Putting a Cisco VPN Router behind an ISA Server - 13.Jun.2002 6:38:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Holf,

aha... if the Cisco VPN router is using plain IPSec (ESP/AH IP protocol 50/51) then you are in trouble. You can't pass that through ISA.

However, if the Cisco VPN implementation supports the NAT traversal feature, sometimes called UDP-encapsulated ESP, then it might be possible. I know the Cisco VPN3000 already supports that feature. You'll have to check first if the Cisco router has that functionality.

HTH,
Stefaan

[ June 13, 2002, 10:54 PM: Message edited by: spouseele ]

(in reply to Holf)
Post #: 2
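To make the distinction drawn in the reply above concrete, this added example (not part of the original thread) labels an IPv4 packet as native ESP/AH (IP protocol 50/51, no ports) or UDP-encapsulated ESP. It assumes the standardised NAT-T framing of RFC 3948 on UDP 4500, which may differ from what a given Cisco image uses; the helper names and sample packets are constructed for illustration.

```python
import struct

UDP, ESP, AH = 17, 50, 51          # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500    # assumption: RFC 3947/3948 ports

def classify(packet: bytes) -> str:
    """Label an IPv4 packet by the IPsec framing it carries."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4           # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto, body = packet[9], packet[ihl:]
    if proto == ESP:
        return "esp-native"
    if proto == AH:
        return "ah-native"
    if proto != UDP or len(body) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", body[:4])
    data = body[8:]                        # skip the 8-byte UDP header
    if IKE_PORT in (sport, dport):
        return "ike"
    if NATT_PORT not in (sport, dport):
        return "other"
    if data == b"\xff":
        return "natt-keepalive"            # single 0xFF byte
    if len(data) < 4:
        return "malformed"
    if data[:4] == b"\x00" * 4:
        return "natt-ike"                  # non-ESP marker, then IKE
    return "natt-esp"                      # first 4 bytes are a non-zero SPI

def port_forwardable(label: str) -> bool:
    """True when the packet has UDP ports a port-based NAT rule can match."""
    return label in {"ike", "natt-keepalive", "natt-ike", "natt-esp"}

# --- constructed sample packets (documentation address ranges) ---
def ipv4(proto: int, body: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                       proto, 0, bytes([198, 51, 100, 7]),
                       bytes([203, 0, 113, 9])) + body

def udp(dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data

ESP_BODY = struct.pack("!II", 0x1234ABCD, 1) + bytes(16)   # SPI, seq, padding

if __name__ == "__main__":
    for pkt in (ipv4(ESP, ESP_BODY), ipv4(UDP, udp(NATT_PORT, ESP_BODY))):
        label = classify(pkt)
        print(label, "port-forwardable:", port_forwardable(label))
```
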
RE: Putting a Cisco VPN Router behind an ISA Server - 13.Jun.2002 11:38:00 PM   
Holf

 

Posts: 2
Joined: 13.Jun.2002
From: London, UK
Status: offline
Thanks a lot for this Stefaan - you've already saved me hours of frustration trying to do straightforward AH/ESP passthrough.

I'll investigate the UDP encapsulation option - I've generally found that if a Cisco VPN Concentrator can do something then an IPSEC version of IOS on a normal router can often do it too (although with much fewer simultaneous sessions).

I'll let you know how it goes... (although it may be a few days before I get the time to give this some proper attention).

Thanks again,

Holf

(in reply to Holf)
Post #: 3
RE: Putting a Cisco VPN Router behind an ISA Server - 14.Jun.2002 10:04:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Holf,

OK, thanks for the follow up.

Greetings,
Stefaan

(in reply to Holf)
Post #: 4
