VPN USERS

Julian Dragut

Hi,

I have a LAN with 192.168.0.0/24 which is protected by a Cisco PIX Firewall,
and the internal interface is 192.168.0.1.
I have implemented ISA 2004 for testing inside the network and I have set up
a few users with the firewall client (with autodiscovery and stuff) so they
(the test clients) are NAT-ed by the ISA before they reach the PIX.

The PIX Firewall comes with VPN software, and I have set it up for mobile users
so they can connect from outside and access resources. By default, the PIX
Firewall doesn't allow an outbound connection through the same interface the
inbound connection was initially made on; therefore, once connected, the mobile
clients cannot browse the internet (in my case they cannot use our email
server, which is hosted outside the company), so I am looking at a way to set
ISA up as a gateway for them. The mobile clients take their IP addresses from
the PIX firewall as 192.168.254.1-10. I have set up all kinds of combinations
for them, but they still cannot ping ISA or browse the net as web proxy
clients.
Am I missing something here?

Thanks,

Julian Dragut
 
Steven L Umbach

Since you are using ISA 2004 I would not use the PIX for VPN or for DHCP.
Just have it allow pptp/l2tp traffic to the ISA 2004 server and configure
ISA as the VPN server, starting out with pptp before you try to implement
l2tp; if you do want to try l2tp, start with a preshared key [if using XP Pro]
to make sure it works. Use the built-in Windows VPN client to connect to the
ISA 2004 server - not the Cisco. ISA 2004 installs in a locked-down mode, so
you need to configure access for VPN clients by access rules. ISA 2004 will
also allow VPN users to access the internet with the proper access rules.
Pptp requires the use of port 1723 TCP and protocol 47/GRE. The ISA 2004
logs can be helpful when trying to grant access by seeing what traffic is
being blocked. The links below may help. --- Steve

http://www.isaserver.org/articles/2004vpnserver.html
http://www.microsoft.com/seminar/events/series/isaserversecurity.mspx
http://www.microsoft.com/technet/community/events/isa/tnt1-125.mspx
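A triage script for the log-reading step Steve suggests, added here as an example and not code from the thread or from ISA Server: it keys each record off the #Fields header of an ISA 2004-style W3C firewall log, counts what is denied for the PIX-assigned pool 192.168.254.1-10 and under which rule, and checks that PPTP's TCP/1723 and GRE both pass. The log lines are constructed for the example; the column subset and the action strings are assumptions, as are the names parse_w3c, in_vpn_pool and triage.

```python
import ipaddress
from collections import Counter

# PIX-assigned VPN client pool from the thread: 192.168.254.1 through .10
VPN_POOL = {ipaddress.ip_address(f"192.168.254.{n}") for n in range(1, 11)}
# Constructed, abbreviated sample in the style of an ISA 2004 W3C firewall log: tab-separated
# records, columns named by the "#Fields:" header. Field subset and action wording are assumptions.
SAMPLE_LOG = """#Fields: c-ip cs-username date time r-ip r-port cs-protocol cs-transport rule cs-Network sc-Network action
192.168.254.3\tanonymous\t2005-03-01\t09:12:01\t192.168.0.10\t8080\thttp\tTCP\t\tInternal\tLocal Host\tDenied Connection
192.168.254.3\tanonymous\t2005-03-01\t09:12:05\t192.168.0.10\t0\tPING\tICMP\t\tInternal\tLocal Host\tDenied Connection
192.168.0.25\tDOMAIN\\jdoe\t2005-03-01\t09:13:10\t203.0.113.5\t80\thttp\tTCP\tAllow Web Access\tInternal\tExternal\tInitiated Connection
198.51.100.7\tanonymous\t2005-03-01\t09:14:00\t203.0.113.20\t1723\tPPTP\tTCP\tAllow VPN\tExternal\tLocal Host\tInitiated Connection
198.51.100.7\tanonymous\t2005-03-01\t09:14:01\t203.0.113.20\t0\tGRE\tGRE\t\tExternal\tLocal Host\tDenied Connection
"""

def parse_w3c(text):
    """One dict per record, keyed by the column names in the '#Fields:' header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):  # skip blanks and other directives
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError(f"bad record or missing #Fields header: {line!r}")
            records.append(dict(zip(fields, values)))
    return records

def in_vpn_pool(ip):
    """True when ip is one of the PIX-assigned VPN addresses; malformed values count as no."""
    try:
        return ipaddress.ip_address(ip) in VPN_POOL
    except ValueError:
        return False

def triage(records):
    """(1) Denied VPN-pool traffic counted by (protocol, rule); an empty rule field means no access
    rule matched, i.e. ISA's default deny. (2) Whether TCP/1723 and GRE (protocol 47) got through."""
    denied = Counter((r["cs-protocol"], r["rule"] or "<default deny>") for r in records
                     if r["action"] == "Denied Connection" and in_vpn_pool(r["c-ip"]))
    pptp = {"TCP/1723": set(), "GRE": set()}
    for r in records:
        if r["cs-transport"] == "TCP" and r["r-port"] == "1723":
            pptp["TCP/1723"].add(r["action"])
        elif "GRE" in (r["cs-transport"], r["cs-protocol"]):
            pptp["GRE"].add(r["action"])
    status = {k: "denied" if "Denied Connection" in v else "allowed" if v else "no traffic seen"
              for k, v in pptp.items()}
    return denied, status
```

On a real export, a run of denies with an empty rule field for the pool addresses is the first thing to compare against the access rules Steve describes.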
 
Julian Dragut

Hi Steven,

As usual your quality and prompt responses are truly helpful, thank you.

The setup is a little more complex than what I presented, to make my problem
easier, but... the PIXes are VPN-ed site to site to all my domain sites and the
data center, two by two for redundancy, and it's been tested: the best
performance and reliability for VPN-ing is the Cisco VPN client, so after
years of using it without any probs, it would be a hard task for me to
convince them to change it to the Windows native software.

I could make the VPN connection through the PIX transparent, but then I
would expose the network to the home and mobile PCs infected with all kinds
of bs; therefore my only solution is to find out how to give them access by
using ISA as a web proxy.

Thank you,

Steven L Umbach said:
Since you are using ISA 2004 I would not use the PIX for VPN or for DHCP.
Just have it allow pptp/l2tp traffic to the ISA 2004 server and configure
ISA as the VPN server, starting out with pptp before you try to implement
l2tp; if you do want to try l2tp, start with a preshared key [if using XP Pro]
to make sure it works. Use the built-in Windows VPN client to connect to
the ISA 2004 server - not the Cisco. ISA 2004 installs in a locked-down
mode, so you need to configure access for VPN clients by access rules. ISA
2004 will also allow VPN users to access the internet with the proper access
rules. Pptp requires the use of port 1723 TCP and protocol 47/GRE.
The ISA 2004 logs can be helpful when trying to grant access by seeing
what traffic is being blocked. The links below may help. --- Steve

http://www.isaserver.org/articles/2004vpnserver.html
http://www.microsoft.com/seminar/events/series/isaserversecurity.mspx
http://www.microsoft.com/technet/community/events/isa/tnt1-125.mspx

Julian Dragut said:
Hi,

I have a LAN with 192.168.0.0/24 which is protected by a Cisco PIX
Firewall, and the internal interface is 192.168.0.1.
I have implemented ISA 2004 for testing inside the network and I have
set up a few users with the firewall client (with autodiscovery and stuff) so
they (the test clients) are NAT-ed by the ISA before they reach the PIX.

The PIX Firewall comes with VPN software, and I have set it up for mobile
users so they can connect from outside and access resources. By default,
the PIX Firewall doesn't allow an outbound connection through the same
interface the inbound connection was initially made on; therefore, once
connected, the mobile clients cannot browse the internet (in my case they
cannot use our email server, which is hosted outside the company), so I am
looking at a way to set ISA up as a gateway for them. The mobile clients
take their IP addresses from the PIX firewall as 192.168.254.1-10. I have
set up all kinds of combinations for them, but they still cannot ping ISA or
browse the net as web proxy clients.
Am I missing something here?

Thanks,

Julian Dragut
 
Julian Dragut

Hi Steven,

As usual your quality and prompt responses are truly helpful, thank you.

The setup is a little more complex than what I presented, to make my problem
easier, but... the PIXes are VPN-ed site to site to all my domain sites and the
data center, two by two for redundancy, and it's been tested: the best
performance and reliability for VPN-ing is the Cisco VPN client, so after
years of using it without any probs, it would be a hard task for me to
convince them to change it to the Windows native software.

I could make the VPN connection through the PIX transparent and the users
would be able to surf the net, but then I would expose the network to the
home and mobile PCs infected with all kinds of bs; therefore my only
solution is to find out how to give them access by using ISA as a web proxy.

Thank you,

Steven L Umbach said:
Since you are using ISA 2004 I would not use the PIX for VPN or for DHCP.
Just have it allow pptp/l2tp traffic to the ISA 2004 server and configure
ISA as the VPN server, starting out with pptp before you try to implement
l2tp; if you do want to try l2tp, start with a preshared key [if using XP Pro]
to make sure it works. Use the built-in Windows VPN client to connect to
the ISA 2004 server - not the Cisco. ISA 2004 installs in a locked-down
mode, so you need to configure access for VPN clients by access rules. ISA
2004 will also allow VPN users to access the internet with the proper access
rules. Pptp requires the use of port 1723 TCP and protocol 47/GRE.
The ISA 2004 logs can be helpful when trying to grant access by seeing
what traffic is being blocked. The links below may help. --- Steve

http://www.isaserver.org/articles/2004vpnserver.html
http://www.microsoft.com/seminar/events/series/isaserversecurity.mspx
http://www.microsoft.com/technet/community/events/isa/tnt1-125.mspx

Julian Dragut said:
Hi,

I have a LAN with 192.168.0.0/24 which is protected by a Cisco PIX
Firewall, and the internal interface is 192.168.0.1.
I have implemented ISA 2004 for testing inside the network and I have
set up a few users with the firewall client (with autodiscovery and stuff) so
they (the test clients) are NAT-ed by the ISA before they reach the PIX.

The PIX Firewall comes with VPN software, and I have set it up for mobile
users so they can connect from outside and access resources. By default,
the PIX Firewall doesn't allow an outbound connection through the same
interface the inbound connection was initially made on; therefore, once
connected, the mobile clients cannot browse the internet (in my case they
cannot use our email server, which is hosted outside the company), so I am
looking at a way to set ISA up as a gateway for them. The mobile clients
take their IP addresses from the PIX firewall as 192.168.254.1-10. I have
set up all kinds of combinations for them, but they still cannot ping ISA or
browse the net as web proxy clients.
Am I missing something here?

Thanks,

Julian Dragut
 