Hi Thor,

if NAT-T is used you don't have control over the source port because NAT is done somewhere along the path ;-)

Regards,
Stefaan

-----Original Message-----
From: Thor [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, 1 September 2004 14:19
To: [ISAserver.org Discussion List]
Subject: [isalist] KB 832017

http://www.ISAserver.org

Hey Jim- you might want to get on your KB folks:

<snip>
Routing and Remote Access
The Routing and Remote Access service provides multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services. Additionally, the Routing and Remote Access service also provides dial-up and VPN remote access services. Although Routing and Remote Access can use all the following protocols, the service typically uses only a subset of them. For example, if you configure a VPN gateway that lies behind a filtering router, you will probably use only one technology. If you use L2TP with IPSec, you must allow IPSec ESP (IP protocol 50), NAT-T (TCP on port 4500), and IPSec ISAKMP (TCP on port 500) through the router.
</snip>

NAT-T and ISAKMP are UDP, not TCP. And the article should also mention that source and destination ports are the same for NAT-T, ISAKMP and L2TP (UDP 1701) so that people can have more secure rules in place.

Now that I mention that, there is a NAT-T oriented article on ISAServer.Org that builds the IP Packet Filters for these protocols with "All Ports" on the back end. They should really be source and destination of 500/1701/4500...
T
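
The two positions in this thread can be compared with a small filter model. This is an added example, not part of either message and not ISA Server's filter engine: the rule names, the first-match evaluation and the packets are constructed for illustration, and it covers only the outer ISAKMP (UDP 500), NAT-T (UDP 4500) and ESP traffic.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard port

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                       # "udp" or "esp" (IP protocol 50)
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY

@dataclass(frozen=True)
class Packet:
    desc: str
    proto: str
    src_port: Optional[int] = None   # ESP carries no ports
    dst_port: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if pkt.proto == "esp":
        return True
    return rule.src_port in (ANY, pkt.src_port) and rule.dst_port in (ANY, pkt.dst_port)

def evaluate(rules, packets):
    """Map each packet description to the first matching rule name, or None if dropped."""
    return {p.desc: next((r.name for r in rules if matches(r, p)), None) for p in packets}

# Inbound rule sets for the VPN gateway (hypothetical names).
# PINNED fixes source and destination port; DST_ONLY fixes only the destination.
PINNED = [Rule("ike", "udp", 500, 500), Rule("nat-t", "udp", 4500, 4500), Rule("esp", "esp")]
DST_ONLY = [Rule("ike", "udp", ANY, 500), Rule("nat-t", "udp", ANY, 4500), Rule("esp", "esp")]

# Constructed packets: a client with no NAT in the path, a client whose
# source ports were rewritten by a NAT device, and unrelated UDP traffic.
PACKETS = [
    Packet("direct IKE", "udp", 500, 500),
    Packet("direct ESP", "esp"),
    Packet("NATed IKE", "udp", 1027, 500),
    Packet("NATed NAT-T", "udp", 1028, 4500),
    Packet("unrelated UDP", "udp", 4500, 1434),
]

if __name__ == "__main__":
    for label, rules in (("pinned", PINNED), ("dst-only", DST_ONLY)):
        print(label, evaluate(rules, PACKETS))
```

Pinning both ports admits the direct client but drops the client behind NAT, while pinning only the destination port admits both and still drops the unrelated UDP packet.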