RE: Spam: RE: VPN Outbound

  • From: "Thomas P. Endter" <tendter@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 9 Feb 2005 07:48:12 -0500

Thanks for the reply. I figured it out last night. The clue was the fact
that I wasn't seeing any rejected or dropped log entries. I created a
static mapping to my workstation using a public IP, thus providing a path
back in. 

Now I'm going to try the IPSEC connection.

Thanks again

Tom



-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx] 
Sent: Tuesday, February 08, 2005 4:22 PM
To: [ISAserver.org Discussion List]
Subject: Spam: [isalist] RE: VPN Outbound

http://www.ISAserver.org

Hi Thomas, 
 
First of all thanks for the compliments on my article :-)

Personally I have no experience with Checkpoint NG. However, for the
previous version 'FW-1 4.X' you should have the following rules:

1) PPTP
-------

Source,Destination,Service,Action,Track,Time,Install
Any,VPN-Gateway,PPTP,accept,Long,Any,Gateways
VPN-Gateway,Any,PPTP,accept,Long,Any,Gateways

So, you need two rules!

2) IPSec NAT-T
--------------

Source,Destination,Service,Action,Track,Time,Install
Any,VPN-Gateway,IKE and NAT-T,accept,Long,Any,Gateways

The service IKE is UDP port 500 and Service NAT-T is UDP port 4500 or
whatever UDP port is used. 


HTH, 
Stefaan
________________________________

From: Thomas P. Endter [mailto:tendter@xxxxxxxxxxx] 
Sent: Tuesday, 8 February 2005 20:41
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN Outbound



Hello,

My thanks go out to Stefaan Pouseele for his great article about
allowing IPSEC traffic through the ISA server. It worked so well that
now I'm trying to have my Checkpoint NG with Application Intelligence
(R55) 091 do the same. Stefaan's article showed clearly how to pass the
SecureClient traffic through the ISA. I would like to pass the Windows
VPN client pptp and then IPSEC traffic through my office's checkpoint to
my ISA 2004 server at home. The CP web site sucks and there doesn't seem
to be a web site like this one for that product, so please don't flame
me for asking a CP question in this forum. I tried my best to convince
the boss to go with the ISA server but he insisted on the CP.

I thought I'd start with passing pptp traffic and then trying the IPSEC
NAT-T once I got the pptp to pass. For the pptp I've allowed tcp 1723
and gre protocol 47. The ms vpn client gets as far as verifying the
username/password and then the ms client reports that the remote system
didn't respond. The cp does not log any rejects or drops as it relates
to the connection. What other ports do I need opened to allow this
traffic to pass?



Thanks,

Thomas P. Endter

Information Technology Manager

ChildNet

"To protect Broward's abused, neglected and abandoned children"

1400 West  Commercial Blvd, 2nd Floor

Ft. Lauderdale, FL 33309

(954) 557-6597 Phone

(954) 202-3897 Fax


