I have been looking at just about every post on this site about this topic, and I have still not been able to find a solution to my problem. The problem is I can connect to the remote network using the Cisco VPN client (version 3.6; the concentrator is a 3060), but once connected I can't ping ANYTHING on the remote network. If I take a machine and stick it outside of ISA, I can ping. I have created the UDP 1000 send/receive and 500 rules, and disabled filtering of IP fragments, but still can't ping.
This is a snippet from the IP packet log on ISA. It looks as if UDP port 500 is being blocked, but I can't figure out why. I have UDP port 500 set to send/receive.
The IKE (UDP port 500) return traffic seems indeed to be blocked by ISA server. I would first delete the relevant protocol rule and recreate it. If it doesn't help, bounce the Firewall service or even better, reboot the ISA server. Also, did you look for any warning/error logging in the event log?
Thank you! Thank you! Thank you! Yes, I did have this working in the past: I set this up on a client site, and now I have to do it at my work, and thought it would be a no-brainer because I have already set this up before. I will take a look at the link, reboot the server, and see what happens. I will keep you posted.
That won't help you because ISA can't pass IP protocol 50 & 51. That's exactly the reason why the IPSec implementation must support the IETF IPSec NAT Traversal feature!
You should investigate why the protocol rule is not working. One way is to take a Network Monitor trace at the ISA external interface. Another way could be to enable the logging of *all* packets (allowed and blocked) in the IP packet filter properties and run a test. Don't forget to switch off the logging of the allowed packets afterwards!
Next, analyse the ISA Firewall *and* IP packet log. Pay particular attention to the used source and destination port numbers.
BTW, it might be necessary to disable IP fragment filtering on ISA, although the posted blocked packets don't seem to be IP fragments.
OK, sorry for the long delay. We got it to work: we made a protocol rule for UDP 4500 send/receive and it started working. Now when you look at the Cisco client and go to the General tab, you can see that the tunnel port is now 4500; before it was 0. I guess the VPN concentrator was not listening on 10000.
Now I'm really confused. I took UDP 10000 out of the protocol rule, because we don't need it to make the connection, but when I look at the IP log I can see that ISA is blocking UDP 4500, which we do need to make the connection. The connection works, but why does ISA say it's blocking, and if it is blocking, then how is the connection being made?
If you analyze those documents you will see that if NAT is detected along the path, the IKE negotiation will be transferred from UDP port 500 to UDP port 4500. The reason for it is that all those dirty IPSec hacks in NAT devices could create havoc during the IKE and NAT Traversal negotiation.
Secondly, you will find out that the UDP port used for the UDP encapsulated IPSec is the same port as used by the IKE after the detection of the NAT presence. In other words, the IKE and UDP encapsulated IPSec are multiplexed over the new well known socket (UDP port 4500).
So, according to the latest drafts, a protocol rule allowing UDP ports 500 and 4500 send/receive is all that is needed.
Now, looking into the IP packet log excerpt, it appears that ISA is blocking incoming packets destined for UDP port 4500. That seems to be OK for me. Seen from the Cisco VPN gateway the IKE initiator is the ISA external interface. So, ISA will send the IKE packets to UDP (X, 500) and after NAT detection to (Y, 4500). So, the Cisco gateway (IKE responder) must send the reply packets to UDP (500, X) and after NAT detection to (4500, Y). So, it seems rather a Cisco implementation issue!
Posts: 9
Joined: 27.Oct.2002
From: Malaysia
Status: offline
skip and stefaan:
I have been following what you both are talking about because we are having the same problem and we also consulted stefaan a month or so about it. Thank you both for the valuable information.
Stefaan, regarding your last comment: the issue lies in the configuration of the Cisco router. Our telecom is a pain when asking for any help, so is there any way to find out what the UDP port is? I followed skip and opened UDP 4500, and I'm still getting the same error: connected but can't ping.
If you don't get much help from the VPN gateway administrator, then you are in serious trouble. The point is that NAT Traversal must be enabled on both the client and the gateway. What you can try is:
1) make sure you enable on ISA the logging of all fields.
3) make sure the client is configured as SecureNAT client and that the Firewall client is disabled, if installed. Also, don't forget to enable IPSec NAT Traversal in the VPN client.
4) make sure you have a protocol rule which allows UDP ports 500, 4500 and 10000 send/receive. These are the standard ports I know of for IPSec NAT Traversal in a Cisco environment.
6) activate the Network Monitor on the ISA external interface. If not possible, enable the logging of *all* packets (allowed and blocked) in the IP packet filter properties. Don't forget to switch off the logging of the allowed packets afterwards!
Next, try to set up a VPN connection from the client while all logging and Network Monitor traces are running. And now comes the big work! Start analyzing all the traces (Firewall, Packet filter, Ethereal, etc.). If you see IP protocol 50/51 in the logs/traces, then the client and/or gateway is not properly configured or the negotiation of the NAT Traversal has not succeeded. Also, pay particular attention to the UDP ports used in the conversation.
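The port reasoning above (IKE on UDP 500, then IKE and UDP-encapsulated ESP multiplexed on 4500, with replies having to come back to the port the firewall sent from) and the trace triage in the steps just listed, as an added Python example that is not from this thread. It runs over constructed, simplified records rather than real ISA log lines; the addresses 203.0.113.10 and 198.51.100.1 are assumptions.

```python
from collections import defaultdict

IKE, NATT = 500, 4500          # IKE and NAT-T (UDP-encapsulated IPsec) ports
UDP, ESP, AH = 17, 50, 51      # IP protocol numbers

def diagnose(records):
    """Each record: (direction, src_ip, src_port, dst_ip, dst_port, ip_proto, action).
    direction 'out' = firewall external interface -> VPN gateway, 'in' = the reverse.
    Returns a list of findings about the NAT-T negotiation."""
    findings = []
    sent_from = defaultdict(set)   # gateway port -> source ports the firewall used
    for d, _sip, sp, _dip, dp, proto, action in records:
        if proto in (ESP, AH):
            findings.append(f"raw IP protocol {proto} seen ({d}): NAT-T was not negotiated")
        elif proto != UDP:
            continue
        elif d == "out" and dp in (IKE, NATT):
            sent_from[dp].add(sp)
        elif d == "in" and sp in (IKE, NATT):
            if dp not in sent_from[sp]:
                # gateway answered to a port the firewall never used: gateway-side issue
                findings.append(f"reply from udp/{sp} to unexpected port {dp} ({action})")
            elif action != "allow":
                # well-formed reply yet dropped: the protocol rule on the firewall is wrong
                findings.append(f"valid reply from udp/{sp} to {dp} was blocked: fix protocol rule")
    if NATT in sent_from:
        findings.append("IKE moved to udp/4500: NAT detected, NAT-T in use")
    elif IKE in sent_from:
        findings.append("IKE stayed on udp/500: NAT-T not negotiated, check client/gateway")
    return findings

# Constructed, simplified records (not real ISA log lines). The firewall's external
# address 203.0.113.10 sends IKE from port 500, then from 4500 after NAT detection.
GOOD = [
    ("out", "203.0.113.10", 500,  "198.51.100.1", 500,  UDP, "allow"),
    ("in",  "198.51.100.1", 500,  "203.0.113.10", 500,  UDP, "allow"),
    ("out", "203.0.113.10", 4500, "198.51.100.1", 4500, UDP, "allow"),
    ("in",  "198.51.100.1", 4500, "203.0.113.10", 4500, UDP, "allow"),
]
# Gateway answers from 4500 to a port the firewall never used (so the block is expected).
BAD = GOOD[:3] + [("in", "198.51.100.1", 4500, "203.0.113.10", 500, UDP, "block")]
# NAT-T never negotiated: IKE stays on 500 and raw ESP (ports meaningless, set to 0) follows.
NO_NATT = GOOD[:2] + [("out", "203.0.113.10", 0, "198.51.100.1", 0, ESP, "block")]

if __name__ == "__main__":
    for name, recs in (("GOOD", GOOD), ("BAD", BAD), ("NO_NATT", NO_NATT)):
        print(name, *diagnose(recs), sep="\n  ")
```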
stefaan:
Thank you for the quick response. I will try what you recommended and will post the answer afterwards. Do you know what the problem is where the date stamp in the ISA logs is one day ahead of the time on the server?
Yep, change the log file format from W3C to ISA format and you will get local time in the logs. You can change it in the MMC under the node Monitoring Configuration -> Logs.
I'm struggling with this same issue. I've got Cisco VPN 5000 Client 5.3.2 trying to communicate with a Cisco 5000 concentrator through ISA server. I've got a filter rule for UDP ports 500, 4500 and 10000 send/receive set up and the client is a SecureNAT client. I can connect with NAT Transparency mode turned OFF, but not with it turned ON. I need it ON so that I can connect to an FTP server on the other end. The FTP server will reject traffic that doesn't come through the Cisco VPN. I can create the tunnel and open an FTP port through a server with just RRAS and NAT, but not through the ISA. Any ideas would be most appreciated.