CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator
CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 18.Nov.2003 11:01:00 PM   
majstorv (Posts: 22, Joined: 24.Feb.2003, From: Belgrade, Serbia and Montenegro)
Hello,

We have notebooks with applications using Cisco VPN Clients connecting to a Cisco VPN Concentrator somewhere on the Internet.
We have ISA 2000 "integrated" on our way out.

This VPN server uses IPSec and IKE tunnelling. It also uses so-called "transparent tunnelling". This is a part of the instruction manual:

quote:

"Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall, which may also be performing Network Address Translation (NAT) or Port Address Translations (PAT). Transparent tunneling encapsulates Protocol 50 (ESP) traffic within UDP packets and can allow for both IKE (UDP 500) and Protocol 50 to be encapsulated in TCP packets before they are sent through the NAT or PAT devices and/or firewalls. The most common application for transparent tunneling is behind a home router performing PAT.

Then select a mode of transparent tunneling, over UDP or over TCP. The mode you use must match that used by the secure gateway to which you are connecting. Either mode operates properly through a PAT device. Multiple simultaneous connections might work better with TCP, and if you are in an extranet environment, then in general TCP mode is preferable. UDP does not operate with stateful firewalls so in this case, use TCP.

1. Allow IPSec over UDP (NAT/PAT)
To enable Allow IPSec over UDP, click the radio button. With UDP, the port number is negotiated. UDP is the default mode.

2. Use IPSec over TCP (NAT/PAT/Firewall)
To enable Use IPSec over TCP, click the radio button. When using TCP, you must also enter the port number for TCP in the TCP port field. This port number must match the port number configured on the secure gateway. The default port number is 10000. "


So,
the notebooks are configured correctly; everything works normally over dial-up to the ISP (because of the public address assigned to the notebook).

  • Now, how to make this work over the ISA 2000 firewall?
  • And what ports need to be opened between ISA and the VPN concentrator?
  • If ISA NAT/PAT does not support all this, would it help to reserve one public address for a specific internal (notebook) address on ISA 2000, and how to do that?
Regards,
Vladimir
Post #: 1
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 18.Nov.2003 11:11:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Vladimir,

check out my article http://www.isaserver.org/articles/IPSec_Passthrough.html . Just keep in mind that you *have* to use "Allow IPSec over UDP (NAT/PAT)". Also, don't forget to check with the VPN administrator on which UDP port they do UDP encapsulation (default is UDP port 4500).

HTH,
Stefaan

(in reply to majstorv)
Post #: 2
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 24.Nov.2003 3:44:00 PM   
webpilot (Posts: 12, Joined: 14.Oct.2003, From: Tampa, Fl)
quote: Originally posted by spouseele (Post #2)

I have a similar issue where we can connect but cannot pass data traffic. We do have disparate subnets, and I have been reading the aforementioned document and cannot seem to find the missing variable in our particular problem. I would greatly appreciate any reading material that any of you may recommend, or if you know of the appropriate measures that must be executed to allow us to finally move data between our sites, I would welcome those as well.

I am not opposed to educating myself and will read anything, including stuff written on the bathroom wall, if it will lend a hand to solving this discrepancy. Thank you in advance.

Noah

[ November 24, 2003, 03:45 PM: Message edited by: webpilot ]

(in reply to majstorv)
Post #: 3
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 25.Nov.2003 1:15:00 PM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi Noah,

If you can connect, can you ping using an IP address of a host on the remote network? Does it work using the MS PPTP or L2TP/IPSec client?

Thanks!
Tom

(in reply to majstorv)
Post #: 4
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 27.Nov.2003 3:12:00 PM   
majstorv (Posts: 22, Joined: 24.Feb.2003, From: Belgrade, Serbia and Montenegro)
Hello,

I started this topic and I have some new issues:

I have no support from the VPN site technicians (the only thing they could tell me is that the device is a VPN Concentrator and that the ports are UDP 500 and UDP 10000).

Since I have achieved nothing by opening these ports both on ISA and on the Cisco router behind it, I tried this:

I attached the client directly to the public switch, gave it a public address, and added the following line to the "inbound" access list (outbound permits all traffic!):

"permit ip any any" - that is, all IP traffic, and OF COURSE THIS WORKS!
Now I removed this line and tried to restrict inbound IP to either "UDP" or "TCP":
"permit udp any any" or "permit tcp any any", AND IT DOESN'T WORK!

So, I concluded it should be IP routable (but WATCH OUT: GRE and ESP were opened all the time, NO SUCCESS!).

1) Now, what other IP protocols that help IPSec over UDP (I have never tried over TCP) could be used for inbound traffic? How to find out if you have no support from the VPN server personnel?

2) Nevertheless, the router is no problem; with Cisco IOS "permit ip any any" you can pass VIRTUALLY ALL IP TRAFFIC, so I wouldn't care about ports, but what to do with ISA?
IN ISA THERE IS NO "PERMIT IP ANY ANY", SINCE IP IS ONLY WHAT YOU DEFINE WITH "PROTOCOL DEFINITIONS", OR IN THIS CASE "IP PACKET FILTERS". Please correct me if I am wrong.

3) If I cannot find out what IP protocol is used, how to make ISA PASS THROUGH VIRTUALLY ALL IP?

Regards,
Vladimir

(in reply to majstorv)
Post #: 5
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 1.Dec.2003 3:34:00 PM   
webpilot (Posts: 12, Joined: 14.Oct.2003, From: Tampa, Fl)
quote: Originally posted by tshinder (Post #4)

Greetings Tom,

It is an honor to know that you have responded to my, our, issue. I know that you are in high demand and I certainly appreciate the attention you have expressed.

Unfortunately, I am not the admin of the PIX device and have had limited contact with the VAR that is providing support to my client. To date I have not been able to get them to turn on the MS VPN, PPTP, for us to perform a connectivity test. I just attempted to ping the assigned IP address and received time-outs, and will assume they have secured ping replies. I will try to put some more pressure on my client and welcome anything that you might be able to add to our dilemma.

Thank you in advance and happy holidays.

Noah P.

(in reply to majstorv)
Post #: 6
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 2.Dec.2003 12:15:00 PM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
quote: Originally posted by Vladimir (Post #5)

Hi Vlad,

ISA firewalls pass only GRE, ICMP, UDP and TCP. They do not pass IP-level protocols from the internal network. Make sure that the proprietary NAT-T Cisco implemented is not flawed (as it is with its TCP implementation, from what I understand).

HTH,
Tom

(in reply to majstorv)
Post #: 7
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 2.Dec.2003 12:19:00 PM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
quote: Originally posted by webpilot (Post #6)

Hi Noah,

No problem! It's important that you be able to test the basic functionality by using the MS VPN clients. Third-party VPN clients introduce variables that make things difficult to troubleshoot; that's why I always prefer the MS VPN clients and servers.

HTH,
Tom

(in reply to majstorv)
Post #: 8
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 3.Dec.2003 12:49:00 PM   
majstorv (Posts: 22, Joined: 24.Feb.2003, From: Belgrade, Serbia and Montenegro)
Hello,

The result is always the same:
I establish the VPN connection, but cannot move on from that. I cannot ping any server on the remote network, cannot even ping my own assigned IP address, no matter what I do on ISA!
All I achieved is with a public IP address assigned to a client attached next to our public router, and that works!
Obviously, ISA NAT does not support this, or I have a big misunderstanding of ISA and all of this stuff.
I have been searching the ISA logs, but found only UDP 500 connections. In fact I suppose I cannot find anything interesting there, since it logs only the kind of traffic known through "protocol definitions" and "packet filters", but here we have no such case.
I would rather assign public addresses to the clients, but how to avoid NAT/PAT? ISA does not support 1-to-1 mapping, does it? RRAS routing supports it, but RRAS NAT is not good by definition.
Questions:
1) Can "Secondary connections" in "protocol definitions" help?
2) I have allowed UDP ports 500, 4500 and 10000, but only as "SendReceive". Could it help with "Send", "ReceiveSend" or "Receive"?
3) IP packet filters are a bit of a mystery for me:

GRE 47 was created automatically when I enabled PPTP, but it is a kind of predefined "PPTP call" and "PPTP receive" protocol; I created ESP by simply adding "custom" protocol number 50, both directions.
Does it make sense to create filters for undefined protocols this way?

4) Again "Packet filters": I have created a UDP filter:
"custom"
UDP "sendreceive"
"local port: all ports"
"remote port: all ports"
When I created the filter, the value in "protocol number" is 17. What is this?
Along with the Local port options there are "fixed port/local port number" and "dynamic".
Does this filter make sense, and would it help to gamble with these other options?
Would it help to use these other options, and how?

5) I disabled "filtering IP fragments"; is that correct?
6) My clients are SecureNAT clients. I guess that the LAT plays no role here, does it?

I don't know how to debug this thing at all.
This way I can experiment endlessly, never to succeed.

Does anyone know firewall devices other than ISA 2000 (not Cisco IOS, only on W2000) that support this?

Regards,
Vladimir

(in reply to majstorv)
Post #: 9
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 3.Dec.2003 1:11:00 PM   
majstorv (Posts: 22, Joined: 24.Feb.2003, From: Belgrade, Serbia and Montenegro)
Thomas,

if ISA does not pass IP other than GRE, ICMP, UDP and TCP, then I have to give up on ISA, right?

Vladimir

(in reply to majstorv)
Post #: 10
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 3.Dec.2003 1:52:00 PM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi Vladimir,

You do NOT need to pass IP-level protocols if you're using NAT-T. ISA firewalls do work with GRE passthrough for outbound PPTP.

But if you're using NAT-T (proprietary, non-IETF-approved IPSec), then ISA will work with it, because the whole thing is encapsulated in a UDP header.

HTH,
Tom

(in reply to majstorv)
Post #: 11
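To make the "encapsulated in a UDP header" point concrete: with IETF NAT-T (RFC 3948) everything after NAT detection travels on UDP port 4500, and the first four bytes of each datagram tell the receiver whether it is carrying IKE (a four-byte zero "non-ESP marker") or ESP (a non-zero SPI); a one-byte 0xFF datagram is the NAT keepalive. A stateful NAT such as ISA therefore only has to track UDP 500 and UDP 4500 flows; no IP protocol 50 packets ever leave the client. The following demultiplexer is an added example written for this thread (it is not code from the original post, from Cisco or from Microsoft); the sample packets and cookie values are constructed. Cisco's "IPSec over UDP" on port 10000 uses a different, proprietary framing and is not parsed here.

```python
"""
RFC 3948 UDP-encapsulated IPsec (NAT-T on UDP/4500) demultiplexer.
Added example for illustration; sample datagrams are constructed.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s2.2: IKE on port 4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s2.3: NAT keepalive is a single 0xFF byte

# ISAKMP exchange types (RFC 2408 s3.1); 4 is the "OAK AG" aggressive mode seen in Cisco client logs
EXCHANGE_TYPES = {
    2: "identity protection (main mode)",
    4: "aggressive",
    5: "informational",
    32: "quick mode",
}


def classify_udp4500(payload: bytes) -> dict:
    """Say what a datagram received on UDP/4500 carries: keepalive, IKE or ESP.

    Only valid for port 4500 traffic: on port 500 IKE has no non-ESP marker.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[4:]
        if len(ike) < 28:                      # fixed ISAKMP header is 28 bytes
            return {"kind": "malformed"}
        cky_i, cky_r, next_payload, version, exch, flags, msg_id, length = struct.unpack(
            "!8s8sBBBBII", ike[:28]
        )
        return {
            "kind": "ike",
            "initiator_cookie": cky_i.hex(),
            "responder_cookie": cky_r.hex(),   # all zeros in the very first message of a negotiation
            "major_version": version >> 4,
            "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "declared_length": length,
            "length_ok": length == len(ike),
        }
    # Anything else is ESP: SPI 0 is reserved (RFC 4303 s2.1), so a zero first word
    # can only be the non-ESP marker handled above.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "sequence": seq}


def sample_ike_aggressive() -> bytes:
    """Constructed: first aggressive-mode message (SA payload next, IKEv1, no responder cookie yet)."""
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, 4, 0, 0, 28)
    return NON_ESP_MARKER + hdr


def sample_esp() -> bytes:
    """Constructed: ESP with SPI 0x0A1B2C3D, sequence 7, followed by an opaque (encrypted) body."""
    return struct.pack("!II", 0x0A1B2C3D, 7) + b"\x00" * 40


if __name__ == "__main__":
    for name, pkt in [("keepalive", NAT_KEEPALIVE), ("ike", sample_ike_aggressive()), ("esp", sample_esp())]:
        print(name, classify_udp4500(pkt))
```

Run it stand-alone and the three constructed datagrams are reported as keepalive, an IKEv1 aggressive-mode message, and ESP with its SPI. The practical consequence for the ISA SecureNAT case is that when NAT-T is negotiated the firewall log should show outbound UDP 500 followed by UDP 4500, and nothing for IP protocol 50; if protocol 50 packets show up in the packet-filter log, NAT-T was not negotiated.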
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 3.Dec.2003 3:35:00 PM   
l.blokland@itscomputers.n (Posts: 10, Joined: 9.May2003, From: Netherlands)
Hi,

I can see the frustration.
One thing I don't understand:
The VPN connection is established, but no traffic is possible through the tunnel.
The Cisco client is checking whether the connection is still up and sending keep-alives.
I suspect these are being sent correctly; otherwise the connection should be dropped!?
So why isn't it possible to travel through the tunnel?

Leon

(in reply to majstorv)
Post #: 12
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 3.Dec.2003 5:10:00 PM   
webpilot (Posts: 12, Joined: 14.Oct.2003, From: Tampa, Fl)
I am on board with you, Leon; I too do not understand why the connection is maintained and data is not moved. I am earnestly trying to make myself a good student of this product.

I need to get by the book store and check Tom's books out. I like to peer at the paper before buying books.

(in reply to majstorv)
Post #: 13
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 3.Dec.2003 10:48:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hey guys,

if the ISA server and ISA client are correctly set up according to my article http://www.isaserver.org/articles/IPSec_Passthrough.html it should work. So, unless you have an overlapping IP range, it is very likely a Cisco configuration problem.

For some troubleshooting tips, check out http://www.cisco.com/en/US/customer/products/sw/secursw/ps2276/products_configuration_example09186a008010edf4.shtml .

HTH,
Stefaan

(in reply to majstorv)
Post #: 14
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 4.Dec.2003 2:12:00 PM   
l.blokland@itscomputers.n (Posts: 10, Joined: 9.May2003, From: Netherlands)
Hi all,

I got this from a system engineer.
I haven't found time yet to give it a try.
Maybe you guys can!

Leon

access-list xxx permit esp any host vpn.denhaag.nl
access-list xxx permit ahp any host vpn.denhaag.nl
access-list xxx permit udp any host vpn.denhaag.nl eq isakmp
access-list xxx permit tcp any host vpn.denhaag.nl eq 10000
access-list xxx permit udp any host vpn.denhaag.nl eq 10000

(in reply to majstorv)
Post #: 15
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 4.Dec.2003 5:26:00 PM   
l.blokland@itscomputers.n (Posts: 10, Joined: 9.May2003, From: Netherlands)
I Think I got it!

Try this in ISA Server:
Create 3 new protocol definitions:
  name:        settings:
  ISAKMP       500, UDP, send/receive
  UDP(10000)   10000, UDP, send/receive
  TCP(10000)   10000, TCP, outbound

Now create a protocol rule and name it "Cisco VPN client".
Include the just-created protocols (ISAKMP / UDP(10000) / TCP(10000)) and select which users or which computers can use this rule.

Now create 2 packet filters:
1. name: ESP
   custom protocol #50
   direction: both
2. name: AHP
   custom protocol #51
   direction: both

Make sure the client is a SecureNAT client (no Firewall Client active).

This did the trick for me.

Thanks Thomas for the literature!

Leon

(in reply to majstorv)
Post #: 16
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 4.Dec.2003 8:51:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Leon,

remove the two IP packet filters and the TCP(10000) protocol definition and it should still work!

HTH,
Stefaan

(in reply to majstorv)
Post #: 17
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 5.Dec.2003 3:16:00 PM   
majstorv (Posts: 22, Joined: 24.Feb.2003, From: Belgrade, Serbia and Montenegro)
Hi,

Stefaan did help me with that Cisco link;

it describes the problem that I have: upon authentication, I cannot ping anything!

According to the article there are 2 options:

"If NAT-T is not checked on the VPN Concentrator or if NAT transparency is not checked on the VPN client, the IPSec tunnel will be established; however, you will not be able to pass any data. In order for NAT-T to work, you must have NAT-T checked on the concentrator and NAT transparency (over UDP) checked on the client."

After authentication VPN client shows my parameters:

"Client IP address: 146.197.203.11
Server IP address:146.197.27.32
Transparent tunneling: inactive (SHOULD BE ACTIVE)
Tunnel port:0 (SHOULD BE UDP 500, 10000, WHATEVER)
"

In the VPN client, "transparency" is actually checked!
If NAT-T is not checked on the VPN Concentrator, how could other companies (I contacted some of them) succeed with non-Cisco NAT devices such as
"SMC Barricade Plus" and "ZyWall10W"? One of the admins told me there was absolutely nothing to configure.

Can some of you guys take a look at the Cisco VPN client IKE/IPSec log I recorded during authentication and an attempt at application usage?

I know that you are not Cisco experts, but this is more at the IPSec level! If you are willing to investigate this, please say how to send you the log file.

Regards,
Vladimir

(in reply to majstorv)
Post #: 18
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 5.Dec.2003 10:55:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Vladimir,

we seem to agree it is very likely not an ISA Server problem!

Probably the other guys are using the Cisco proprietary TCP encapsulation method and not the IETF-standardized NAT-T encapsulation method. That could explain a lot.

If you like, zip the log file and send it to 'stefaan.pouseele@cevi.be'. Although I have never seen such a log, I will take a look at it and see what I can find out. Just make sure you enabled the maximum level of logging.

HTH,
Stefaan

(in reply to majstorv)
Post #: 19
RE: CISCO VPN client ->ISA 2000-> CISCO VPN Concentrator - 6.Dec.2003 4:22:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Vladimir,

you are in luck! I have just received a request to test a Cisco VPN client through a back-to-back DMZ scenario to a Cisco 3000 VPN Concentrator. As the inner firewall we use an ISA server and as the outer firewall a Checkpoint. So, it is the first time I will have the chance to test it myself!

Therefore, I have started studying that Cisco article in more depth, in particular the Cisco VPN client logging. I also received an example of a client log for a working NAT-T VPN connection through a Cisco NAT device. What have I learned so far?

In the first IKE message the client (Initiator) should announce its NAT-T capability:
SENDING : ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 212.63.225.193

Likewise, the responder should do the same in its first IKE response and include the NAT-D payloads (aggressive mode):
RECEIVING : ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 212.63.225.193

In the logging you should then find an entry:
Peer supports NAT-T

After that, the Initiator (Cisco client) sends its NAT-D payloads:
SENDING : ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 212.63.225.193

... and moves the IKE and all following traffic to the new NAT-T UDP port 4500:
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
Automatic NAT Detection Status:
Remote end IS behind a NAT device
This end IS behind a NAT device

Now, if I look in your log I don't find that sequence at all! So, unless you have not enabled full logging in the Cisco VPN client, I can only conclude that the client does not even propose the NAT-T capability. In other words, if you look into the ISA Firewall log you will only find traffic on UDP port 500, and in the IP packet filter log you should see blocked packets for IP protocol 50 and/or 51. With the available info, it is definitely a Cisco VPN client and/or gateway configuration problem.

HTH,
Stefaan

[ December 07, 2003, 11:49 AM: Message edited by: spouseele ]

(in reply to majstorv)
Post #: 20
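The "Automatic NAT Detection Status" lines in the log above come from the NAT-D payloads the post describes. Under RFC 3947 each side sends HASH(CKY-I | CKY-R | IP | Port) for the address it is sending to and for its own address; the receiver recomputes both with the addresses it actually sees on its socket, and a mismatch means a NAT sits between them. The following is an added example written for this thread (not code from the post, from Cisco or from Microsoft) that works the exchange through for a SecureNAT client behind ISA talking to a concentrator with a public address. All addresses, ports and cookie values are constructed; the addresses come from the documentation ranges.

```python
"""
IKE NAT discovery (RFC 3947 s3.2 NAT-D payloads), worked through for the ISA SecureNAT scenario.
Added example; addresses, ports and cookies below are constructed.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port) using the phase-1 hash algorithm."""
    h = hashlib.new(hash_name)
    h.update(cky_i)                              # 8-byte initiator cookie
    h.update(cky_r)                              # 8-byte responder cookie
    h.update(ipaddress.ip_address(ip).packed)    # 4 bytes for IPv4
    h.update(struct.pack("!H", port))            # 2 bytes, network byte order
    return h.digest()


def build_nat_d(cky_i: bytes, cky_r: bytes, local: tuple, remote: tuple) -> list:
    """Payloads as the sender sees the world: first the peer (destination), then itself (source)."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i: bytes, cky_r: bytes, received: list, my_addr: tuple, observed_peer_addr: tuple) -> dict:
    """Receiver's check against what it sees on its own socket.

    First payload: the sender's idea of my address. If it differs from my real address, I am behind a NAT.
    Remaining payloads: the sender's own addresses. If none matches the source I observed, the sender is.
    """
    first, rest = received[0], received[1:]
    this_end_natted = first != nat_d_hash(cky_i, cky_r, *my_addr)
    expected_peer = nat_d_hash(cky_i, cky_r, *observed_peer_addr)
    remote_natted = not any(p == expected_peer for p in rest)
    return {"this_end_behind_nat": this_end_natted, "remote_end_behind_nat": remote_natted}


def run_scenario() -> dict:
    """Client on a private address behind ISA; concentrator on a public address (constructed values)."""
    cky_i = bytes.fromhex("0123456789abcdef")
    cky_r = bytes.fromhex("fedcba9876543210")
    client_private = ("10.0.0.50", 500)       # SecureNAT client as it sees itself
    client_as_seen = ("203.0.113.10", 500)    # ISA's external address after NAT
    gateway = ("198.51.100.1", 500)           # VPN concentrator, not behind a NAT

    # Second aggressive-mode message: the gateway hashes the source address it actually observed.
    gateway_payloads = build_nat_d(cky_i, cky_r, local=gateway, remote=client_as_seen)
    client_view = detect_nat(cky_i, cky_r, gateway_payloads, my_addr=client_private, observed_peer_addr=gateway)

    # Third message: the client hashes its private address, which the gateway never saw.
    client_payloads = build_nat_d(cky_i, cky_r, local=client_private, remote=gateway)
    gateway_view = detect_nat(cky_i, cky_r, client_payloads, my_addr=gateway, observed_peer_addr=client_as_seen)

    return {"client_view": client_view, "gateway_view": gateway_view}


if __name__ == "__main__":
    for side, result in run_scenario().items():
        print(side, result)
```

In this scenario the client concludes "This end IS behind a NAT device" and the gateway concludes the same about its peer, after which both move IKE to UDP 4500 (the 0x1194 in the log) and UDP-encapsulate ESP. The failure described earlier in the thread, where the tunnel comes up but nothing passes, is the path this code never takes: a gateway with NAT-T disabled sends no VID(Nat-T) and no NAT-D, so the client stays on UDP 500 and emits raw ESP (IP protocol 50), which ISA cannot translate for a SecureNAT client. The log check is therefore exactly the one described above: look for VID(Nat-T) on both sides and the NAT-D payloads, then for the move to port 4500.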