RE: ISA VPN behind PIX

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 25 Mar 2003 18:18:22 -0600

Hi William,

Don't know and if I did, I couldn't say anything. 

Thanks!
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: William Robertson [mailto:william.robertson@xxxxxxxxx] 
Sent: Monday, March 24, 2003 11:20 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA VPN behind PIX


http://www.ISAserver.org


Ha, does that mean you think it may be possible in ISA Server .NET?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: 25 March 2003 03:48 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA VPN behind PIX



Hi William,

Not with ISA Server 2000.

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: William Robertson [mailto:william.robertson@xxxxxxxxx] 
Sent: Monday, March 24, 2003 10:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA VPN behind PIX




Hi there

Yes, my next hurdle is in fact to start using L2TP/IPSec and I do look
forward to that :)

Can you perhaps tell me though, is it at all possible to "firewall" a
VPN Connection? For example, I want to provide someone with the facility
of connecting to my site via a VPN, but I don't want to allow him to use
any protocol such as RDP, SMB etc. I would like to say even though you
are connected via a VPN, you are still only allowed to use a specific
list of protocols.

Is this at all possible?

Cheers
William R.


-----Original Message-----
From: Jens von Bülow [mailto:jens@xxxxxxxxx] 
Sent: 24 March 2003 16:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA VPN behind PIX



None that I am aware of; all the logic about the connection is contained
in the TCP connection - PPTP just uses GRE to move the packets around...

Anyone else have any comments on this?

PS: An alternative would be for you to install a server and workstation
digital certificate and then use the L2TP VPN connectivity between the
remote user and home network...


-----Original Message-----
From: William Robertson [mailto:william.robertson@xxxxxxxxx] 
Sent: 24 March 2003 04:34
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA VPN behind PIX




Hi Jens

Thanks very much for your help. I didn't use your exact code as I do not
have a Gateway-to-Gateway VPN, but I did do the following:

access-list outside_interface permit gre any host <isa-server>

Do you know of any security risks that I may be running by doing this?

Cheers
William R.




-----Original Message-----
From: Jens von Bülow [mailto:jens@xxxxxxxxx] 
Sent: 24 March 2003 15:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA VPN behind PIX



William,

By default ISA tries to establish a PPTP VPN connection

Try the following on your pix

        access-list outside_access_in permit gre host <isa-server-1> host <isa-server-2>

Regards
Jens
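
Added example, not part of the original thread: an access-list entry with the `gre` keyword matches IP protocol 47, so this Python check shows how someone reviewing a capture taken behind the PIX can tell PPTP's enhanced GRE (version 1, protocol type 0x880B, RFC 2637) from other GRE traffic. The function name and the sample packets are constructed for illustration.

```python
import struct

PPTP_PROTO = 0x880B  # PPP carried in enhanced GRE (RFC 2637)

def classify_gre(gre: bytes) -> dict:
    """Classify the bytes that follow an IP header whose protocol field is 47."""
    if len(gre) < 4:
        return {"kind": "truncated"}
    flags, proto = struct.unpack("!HH", gre[:4])
    version = flags & 0x0007
    if version != 1 or proto != PPTP_PROTO:
        # Plain GRE (version 0) or anything else: not a PPTP data channel.
        return {"kind": "non-pptp", "version": version, "proto": proto}
    # Enhanced GRE carries the key field (K=1) and no checksum/routing (C=R=0).
    if (flags & 0xE000) != 0x2000:
        return {"kind": "malformed"}
    has_seq, has_ack = bool(flags & 0x1000), bool(flags & 0x0080)
    hdr_len = 8 + 4 * has_seq + 4 * has_ack
    if len(gre) < hdr_len:
        return {"kind": "truncated"}
    # The 32-bit key is split into payload length and the peer's call ID.
    payload_len, call_id = struct.unpack("!HH", gre[4:8])
    if len(gre) - hdr_len < payload_len:
        return {"kind": "truncated"}
    return {"kind": "pptp", "call_id": call_id, "payload_len": payload_len,
            "has_seq": has_seq, "has_ack": has_ack}

# Constructed samples (not captured traffic).
PPTP_DATA = struct.pack("!HHHHI", 0x3001, PPTP_PROTO, 4, 0x1234, 7) + b"\xff\x03\xc0\x21"
PPTP_ACK = struct.pack("!HHHHI", 0x2081, PPTP_PROTO, 0, 0x1234, 7)
PLAIN_GRE = struct.pack("!HH", 0x0000, 0x0800) + b"\x45" + bytes(19)

if __name__ == "__main__":
    for name, pkt in (("data", PPTP_DATA), ("ack", PPTP_ACK), ("plain", PLAIN_GRE)):
        print(name, classify_gre(pkt))
```
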


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/ Windows
Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT
Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

