Welcome to ISAserver.org

Cisco 3000 Vpn Concentrator behind ISA

Cisco 3000 Vpn Concentrator behind ISA - 26.Sep.2003 4:32:00 AM   
jjwinter
Posts: 66
Joined: 26.Sep.2003
From: irvine
Status: offline
"Good grief Charlie Brown" this one is killing me. I recently moved from Symantec Enterprise 7.04 to ISA Server (by the way, ISA is the first thing from microcrap I like), but I'm having problems publishing my Cisco 3300 VPN Concentrator. I have read all the KB articles I could find and the closest thing I have found is the article on how to allow a Cisco VPN client out of the ISA. The VPN Concentrator is located on its own (private IP scheme) subnet connected directly to a NIC on the ISA. I have tried to allow (well, I have published) UDP 500, UDP 4500 and UDP 48169 (that's what I have chosen to change the default port to). I have tried every imaginable configuration including NAT-T, to no avail. I have even tried configuring the ISA server in the reverse manner described in the KB article detailing how to allow the Cisco VPN client out, figuring the reverse would let it in. Just for the record, it ain't working. The Concentrator worked flawlessly with Symantec Enterprise Firewall (but God knows I will never go back to that heinous contraption).
Post #: 1
RE: Cisco 3000 Vpn Concentrator behind ISA - 26.Sep.2003 10:15:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi zer0degrees,

check out my article
http://www.isaserver.org/articles/IPSec_Passthrough.html .

Although it discusses the outbound scenario, the concepts stay the same for
the inbound scenario. Of course the direction changes in the protocol
definition and you should create two server publishing rules. Also, you will
have to disable the IPSec services on ISA server.

Also, you said "The VPN Concentrator is located on its own (private IP scheme) subnet connected directly to a NIC on the ISA". Is this another LAT interface?

HTH,
Stefaan

(in reply to jjwinter)
Post #: 2
RE: Cisco 3000 Vpn Concentrator behind ISA - 27.Sep.2003 6:46:00 AM   
jjwinter
Posts: 66
Joined: 26.Sep.2003
From: irvine
Status: offline
Stefaan,

I never thought of disabling the IPSec services on ISA. To answer your question: yes, the VPN Concentrator is on a LAT interface.

(in reply to jjwinter)
Post #: 3
RE: Cisco 3000 Vpn Concentrator behind ISA - 27.Sep.2003 10:48:00 AM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi zer0degrees,

the reason you need to disable the IPSec service on ISA is that otherwise the ISA server owns the UDP port 500 (IKE). As a consequence, when you server publish a VPN gateway on ISA, ISA can no longer be a VPN endpoint. Keep that in mind!

BTW --- is there a particular reason why you place the VPN box on the internal network and not in parallel with the ISA server?

HTH,
Stefaan

(in reply to jjwinter)
Post #: 4
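As an added illustration of Stefaan's point above (example code, not from the original thread, from ISA Server or from Cisco): before creating the two server publishing rules, check whether a local service on the ISA host already owns the IKE and NAT-T ports, since a rule cannot forward a port the host itself is listening on. The `netstat -ano`-style output below is constructed for the example and the PIDs in it are hypothetical.

```python
import re

# Ports the thread's server publishing rules cover: IKE (UDP 500) and
# NAT-T (UDP 4500). A custom port such as the 48169 mentioned in the
# thread can be added by the caller.
DEFAULT_VPN_PORTS = {500, 4500}

# Constructed sample of Windows `netstat -ano` output (not captured from a
# real ISA host). PID 688 stands in for the local IPSec/IKE service that
# holds UDP 500 and 4500 when the service is left running.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1204
  UDP    0.0.0.0:500            *:*                                    688
  UDP    192.168.1.1:4500       *:*                                    688
  UDP    0.0.0.0:1745           *:*                                    1204
"""

# UDP rows have no State column: Proto, Local Address, Foreign Address, PID.
_UDP_LINE = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$")


def parse_udp_bindings(netstat_text):
    """Return (local_ip, port, pid) for every UDP socket in the output."""
    bindings = []
    for line in netstat_text.splitlines():
        m = _UDP_LINE.match(line)
        if m:
            bindings.append((m.group(1), int(m.group(2)), m.group(3)))
    return bindings


def find_port_conflicts(netstat_text, vpn_ports=DEFAULT_VPN_PORTS):
    """Map each VPN port a local process already owns to the PIDs holding it."""
    conflicts = {}
    for _ip, port, pid in parse_udp_bindings(netstat_text):
        if port in vpn_ports:
            conflicts.setdefault(port, set()).add(pid)
    return conflicts


def publishing_preflight(netstat_text, vpn_ports=DEFAULT_VPN_PORTS):
    """Return one finding per conflicting port; an empty list means the host is clear."""
    conflicts = find_port_conflicts(netstat_text, vpn_ports)
    return ["UDP %d already owned by PID(s) %s; stop that service before publishing"
            % (port, ", ".join(sorted(pids))) for port, pids in sorted(conflicts.items())]


if __name__ == "__main__":
    for finding in publishing_preflight(SAMPLE_NETSTAT, DEFAULT_VPN_PORTS | {48169}) or ["no conflicts"]:
        print(finding)
```

Resolve the reported PIDs with `tasklist` to confirm which service holds the port before stopping it.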
RE: Cisco 3000 Vpn Concentrator behind ISA - 28.Sep.2003 8:38:00 PM   
jjwinter
Posts: 66
Joined: 26.Sep.2003
From: irvine
Status: offline
The reason I place it there is just peace of mind. I truly believe that everything should be behind a firewall. Cisco is just as prone to security flaws as anyone else, and I just prefer the extra protection afforded by the firewall.

(in reply to jjwinter)
Post #: 5
RE: Cisco 3000 Vpn Concentrator behind ISA - 28.Sep.2003 10:18:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi zer0degrees,

so you are saying that the Cisco VPN box is not as secure as the ISA server. Great! Why not use ISA for the VPN too and drop the Cisco box entirely? [Big Grin]

To learn more about how to use ISA server as a VPN gateway, check out:
- http://www.microsoft.com/vpn
- http://www.isaserver.org/articles/isa2000vpndeploymentkit.html

HTH,
Stefaan

(in reply to jjwinter)
Post #: 6
RE: Cisco 3000 Vpn Concentrator behind ISA - 29.Sep.2003 3:12:00 AM   
andifur
Posts: 143
Joined: 25.Oct.2001
From: Eastern PA
Status: offline
For one, MS VPN does not pass security audits very easily, especially MS PPTP. For another, the only way I have been able to get a 3DES tunnel through MS RRAS is using certificates, user and computer. (Real pain in the you know what.)

Cisco VPN is standard. If the EU unchecks something then the server sets it right back or they don't connect. On MS it takes hours to troubleshoot an issue because the EU unchecked something. Plus, on the 3005 you can make sure the EU is at least running a software firewall.
It also connects into the Zone Labs Integrity server (very cool). New virus? Block the file or key and the VPN EU can still connect, but they aren't going anywhere. Same with virus definitions.

Don't get me wrong, ISA is so far the best I have worked with (in a Windows environment), but RRAS is not a product of ISA, it's on every 2K server and leaves a lot to be desired.

If MS came out with a VPN solution built only with ISA then I might think about dropping Cisco.

(in reply to jjwinter)
Post #: 7
RE: Cisco 3000 Vpn Concentrator behind ISA - 29.Sep.2003 7:41:00 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Anthony,

The CMAK will solve all the problems you mention here. Create and distribute a CMAK profile to your users. That creates a standardized profile that users will not be able to change. If they have a problem, email them a new profile, just in case. Bingo! Everything works again.

PPTP with MS-CHAPv2 or EAP cert-based auth is quite secure. Security "audits" that ping PPTP make my blood boil because it reminds me of marching morons who check "checkboxes" and have no idea why. However, they're not completely stupid, because they can add up the number of boxes that are unchecked and, of course, add up the number of hours they worked for you and multiply that by the hourly rate [Big Grin]

HTH,
Tom

(in reply to jjwinter)
Post #: 8
RE: Cisco 3000 Vpn Concentrator behind ISA - 29.Sep.2003 6:15:00 PM   
jjwinter
Posts: 66
Joined: 26.Sep.2003
From: irvine
Status: offline
One of the biggest reasons that I use the Cisco Concentrator is to unload the processing from the firewall. Another reason is a more personal belief (and my company affords me the financial means): I like to use one box for one purpose. For example, my web servers are web servers, my financial transaction servers only process financial stuff, my email servers just process email, etc. I tend to believe it is easier to track down a problem on a machine if it is only serving one purpose. I don't want to troubleshoot a Windows problem if someone can't connect to the VPN. I understand not everyone has the luxury of lots of money to spend. Everything is working now, thanks to Stefaan's advice. I feel like a fool for not putting 2 and 2 together and realizing that the ISA server still had IPSec enabled and was sucking up my VPN traffic. Thanks to everyone.

(in reply to jjwinter)
Post #: 9
RE: Cisco 3000 Vpn Concentrator behind ISA - 29.Sep.2003 9:11:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi zer0degrees,

very glad to hear you got it working and thanks for the follow up! [Smile] [Smile] [Smile]

Stefaan

(in reply to jjwinter)
Post #: 10