Problems connection to Cisco VPN from behind MS ISA and a PIX firewall

Problems connection to Cisco VPN from behind MS ISA and a PIX firewall

Post by Ned Ha » Tue, 08 Jun 2004 00:33:26


I'm having trouble connecting to a Cisco VPN from behind a
back-to-back ISA/PIX firewall.  I've read all the documentation on ISA
for doing this and I've enabled NAT-T on my PIX as well as opened
ports 500, 4500, and 10000 (UDP) on ISA.  As a test, I placed the
workstation with the Cisco VPN client directly behind the PIX
(bypassing ISA) and I was successful at connecting to the VPN.
Although it seems as though the problem is with ISA, I found this
document that seems to confirm that it is possible to do.;en-us;812076
So I'm wondering if there is something the admin at the VPN endpoint
needs to do because I am using ISA behind a PIX (NAT-T?).  I plan to
call him on Monday and would appreciate hearing your suggestions or

Here is my config, I hope I haven't done too bad a job describing it.
IP) -> ISP Router

Thanks for your help


1. ESP problem with MS RRAS to Cisco 3000 VPN passing through PIX 515E Firewall.


I'm having a problem creating a MS RRAS server to a Cisco 3000 VPN
concentrator passing through a PIX 515E Firewall (6.1). The
configuration is as follows. The MS RRAS server has a configure IPSEC
policy creating a tunnel withe the external interface of the PIX
firewall. The PIX firewall passes that traffic to one of its internal
interface connected to the VPN concentrator. There is a sepearate
internal interface connecting to the internal LAN for internet
connectivity. UDP 500 is static translated to the VPN concentrator.
UDP 10000 is also static translated to the VPN concentrator. I am able
to estrablish the tunnel but if I try to pass traffic through it I get
"Regular Translation Creation failed for IP protocol 50" on the PIX.
Obviously this results from the fact that I can't static IP protocol
50. If I try to connect with the Cisco client from the outside it
works because it is encapsulating ESP in UDP 10000. Is there a way to
make the RRAS server do this? If I can't get RRAS to work this way
it's not a big deal because I can use L2TP but I will have other VPN
concentrators connecting through the PIX from the outside. Will they
have the same problem or will they encapsulate ESP in UDP 10000?
Any suggestions or thoughts would be greatly appreciated.


2. dvi to pdf

3. Cisco VPN Client 4.0 versus PIX 501 trough MS ISA

4. Follow Up To 'Anyone Solve This Boot Mystery'

5. Cisco VPN Client behind PIX Firewall

6. Creating a Calendar to show when people are on Holidays

7. Cisco VPN Client connection from BEHIND a firewall

8. Linux NATing/forwarding addresses from Inet to Internal LAN

9. MS IPSEClient VPN to Cisco PIX Firewall using RADUIS Authentication

10. Symantec Firewall/VPN Appliance - problems with connection to Cisco VPN Concetrator

11. Forwarding Protocol 47 (GRE) through MS ISA Server (Firewall) to VPN-PPTP-Server

12. Forwarding Port 47 (GRE) through MS ISA Server (Firewall) to VPN-PPTP-Server

13. Incoming VPN traffic passing through PIX to be authenticated via MS ISA