How to enable a Cisco IPSec VPN client to connect to a Cisco VPN concentrator through ISA Server 2000

This step-by-step article describes how to enable a Cisco Systems virtual private network (VPN) client computer using the IPSec protocol, on the internal network, to connect to an external Cisco VPN Concentrator using the "transparent tunneling" feature through Microsoft Internet Security and Acceleration Server 2000.

Provide Support for the Cisco VPN Client

In most cases, IPSec VPN traffic does not pass through ISA Server 2000. However, Cisco Concentrator 3300, with the latest firmware updates, uses "transparent tunneling" that uses User Datagram Protocol (UDP) ports 500, 4500, and 10000 to communicate securely between VPN clients and concentrators.

To provide support for this configuration, create the following protocol definitions:

Note The client computer must be configured as a SecureNat client.


By creating these protocol definitions, you enable the SecureNat client to connect to the Cisco VPN server through ISA Server as all traffic is passed as UDP traffic. According to the Cisco Transparent tunneling technology, this traffic can traverse Network Address Translation (NAT) firewalls.

Note You must make sure that your Access Policy permits these three custom protocols.

Create the Protocol Definitions

Create the new custom protocols to enable the transparent tunneling feature. To do so, follow these steps:

1. Start the ISA Management snap-in. To do so, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
2. Under Policy Elements, locate the Protocol Definitions container.
3. Right-click Protocol Definitions, point to New, and then click Definition.
4. In the Protocol definition name box, type a descriptive name for the definition (for example, type Port 500 UDP Send Receive), and then click Next.
5. In the Port number box, type 500. In the Protocol type list, click UDP. In the Direction list, click Send Receive (do not click Receive Send), and then click Next.
6. Under Do you want to use Secondary connections?, click No, and then click Next.
7. Confirm your settings, and then click Finish.
8. In the left pane, right-click Protocol Definitions, point to New, and then click Definition.
9. In the Protocol definition name box, type a descriptive name for the definition (for example, type Port 4500 UDP Send Receive), and then click Next.
10. In the Port number box, type 4500. In the Protocol type list, click UDP. In the Direction list, click Send Receive (do not click Receive Send), and then click Next.
11. Under Do you want to use Secondary connections?, click No, and then click Next.
12. Confirm your settings, and then click Finish.
13. Repeat the steps above to create the protocol using a value of 10000 in steps 9 and 10.

The new custom protocols are listed in the right pane under Available Protocols.

Create a Protocol Rule

Create a protocol rule to allow access using the new custom protocols that you created. To do so, follow these steps:

1. Start the ISA Management snap-in. To do this, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
2. Under Access Policy, locate to the Protocol Rules container.
3. Right-click Protocol Rules, point to New, and then click Rule.
4. In the Protocol rule name box, type a name for the rule (for example, type Allow Cisco IPSec VPN Client), and then click Next.
5. Click Allow, and then click Next.
6. In the Apply this rule to list, click Selected protocols.
7. In the Protocols list, click to select the check boxes that correspond to the three custom protocols that you created earlier, and then click Next.
8. In the Use this schedule list, click the schedule that you want to use when allowing these protocols (for example, click Work hours), and then click Next.
9. Under Apply the rule to requests from, click Any request (unless you want to restrict these protocols to certain client address sets), and then click Next.
10. Confirm the configuration selections, and then click Finish.

The new protocol rule is listed under Available Protocol Rules in the right pane.

Note After you perform the steps to add UDP Port 10000 as a protocol definition, you may also have to add UDP port 20000 to be able to work with some of the newer Cisco VPN Concentrators.

Note This article is designed for SecureNAT clients. You must remove the ISA Firewall client software.

For information about how to obtain ISA Server 2000 Service Pack 1 (SP1), visit the following Microsoft Web site:For additional help and support with Microsoft Internet Security and Acceleration (ISA) Server, visit the following Microsoft Web site: For more information about ISA Server, visit the following non-Microsoft Web site:For additional information about Cisco Systems VPN devices, visit the following Cisco Web site: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.