ISA Firewall Quick Tip : How To Allow Cisco VPN Client To Connect Through ISA Server
 




ISA Firewall Quick Tip : How To Allow Cisco VPN Client To Connect Through ISA Server


Published
:
August 18, 2007
Last Updated : August 18, 2007
     
Introduction

Lots of you use the CISCO VPN Client, for example you might have visitors to your company that might need to connect to their corporate and they need to establish the connection using the Cisco VPN Client. In this article, we will see how to enable CISCO VPN Client to connect from behind ISA Server.

 In order to be able to do this, we need to :

  • Create an allow rule to allow the required protocols

  • Make sure to place anonymous rules above rules that require Authentication

  • Configure the Client as SecureNet

 
  Configuration on ISA Server

  1. Open ISA Management Console
  2. Right click Firewall Policy > Click on New > Click on Access Rule



  3. Give a name to your Access rule, I will name it Cisco Client VPN Outbound



  4. On the Rule Action page, select Allow  > Click Next



  5. On the Protocols page, from the drop down list, choose Selected Protocols > then Click Add
  6. The Add Protocols Page will open, Expand the VPN and IPsec Container



  7. We need two protocols, the IKE Client & The IPSec NAT-T Client , so click on each of these protocols and click on Add, once you add both protocols, click on Close , Click Next



  8. On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog box, click on the Networks folder. Double click on the Internal network, then click the Close button in the Add Network Entities dialog box. Click Next
  9. On the Access Rule Destinations page, Click the Add button on the Access Rule Destinations page. In the Add Network Entities dialog box, click the Networks folder. Double click the External entry and click Close in the Add Network Entities dialog box. Click Next .
  10. On the User Sets page, accept the default setting of All Users, click Next
  11. Review your settings and click Finish on the Completing the New Access Rule Wizard page.



  12. Click the Apply button to save the changes and update the firewall policy.

 

Configuration on Client Machine

  1. Make sure to set the Client as SecureNet , that is the Default Gateway for this client should be pointing to ISA Server Internal IP

  2. If you have the Firewall Client installed on the client machine, make sure you disable the Firewall Client before trying to connect using the CISCO VPN Client.
Summary

 With ISA Server 2004/2006 , the protocols require by the Cisco VPN Client are built-in under the VPN and IPSec container, all you have to do is to create the appropriate allow rule for these protocols and configure your client as SecureNet Client.

Now Whenever you have visitors to your Network, and they ask you to allow them to Connect to their corporate using the Cisco VPN Client, you will know how to do it .