Hi Tim,

I think if I said "all ports", then it probably was because that was the only option that worked. But I'll test it with the new ISA firewall and update the article with the correct source ports in both NAT and non-NAT environments. Like Stefaan said, if the remote client is behind a NAT, it's a good bet that the source port will be changed, although of course, the destination port will remain unchanged.

Thanks!
Tom

-----Original Message-----
From: Thor [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, September 01, 2004 7:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] KB 832017

http://www.ISAserver.org

Hey Jim- you might want to get on your KB folks:

<snip>
Routing and Remote Access
The Routing and Remote Access service provides multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services. Additionally, the Routing and Remote Access service also provides dial-up and VPN remote access services. Although Routing and Remote Access can use all the following protocols, the service typically uses only a subset of them. For example, if you configure a VPN gateway that lies behind a filtering router, you will probably use only one technology. If you use L2TP with IPSec, you must allow IPSec ESP (IP protocol 50), NAT-T (TCP on port 4500), and IPSec ISAKMP (TCP on port 500) through the router.
</snip>

NAT-T and ISAKMP are UDP, not TCP. And the article should also mention that source and destination ports are the same for NAT-T, ISAKMP and L2TP (UDP 1701) so that people can have more secure rules in place.

Now that I mention that, there is a NAT-T oriented article on ISAServer.Org that builds the IP Packet Filters for these protocols with "All Ports" on the back end. They should really be source and destination of 500/1701/4500...
T