CISCO VPN client -> ISA 2000 -> CISCO VPN Concentrator


Post by majstorvla » Thu, 20 Nov 2003 07:16:23


Hello,

we have notebooks with applications using CISCO VPN Clients connecting to
CISCO VPN Concentrator somewhere on Internet.
We have ISA 2000 "integrated" on our way out.

This VPN server uses IPSec and IKE tunnelling. It also uses so-called
"Transparent tunnelling". This is a part of the instruction manual:

"Transparent tunneling allows secure transmission between the VPN Client and
a secure gateway through a router serving as a firewall, which may also be
performing Network Address Translation (NAT) or Port Address Translations
(PAT). Transparent tunneling encapsulates Protocol 50 (ESP) traffic within
UDP packets and can allow for both IKE (UDP 500) and Protocol 50 to be
encapsulated in TCP packets before they are sent through the NAT or PAT
devices and/or firewalls. The most common application for transparent
tunneling is behind a home router performing PAT.

Then select a mode of transparent tunneling, over UDP or over TCP. The mode
you use must match that used by the secure gateway to which you are
connecting. Either mode operates properly through a PAT device. Multiple
simultaneous connections might work better with TCP, and if you are in an
extranet environment, then in general TCP mode is preferable. UDP does not
operate with stateful firewalls so in this case, use TCP.

1. Allow IPSec over UDP (NAT/PAT)
To enable Allow IP over UDP , click the radio button. With UDP, the port
number is negotiated. UDP is the default mode

2. Use IPSec over TCP (NAT/PAT/Firewall)
To enable Use IPSec over TCP, click the radio button. When using TCP, you
must also enter the port number for TCP in the TCP port field. This port
number must match the port number configured on the secure gateway. The
default port number is 10000. "

So,
the notebooks are configured well; everything works normally over dial-up to the ISP
(because of the public address assigned to the notebook).

1) Now, how to make this work over ISA 2000 firewall?
2) What ports need to be opened between ISA and Concentrator?
3) If ISA NAT/PAT does not support all this, would it help to reserve one
public address for a specific internal (notebook) address on ISA 2000, and how
to do that?

Regards,
Vladimir
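The two transparent-tunnelling modes quoted from the manual above, as a small added model that is not from the original post, from Cisco or from Microsoft: it lists which outbound flows a firewall must permit for each mode and shows why raw ESP (IP protocol 50) cannot be handled by a PAT device at all, which is the reason the encapsulation exists. The public address 203.0.113.10, the notebook addresses and the negotiated UDP port are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

IKE_UDP_PORT = 500               # IKE (UDP 500), as stated in the quoted manual
ESP_IP_PROTOCOL = 50             # raw ESP, IP protocol 50: carries no port numbers
DEFAULT_TCP_TUNNEL_PORT = 10000  # "IPSec over TCP" default from the quoted manual


@dataclass(frozen=True)
class Flow:
    """One outbound flow from a notebook (constructed sample data)."""
    src: str
    proto: str            # "udp", "tcp" or "esp"
    sport: Optional[int]  # None for ESP, which has no ports
    dport: Optional[int]


def allowed_tunnel_flows(mode: str, negotiated_udp_port: int,
                         tcp_port: int = DEFAULT_TCP_TUNNEL_PORT) -> Set[Tuple[str, int]]:
    """(proto, dport) pairs the firewall must let out for the chosen mode."""
    if mode == "udp":
        # IKE stays on UDP 500; ESP is wrapped in UDP on the negotiated port
        # (assumed known to the administrator here).
        return {("udp", IKE_UDP_PORT), ("udp", negotiated_udp_port)}
    if mode == "tcp":
        # Both IKE and ESP ride inside one TCP connection to the gateway port.
        return {("tcp", tcp_port)}
    raise ValueError(f"unknown transparent-tunnelling mode {mode!r}")


class PatDevice:
    """Minimal port-address-translation model with a single public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}

    def translate(self, flow: Flow, allowed: Set[Tuple[str, int]]) -> str:
        if flow.proto == "esp":
            # PAT keys its state on (proto, inside ip, inside port). ESP has no
            # port, so replies for two notebooks could not be told apart.
            return "dropped: protocol 50 has no port to translate"
        if (flow.proto, flow.dport) not in allowed:
            return "dropped: not in the tunnel profile"
        key = (flow.proto, flow.src, flow.sport)
        if key not in self.table:  # allocate one public port per inside socket
            self.table[key] = self.next_port
            self.next_port += 1
        return f"{self.public_ip}:{self.table[key]}"
```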

CISCO VPN client -> ISA 2000 -> CISCO VPN Concentrator

Post by Dieter Rau » Thu, 20 Nov 2003 21:17:05

Hello majstorvlada,



(...)


Look at this:
http://www.yqcomputer.com/
http://www.yqcomputer.com/

Regards,
Dieter

--
Dieter Rauscher - MVP ISA / Exchange Server
German help & info on ISA Server: http://www.yqcomputer.com/
Please do ask/answer only in the newsgroups.


CISCO VPN client -> ISA 2000 -> CISCO VPN Concentrator

Post by Thomas W S » Fri, 28 Nov 2003 12:51:28

Hi Dieter,

Thanks for recommending the ISA Server 2000 VPN Deployment Kit!




: Hello majstorvlada,
:
:
: > we have notebooks with applications using CISCO VPN Clients
: > connecting to CISCO VPN Concentrator somewhere on Internet.
: > We have ISA 2000 "integrated" on our way out.
:
: (...)
:
: > 1) Now, how to make this work over ISA 2000 firewall?
: > 2) What ports need to be opened between ISA and Concentrator?
: > 3) If ISA NAT/PAT does not support all this, would it help to
: > reserve one public address for a specific internal (notebook) address on
: > ISA 2000, and how to do that?
:
: Look at this:
: http://www.yqcomputer.com/
: http://www.yqcomputer.com/
:
: Regards,
: Dieter
:
: --
: Dieter Rauscher - MVP ISA / Exchange Server
: German help & info on ISA Server: http://www.yqcomputer.com/
: Please do ask/answer only in the newsgroups.
:
: