How to enable a Cisco IPSec VPN client to connect to a Cisco VPN concentrator through ISA Server 2000 (812076)


The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000
  • Microsoft BackOffice Server 2000
  • Microsoft Small Business Server 2000

IN THIS TASK

SUMMARY

This step-by-step article describes how to enable a Cisco Systems virtual private network (VPN) client computer using the IPSec protocol, on the internal network, to connect to an external Cisco VPN Concentrator using the "transparent tunneling" feature through Microsoft Internet Security and Acceleration Server 2000.

back to the top

Provide Support for the Cisco VPN Client

In most cases, IPSec VPN traffic does not pass through ISA Server 2000. However, Cisco Concentrator 3300, with the latest firmware updates, uses "transparent tunneling" that uses User Datagram Protocol (UDP) ports 500, 4500, and 10000 to communicate securely between VPN clients and concentrators.

To provide support for this configuration, create the following protocol definitions:

Note The client computer must be configured as a SecureNat client.

Port number: 500
Protocol type: UDP
Direction: Send Receive

Port number: 4500
Protocol type: UDP
Direction: Send Receive

Port number: 10000
Protocol type: UDP
Direction: Send Recieve




By creating these protocol definitions, you enable the SecureNat client to connect to the Cisco VPN server through ISA Server as all traffic is passed as UDP traffic. According to the Cisco Transparent tunneling technology, this traffic can traverse Network Address Translation (NAT) firewalls.

Note You must make sure that your Access Policy permits these three custom protocols.

back to the top

Create the Protocol Definitions

Create the new custom protocols to enable the transparent tunneling feature. To do so, follow these steps:
  1. Start the ISA Management snap-in. To do so, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
  2. Under Policy Elements, locate the Protocol Definitions container.
  3. Right-click Protocol Definitions, point to New, and then click Definition.
  4. In the Protocol definition name box, type a descriptive name for the definition (for example, type Port 500 UDP Send Receive), and then click Next.
  5. In the Port number box, type 500. In the Protocol type list, click UDP. In the Direction list, click Send Receive (do not click Receive Send), and then click Next.
  6. Under Do you want to use Secondary connections?, click No, and then click Next.
  7. Confirm your settings, and then click Finish.
  8. In the left pane, right-click Protocol Definitions, point to New, and then click Definition.
  9. In the Protocol definition name box, type a descriptive name for the definition (for example, type Port 4500 UDP Send Receive), and then click Next.
  10. In the Port number box, type 4500. In the Protocol type list, click UDP. In the Direction list, click Send Receive (do not click Receive Send), and then click Next.
  11. Under Do you want to use Secondary connections?, click No, and then click Next.
  12. Confirm your settings, and then click Finish.
  13. Repeat the steps above to create the protocol using a value of 10000 in steps 9 and 10.
The new custom protocols are listed in the right pane under Available Protocols.

back to the top

Create a Protocol Rule

Create a protocol rule to allow access using the new custom protocols that you created. To do so, follow these steps:
  1. Start the ISA Management snap-in. To do this, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
  2. Under Access Policy, locate to the Protocol Rules container.
  3. Right-click Protocol Rules, point to New, and then click Rule.
  4. In the Protocol rule name box, type a name for the rule (for example, type Allow Cisco IPSec VPN Client), and then click Next.
  5. Click Allow, and then click Next.
  6. In the Apply this rule to list, click Selected protocols.
  7. In the Protocols list, click to select the check boxes that correspond to the three custom protocols that you created earlier, and then click Next.
  8. In the Use this schedule list, click the schedule that you want to use when allowing these protocols (for example, click Work hours), and then click Next.
  9. Under Apply the rule to requests from, click Any request (unless you want to restrict these protocols to certain client address sets), and then click Next.
  10. Confirm the configuration selections, and then click Finish.
The new protocol rule is listed under Available Protocol Rules in the right pane.

Note After you perform the steps to add UDP Port 10000 as a protocol definition, you may also have to add UDP port 20000 to be able to work with some of the newer Cisco VPN Concentrators.

Note This article is designed for SecureNAT clients. You must remove the ISA Firewall client software.

back to the top

REFERENCES

For information about how to obtain ISA Server 2000 Service Pack 1 (SP1), visit the following Microsoft Web site:

http://www.microsoft.com/isaserver/downloads/sp1.asp

For additional help and support with Microsoft Internet Security and Acceleration (ISA) Server, visit the following Microsoft Web site:

http://www.microsoft.com/isaserver

For more information about ISA Server, visit the following non-Microsoft Web site:

http://www.isaserver.org

For additional information about Cisco Systems VPN devices, visit the following Cisco Web site:

http://www.cisco.com/warp/public/44/jump/vpn_devices.shtml

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

back to the top
Modification Type:MajorLast Reviewed:1/4/2005
Keywords:kbHOWTOmaster kbhowto KB812076
©2004 Microsoft Corporation. All rights reserved.