Issues with Outbound Cisco VPN Client connection through ISA 2004

  • Question

  • We have a few computers which need to be able to connect to a database on a server inside an external network. From these computers a VPN tunnel is created to the VPN server in the external network using the Cisco VPN Client with IKE Client (UDP port 500) and IPSec NAT-T Client (UDP port 4500). I have created a rule on our ISA 2004 server which allows these protocols between the IP addresses of our computers and the external VPN server.

    On the computers, the VPN connection shows that it has been connected and the ISA logs confirm this. However, no traffic is actually passed through the VPN tunnel with the Firewall Client installed on the computers. Immediately, I can see DNS traffic bound for the external network in the ISA logs, traffic which should be passing through the VPN tunnel. The same is true for the SQL traffic when attempting to create the ODBC connection: no connection can be established.

    With the Firewall Client uninstalled, the ISA logs show the connection of the VPN tunnel and then nothing else, as the DNS and SQL traffic are passed through the VPN tunnel and the connection to the database is established.

    What do I need to do for the traffic to be passed through the VPN tunnel with the Firewall Client installed on the computers?

    Thursday, November 5, 2009 12:04 AM

Answers

  • Do this:
    1. Look in the ISA logs for traffic from that client to the remote IP addresses used by the VPN servers.
    2. Make note of the data contained in the client-agent field for those entries. This is the name of the application that is being redirected by the FWC.
    3. Add that name in the ISA Firewall Client Application Settings with the values "disable=1" and "disableex=1".
    4. At the VPN client host, open an elevated cmd window and type:
        net stop fwcagent & net start fwcagent

    You should be able to use your VPN tunnel normally after this.


    Jim Harrison Forefront Edge CS
    Thursday, November 5, 2009 2:43 PM
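
Steps 1 to 3 of the accepted answer, as an added example that is not part of the thread and not Microsoft's or Cisco's code: it parses ISA 2004 firewall log lines in W3C format, keeps only records to the VPN server addresses on UDP 500/4500, reads the client-agent field of those records, and turns each distinct agent into the two Application Settings rows (disable=1, disableex=1). Everything in it is assumed or constructed: the log lines, the column list in the "#Fields:" directive (the parser takes column order from that directive rather than hard-coding positions, so a real log's header is handled the same way), the addresses 203.0.113.10 (remote VPN server) and 192.168.10.21 (internal PC), and the process name cvpnd.exe standing in for whatever client-agent the real log shows. Records with no client-agent ("-") come from SecureNAT hosts rather than the Firewall Client and are deliberately skipped, as is the leaked DNS record, which is the symptom and not the application to exempt.

```python
"""
Added example: find the Firewall Client application redirected toward the
VPN servers in ISA 2004 W3C-format firewall log lines and build the
Application Settings entries from the accepted answer (disable=1, disableex=1).

Every value below is constructed for this example (assumed column list,
invented addresses, cvpnd.exe as a placeholder for the logged client-agent).
"""

# Assumed column order; a real log's "#Fields:" directive is parsed the same way.
FIELDS = ("client-ip client-username client-agent authenticated date time "
          "service server-name referring-server destination-name destination-ip "
          "destination-port processing-time bytes-sent bytes-received protocol "
          "transport action result-code rule")


def _rec(*cols):
    """Join one constructed log record with a tab delimiter."""
    return "\t".join(cols)


SAMPLE_LOG = "\n".join([
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2004",
    "#Version: 2.0",
    "#Fields: " + FIELDS,
    # IKE (UDP/500) and NAT-T (UDP/4500) from the FWC-wrapped VPN process.
    _rec("192.168.10.21", "CORP\\alice", "cvpnd.exe", "Y", "2009-11-05", "00:01:10",
         "fwsrv", "ISA01", "-", "-", "203.0.113.10", "500", "0", "1204", "976",
         "IKE Client", "UDP", "Establish", "0x0", "Allow VPN out"),
    _rec("192.168.10.21", "CORP\\alice", "cvpnd.exe", "Y", "2009-11-05", "00:01:11",
         "fwsrv", "ISA01", "-", "-", "203.0.113.10", "4500", "0", "4210", "3388",
         "IPSec NAT-T Client", "UDP", "Establish", "0x0", "Allow VPN out"),
    # The symptom: DNS for the remote site reaching ISA instead of the tunnel.
    # Its destination is not the VPN server, so it must not become an entry.
    _rec("192.168.10.21", "CORP\\alice", "odbcad32.exe", "Y", "2009-11-05", "00:01:20",
         "fwsrv", "ISA01", "-", "-", "10.20.0.5", "53", "0", "61", "0",
         "DNS", "UDP", "Initiated Connection", "0x0", "-"),
    # A SecureNAT host to the same VPN server: no FWC, so client-agent is "-".
    _rec("192.168.10.40", "anonymous", "-", "N", "2009-11-05", "00:02:00",
         "fwsrv", "ISA01", "-", "-", "203.0.113.10", "500", "0", "0", "0",
         "IKE Client", "UDP", "Establish", "0x0", "Allow VPN out"),
])


def parse_w3c(text):
    """Yield one dict per record; column names come from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no records
        if fields is None:
            raise ValueError("log record found before any #Fields directive")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError("record has %d columns, header names %d"
                             % (len(cols), len(fields)))
        yield dict(zip(fields, cols))


def redirected_apps(text, vpn_servers, vpn_ports=(500, 4500)):
    """Map client-agent -> set of (destination-ip, port) for Firewall Client
    traffic to the VPN servers on the IKE / NAT-T ports. Records without a
    client-agent ("-") are SecureNAT traffic, not FWC redirection: skipped."""
    apps = {}
    for rec in parse_w3c(text):
        if rec["destination-ip"] not in vpn_servers:
            continue
        port = rec["destination-port"]
        if not port.isdigit() or int(port) not in vpn_ports:
            continue
        agent = rec["client-agent"]
        if agent in ("", "-"):
            continue
        apps.setdefault(agent, set()).add((rec["destination-ip"], int(port)))
    return apps


def application_settings(apps):
    """Rows to enter on the ISA Firewall Client Application Settings tab:
    (application name, key, value), both keys for every redirected app."""
    rows = []
    for name in sorted(apps):
        rows.append((name, "disable", "1"))
        rows.append((name, "disableex", "1"))
    return rows


if __name__ == "__main__":
    found = redirected_apps(SAMPLE_LOG, {"203.0.113.10"})
    for name, targets in found.items():
        print("%s -> %s" % (name, sorted(targets)))
    for app, key, value in application_settings(found):
        print("Application Settings: %s  %s=%s" % (app, key, value))
    print("then on the client: net stop fwcagent & net start fwcagent")
```

Feed it a real log export and the real VPN server addresses instead of SAMPLE_LOG; the only thing the page asks you to copy by hand is the client-agent string, and this keeps you from picking up the agent of the leaked DNS or SQL traffic, which is the symptom, not the process to exempt. Step 4 (restarting fwcagent) is still run on the client as in the answer.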

All replies

  • Hi,

    Thank you for the post.

    As far as I know, it is normal behavior. After you have created an allow rule to allow the required protocols, please make sure to set the client as SecureNAT, that is, the default gateway for this client should be pointing to the ISA Server internal IP. If you have the Firewall Client installed on the client machine, make sure you disable the Firewall Client before trying to connect using the Cisco VPN Client.

    Regards,


    Nick Gu - MSFT
    Thursday, November 5, 2009 4:01 AM
    Moderator
  • Thank you both for your rapid replies to this issue.

    Jim, you were right on the money. That worked perfectly!

    Friday, November 6, 2009 12:05 AM