Hi Thor,

The source port on incoming packets *can* be UDP 4500 (i.e. if only 1:1 NAT is done along the path) but is definitely not the case if N:1 NAT (or PAT) is done along the path. The goal of NAT-T is to pass IPSec traffic through any NAT device, whether it is doing NAT (1:1) or PAT (N:1). So, checking the source port on incoming NAT-T packets might break NAT-T.

Moreover, you will *never* see L2TP (UDP 1701) on the wire because the L2TP protocol is hidden within the ESP packets, and if NAT-T is used, the ESP packet is just the payload of the NAT-T packets.

HTH,
Stefaan

-----Original Message-----
From: Thor [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday 1 September 2004 23:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: KB 832017

http://www.ISAserver.org

In normal NAT circumstances, yes. But not in NAT-T... I mean, that's why we have NAT-T-- so that L2TP will work over NAT without having to worry about stuff like that. As far as the local and remote endpoints are concerned, L2TP/NAT-T traffic will always be UDP source 4500/dest 4500. Even with multiple remote devices behind a NAT device all VPN'ing at the same time... I have this setup at work (clients -> NAT -> Internet -> ISA -> Local) and have for a long time-- My Cisco in front of my ISA VPN box only lets UDP from 4500 to 4500 to the IP of my ISA box, and the ISA box has the same rules.

You can reference the MS "Configuring Firewalls" technet article--
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbj_ips_schx.asp

<snip>
Configuring Firewalls

The most secure firewall configuration is one in which the firewall permits only IKE and IPSec traffic to flow between the specific IP addresses of the peers.
However, if these addresses are not static, or if there are many addresses, a less secure configuration might be required to permit IPSec and IKE traffic to flow between subnets. When a firewall or filtering router exists between IPSec peers, it must be configured to forward IPSec traffic on UDP source and destination port 500, IP protocol 50 (ESP), or IP protocol 51 (AH). If you are using IPSec NAT-T, the firewall or filtering router must also be configured to forward IPSec traffic on UDP source and destination port 4500.

First, to permit IPSec traffic on UDP source and destination port 500, use the following settings to create a firewall filter called Permit ISAKMP traffic on UDP port 500:

  a.. Source address = Specific_IP_address
  b.. Destination address = Specific_IP_address
  c.. Protocol = UDP
  d.. Source port = 500
  e.. Destination port = 500

If you are using IPSec NAT-T, to permit traffic on UDP source and destination port 4500, use the following settings to create a firewall filter called Permit ISAKMP traffic on UDP port 4500:

  a.. Source address = Specific_IP_address
  b.. Destination address = Specific_IP_address
  c.. Protocol = UDP
  d.. Source port = 4500
  e.. Destination port = 4500
</snip>

Dem's Da FActs!!!

T

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, September 01, 2004 1:31 PM
Subject: [isalist] RE: KB 832017

http://www.ISAserver.org

Hi Tim,

I think if I said "all ports", then it probably was because that was the only option that worked. But I'll test it with the new ISA firewall and update the article with the correct source ports in both NAT and non-NAT environments.

Like Stefaan said, if the remote client is behind a NAT, it's a good bet that the source port will be changed, although of course, the destination port will remain unchanged.

Thanks!
Tom

-----Original Message-----
From: Thor [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, September 01, 2004 7:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] KB 832017

http://www.ISAserver.org

Hey Jim- you might want to get on your KB folks:

<snip>
Routing and Remote Access

The Routing and Remote Access service provides multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services. Additionally, the Routing and Remote Access service also provides dial-up and VPN remote access services. Although Routing and Remote Access can use all the following protocols, the service typically uses only a subset of them. For example, if you configure a VPN gateway that lies behind a filtering router, you will probably use only one technology. If you use L2TP with IPSec, you must allow IPSec ESP (IP protocol 50), NAT-T (TCP on port 4500), and IPSec ISAKMP (TCP on port 500) through the router.
</snip>

NAT-T and ISAKMP are UDP, not TCP. And the article should also mention that source and destination ports are the same for NAT-T, ISAKMP and L2TP (UDP 1701) so that people can have more secure rules in place.

Now that I mention that, there is a NAT-T oriented article on ISAServer.Org that builds the IP Packet Filters for these protocols with "All Ports" on the back end. They should really be source and destination of 500/1701/4500...
T

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
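The disagreement in this thread (source port fixed at 4500 versus rewritten by a N:1 NAT) can be made concrete with a toy model. The block below is an added example, not code from the thread or from Microsoft's article: it assumes a port-preserving PAT device (the first inside host keeps its source port on the public IP, later hosts colliding on it get a fresh high port) and uses constructed addresses, and it checks the article's literal filter (source and destination port 4500) against one that matches the destination port only.

```python
# Added example (not from the thread): a toy PAT device and two firewall filters,
# showing why requiring UDP *source* port 4500 breaks NAT-T for a second client
# behind the same NAT while matching only the destination port does not.
from collections import namedtuple

UDP, NAT_T_PORT = 17, 4500
Packet = namedtuple("Packet", "src_ip dst_ip proto sport dport")
# Filter in the style of the quoted article; a None field means "any".
Filter = namedtuple("Filter", "src_ip dst_ip proto sport dport", defaults=(None,) * 5)

def permits(f: Filter, p: Packet) -> bool:
    """True if every non-wildcard field of the filter matches the packet."""
    return all(want is None or want == got for want, got in zip(f, p))

class Pat:
    """Port-preserving N:1 NAT (an assumption about the NAT box): the first inside
    host to use a source port keeps it on the public IP; a later host that collides
    on that port is rewritten to a fresh high port."""
    def __init__(self, public_ip: str):
        self.public_ip, self.next_port, self.table = public_ip, 60000, {}

    def translate(self, p: Packet) -> Packet:
        key = (p.src_ip, p.sport)                    # one mapping per inside (ip, port)
        if key not in self.table:
            if p.sport in self.table.values():       # port already taken on the public IP
                self.table[key], self.next_port = self.next_port, self.next_port + 1
            else:
                self.table[key] = p.sport
        return p._replace(src_ip=self.public_ip, sport=self.table[key])

ISA_IP = "203.0.113.10"   # constructed public IP of the ISA box
NAT_IP = "198.51.100.1"   # constructed public IP of the NAT device in front of the clients

def run_scenario(n_clients: int, firewall: Filter) -> list[bool]:
    """n_clients behind one PAT device each send NAT-T (UDP 4500 -> 4500) to the ISA box;
    returns, per client, whether the firewall in front of ISA permits the translated packet."""
    nat = Pat(NAT_IP)
    out = []
    for i in range(n_clients):
        inside = Packet(f"192.168.1.{10 + i}", ISA_IP, UDP, NAT_T_PORT, NAT_T_PORT)
        out.append(permits(firewall, nat.translate(inside)))
    return out

# The article's literal filter (source AND destination port 4500) beside the one NAT-T needs.
STRICT = Filter(src_ip=NAT_IP, dst_ip=ISA_IP, proto=UDP, sport=NAT_T_PORT, dport=NAT_T_PORT)
RELAXED = Filter(src_ip=NAT_IP, dst_ip=ISA_IP, proto=UDP, dport=NAT_T_PORT)

if __name__ == "__main__":
    print("strict :", run_scenario(3, STRICT))    # [True, False, False]
    print("relaxed:", run_scenario(3, RELAXED))   # [True, True, True]
```

With a single client the strict filter still passes, which is consistent with a one-client setup appearing to work; the second client behind the same NAT is where the source-port match silently drops traffic.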