Cisco VPN and ISA Server 2006
-
Tuesday, August 17, 2010 11:49 PM
I have the Cisco VPN client on a Windows XP client, which connects to another network through the ISA Server on my network.
I use SecureNAT for the Windows XP client. I can connect using the Cisco VPN client, but I'm not able to connect to any device on the remote network.
How can I solve it?
All Replies
-
Wednesday, August 18, 2010 5:04 AM (Moderator)
Hi,
Thank you for the post.
Before going any further, I'd like to ask the following questions:
1. What is your network topology? Which of the following is true?
1) Winxp-----------cisco vpn---------ISA Server-------external
2) Winxp-----------cisco vpn---------external(VPN)----------ISA Server
2. Have you configured a site-to-site VPN? How did you do that, on the Cisco side or on ISA Server?
3. What do you mean by "I'm not able to connect to any device at the remote network": ping or HTTP?
Regards,
Nick Gu - MSFT
Wednesday, August 18, 2010 10:06 AM
Hi,
Thanks for your reply.
Regarding the first question, this is my network topology:
( Winxp-----------cisco vpn client )---------ISA Server-------external
where the Cisco VPN client is software installed on the WinXP machine, and I use SecureNAT.
Regarding the second question, I created two firewall access rules.
The first rule allows all outbound traffic from all networks (and Local Host) to all networks (and Local Host) for all users.
For the second rule, I created a protocol called "Cisco UDP" that allows the following ports (500, 4500, 62151) with Send Receive direction, then created a rule that allows the Cisco UDP protocol from all networks (and Local Host) to all networks (and Local Host) for all users.
I didn't configure a site-to-site VPN, and I don't think that would work because I don't have a pre-shared key or certificate.
For the third question: after I connect with the Cisco VPN client and get an IP from the remote network, I can't reach any remote device, by ping or SSH.
-
Wednesday, August 18, 2010 1:28 PM
Hi Ramy
First, one question: why do you have a firewall like ISA and then allow all traffic?
Does ISA Server block any traffic when you log the traffic from the VPN client?
Try disabling "Enforce strict RPC compliance" by right-clicking on your rules. There should not be a problem getting the Cisco VPN client through an ISA Server.
Are you sure that this works if you don't have an ISA in front of the VPN gateway?
Wednesday, August 18, 2010 4:20 PM
Hi MrAnders,
thanks for your response,
I tried disabling "Enforce strict RPC compliance" but it didn't work,
and I'm sure that the Cisco VPN client works properly without the ISA server.
Here is some information that may be useful.
When I connect the VPN client through the ISA server and run ipconfig, the part of the result related to the Cisco VPN client is:
Ethernet adapter Local Area Connection 5
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.20.20.225
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 212.103.160.18
212.103.160.22
But when I try to ping or tracert 10.20.20.20, which is a device on the remote network, the result is "Request timed out", and I'm not able to SSH.
And I found dropped packets and graceful shutdowns in the ISA server log, like:
0x80074e20 FWX_E_GRACEFUL_SHUTDOWN
0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
0x80074e21 FWX_E_ABORTIVE_SHUTDOWN
Original Client IP Client Agent Authenticated Client Service Referring Server Destination Host Name Transport HTTP Method MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Cache Information Error Information Authentication Server Log Time Client IP Destination IP Destination Port Protocol Action Rule Result Code HTTP Status Code Client Username Source Network Destination Network URL Server Name Log Record Type
192.168.59.1 - UDP - - - 8/19/2010 12:49:51 PM 62515 59000 40 0 0x0 0x0 - 8/19/2010 5:49:51 AM 192.168.59.1 81.21.102.25 62515 Cisco UDP Closed Connection Cisco UDP 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN Internal External - MYSERVER Firewall
192.168.59.1 - UDP - - - 8/19/2010 12:49:59 PM 62515 0 0 0 0x0 0x0 - 8/19/2010 5:49:59 AM 192.168.59.1 81.21.102.25 62515 Cisco UDP Initiated Connection Cisco UDP 0x0 ERROR_SUCCESS Internal External - MYSERVER Firewall
10.98.6.11 - TCP - - - 8/19/2010 12:50:11 PM 1160 0 737 253 0x0 0x0 - 8/19/2010 5:50:11 AM 10.98.6.11 74.125.43.113 80 HTTP Closed Connection 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN Local Host External - MYSERVER Firewall
10.98.6.11 - TCP - - - 8/19/2010 12:51:30 PM 1159 0 0 0 0x0 0x0 - 8/19/2010 5:51:30 AM 10.98.6.11 74.125.43.104 80 HTTP Denied Connection 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED Local Host External - MYSERVER Firewall
10.98.6.11 - TCP - - - 8/19/2010 12:51:37 PM 1158 0 0 0 0x0 0x0 - 8/19/2010 5:51:37 AM 10.98.6.11 74.125.43.103 80 HTTP Denied Connection 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED Local Host External - MYSERVER Firewall
10.98.6.11 - TCP - - - 8/19/2010 12:51:37 PM 1160 0 0 0 0x0 0x0 - 8/19/2010 5:51:37 AM 10.98.6.11 74.125.43.113 80 HTTP Denied Connection 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED Local Host External - MYSERVER Firewall
10.98.0.204 - TCP - - - 8/19/2010 12:58:48 PM 46711 0 48 40 0x0 0x0 - 8/19/2010 5:58:48 AM 10.98.0.204 10.98.6.11 445 Microsoft CIFS (TCP) Closed Connection Allow All connection 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN External Local Host - MYSERVER Firewall
10.98.0.204 - TCP - - - 8/19/2010 12:58:51 PM 46711 0 0 0 0x0 0x0 - 8/19/2010 5:58:51 AM 10.98.0.204 10.98.6.11 445 Microsoft CIFS (TCP) Initiated Connection Allow All connection 0x0 ERROR_SUCCESS External Local Host - MYSERVER Firewall
10.98.0.204 - TCP - - - 8/19/2010 12:58:51 PM 46711 0 48 40 0x0 0x0 - 8/19/2010 5:58:51 AM 10.98.0.204 10.98.6.11 445 Microsoft CIFS (TCP) Closed Connection Allow All connection 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN External Local Host - MYSERVER Firewall
Thanks.
-
Thursday, August 19, 2010 2:41 AM (Moderator)
Hi,
Thank you for the post.
To allow the Cisco VPN client to connect from behind the ISA Server, you should create the following access rule:
Protocols: IKE Client
IPSec NAT-T Client
Sources: internal
Destinations: external
User sets: all users
Regards,
Nick Gu - MSFT
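The log rows posted above and the moderator's IKE Client / IPSec NAT-T Client rule both come down to one check: did ISA allow or deny the client's UDP flows to the VPN gateway on 500, 4500 and 62515, and what do the result codes on those rows mean? The script below is an added example, not code from the thread or from Microsoft. It parses a constructed log sample in W3C extended format (the #Fields names are an assumption modelled on ISA's file log; the first three rows mirror entries quoted above, and the last two rows, the rule name "Cisco VPN out" and the denied IKE flow with ISA's FWX_E_POLICY_RULES_DENIED code, are invented to show one allowed and one denied control flow). The gateway address 81.21.102.25 is the one in the posted rows.

```python
"""Check what ISA did with the Cisco VPN client's control traffic (added example)."""

# Result codes quoted in the thread, with ISA's meanings, plus the code ISA
# logs when no access rule allows a connection.
RESULT_CODES = {
    "0x0": "ERROR_SUCCESS: connection created",
    "0x80074e20": "FWX_E_GRACEFUL_SHUTDOWN: connection closed normally (for UDP: idle timeout)",
    "0x80074e21": "FWX_E_ABORTIVE_SHUTDOWN: connection closed by a TCP reset",
    "0xc0040017": "FWX_E_TCP_NOT_SYN_PACKET_DROPPED: non-SYN TCP packet with no open connection",
    "0xc004000d": "FWX_E_POLICY_RULES_DENIED: no access rule allowed the connection",
}

# UDP ports the client must reach on the VPN gateway: IKE, IPsec NAT-T, and the
# Cisco UDP encapsulation port that appears in the thread's log rows.
VPN_PORTS = {500: "IKE Client", 4500: "IPSec NAT-T Client", 62515: "Cisco UDP"}

# Constructed sample log, W3C extended format (tab-separated, #Fields header).
# Field names are assumed; the first rows mirror the thread, the last two are
# invented (allowed NAT-T flow, denied IKE flow) to exercise both outcomes.
SAMPLE_LOG = """#Software: Microsoft(R) Internet Security and Acceleration Server 2006
#Fields:\tc-ip\tdate\ttime\tcs-transport\tr-ip\tr-port\tcs-protocol\taction\trule\tresult-code\tcs-network\tsc-network
192.168.59.1\t2010-08-19\t05:49:51\tUDP\t81.21.102.25\t62515\tCisco UDP\tClosed Connection\tCisco UDP\t0x80074e20\tInternal\tExternal
192.168.59.1\t2010-08-19\t05:49:59\tUDP\t81.21.102.25\t62515\tCisco UDP\tInitiated Connection\tCisco UDP\t0x0\tInternal\tExternal
10.98.6.11\t2010-08-19\t05:51:30\tTCP\t74.125.43.104\t80\tHTTP\tDenied Connection\t-\t0xc0040017\tLocal Host\tExternal
192.168.59.1\t2010-08-19\t05:52:10\tUDP\t81.21.102.25\t4500\tIPSec NAT-T Client\tInitiated Connection\tCisco VPN out\t0x0\tInternal\tExternal
192.168.59.1\t2010-08-19\t05:52:12\tUDP\t81.21.102.25\t500\tIKE Client\tDenied Connection\t-\t0xc004000d\tInternal\tExternal
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def describe_code(code):
    """Human-readable meaning of an ISA result code, or a marker for unknown ones."""
    return RESULT_CODES.get(code.lower(), f"{code}: result code not in table")


def vpn_flow_summary(text, gateway_ip):
    """Per destination port: how many UDP flows to the gateway ISA allowed/denied, and their codes."""
    summary = {}
    for rec in parse_w3c(text):
        if rec["cs-transport"] != "UDP" or rec["r-ip"] != gateway_ip:
            continue
        port = int(rec["r-port"])
        entry = summary.setdefault(port, {"service": VPN_PORTS.get(port, "unexpected port"),
                                          "allowed": 0, "denied": 0, "codes": set()})
        if rec["action"] == "Initiated Connection":
            entry["allowed"] += 1
        elif rec["action"] == "Denied Connection":
            entry["denied"] += 1
        entry["codes"].add(rec["result-code"])
    return summary


def blocked_vpn_ports(summary):
    """VPN ports ISA denied, or never saw an allowed flow for: the access rules to fix first."""
    return sorted(p for p in VPN_PORTS
                  if p not in summary or summary[p]["denied"] or not summary[p]["allowed"])


if __name__ == "__main__":
    summary = vpn_flow_summary(SAMPLE_LOG, "81.21.102.25")
    for port, e in sorted(summary.items()):
        print(f"udp/{port:<6}{e['service']:<20}allowed={e['allowed']} denied={e['denied']}")
        for code in sorted(e["codes"]):
            print(f"    {describe_code(code)}")
    print("fix access rules for:", blocked_vpn_ports(summary) or "nothing; ISA passes the tunnel setup")
```

To use it on a real export, replace the #Fields line with the one ISA wrote. If it reports nothing blocked for the gateway, ISA is passing the tunnel setup (the 62515 rows quoted in the thread are all ERROR_SUCCESS or GRACEFUL_SHUTDOWN, i.e. allowed and then idle-timed-out), and the next things to check are the client's routing for the remote subnet and the remote gateway's configuration rather than further access rules.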
Thursday, August 19, 2010 3:10 PM
Hi
thanks for your reply.
I created this access rule but the problem still exists.
In the ISA logs I found some errors like:
Original Client IP Client Agent Authenticated Client Service Referring Server Destination Host Name Transport HTTP Method MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Cache Information Error Information Authentication Server Log Time Client IP Destination IP Destination Port Protocol Action Rule Result Code HTTP Status Code Client Username Source Network Destination Network URL Server Name Log Record Type
192.168.59.1 - UDP - - - 8/19/2010 11:29:10 AM 3909 61000 44 0 0x0 0x0 - 8/19/2010 4:29:10 AM 192.168.59.1 81.21.102.25 62515 Cisco UDP Closed Connection Cisco UDP 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN Internal External - MYSERVER Firewall
10.98.44.131 - TCP - - - 8/19/2010 11:32:40 AM 1164 0 0 0 0x0 0x0 - 8/19/2010 4:32:40 AM 10.98.44.131 89.202.157.227 80 HTTP Denied Connection 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED Local Host External - MYSERVER Firewall
10.98.13.243 - TCP - - - 8/19/2010 11:36:41 AM 3415 0 48 40 0x0 0x0 - 8/19/2010 4:36:41 AM 10.98.13.243 10.98.44.131 445 Microsoft CIFS (TCP) Closed Connection Allow All connection 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN External Local Host - MYSERVER Firewall
And when I make a connection using the Cisco VPN client and take an IP from the remote network, like 10.20.20.163,
and try tracert 10.20.20.20, where this server is on the remote network, the result is:
C:\Documents and Settings\User>tracert 10.20.20.20
Tracing route to 10.20.20.20. [10.20.20.20]
over a maximum of 30 hops:

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.
This means that I can't go through the ISA server to reach the remote network.
But when I tracert google.com, this is the result:
C:\Documents and Settings\User>tracert google.com
Tracing route to google.com [173.194.36.104]
over a maximum of 30 hops:

1 1 ms <1 ms <1 ms 192.168.59.128
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 140 ms 109 ms 202 ms 41.153.0.3
6 * * * Request timed out.
7 149 ms 160 ms 159 ms if-0-1-0.core1.WYN-Marseille.as6453.net [80.231.165.37]
8 178 ms 140 ms 141 ms ix-7-0-0.core1.WYN-Marseille.as6453.net [80.231.165.18]
9 167 ms 139 ms 150 ms 216.239.43.156
10 177 ms 186 ms 149 ms 216.239.43.68
11 168 ms 219 ms 180 ms 216.239.49.46
12 179 ms 140 ms 148 ms 209.85.251.62
13 147 ms 746 ms 142 ms 173.194.36.104

Trace complete.
where the first hop goes to the ISA server (gateway).
How can I solve this?
-
Friday, August 27, 2010 11:36 PM (Moderator)
Hi,
Can you provide us with the ipconfig of your client once it has connected with the VPN, and the IP address range of the remote network that you are trying to reach?
Is the remote network in any way defined as a network in ISA? What kind of rules do you have for the remote network on ISA?
The logs you provided above will not help, since they are all going to different IPs and I don't see the remote network IP anywhere in those logs. From the tracert it looks like you are failing on the first hop. Have you tried adding a persistent route to the remote network on the client, with ISA as the DG for the remote network?
-
Monday, August 30, 2010 1:59 PM
Hi,
thanks for your reply.
ipconfig of the client once it has connected:
C:\Documents and Settings\User>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : user
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Network Adapter LAN1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Ethernet Adapter for LAN1
Physical Address. . . . . . . . . : 00-50-56-C0-00-01
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.59.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.59.128
DNS Servers . . . . . . . . . . . : 10.64.40.2

Ethernet adapter Local Area Connection 5:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.20.20.226 <-- IP taken from remote network
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 212.103.160.18
212.103.160.22
The remote network is not defined as a network in ISA. How can I define the remote network? I can't use IPsec (it needs a certificate authority or pre-shared key) or PPTP (it needs a username and password).
How can I add a persistent route to the remote network on the client and have ISA as the DG (what does DG stand for?) for the remote network?
-
Monday, September 13, 2010 4:50 AM (Moderator)
DG= Default Gateway
So the route you will add on this client would be
route add (remote network) subnet (VPN IP address of ISA provided by the remote network)
Is 192.168.59.128 the IP of the ISA server?
-
Tuesday, September 14, 2010 7:15 PM
Hi,
thanks for your reply,
192.168.59.128 is the ISA server on my network, which I use as the gateway for my client.
So the correct command to run on my client to connect to the remote network and send and receive data is:
route -p add 10.20.20.0 mask 255.255.255.0 192.168.59.128
Is that right?
-
Friday, September 17, 2010 6:45 PM (Moderator)
Yes, that should be correct.
-
Saturday, September 25, 2010 8:42 AM
Hi,
thanks for your answer.
Unfortunately it didn't work.
Any answer will be appreciated.
-
Monday, September 27, 2010 10:58 PM (Moderator)
Hi Ramy,
Looks like we will have to collect Oakley logs and TMG Data Analyzer logs to understand what's going on. Is there a way you can open a case to work with us?
Thanks.