Thanks for the reply. I figured it out last night. The clue was the fact that I wasn't seeing any rejected or dropped log entries. I created a static mapping to my workstation using a public IP, thus providing a path back in. Now I'm going to try the IPSEC connection.

Thanks again
Tom

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
Sent: Tuesday, February 08, 2005 4:22 PM
To: [ISAserver.org Discussion List]
Subject: Spam: [isalist] RE: VPN Outbound

http://www.ISAserver.org

Hi Thomas,

First of all thanks for the compliments on my article :-)

Personally I have no experience with Checkpoint NG. However, for the previous version 'FW-1 4.X' you should have the following rules:

1) PPTP
-------
Source,Destination,Service,Action,Track,Time,Install
Any,VPN-Gateway,PPTP,accept,Long,Any,Gateways
VPN-Gateway,Any,PPTP,accept,Long,Any,Gateways

So, you need two rules!

2) IPSec NAT-T
--------------
Source,Destination,Service,Action,Track,Time,Install
Any,VPN-Gateway,IKE and NAT-T,accept,Long,Any,Gateways

The service IKE is UDP port 500 and Service NAT-T is UDP port 4500 or whatever UDP port is used.

HTH,
Stefaan

________________________________

From: Thomas P. Endter [mailto:tendter@xxxxxxxxxxx]
Sent: Tuesday, 8 February 2005 20:41
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN Outbound

Hello,

My thanks go out to Stefaan Pouseele for his great article about allowing IPSEC traffic through the ISA server. It worked so well that now I'm trying to have my Checkpoint NG with Application Intelligence (R55) 091 do the same. Stefaan's article showed clearly how to pass the SecureClient traffic through the ISA. I would like to pass the Windows VPN client pptp and then IPSEC traffic through my office's checkpoint to my ISA 2004 server at home. The CP web site sucks and there doesn't seem to be a web site like this one for that product, so please don't flame me for asking a CP question in this forum.
I tried my best to convince the boss to go with the ISA server but he insisted on the CP. I thought I'd start with passing pptp traffic and then trying the IPSEC NAT-T once I got the pptp to pass. For the pptp I've allowed tcp 1723 and gre protocol 47. The ms vpn client gets as far as verifying the username/password and then the ms client reports that the remote system didn't respond. The cp does not log any rejects or drops as it relates to the connection. What other ports do I need open to allow this traffic to pass?

Thanks,
Thomas P. Endter
Information Technology Manager
ChildNet
"To protect Broward's abused, neglected and abandoned children"
1400 West Commercial Blvd, 2nd Floor
Ft. Lauderdale, FL 33309
(954) 557-6597 Phone
(954) 202-3897 Fax