RE: KB 832017

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 1 Sep 2004 15:31:49 -0500

Hi Tim,

I think if I said "all ports", then it probably was because that was the
only option that worked. But I'll test it with the new ISA firewall and
update the article with the correct source ports in both NAT and non-NAT
environments. Like Stefaan said, if the remote client is behind a NAT,
it's a good bet that the source port will be changed, although of
course, the destination port will remain unchanged.

Thanks!
Tom 

-----Original Message-----
From: Thor [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Wednesday, September 01, 2004 7:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] KB 832017

http://www.ISAserver.org

Hey Jim- you might want to get on your KB folks:

<snip>
Routing and Remote Access
The Routing and Remote Access service provides multiprotocol LAN-to-LAN,
LAN-to-WAN, VPN, and NAT routing services. Additionally, the Routing and
Remote Access service also provides dial-up and VPN remote access
services. 
Although Routing and Remote Access can use all the following protocols,
the service typically uses only a subset of them. For example, if you
configure a VPN gateway that lies behind a filtering router, you will
probably use only one technology. If you use L2TP with IPSec, you must
allow IPSec ESP (IP protocol 50), NAT-T (TCP on port 4500), and IPSec
ISAKMP (TCP on port 500) through the router.

</snip>

NAT-T and ISAKMP are UDP, not TCP. And the article should also mention
that source and destination ports are the same for NAT-T, ISAKMP and
L2TP (UDP 1701) so that people can have more secure rules in place. Now
that I mention that, there is a NAT-T oriented article on ISAServer.Org
that builds the IP Packet Filters for these protocols with "All Ports"
on the back end. 
They should really be source and destination of 500/1701/4500...

T 
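The rule styles argued over in both posts above (source port equal to destination port on UDP 500/1701/4500, "All Ports", and the KB's TCP wording), modelled as a small packet-filter matcher so the effect of each choice on direct and NAT'd clients can be checked. This is an added example written for this thread, not code from ISAserver.org or from either poster; the rule and packet types, the port numbers used for the sample packets and the NAT'd source port are constructed assumptions.

```python
# Added example: a toy inbound filter for a VPN gateway, used to compare
# how the rule styles discussed in the thread treat L2TP/IPsec traffic.
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard port: the "All Ports" setting the post objects to

@dataclass(frozen=True)
class Rule:
    proto: str                # "udp" or "tcp"
    src_port: Optional[int]   # None matches any source port
    dst_port: Optional[int]   # None matches any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int

L2TP_IPSEC_PORTS = (500, 1701, 4500)   # ISAKMP, L2TP, NAT-T: all UDP

# Candidate rule sets for the back end of the gateway's packet filter
STRICT = [Rule("udp", p, p) for p in L2TP_IPSEC_PORTS]          # src == dst, Thor's proposal
NAT_TOLERANT = [Rule("udp", ANY, p) for p in L2TP_IPSEC_PORTS]  # any src, fixed dst, for NAT'd clients
ALL_PORTS = [Rule("udp", ANY, ANY)]                             # the article's "All Ports" filter
KB_AS_WRITTEN = [Rule("tcp", p, p) for p in L2TP_IPSEC_PORTS]   # the KB's TCP wording, taken literally

def permitted(rules, pkt):
    """True if any rule in the set matches the packet's protocol and ports."""
    return any(
        r.proto == pkt.proto
        and (r.src_port is None or r.src_port == pkt.src_port)
        and (r.dst_port is None or r.dst_port == pkt.dst_port)
        for r in rules
    )

# Constructed sample traffic (port values are assumptions, not captures)
SAMPLES = {
    "direct_isakmp": Packet("udp", 500, 500),     # client with a public address
    "direct_nat_t": Packet("udp", 4500, 4500),
    "natted_isakmp": Packet("udp", 31234, 500),   # source port rewritten by a NAT device
    "stray_udp": Packet("udp", 53, 53),           # unrelated traffic that should never pass
}

def evaluate(rules):
    """Map each sample packet name to whether the rule set lets it through."""
    return {name: permitted(rules, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for label, rules in [("strict", STRICT), ("nat_tolerant", NAT_TOLERANT),
                         ("all_ports", ALL_PORTS), ("kb_as_written", KB_AS_WRITTEN)]:
        print(f"{label:13} {evaluate(rules)}")
```

Running it shows the trade-off Tom describes: the strict set passes only clients whose source port survived the path, the NAT-tolerant set admits the rewritten source port while still refusing unrelated UDP, "All Ports" admits everything, and TCP rules match none of the real traffic.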