Cisco VPN and ISA Server 2006

    Question

  • I have a Cisco VPN client on a Windows XP machine that connects to another network through the ISA Server on my network.

    I use SecureNAT for Windows XP. I can connect using the Cisco VPN client, but I'm not able to connect to any device on the remote network.

    How can I solve it?

    Tuesday, August 17, 2010 11:49 PM

All replies

  • Hi,

     

    Thank you for the post.

    Before going any further, I'd like to ask the following questions:

    1. What is your network topology? Which of the following is true?

    1) Winxp-----------cisco vpn---------ISA Server-------external

    2) Winxp-----------cisco vpn---------external(VPN)----------ISA Server

    2. Have you configured a site-to-site VPN? How did you do that? On Cisco or ISA Server?

    3. What do you mean by "I'm not able to connect to any device at the remote network"? Ping or HTTP?

    Regards,


    Nick Gu - MSFT
    Wednesday, August 18, 2010 5:04 AM
    Moderator
  • Hi,

    Thanks for your reply.

    Regarding the first question, this is my network topology:

         (  Winxp-----------cisco vpn client )---------ISA Server-------external

    where the Cisco VPN client is software installed on WinXP, and I use SecureNAT.

    Regarding the second question, I created two firewall access rules:

    The first rule allows all outbound traffic from all networks (and localhost) to all networks (and localhost) for all users.

    For the second rule, I created a protocol called Cisco UDP and allowed the following ports (500, 4500, 62151) with send/receive direction, then created a rule that allows the Cisco UDP protocol from all networks (and localhost) to all networks (and localhost) for all users.

    I didn't configure a site-to-site VPN, and I don't think this would work because I don't have a pre-shared key or certificate.

    For the third question, after I connect with the Cisco VPN client and get an IP from the remote network, I can't reach any remote device by ping or SSH.

    Wednesday, August 18, 2010 10:06 AM
  • Hi Ramy

    First, one question: why do you have a firewall like ISA and then allow all traffic?

    Does ISA Server block any traffic when you log the traffic from the VPN client?
    Try disabling "Enforce strict RPC Compliance" by right-clicking on your rules.

    There should not be a problem getting the Cisco VPN client through an ISA Server.
    Are you sure that this works if you don't have an ISA before the VPN gateway?

    Wednesday, August 18, 2010 1:28 PM
  • Hi MrAnders,

    Thanks for your response.

    I tried disabling "Enforce strict RPC Compliance" but it didn't work,

    and I'm sure that the Cisco VPN client works properly without the ISA server.

    Here is some information that may be useful.

    When I connect the VPN client through the ISA server and run ipconfig, the result related to the Cisco VPN client is:

    Ethernet adapter Local Area Connection 5

            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : Cisco Systems VPN Adapter
            Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 10.20.20.225
            Subnet Mask . . . . . . . . . . . : 255.255.255.255
            Default Gateway . . . . . . . . . :
            DNS Servers . . . . . . . . . . . : 212.103.160.18
                                                212.103.160.22

    But when I try to ping or tracert to 10.20.20.20, which is a device on the remote network, the result is "Request timed out", and I'm not able to SSH.

    I also found dropped packets and graceful shutdowns from the ISA server like:

    0x80074e20 FWX_E_GRACEFUL_SHUTDOWN

    0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED

    0x80074e21 FWX_E_ABORTIVE_SHUTDOWN

    Original Client IP Client Agent Authenticated Client Service Referring Server Destination Host Name Transport HTTP Method MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Cache Information Error Information Authentication Server Log Time Client IP Destination IP Destination Port Protocol Action Rule Result Code HTTP Status Code Client Username Source Network Destination Network URL Server Name Log Record Type

    192.168.59.1    -  UDP - -      -    8/19/2010 12:49:51 PM 62515 59000 40 0 0x0 0x0 - 8/19/2010 5:49:51 AM 192.168.59.1 81.21.102.25 62515 Cisco UDP Closed Connection Cisco UDP 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN   Internal External - MYSERVER Firewall
    192.168.59.1    -  UDP - -      -    8/19/2010 12:49:59 PM 62515 0 0 0 0x0 0x0 - 8/19/2010 5:49:59 AM 192.168.59.1 81.21.102.25 62515 Cisco UDP Initiated Connection Cisco UDP 0x0 ERROR_SUCCESS   Internal External - MYSERVER Firewall
    10.98.6.11    -  TCP - -      -    8/19/2010 12:50:11 PM 1160 0 737 253 0x0 0x0 - 8/19/2010 5:50:11 AM 10.98.6.11 74.125.43.113 80 HTTP Closed Connection  0x80074e20 FWX_E_GRACEFUL_SHUTDOWN   Local Host External - MYSERVER Firewall

     

    10.98.6.11    -  TCP - -      -    8/19/2010 12:51:30 PM 1159 0 0 0 0x0 0x0 - 8/19/2010 5:51:30 AM 10.98.6.11 74.125.43.104 80 HTTP Denied Connection  0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED   Local Host External - MYSERVER Firewall
    10.98.6.11    -  TCP - -      -    8/19/2010 12:51:37 PM 1158 0 0 0 0x0 0x0 - 8/19/2010 5:51:37 AM 10.98.6.11 74.125.43.103 80 HTTP Denied Connection  0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED   Local Host External - MYSERVER Firewall
    10.98.6.11    -  TCP - -      -    8/19/2010 12:51:37 PM 1160 0 0 0 0x0 0x0 - 8/19/2010 5:51:37 AM 10.98.6.11 74.125.43.113 80 HTTP Denied Connection  0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED   Local Host External - MYSERVER Firewall

     

    10.98.0.204    -  TCP - -      -    8/19/2010 12:58:48 PM 46711 0 48 40 0x0 0x0 - 8/19/2010 5:58:48 AM 10.98.0.204 10.98.6.11 445 Microsoft CIFS (TCP) Closed Connection Allow All connection 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN   External Local Host - MYSERVER Firewall
    10.98.0.204    -  TCP - -      -    8/19/2010 12:58:51 PM 46711 0 0 0 0x0 0x0 - 8/19/2010 5:58:51 AM 10.98.0.204 10.98.6.11 445 Microsoft CIFS (TCP) Initiated Connection Allow All connection 0x0 ERROR_SUCCESS   External Local Host - MYSERVER Firewall
    10.98.0.204    -  TCP - -      -    8/19/2010 12:58:51 PM 46711 0 48 40 0x0 0x0 - 8/19/2010 5:58:51 AM 10.98.0.204 10.98.6.11 445 Microsoft CIFS (TCP) Closed Connection Allow All connection 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN   External Local Host - MYSERVER Firewall

     

    Thanks

    Wednesday, August 18, 2010 4:20 PM
  • Hi,

     

    Thank you for the post.

     

    To allow the Cisco VPN client to connect from behind the ISA Server, you should create the following access rule:

    Protocols: IKE Client, IPSec NAT-T Client

    Sources: Internal

    Destinations: External

    User sets: All users

    Regards,


    Nick Gu - MSFT
    Thursday, August 19, 2010 2:41 AM
    Moderator
  • Hi

    Thanks for your reply.

    I created this access rule but the problem still exists.

    In the ISA logs I found some errors like:

    Original Client IP Client Agent Authenticated Client Service Referring Server Destination Host Name Transport HTTP Method MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Cache Information Error Information Authentication Server Log Time Client IP Destination IP Destination Port Protocol Action Rule Result Code HTTP Status Code Client Username Source Network Destination Network URL Server Name Log Record Type

    192.168.59.1    -  UDP - -      -    8/19/2010 11:29:10 AM 3909 61000 44 0 0x0 0x0 - 8/19/2010 4:29:10 AM 192.168.59.1 81.21.102.25 62515 Cisco UDP Closed Connection Cisco UDP 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN   Internal External - MYSERVER Firewall

    10.98.44.131    -  TCP - -      -    8/19/2010 11:32:40 AM 1164 0 0 0 0x0 0x0 - 8/19/2010 4:32:40 AM 10.98.44.131 89.202.157.227 80 HTTP Denied Connection  0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED   Local Host External - MYSERVER Firewall

    10.98.13.243    -  TCP - -      -    8/19/2010 11:36:41 AM 3415 0 48 40 0x0 0x0 - 8/19/2010 4:36:41 AM 10.98.13.243 10.98.44.131 445 Microsoft CIFS (TCP) Closed Connection Allow All connection 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN   External Local Host - MYSERVER Firewall

     

    And when I make a connection using the Cisco VPN Client and take an IP from the remote network like 10.20.20.163,

    and try tracert 10.20.20.20, where this server is on the remote network, the result is:

    C:\Documents and Settings\User>tracert 10.20.20.20

    Tracing route to 10.20.20.20. [10.20.20.20]
    over a maximum of 30 hops:

      1     *        *        *     Request timed out.
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.
      6     *        *        *     Request timed out.
      7     *        *        *     Request timed out.
      8     *        *        *     Request timed out.
      9     *        *        *     Request timed out.
     10     *        *        *     Request timed out.
     11     *        *        *     Request timed out.
     12     *        *        *     Request timed out.
     13     *        *        *     Request timed out.
     14     *        *        *     Request timed out.
     15     *        *        *     Request timed out.
     16     *        *        *     Request timed out.
     17     *        *        *     Request timed out.
     18     *        *        *     Request timed out.
     19     *        *        *     Request timed out.
     20     *        *        *     Request timed out.
     21     *        *        *     Request timed out.
     22     *        *        *     Request timed out.
     23     *        *        *     Request timed out.
     24     *        *        *     Request timed out.
     25     *        *        *     Request timed out.
     26     *        *        *     Request timed out.
     27     *        *        *     Request timed out.
     28     *        *        *     Request timed out.
     29     *        *        *     Request timed out.
     30     *        *        *     Request timed out.

    Trace complete.

     

    This means that I can't go through the ISA server to reach the remote network.

    But when I tracert google.com, this is the result:

    C:\Documents and Settings\User>tracert google.com

    Tracing route to google.com [173.194.36.104]
    over a maximum of 30 hops:

      1     1 ms    <1 ms    <1 ms  192.168.59.128
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5   140 ms   109 ms   202 ms  41.153.0.3
      6     *        *        *     Request timed out.
      7   149 ms   160 ms   159 ms  if-0-1-0.core1.WYN-Marseille.as6453.net [80.231.165.37]
      8   178 ms   140 ms   141 ms  ix-7-0-0.core1.WYN-Marseille.as6453.net [80.231.165.18]
      9   167 ms   139 ms   150 ms  216.239.43.156
     10   177 ms   186 ms   149 ms  216.239.43.68
     11   168 ms   219 ms   180 ms  216.239.49.46
     12   179 ms   140 ms   148 ms  209.85.251.62
     13   147 ms   746 ms   142 ms  173.194.36.104

    Trace complete.

    where the first hop goes to the ISA server (gateway).

    How can I solve this?

    Thursday, August 19, 2010 3:10 PM
  • Hi

    Can you provide us with the ipconfig of your client once it has connected with the VPN and the IP address range of the remote network that you are trying to reach?
    Is the remote network in any way defined as a network in ISA? What kind of rules do you have for the remote network on ISA?

    The logs you provided above will not help since they are all going to different IPs, and I don't see the remote network IP anywhere in those logs. From the tracert it looks like you are failing on the first hop. Have you tried adding a persistent route to the remote network on the client and having ISA as the DG for the remote network?

    Friday, August 27, 2010 11:36 PM
    Moderator
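As an added example (not from the thread, and not an ISA tool), here is a small Python parser for firewall-log rows in the export format quoted above; it counts the result codes and, as the reply suggests, checks whether any row touches the remote 10.20.20.0/24 network at all. The sample rows are constructed from the ones quoted in the thread, and the column regex is an assumption about that export format.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Regex for ISA 2006 firewall-log rows as quoted in the thread (whitespace-separated
# export; fields such as "Cisco UDP" contain spaces, so only stable columns are captured).
# The column layout is assumed from the quoted rows, not taken from an ISA specification.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(
    rf"^(?P<client>{IP})\s+-\s+(?P<transport>TCP|UDP)\b"
    rf".*?\s(?P<src>{IP})\s(?P<dst>{IP})\s(?P<port>\d+)\s"
    rf".*?(?P<code>0x[0-9a-fA-F]+)\s(?P<result>[A-Z_]+)"
    rf"\s+(?P<srcnet>Internal|External|Local Host)\s+(?P<dstnet>Internal|External|Local Host)"
)

def parse_row(line):
    """Return the interesting columns of one log row, or None if it is not a row (e.g. the header)."""
    m = ROW.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"])
    return d

def result_counts(lines):
    """Count the ISA result names (FWX_E_..., ERROR_SUCCESS) seen in the export."""
    return Counter(r["result"] for r in map(parse_row, lines) if r)

def rows_touching(lines, cidr):
    """Rows whose source or destination address falls inside cidr (e.g. the VPN pool)."""
    net = ip_network(cidr)
    return [r for r in map(parse_row, lines) if r
            and (ip_address(r["src"]) in net or ip_address(r["dst"]) in net)]

# Constructed sample modelled on the rows quoted in the thread (not the poster's full export).
SAMPLE = """\
192.168.59.1    -  UDP - -      -    8/19/2010 12:49:51 PM 62515 59000 40 0 0x0 0x0 - 8/19/2010 5:49:51 AM 192.168.59.1 81.21.102.25 62515 Cisco UDP Closed Connection Cisco UDP 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN   Internal External - MYSERVER Firewall
192.168.59.1    -  UDP - -      -    8/19/2010 12:49:59 PM 62515 0 0 0 0x0 0x0 - 8/19/2010 5:49:59 AM 192.168.59.1 81.21.102.25 62515 Cisco UDP Initiated Connection Cisco UDP 0x0 ERROR_SUCCESS   Internal External - MYSERVER Firewall
10.98.6.11    -  TCP - -      -    8/19/2010 12:51:30 PM 1159 0 0 0 0x0 0x0 - 8/19/2010 5:51:30 AM 10.98.6.11 74.125.43.104 80 HTTP Denied Connection  0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED   Local Host External - MYSERVER Firewall
10.98.0.204    -  TCP - -      -    8/19/2010 12:58:48 PM 46711 0 48 40 0x0 0x0 - 8/19/2010 5:58:48 AM 10.98.0.204 10.98.6.11 445 Microsoft CIFS (TCP) Closed Connection Allow All connection 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN   External Local Host - MYSERVER Firewall
""".splitlines()

if __name__ == "__main__":
    print(result_counts(SAMPLE))
    print("rows touching the VPN network:", rows_touching(SAMPLE, "10.20.20.0/24"))
```

If rows_touching() for the VPN pool comes back empty, ISA never logged that traffic at all, which points at client-side routing rather than at an access rule.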
  • Hi

    Thanks for your reply.

    Here is the ipconfig of the client once it has connected:

     

    C:\Documents and Settings\User>ipconfig /all

    Windows IP Configuration

            Host Name . . . . . . . . . . . . : user
            Primary Dns Suffix  . . . . . . . :
            Node Type . . . . . . . . . . . . : Unknown
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Network Adapter LAN1:

            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : Ethernet Adapter for LAN1
            Physical Address. . . . . . . . . : 00-50-56-C0-00-01
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 192.168.59.1
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.59.128
            DNS Servers . . . . . . . . . . . : 10.64.40.2

    Ethernet adapter Local Area Connection 5:

            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : Cisco Systems VPN Adapter
            Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 10.20.20.226              <-- IP taken from remote network
            Subnet Mask . . . . . . . . . . . : 255.255.255.255
            Default Gateway . . . . . . . . . :
            DNS Servers . . . . . . . . . . . : 212.103.160.18
                                                212.103.160.22

     

    The remote network is not defined as a network in ISA. How can I define the remote network? I can't use IPsec (it needs a certificate authority or pre-shared key) or PPTP (it needs a username and password).

    How can I add a persistent route to the remote network on the client and have ISA as the DG (what does DG stand for?) for the remote network?

    Monday, August 30, 2010 1:59 PM
  • DG= Default Gateway

    So the route you will add on this client would be:
    route add (remote network) subnet (VPN IP address of ISA provided by the remote network)

    Is 192.168.59.128 the IP of the ISA server?

    Monday, September 13, 2010 4:50 AM
    Moderator
  • Hi,

     

    Thanks for your reply.

    192.168.59.128 is the ISA server on my network that I use as the gateway for my client.

    So the correct command I will write on my client to connect to the remote network and send and receive data is:

    route -p add 10.20.20.0 mask 255.255.255.0 192.168.59.128

    Is that right?

     

    Tuesday, September 14, 2010 7:15 PM
  • Yes, that should be correct.
    Friday, September 17, 2010 6:45 PM
    Moderator
  • Hi,

    Thanks for your answer.

    Unfortunately it didn't work.

    Any answer will be appreciated.

    Saturday, September 25, 2010 8:42 AM
  • Hi Ramy,

    Looks like we will have to collect Oakley logs and TMG Data Analyzer logs to understand what's going on. Is there a way you can open a case to work with us?

    Thanks.

    Monday, September 27, 2010 10:58 PM
    Moderator