"Good grief, Charlie Brown," this one is killing me. I recently moved from Symantec Enterprise 7.04 to ISA Server (by the way, ISA is the first thing from microcrap I like), but I'm having a problem publishing my Cisco 3300 VPN Concentrator. I have read all the KB articles I could find, and the closest thing I have found is the article on how to allow a Cisco VPN client out of the ISA. The VPN Concentrator is located on its own (private IP scheme) subnet connected directly to a NIC on the ISA. I have tried to allow (well, I have published) UDP 500, UDP 4500 and UDP 48169 (that's what I have chosen to change the default port to). I have tried every imaginable configuration, including NAT-T, to no avail. I have even tried configuring the ISA server in the reverse manner described in the KB article detailing how to allow the Cisco VPN client out, figuring the reverse would let it in. Just for the record, it ain't working. The Concentrator worked flawlessly with Symantec Enterprise Firewall (but God knows I will never go back to that heinous contraption).
Although it discusses the outbound scenario, the concepts stay the same for the inbound scenario. Of course the direction changes in the protocol definition and you should create two server publishing rules. Also, you will have to disable the IPSec services on ISA server.
Also, you said "The VPN Concentrator is located on it's own (private ip scheme) subnet connected directly to a nic on the ISA". Is this another LAT interface?
The reason you need to disable the IPSec service on ISA is that otherwise the ISA server owns UDP port 500 (IKE). As a consequence, when you server-publish a VPN gateway on ISA, ISA can no longer be a VPN endpoint. Keep that in mind!
BTW --- is there a particular reason why you place the VPN box on the internal network and not in parallel with the ISA server?
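An added check that follows from the point about ISA owning UDP 500 (this is example code written for this page, not from the thread or from ISA Server): it parses Windows `netstat -ano` output and flags the IKE/NAT-T UDP ports that are already bound by a local process on the firewall host, which is exactly the condition that stops a server-published VPN box from ever seeing the traffic. The netstat sample, the port set and the function names are constructed assumptions.

```python
"""Flag IKE/NAT-T UDP ports already bound on the firewall host itself.

A locally bound UDP 500 or 4500 (e.g. the host's own IPSec/IKE service)
receives the inbound IKE packets instead of the published VPN gateway.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Ports the published concentrator must receive: UDP 500 (IKE) and
# UDP 4500 (NAT-T). Extend the set if a custom port is published too.
VPN_UDP_PORTS = {500, 4500}

# Constructed sample of "netstat -ano" output (PIDs are made up).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  UDP    0.0.0.0:500            *:*                                    4
  UDP    0.0.0.0:4500           *:*                                    4
  UDP    192.168.10.1:137       *:*                                    4
"""

# proto, local address, local port, optional state column, PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:\S+\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[Tuple[str, str, int, int]]:
    """Return (proto, local_addr, port, pid) for every socket line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, pid = m.groups()
            rows.append((proto, addr, int(port), int(pid)))
    return rows


def find_udp_conflicts(text: str, ports=VPN_UDP_PORTS) -> Dict[int, int]:
    """Map each VPN UDP port that is bound locally to the owning PID."""
    return {port: pid for proto, _addr, port, pid in parse_netstat(text)
            if proto == "UDP" and port in ports}


def live_conflicts() -> Dict[int, int]:
    """Same check against the local Windows host (assumes netstat -ano)."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True,
                         text=True, check=False).stdout
    return find_udp_conflicts(out)


if __name__ == "__main__":
    for port, pid in sorted(find_udp_conflicts(SAMPLE_NETSTAT).items()):
        print(f"UDP {port} bound locally by PID {pid}: publish rule cannot win")
```

An empty result is the state you want before creating the two server publishing rules; a non-empty one names the PID to stop (the IPSec service in the case discussed above).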
The reason I place it there is just peace of mind. I truly believe that everything should be behind a firewall. Cisco is just as prone to security flaws as anyone else, and I just prefer the extra protection afforded by the firewall.
For one, MS VPN does not pass security audits very easily, especially MS PPTP. For another, the only way I have been able to get a 3DES tunnel through MS RRAS is using certificates, user and computer. (Real pain in the you know what.)
Cisco VPN is standard. If the EU unchecks something, then the server sets it right back or they don't connect. On MS it takes hours to troubleshoot an issue because the EU unchecked something. Plus, on the 3005 you can make sure the EU is at least running a software firewall. It also connects into the Zone Labs Integrity server (very cool): new virus, block the file or key, and the VPN EU can still connect, but they aren't going anywhere. Same with virus definitions.
Don't get me wrong, ISA is so far the best I have worked with (in a Windows environment), but the RRAS is not a product of ISA, it's on every 2K server and leaves a lot to be desired.
If MS came out with a VPN solution built only with ISA, then I might think about dropping Cisco.
The CMAK will solve all the problems you mention here. Create and distribute a CMAK profile to your users. That creates a standardized profile that users will not be able to change. If they have a problem, email them a new profile, just in case. Bingo! Everything works again.
PPTP with MS-CHAPv2 or EAP cert-based auth is quite secure. Security "audits" that ping PPTP make my blood boil because it reminds me of marching morons who check "checkboxes" and have no idea why. However, they're not completely stupid, because they can add up the number of boxes that are unchecked, and of course, add up the number of hours they worked for you and multiply that by the hourly rate.
One of the biggest reasons that I use the Cisco Concentrator is to unload the processing from the firewall. Another reason is a more personal belief, that I like to (and my company affords me the financial means) use one box for one purpose. For example, my web servers are web servers, my financial transaction servers only process financial stuff, my email servers just process email, etc. I tend to believe it is easier to track down a problem on a machine if it is only serving one purpose. I don't want to troubleshoot a Windows problem if someone can't connect to the VPN. I understand not everyone has the luxury of lots of money to spend. Everything is working now, thanks to Stefaan's advice. I feel like a fool for not putting 2 and 2 together and realizing that the ISA server still had IPSEC enabled and was sucking up my VPN traffic. Thanks to everyone.