Re: How to allow all in and out traffic for one internal address

  • From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
  • To: "ISALists" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 20 Feb 2004 10:33:09 -0600

It has to be a hardware VPN, which I said does not work through ISA
server.

Jeff Sloan 
Network Administrator 
Cross Oil Refining & Marketing, Inc. 
484 E. 6th St. 
Smackover, AR 71762 

Phone 870-864-8688
Fax     870-864-8689 
Cell     870-866-9941 



-----Original Message-----
From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx] 
Sent: Thursday, February 19, 2004 5:36 PM
To: ISALists
Subject: [isalist] Re: How to allow all in and out traffic for one
internal address


http://www.ISAserver.org

So is there any reason you can't do a VPN from home to the office?

----- Original Message ----- 
From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, February 19, 2004 12:06 PM
Subject: [isalist] Re: How to allow all in and out traffic for one
internal address


The phone system (PBX) is 3Com NBX.
This system operates out of the box as an Ethernet only system. The
phones and PBX communicate at the layer 2 level. These phones only
connect via Ethernet, and will not work unless they can see the main PBX
box. NO IP involved.

What I am trying to get done is put one of these phones at home on my
DSL connection, and use it to communicate with the internal PBX. For
this to work, the phone at home is assigned an IP address, and tries to
communicate to the main PBX over IP. The main PBX is behind ISA, so a
server publishing thing would have to be done with the correct protocols
and ports. Once it reaches the PBX, the PBX will decide what other
device the home phone is trying to call, and then assign that target
phone an IP address, so that it can communicate over the internet.

Now that a second internal IP is involved, a second one to one
translation would have to be done, so another server publish rule? Once
the hand off of the conversation takes place, the PBX could die, and the
conversation would still work, because there is no more communication
with the PBX, it is straight phone to phone over the network.

They sold us an upgrade that made talking to a phone behind a home
router possible, but it turns out the main PBX can't be behind a firewall
per se. I am told by the reseller that the possible fix to make the
system work better would be a software upgrade that would make the calls
use the main PBX as a proxy for the communication between two phones,
but that is yet to be seen.

People that are doing it successfully have their phone system behind a
hardware VPN, and another hardware VPN at the user's home, then it will
work. That won't work with ISA, because the hardware VPN they suggest
will not complete a tunnel with ISA. They want certificates and such
that ISA2000 doesn't do.

IF RRAS will provide some one to one translation "around" ISA, maybe
that will work. I just don't know if it is possible.

Thanks for any help in advance.

Jeff Sloan
Network Administrator
Cross Oil Refining & Marketing, Inc.
484 E. 6th St.
Smackover, AR 71762

Phone 870-864-8688
Fax     870-864-8689
Cell     870-866-9941



-----Original Message-----
From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx]
Sent: Thursday, February 19, 2004 11:18 AM
To: ISALists
Subject: [isalist] Re: How to allow all in and out traffic for one
internal address


Can you give an example of what the connection topography is?  Is this
phone connecting to an internet provider like vonage or something?  Or
is the phone trying to talk back to a central PBX in another office? Are
you trying to use a PBX based VOIP phone from the office at home (cisco,
avaya, or inter-tel, etc.)?

----- Original Message ----- 
From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, February 19, 2004 8:55 AM
Subject: [isalist] Re: How to allow all in and out traffic for one
internal address


Is there a way I can use RRAS on the ISA server to get what I need?

I am told by the phone system vendor that SIP is not used in this
system. He also told me of someone who configured his PIX to work by
mapping several internal IP's to external IP's, then configuring the
ports for those IP's only.

Here is how the system works.

When a call comes in from an outside IP phone, it communicates with the
call processor, which would be mapped from the public address to the
private. The processor determines which internal phone the call is for,
which at this point has no IP address (it's MAC based), and then assigns
the internal phone an IP for this call, and says, "phone one, meet phone
two, you two talk, I'm outta here"

So I would need to set up mapping for any internal IP's I would assign
to external IP's we have available.

I can't put the phone system outside the firewall, because we use one
wire to connect the phone to the network, then connect the desktop to
the phone. The gateways would have to be different.

I need to be able to define my own server publishing protocols, which
does not seem to be possible.

Jeff Sloan
Network Administrator
Cross Oil Refining & Marketing, Inc.
484 E. 6th St.
Smackover, AR 71762

Phone 870-864-8688
Fax     870-864-8689
Cell     870-866-9941



-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, February 18, 2004 7:01 PM
To: ISALists
Subject: [isalist] Re: How to allow all in and out traffic for one
internal address


Hi Ray,

Bad news for ya. Still no SIP support for ISA 2004 :(

The first third party to create a SIP gateway for ISA 2004 will do very
well for themselves.

HTH,
Tom

-----Original Message-----
From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx]
Sent: Wednesday, February 18, 2004 5:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: How to allow all in and out traffic for one
internal address

It won't work.  ISA, like most firewalls, does not play nice with the
SIP protocol.  This may have changed in ISA 2004, but you would have to
ask others on the list that have been using 2004 to see if there is any
additional support for SIP yet.  Your best bet is to simply hang a NAT
box in front of the ISA box if you only have one IP, or just hang it out
on the internet if you have to.

----- Original Message -----
From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 18, 2004 2:31 PM
Subject: [isalist] How to allow all in and out traffic for one internal
address

Time to get my phone system working for VOIP across ISA.
It really needs to be like a published server, but I can't get the
protocols ironed out. I can't get an answer on which directions the
protocols/ports need to be configured, send, send/receive, receive/send,
etc. So I thought there would be a way to allow everything going and
coming from the external address to the system itself.

Will it work?
I don't have a DMZ or tri-homed ISA Box.

Jeff Sloan
Network Administrator
Cross Oil Refining & Marketing, Inc.
484 E. 6th St.
Smackover, AR 71762

Phone 870-864-8688
Fax     870-864-8689
Cell     870-866-9941


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
rdzek@xxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')





