RE: VPN Questions

Hi Joseph,

Did I ever mention that I wish Cisco was at the bottom of the sea? :-\

There seem to be a lot of options you can set with the Cisco VPN
blackbox and the client. From what I've heard, you can configure NAT-T
to use UDP or TCP. TCP definitely does not seem to work, but UDP works
for a lot of people. You have to configure NAT-T to work in thus and
such way, and blah blah blah. Of course, it's all NOT IETF.

I think the best solution is to find out what the EXACT configuration
and requirements are on the VPN server. That will allow you and the
three other people in the world behind NAT devices to figure out how to
connect to their server ;-)

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx] 
Sent: Wednesday, March 05, 2003 12:00 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Questions
Sensitivity: Confidential


http://www.ISAserver.org


Hi Thomas,

Yup, that's what is happening! I have the CISCO VPN Client on a laptop
that they sent me. Really sucks. I've tried the UDP 500 AND 10000 with
send/receive, created packet filters for 50 and 51 as custom. Still no
go. I can uncheck use transparent tunneling and things seem to connect
just fine. However, I don't have any access to the network resources.
When that box is checked, I don't get squat.

Still scratching my head and trying to figure out what else to look at.


Thanks,
Joseph

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, March 04, 2003 5:53 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Questions
Sensitivity: Confidential



Hi Joseph,

You don't need to start RRAS on any of the ISA Servers to allow outbound
PPTP. Just configure PPTP passthrough in the Packet Filters Properties
dialog box on both of the ISA Servers. Then you'll be able to test. Of
course, I'm sure the next problem will be that the VPN server you're
calling is going to require some pinhead implementation of NAT-T for
IPSec ;-)

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx] 
Sent: Tuesday, March 04, 2003 7:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Questions
Sensitivity: Confidential



Hi Thomas,

When I tried to load VPN on my internal ISA machine, I wasn't able to
start the RRAS service. I looked at all the KB articles out on MS and
wasn't able to come up with a solution. Except maybe rebuilding that
box. I'm still looking for a way to reinstall RRAS without having to do
that. Then I can see if the double NAT thing will get me stuck. Right
now just can't gain access through both firewalls to make a connection
to a client located in CA via VPN. If your time has been anything like
mine..None I would appreciate any other ideas that you or others have on
this list.

Thank you,

Joseph

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, March 04, 2003 5:14 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Questions
Sensitivity: Confidential



Hi Joseph,

The DNS comment was just sort of an "oh, by the way", in that if you
have servers on the DMZ that need to resolve either DMZ host names or
published servers on the internal network, you can put that DNS server
on the internal network and publish it. That's how I usually handle
things when doing the split DNS thing.

Outbound VPN access should not require the same setup, as you can use
the PPTP passthrough feature to access external VPN servers. IIRC, the
double NAT doesn't cause too much of a problem ;-)

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx] 
Sent: Tuesday, March 04, 2003 1:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN Questions
Sensitivity: Confidential



Hi Thomas,

I've been re-reading the VPN in a back to back setting and have a
question about the following statement and how it applies to DNS.

http://www.isaserver.org/tutorials/Configuring_VPN_Access_in_a_Back_to_Back_ISA_Server_Environment.html
"One other thing you might want to do is configure a DNS server
publishing rule on the internal ISA Server, if you wish the DMZ hosts to
use a DNS server on your internal network. This is not required by the
back to back ISA Server VPN configuration, but it's something you should
think about."

I'm not sure if you meant that it is a good thing to publish the DNS
server on the internal network or not and just looking for clarification
on that issue. Also, would this be the same setup to VPN out through the
back to back setup? From my internal network through the internal
firewall through the dmz and out through the external vpn?




------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
