Re: Cisco VPN Connection Problems

Hi ZVR,

Thanks for the article. Does it mean that I need to get PIX configured as
per section 5.2?



"ZVR" <nospamever@xxxxxx> wrote in message
news:n_mdnYoWZbdqMsveRVn-2w@xxxxxxxxxxxxx
> Your solution is a "workaround" at best. These issues with VPN clients
> from behind ISA occur usually because the clients are not configured for
> VPN NAT traversal (by encapsulating IPSEC packets in UDP packets which is
> an accepted form of NAT-T). Not to mention that the remote VPN server (PIX
> in your case) should also support the NAT traversal and not all of them
> do, especially those with old(er) firmwares.
>
> Here's an excellent article I recently found about this topic, that goes
> into great lengths to explain the background of this issue and what needs
> to be done to overcome the barrier. The article also features links to MS
> KB articles on this topic. See section "5.2 Cisco" of the article for your
> scenario.
>
> http://tinyurl.com/bjzyg
>
> Virgil
>
>
>
> "Miguel" <miguel@xxxxxxxxx> wrote in message
> news:Or6rINN1FHA.2348@xxxxxxxxxxxxxxxxxxxxxxx
>> Hi Chris.
>>
>> I just solved my problem adding remote machine IP address in my Internal
>> Network Address Interval. So when the tunnel is established, ISA doesn't
>> "touch" this traffic allowing Cisco client routing to the correct
>> destination.
>>
>> Well, the issue was solved but I am very interested in replacing Cisco
>> Clients on the internal machines with a Site-to-Site connection with our
>> customer (the customer side infrastructure is out of my control)...
>>
>> I hope that it helps you, Chris.
>>
>> Miguel.
>>
>> "Chris Rees" <chrisr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:u4pp68L1FHA.2072@xxxxxxxxxxxxxxxxxxxxxxx
>>> I cannot connect to two customer sites. One site has a CISCO PIX 506E
>>> and another has a CISCO PIX 515.
>>>
>>> If I could configure ISA 2004 to connect directly to them it would be
>>> great.
>>>
>>> The problem is I don't know how to do this! Can anybody direct me to any
>>> help setting this up? I don't have much control over our customers' CISCO
>>> firewall so that may make things more difficult.
>>>
>>>
>>> "Miguel" <miguel@xxxxxxxxx> wrote in message
>>> news:ONsIzyL1FHA.2072@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Hi
>>>>
>>>> I'm in the same trouble as you and I would like to go further with this
>>>> issue. Is it possible to implement a Site-to-site VPN with ISA 2004, so
>>>> we can forget about using the Cisco VPN client on internal machines? I've
>>>> configured some site-to-site VPNs with PPTP, but not with IPsec.
>>>>
>>>> Chris, I hope that you can apply the idea... if we find the solution,
>>>> of course :).
>>>>
>>>> Thanks for any help.
>>>>
>>>> "Chris Rees" <chrisr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>> news:%23AjVWNJ1FHA.164@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> Hi,
>>>>>
>>>>> We have recently changed our firewall from a linux firewall to an
>>>>> ISA2004 server.
>>>>>
>>>>> We connect to 3 customer sites using CISCO VPN Client. The CISCO
>>>>> client is installed on the Windows XP workstations behind the ISA
>>>>> server.
>>>>>
>>>>> Ever since installing ISA 2004 we have been able to connect to the
>>>>> sites' VPN but cannot communicate with servers on site using RDP,
>>>>> SQL, PING etc. Is there anything that needs to be configured on the
>>>>> ISA server? I have opened all protocols outbound to the customers' VPN
>>>>> IP address and as far as I can see nothing is being blocked.
>>>>>
>>>>> One other thing I have noticed is that there doesn't seem to be
>>>>> anything being received in the byte count on the CISCO VPN client
>>>>> statistics.
>>>>>
>>>>> Is there any way to configure the ISA 2004 server to route VPN traffic
>>>>> on behalf of the clients instead of installing VPN client on each
>>>>> workstation?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Chris Rees.
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

