From: London, UK
Before anyone points it out, I know what I am trying to do here is pretty weird, but there is a good reason.
I have been tasked with setting up some VPN architectures at work. To this end I have borrowed some routers and am trying to prototype the setup at home. The setup will be fairly straightforward and will consist of a Cisco VPN router with a Public Internet Address, and a number of client laptops running the Cisco Secure VPN Client (a piece of software Cisco make for connecting to their VPN routers).
However, at home I am running an ADSL connection which feeds into the USB port of my trusty ISA server. The rest of my LAN sits off the ISA Server NIC. So, the setup is:
ADSL Connection (Dynamic IP Addressing) --> ISA Server --> LAN Switch --> LAN Computers.
I want to be able to play around with Cisco Router VPNs without having to disassemble too much of my existing setup. Ideally I could have everything going from the outside through the Cisco VPN Router first, terminating any VPN tunnels there, and then on to the ISA server and subsequently through to my internal LAN. However, I can't plug my USB ADSL connection into the Cisco Router (Cisco do make an ADSL modem card but it's very expensive and won't work with the router I have anyway). So whatever I do, I have to go through the ISA Server first.
Now, on with the actual problem (thank you for your patience so far)...
I plan to set things up as follows:
Cisco VPN Client --> Public Dial-up ISP --> Public Internet --> My ADSL Connection --> My ISA Server --> My Cisco VPN Router, where the VPN tunnel will terminate --> Internal Resources.
This would be straightforward enough if the ISA Server wasn't there, but as it is there is a basic question I can't answer:
If the VPN Client initiates the connection and is pointing at my ADSL connection, how can I set the ISA Server to simply pass the traffic through to the Cisco VPN Router? I have opened up IKE and IPSec ports appropriately (I think!) but I seem to be having problems with the IP Addressing - I can't seem to get the ISA Server to resolve my external Internet Address to the internal Cisco VPN Router address.
At this stage I haven't experimented too far. I am posting this to see if anyone else has tried doing anything like this. Of course, usually you would simply terminate VPN tunnels on the ISA Server itself but I need to terminate them on the Cisco VPN router sitting behind it instead.
I would be grateful for any info anyone could give me on this. I will, of course, post full details of how to do this if and when I finally figure it out.
Thanks to you all for a great ISA Server resource - I have already picked up lots of tips which have really helped in my ISA explorations.
aha... if the Cisco VPN router is using plain IPSec (ESP/AH, IP protocol 50/51) then you are in trouble. You can't pass that through ISA.
However, if the Cisco VPN implementation supports the NAT traversal feature, sometimes called UDP-encapsulated ESP, then it might be possible. I know the Cisco VPN3000 already supports that feature. You'll have to check first if the Cisco router has that functionality.
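The distinction Stefaan draws above comes down to whether the packet carries a transport port that a NAT (or an ISA server publishing rule) can match and rewrite. The following is an added example, not code from the thread or from Cisco: it builds a handful of constructed IPv4 packets of the kinds an IPsec peer emits (raw ESP and AH, IKE on UDP/500, and the RFC 3948 NAT-T forms on UDP/4500) and classifies each one, reporting which publishing rule would be needed and which packets cannot be published at all. Addresses are RFC 5737 documentation addresses and the SPIs are made up; no ISA-specific configuration is shown.

```python
import struct

# Added example (not from the original thread). Constructed packets only.
ESP, AH, UDP, TCP = 50, 51, 17, 6
IKE_PORT, NATT_PORT = 500, 4500
SRC, DST = "203.0.113.10", "198.51.100.5"   # RFC 5737 documentation addresses
SAMPLE_SPI = 0x1234ABCD                       # made-up SPI


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _ip(src), _ip(dst))
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(pkt):
    """Return (label, publish) for one raw IPv4 packet.

    publish is the (proto, port) pair a NAT publishing rule would have to
    forward to the inside VPN router, or None when the packet has no
    transport port the NAT can rewrite. Raw ESP/AH (IP protocol 50/51)
    fall into the second group, which is why they cannot be published.
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == ESP:
        spi = struct.unpack("!I", body[:4])[0]
        return ("ESP spi=0x%08x" % spi, None)
    if proto == AH:
        return ("AH", None)
    if proto == UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if IKE_PORT in (sport, dport):
            return ("IKE udp/500", ("udp", IKE_PORT))
        if NATT_PORT in (sport, dport):
            # RFC 3948: a NAT keepalive is a single 0xFF byte; IKE carries a
            # four-byte all-zero "non-ESP marker"; anything else is ESP whose
            # first four bytes are its (non-zero) SPI.
            if data == b"\xff":
                return ("NAT-T keepalive udp/4500", ("udp", NATT_PORT))
            if data[:4] == b"\x00\x00\x00\x00":
                return ("IKE over NAT-T udp/4500", ("udp", NATT_PORT))
            spi = struct.unpack("!I", data[:4])[0]
            return ("ESP-in-UDP (NAT-T) udp/4500 spi=0x%08x" % spi,
                    ("udp", NATT_PORT))
        return ("UDP %d->%d" % (sport, dport), ("udp", dport))
    if proto == TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        return ("TCP %d->%d" % (sport, dport), ("tcp", dport))
    return ("IP proto %d" % proto, None)


def publishing_rules(pkts):
    """The set of (proto, port) rules needed for every publishable packet."""
    return {pub for _, pub in map(classify, pkts) if pub}


def sample_packets():
    """Constructed samples: plain ESP, AH, IKE, then the three NAT-T forms."""
    esp_body = struct.pack("!II", SAMPLE_SPI, 1) + b"\x00" * 16
    ah_body = struct.pack("!BBHII", 50, 4, 0, 0x55667788, 1) + b"\x00" * 12
    isakmp = b"\x00" * 28  # zeroed ISAKMP header, enough for classification
    return [
        build_ipv4(ESP, SRC, DST, esp_body),
        build_ipv4(AH, SRC, DST, ah_body),
        build_ipv4(UDP, SRC, DST, build_udp(IKE_PORT, IKE_PORT, isakmp)),
        build_ipv4(UDP, SRC, DST, build_udp(NATT_PORT, NATT_PORT,
                                             b"\x00\x00\x00\x00" + isakmp)),
        build_ipv4(UDP, SRC, DST, build_udp(NATT_PORT, NATT_PORT, esp_body)),
        build_ipv4(UDP, SRC, DST, build_udp(NATT_PORT, NATT_PORT, b"\xff")),
    ]


if __name__ == "__main__":
    for pkt in sample_packets():
        label, pub = classify(pkt)
        print("%-45s %s" % (label, "publish %s/%d" % pub if pub else "NOT publishable"))
    print("rules needed:", sorted(publishing_rules(sample_packets())))
```

Run as-is it lists the two raw IPsec packets as unpublishable and reduces the rest to two rules, UDP/500 and UDP/4500, which is the NAT-side half of the job; the other half is that both peers must actually negotiate NAT-T during IKE, which depends on the router's IOS feature set as Stefaan says.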
From: London, UK
Thanks a lot for this Stefaan - you've already saved me hours of frustration trying to do straightforward AH/ESP passthrough.
I'll investigate the UDP encapsulation option - I've generally found that if a Cisco VPN Concentrator can do something then an IPSEC version of IOS on a normal router can often do it too (although with far fewer simultaneous sessions).
I'll let you know how it goes... (although it may be a few days before I get the time to give this some proper attention).