RE: KB 832017

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 1 Sep 2004 23:47:07 +0200

Hi Thor, 

The source port on incoming packets *can* be UDP 4500 (i.e. if only 1:1 NAT
is done along the path) but is definitely not the case if N:1 NAT (or PAT)
is done along the path. The goal of NAT-T is to pass IPSec traffic through
any NAT device, whether it is doing NAT (1:1) or PAT (N:1). So, checking the
source port on incoming NAT-T packets might break NAT-T. 

Moreover, you will *never* see L2TP (UDP 1701) on the wire because the L2TP
protocol is hidden within the ESP packets, and if NAT-T is used, the ESP
packet is just the payload of the NAT-T packets. 

HTH, 
Stefaan

-----Original Message-----
From: Thor [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: woensdag 1 september 2004 23:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: KB 832017

http://www.ISAserver.org

In normal NAT circumstances, yes.  But not in NAT-T... I mean, that's why we
have NAT-T-- so that L2TP will work over NAT without having to worry about
stuff like that.   As far as the local and remote endpoints are concerned,
L2TP/NAT-T traffic will always be UDP source 4500/dest 4500.  Even with
multiple remote devices behind a NAT device all VPN'ing at the same time...
I have this setup at work (clients -> NAT -> Internet -> ISA -> Local) and
have for a long time-- My Cisco in front of my ISA VPN box only lets UDP
from 4500 to 4500 to the IP of my ISA box, and the ISA box has the same
rules.

You can reference the MS "Configuring Firewalls" technet article--
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbj_ips_schx.asp

<snip>
Configuring Firewalls
The most secure firewall configuration is one in which the firewall permits
only IKE and IPSec traffic to flow between the specific IP addresses of the
peers. However, if these addresses are not static, or if there are many
addresses, a less secure configuration might be required to permit IPSec and
IKE traffic to flow between subnets.

When a firewall or filtering router exists between IPSec peers, it must be
configured to forward IPSec traffic on UDP source and destination port 500,
IP protocol 50 (ESP), or IP protocol 51 (AH). If you are using IPSec NAT-T,
the firewall or filtering router must also be configured to forward IPSec
traffic on UDP source and destination port 4500.

First, to permit IPSec traffic on UDP source and destination port 500, use
the following settings to create a firewall filter called Permit ISAKMP
traffic on UDP port 500:

  • Source address = Specific_IP_address
  • Destination address = Specific_IP_address
  • Protocol = UDP
  • Source port = 500
  • Destination port = 500

If you are using IPSec NAT-T, to permit traffic on UDP source and
destination port 4500, use the following settings to create a firewall
filter called Permit ISAKMP traffic on UDP port 4500:

  • Source address = Specific_IP_address
  • Destination address = Specific_IP_address
  • Protocol = UDP
  • Source port = 4500
  • Destination port = 4500


</snip>


Dem's Da Facts!!!

T
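The two points argued above (Stefaan's: an N:1 NAT rewrites the source port, so a rule that insists on UDP source 4500 breaks NAT-T for all but one client behind it, and L2TP's UDP 1701 is never on the wire because L2TP rides inside ESP; and the Microsoft "Configuring Firewalls" filter with both source and destination port fixed at 4500) can be checked with a small model. The following Python is an added example written for this page; it is not code from the thread, from ISA Server or from Microsoft. The public addresses, the VPN server address, and the PAT port-allocation policy (first inside host keeps its port, later colliding hosts get the next free port from 1024 upward) are constructed assumptions; real NAT devices may rewrite every source port, which only makes the strict rule fail sooner.

```python
"""Added model: why an L2TP/IPsec NAT-T firewall rule must not match on the source port.

Two clients behind one N:1 NAT (PAT) both send UDP 4500 -> 4500 to the VPN server.
The PAT can hand public source port 4500 to only one of them; the other is rewritten.
A rule of the form 'UDP src 4500, dst 4500' therefore drops the second client,
while a 1:1 NAT (address only) leaves ports alone and the strict rule happens to work.
Addresses, port-allocation policy and payload labels are constructed for this model.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Tuple

IKE_PORT = 500      # ISAKMP/IKE before NAT detection
NAT_T_PORT = 4500   # UDP-encapsulated ESP, and IKE after it floats to 4500
L2TP_PORT = 1701    # carried inside ESP; never appears in an outer header

VPN_SERVER = "198.51.100.10"    # constructed: the VPN server's public address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                  # outer protocol: "UDP" or "ESP"
    src_port: Optional[int]     # None when proto is "ESP"
    dst_port: Optional[int]
    payload: str                # label for what the outer header carries


@dataclass
class PatDevice:
    """N:1 NAT: many inside hosts share one public IP, so source ports collide.

    Assumed policy: an inside (ip, port) keeps its port if no other mapping uses it,
    otherwise it gets the next free port >= 1024. Real devices may rewrite every port.
    """
    public_ip: str
    table: Dict[Tuple[str, int], int] = field(default_factory=dict)
    next_port: int = 1024

    def translate(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            in_use = set(self.table.values())
            if pkt.src_port not in in_use:
                self.table[key] = pkt.src_port
            else:
                while self.next_port in in_use:
                    self.next_port += 1
                self.table[key] = self.next_port
                self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.table[key])


class OneToOneNat:
    """1:1 NAT: only the address is rewritten; ports pass through unchanged."""

    def __init__(self, mapping: Dict[str, str]):
        self.mapping = mapping

    def translate(self, pkt: Packet) -> Packet:
        return replace(pkt, src_ip=self.mapping[pkt.src_ip])


def strict_rule(pkt: Packet, vpn_ip: str) -> bool:
    """'Permit ISAKMP traffic on UDP port 4500' as written: UDP, src 4500 AND dst 4500."""
    return (pkt.proto == "UDP" and pkt.dst_ip == vpn_ip
            and pkt.src_port == NAT_T_PORT and pkt.dst_port == NAT_T_PORT)


def dst_only_rule(pkt: Packet, vpn_ip: str) -> bool:
    """NAT-friendly form: any source port, UDP dst 4500 to the VPN server."""
    return pkt.proto == "UDP" and pkt.dst_ip == vpn_ip and pkt.dst_port == NAT_T_PORT


def nat_t_packet(client_ip: str) -> Packet:
    """What a NAT-T client emits once IKE has moved to 4500: UDP(ESP(L2TP(PPP)))."""
    return Packet(client_ip, VPN_SERVER, "UDP", NAT_T_PORT, NAT_T_PORT, "ESP(L2TP(PPP))")


def outer_l2tp_port_visible(pkt: Packet) -> bool:
    """True only if UDP 1701 appears in the outer header; for L2TP/IPsec it never does."""
    return pkt.proto == "UDP" and L2TP_PORT in (pkt.src_port, pkt.dst_port)


def simulate(nat, rule, clients) -> Dict[str, Tuple[int, bool]]:
    """Push one NAT-T packet per client through the NAT, then through the firewall rule.

    Returns {client_ip: (public source port after NAT, accepted by rule)}.
    """
    out = {}
    for ip in clients:
        translated = nat.translate(nat_t_packet(ip))
        out[ip] = (translated.src_port, rule(translated, VPN_SERVER))
    return out


if __name__ == "__main__":
    clients = ["192.168.1.10", "192.168.1.11"]   # constructed inside addresses
    print("PAT + strict rule :", simulate(PatDevice("203.0.113.5"), strict_rule, clients))
    print("PAT + dst-only    :", simulate(PatDevice("203.0.113.5"), dst_only_rule, clients))
    print("1:1 NAT + strict  :", simulate(OneToOneNat({"192.168.1.10": "203.0.113.10"}),
                                         strict_rule, clients[:1]))
    print("L2TP port on wire :", outer_l2tp_port_visible(nat_t_packet(clients[0])))
```

Run as a script, the PAT case shows the first client arriving from public port 4500 and accepted, the second arriving from port 1024 and dropped by the strict rule, while the destination-only rule admits both; the 1:1 NAT case passes the strict rule because the port is untouched; and no outer header ever shows 1701, so a "UDP 1701" filter on the Internet side of an L2TP/IPsec gateway matches nothing.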



----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, September 01, 2004 1:31 PM
Subject: [isalist] RE: KB 832017


http://www.ISAserver.org

Hi Tim,

I think if I said "all ports", then it probably was because that was the
only option that worked. But I'll test it with the new ISA firewall and
update the article with the correct source ports in both NAT and non-NAT
environments. Like Stefaan said, if the remote client is behind a NAT,
it's a good bet that the source port will be changed, although of
course, the destination port will remain unchanged.

Thanks!
Tom

-----Original Message-----
From: Thor [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, September 01, 2004 7:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] KB 832017

http://www.ISAserver.org

Hey Jim- you might want to get on your KB folks:

<snip>
Routing and Remote Access
The Routing and Remote Access service provides multiprotocol LAN-to-LAN,
LAN-to-WAN, VPN, and NAT routing services. Additionally, the Routing and
Remote Access service also provides dial-up and VPN remote access
services.
Although Routing and Remote Access can use all the following protocols,
the service typically uses only a subset of them. For example, if you
configure a VPN gateway that lies behind a filtering router, you will
probably use only one technology. If you use L2TP with IPSec, you must
allow IPSec ESP (IP protocol 50), NAT-T (TCP on port 4500), and IPSec
ISAKMP (TCP on port 500) through the router.

</snip>

NAT-T and ISAKMP are UDP, not TCP.   And the article should also mention
that source and destination ports are the same for NAT-T, ISAKMP and
L2TP (UDP 1701) so that people can have more secure rules in place.  Now
that I mention that, there is a NAT-T oriented article on ISAServer.Org
that builds the IP Packet Filters for these protocols with "All Ports"
on the back end.
They should really be source and destination of 500/1701/4500...

T


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


