RE: KB 832017

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 1 Sep 2004 14:31:35 +0200

Hi Thor, 

If NAT-T is used you don't have control over the source port because NAT is
done somewhere along the path ;-)

Regards, 
Stefaan 

-----Original Message-----
From: Thor [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Wednesday 1 September 2004 14:19
To: [ISAserver.org Discussion List]
Subject: [isalist] KB 832017

Hey Jim- you might want to get on your KB folks:

<snip>
Routing and Remote Access
The Routing and Remote Access service provides multiprotocol LAN-to-LAN,
LAN-to-WAN, VPN, and NAT routing services. Additionally, the Routing and
Remote Access service also provides dial-up and VPN remote access services. 
Although Routing and Remote Access can use all the following protocols, the
service typically uses only a subset of them. For example, if you configure
a VPN gateway that lies behind a filtering router, you will probably use
only one technology. If you use L2TP with IPSec, you must allow IPSec ESP
(IP protocol 50), NAT-T (TCP on port 4500), and IPSec ISAKMP (TCP on port
500) through the router.

</snip>

NAT-T and ISAKMP are UDP, not TCP. And the article should also mention
that source and destination ports are the same for NAT-T, ISAKMP and L2TP
(UDP 1701) so that people can have more secure rules in place. Now that I
mention that, there is a NAT-T oriented article on ISAServer.Org that builds
the IP Packet Filters for these protocols with "All Ports" on the back end.
They should really be source and destination of 500/1701/4500...

T 
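The two rule styles the thread argues about, as an added example that is not from either post or from the ISAserver.org article: a small Python model of a stateless packet filter compares the "All Ports" back-end rule with the fixed source-and-destination rule Thor proposes, and shows Stefaan's caveat that NAT-T traffic whose source port was rewritten by a NAT on the path fails the tight rule. `Packet`, `Rule`, `LOOSE`, `STRICT` and the sample packets are all constructed here and are not a real firewall's configuration format.

```python
from dataclasses import dataclass
from typing import Optional

UDP, ESP = 17, 50  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    """Constructed packet: only the fields a stateless filter looks at."""
    proto: int
    src_port: Optional[int] = None  # None for protocols without ports (ESP)
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """A permit rule; None means 'any' (the 'All Ports' setting)."""
    proto: int
    dst_port: Optional[int] = None
    src_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.src_port is not None and p.src_port != self.src_port:
            return False
        return True


def permitted(rules, p: Packet) -> bool:
    """First-match-permit, implicit deny: any matching rule allows the packet."""
    return any(r.matches(p) for r in rules)


# Destination fixed, source "All Ports" (the looser style the thread criticises).
LOOSE = [Rule(ESP), Rule(UDP, 500), Rule(UDP, 4500), Rule(UDP, 1701)]
# Source and destination both fixed (Thor's proposal: 500/1701/4500 on both sides).
STRICT = [Rule(ESP), Rule(UDP, 500, 500), Rule(UDP, 4500, 4500), Rule(UDP, 1701, 1701)]

# Constructed sample traffic as seen by the filtering router.
ISAKMP_DIRECT = Packet(UDP, 500, 500)        # no NAT on the path
NATT_REWRITTEN = Packet(UDP, 61234, 4500)    # source port rewritten by a NAT on the path
ARBITRARY_TO_1701 = Packet(UDP, 40000, 1701) # random-source UDP aimed at the L2TP port
ESP_PKT = Packet(ESP)                        # IP protocol 50 carries no ports


def compare(p: Packet):
    """Return (permitted by LOOSE, permitted by STRICT) for one packet."""
    return permitted(LOOSE, p), permitted(STRICT, p)
```

The strict set keeps arbitrary-source UDP away from 500/1701/4500, but it also drops NAT-T packets that arrived through a NAT, which is exactly the trade-off the reply raises.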

