RE: VPN to a cisco VPN server that uses ipsec


Hi Stefaan

Because it is a question of which way the connection is initiated - not
how traffic flows. Since ISA is a stateful inspection firewall, it
allows or disallows packets based on state information. It knows which
packets are expected as replies to a connection initiated from the
inside and allows them. That's the reason we can work with protocol
definitions and not be constrained to mere packet filtering.
In my understanding, send/receive should work equally well, as it just
says that the connection can be initiated either way. But I just could
not get it to work. By trial and error, I found that the send only
setting does work in this particular case. I would appreciate being
enlightened.

 David Elmquist

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx] 
Sent: 21. marts 2002 11:39
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec

Hi David,

But if you say "it should be send only", how do the replies get back?
Really, I don't understand it :-(

Regards,
Stefaan

-----Original Message-----
From: David Elmquist [mailto:david@xxxxxxxxxx]
Sent: donderdag 21 maart 2002 11:07
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec


http://www.ISAserver.org



Hmm... my mistake again. It's been a while since I have seen an ISA
server and I have no access to one right now.
However, if the options you mention are the correct ones for UDP, I
would say that it should be send only - not send/receive.

I think I'd better build me a new ISA server, before I forget where I
put the CD :-)

 David Elmquist

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx] 
Sent: 21. marts 2002 09:46
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec

Hi David,

Sorry, but in my ISA (SP1 v122.166) for UDP protocol directions you can
NOT select direction outbound. The only choices are: send/receive
(equivalent of TCP outbound), receive/send (equivalent of TCP inbound),
send and receive. Could you clarify your definition of outbound?

Regards,
Stefaan

-----Original Message-----
From: David Elmquist [mailto:david@xxxxxxxxxx]
Sent: donderdag 21 maart 2002 8:11
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec


I should clarify my mix-up of the terminology:

The needed protocol definitions:

UDP 500 outbound
UDP 10000 outbound

I tried the send receive mode first, but never got it to work.
Can't explain why.
Some suitable protocol rule has to allow the definitions.
It only works with SecureNAT clients. Firewall clients have to be
disabled temporarily.

 David Elmquist


-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx] 
Sent: 21. marts 2002 00:37
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec

Hi David,

Can you post the protocol definitions and rules you have to create?
I think UDP 500 send receive and UDP 10000 send receive is all you need.
Correct?

Regards,
Stefaan

-----Original Message-----
From: David Elmquist [mailto:david@xxxxxxxxxx]
Sent: donderdag 21 maart 2002 0:26
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec


Provided that you are using the 3000 series client, it will
provide the option of UDP encapsulation. It is up to you to enable
it. You do not have to create packet filters, but you do have to
define the described protocol rules and disable the firewall client.
I don't know why, though I'm sure some tweaking of the client's .ini
file could fix this.

 David Elmquist

-----Original Message-----
From: skip [mailto:skip@xxxxxxxxxxxxxxxxx] 
Sent: 20. marts 2002 23:47
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN to a cisco VPN server that uses ipsec

If I install the Cisco client's VPN software on the machine, will it
then provide the UDP encapsulation for me, or do I have to apply
filters to the ISA server to allow this to go through?
