Microsoft KB Archive/812076

= How to enable a Cisco IPSec VPN client to connect to a Cisco VPN concentrator through ISA Server 2000 =

Article ID: 812076

Article Last Modified on 11/22/2006

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft BackOffice Server 2000
 * Microsoft Small Business Server 2000 Standard Edition

-



IN THIS TASK

 * SUMMARY
 * Provide Support for the Cisco VPN Client
 * Create the Protocol Definitions
 * Create a Protocol Rule
 * REFERENCES



SUMMARY
This step-by-step article describes how to enable a Cisco Systems virtual private network (VPN) client computer using the IPSec protocol, on the internal network, to connect to an external Cisco VPN Concentrator using the &quot;transparent tunneling&quot; feature through Microsoft Internet Security and Acceleration Server 2000.

back to the top

Provide Support for the Cisco VPN Client
In most cases, IPSec VPN traffic does not pass through ISA Server 2000. However, Cisco Concentrator 3300, with the latest firmware updates, uses &quot;transparent tunneling&quot; that uses User Datagram Protocol (UDP) ports 500, 4500, and 10000 to communicate securely between VPN clients and concentrators.

To provide support for this configuration, create the following protocol definitions:

Note The client computer must be configured as a SecureNat client.

Port number: 500

Protocol type: UDP

Direction: Send Receive

Port number: 4500

Protocol type: UDP

Direction: Send Receive

Port number: 10000

Protocol type: UDP

Direction: Send Recieve

By creating these protocol definitions, you enable the SecureNat client to connect to the Cisco VPN server through ISA Server as all traffic is passed as UDP traffic. According to the Cisco Transparent tunneling technology, this traffic can traverse Network Address Translation (NAT) firewalls.

Note You must make sure that your Access Policy permits these three custom protocols.

back to the top

Create the Protocol Definitions
Create the new custom protocols to enable the transparent tunneling feature. To do so, follow these steps:
 * 1) Start the ISA Management snap-in. To do so, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
 * 2) Under Policy Elements, locate the Protocol Definitions container.
 * 3) Right-click Protocol Definitions, point to New, and then click Definition.
 * 4) In the Protocol definition name box, type a descriptive name for the definition (for example, type Port 500 UDP Send Receive ), and then click Next.
 * 5) In the Port number box, type 500 . In the Protocol type list, click UDP. In the Direction list, click Send Receive (do not click Receive Send), and then click Next.
 * 6) Under Do you want to use Secondary connections?, click No, and then click Next.
 * 7) Confirm your settings, and then click Finish.
 * 8) In the left pane, right-click Protocol Definitions, point to New, and then click Definition.
 * 9) In the Protocol definition name box, type a descriptive name for the definition (for example, type Port 4500 UDP Send Receive ), and then click Next.
 * 10) In the Port number box, type 4500 . In the Protocol type list, click UDP. In the Direction list, click Send Receive (do not click Receive Send), and then click Next.
 * 11) Under Do you want to use Secondary connections?, click No, and then click Next.
 * 12) Confirm your settings, and then click Finish.
 * 13) Repeat the steps above to create the protocol using a value of 10000 in steps 9 and 10.

The new custom protocols are listed in the right pane under Available Protocols.

back to the top

Create a Protocol Rule
Create a protocol rule to allow access using the new custom protocols that you created. To do so, follow these steps:
 * 1) Start the ISA Management snap-in. To do this, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
 * 2) Under Access Policy, locate to the Protocol Rules container.
 * 3) Right-click Protocol Rules, point to New, and then click Rule.
 * 4) In the Protocol rule name box, type a name for the rule (for example, type Allow Cisco IPSec VPN Client ), and then click Next.
 * 5) Click Allow, and then click Next.
 * 6) In the Apply this rule to list, click Selected protocols.
 * 7) In the Protocols list, click to select the check boxes that correspond to the three custom protocols that you created earlier, and then click Next.
 * 8) In the Use this schedule list, click the schedule that you want to use when allowing these protocols (for example, click Work hours), and then click Next.
 * 9) Under Apply the rule to requests from, click Any request (unless you want to restrict these protocols to certain client address sets), and then click Next.
 * 10) Confirm the configuration selections, and then click Finish.

The new protocol rule is listed under Available Protocol Rules in the right pane.

Note After you perform the steps to add UDP Port 10000 as a protocol definition, you may also have to add UDP port 20000 to be able to work with some of the newer Cisco VPN Concentrators.

Note This article is designed for SecureNAT clients. You must remove the ISA Firewall client software.

back to the top

