Cisco VPN Client via Microsoft ISA Firewall
Protocol Definitions and Rules
Cisco VPN Client
I do regular work on behalf of remote clients. I can use basic Windows VPN facilities for most, but where the client uses Cisco routers I must use the Cisco VPN Client to connect.
Microsoft ISA Server
Microsoft Internet Security and Acceleration (ISA) Server is a firewall and Web page cache. It is very flexible and, in my opinion, easier to configure than most hardware firewalls. However, this strictness can occasionally be its downfall, as I discovered when the Cisco VPN Client would not connect.
Protocol Definitions and Protocol Rules
The Cisco VPN Client needs several ports opened outbound. In ISA Server this takes two steps: a Protocol Definition associates a port number and direction with a base protocol (TCP or UDP), and a Protocol Rule permits use of that Protocol Definition by specific users or client address sets.
Protocol Definitions
The direction matters. For UDP, ISA Server offers both "receive send" and "send receive", and they are not the same: "send receive" permits a datagram sent outbound from the internal client and the replies that come back to it, which is what the VPN Client requires because it always initiates the exchange from inside the firewall.
| Name | Port | Protocol | Direction | Purpose |
|---|---|---|---|---|
| IPSec IKE | 500 | UDP | send receive | IKE key exchange |
| IPSec NAT-T | 4500 | UDP | send receive | IPsec NAT traversal (standard NAT-T) |
| IPSec 10,000 | 10000 | UDP | send receive | Cisco IPsec over UDP |
| IPSec Optional * | 1701 | UDP | send receive | L2TP |
| IPSec TCP | 10000 | TCP | outgoing | Cisco IPsec over TCP |
* I believe this one is optional, hence the name.
Protocol Rule
For my purposes this rule was a simple allow rule with no restriction on time or users. In a shared deployment, restrict it to the users or client address sets that actually need the VPN, since an unrestricted rule lets any internal host reach any external host on these ports.
| Name | Allow/Deny | Protocols |
|---|---|---|
| IPSec Outgoing NAT Traversal | Allow | All above listed |
The names of the definitions and the rule are essentially arbitrary as they have no bearing on the functionality of the objects.
Routes
The Cisco VPN Client adds and changes a number of routes in the host's TCP/IP configuration when it connects. On a standalone machine this is not an issue, but on a networked host you will find that as soon as the VPN Client connects you lose connectivity to the local LAN, because the local subnet is now routed into the tunnel.
To get around this, delete the route the VPN Client created for the local subnet and add one of your own that points the subnet back at the host's own LAN interface. The easiest way is a batch file you can run after the VPN has connected. Bear in mind that this sends local LAN traffic around the tunnel, which the remote site's VPN policy may have deliberately disabled.
```batch
C:
CD WINNT\SYSTEM32
REM Remove the route the VPN Client installed for the local subnet
Route delete 192.168.3.0 mask 255.255.255.0
REM Re-add it via the host's own LAN address so local traffic bypasses the tunnel
Route add 192.168.3.0 mask 255.255.255.0 192.168.3.25
```
The relevant lines are the two route commands. The earlier lines are only there because my system seems to have lost the PATH environment variable and I have never got around to fixing it. The IP addresses will need to be modified to suit your LAN and host machine.
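As an added example that is not part of the original article, the following Python script generalises the batch file above: instead of hard-coding the subnet, it takes the host's LAN address and mask, parses a copy of `route print` output, reports whether the VPN Client has re-pointed the local subnet at another interface, and only then emits the matching `route delete` / `route add` pair. The two route-table texts are constructed for the example (the 10.0.0.x tunnel addresses are assumptions); on a real host you would feed it the output of `route print`.

```python
"""Restore local-LAN routing after the Cisco VPN Client connects.

Added example, not from the original article. Given the host's LAN address
and mask plus the text of `route print`, find any route for the local subnet
that leaves via an interface other than the LAN one (the entry the VPN Client
installs to pull local traffic into the tunnel) and produce the commands that
put the direct route back.
"""
import ipaddress
import re
import subprocess

# Constructed sample of `route print` on a host at 192.168.3.25/24 after the
# VPN has connected. The 10.0.0.x tunnel addresses are assumptions.
AFTER_CONNECT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.3.1    192.168.3.25      1
          0.0.0.0          0.0.0.0       10.0.0.1        10.0.0.7      1
        127.0.0.0        255.0.0.0       127.0.0.1       127.0.0.1      1
      192.168.3.0    255.255.255.0        10.0.0.1        10.0.0.7      1
     192.168.3.25  255.255.255.255       127.0.0.1       127.0.0.1      1
    192.168.3.255  255.255.255.255    192.168.3.25    192.168.3.25      1
Default Gateway:         10.0.0.1
"""

# Constructed sample of the same host before connecting: the LAN route
# leaves via the LAN interface, so nothing needs fixing.
BEFORE_CONNECT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.3.1    192.168.3.25      1
        127.0.0.0        255.0.0.0       127.0.0.1       127.0.0.1      1
      192.168.3.0    255.255.255.0    192.168.3.25    192.168.3.25      1
     192.168.3.25  255.255.255.255       127.0.0.1       127.0.0.1      1
Default Gateway:      192.168.3.1
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# destination, netmask, gateway, interface, metric; header/footer lines do not match
ROUTE_LINE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")


def parse_routes(route_print_text):
    """Return (destination, netmask, gateway, interface, metric) for each active route."""
    routes = []
    for line in route_print_text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            routes.append((dest, mask, gateway, iface, int(metric)))
    return routes


def lan_network(lan_ip, lan_mask):
    """Network address of the host's own subnet, e.g. 192.168.3.25/255.255.255.0 -> 192.168.3.0."""
    return str(ipaddress.IPv4Network(f"{lan_ip}/{lan_mask}", strict=False).network_address)


def tunnelled_lan_routes(route_print_text, lan_ip, lan_mask):
    """Routes for the local subnet that do not leave via the LAN interface.

    The VPN Client installs such an entry so that local traffic is sent into the
    tunnel; with no split tunnelling at the far end that traffic simply disappears.
    """
    network = lan_network(lan_ip, lan_mask)
    return [r for r in parse_routes(route_print_text)
            if r[0] == network and r[1] == lan_mask and r[3] != lan_ip]


def fix_commands(route_print_text, lan_ip, lan_mask):
    """The `route` commands that restore direct LAN access, or [] if the table is already fine."""
    if not tunnelled_lan_routes(route_print_text, lan_ip, lan_mask):
        return []
    network = lan_network(lan_ip, lan_mask)
    return [f"route delete {network} mask {lan_mask}",
            f"route add {network} mask {lan_mask} {lan_ip}"]


def batch_script(commands):
    """Wrap the commands as the kind of batch file the article describes."""
    lines = ["@echo off", "REM restore local LAN route after the Cisco VPN Client connects"]
    return "\r\n".join(lines + commands) + "\r\n"


def live_route_table():
    """Current routing table on a Windows host (runs the real `route print`; Windows only)."""
    return subprocess.check_output(["route", "print"], text=True)


if __name__ == "__main__":
    cmds = fix_commands(AFTER_CONNECT, "192.168.3.25", "255.255.255.0")
    print(batch_script(cmds) if cmds else "local LAN route is already direct; nothing to do")
```

On the host itself, replace `AFTER_CONNECT` with `live_route_table()` and write the returned batch text to a file. The Cisco VPN Client also has an "Allow Local LAN Access" option on the connection entry, but whether it takes effect depends on the policy pushed by the remote gateway, which is why a route fix like this is sometimes the only workable option. Either way, local traffic then travels outside the tunnel, so make sure the remote site's security policy permits that before relying on it.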

