There is lots of info when you go searching for the "AH Protocol" INT 14 - HUNTER 16 - GET PROTOCOL NAME AH = 28h AL = protocol handle DS:BX -> 8 character buffer for protocol name Return: AH = status 00h successful DS:BX buffer filled with the protocol name FFh failed SeeAlso: AH=27h"HUNTER",AH=29h"HUNTER" http://www.networksorcery.com/enp/protocol/ah.htm So, what you really need to do is not worry about weather or not it's a port like dns or such. You need to create a packet filter with a custom protocol and that would be custom for protocol 51 Under PACKET Filters create a new packet filter selecting custom protocol and create that using 51 as the protocol type. In/Out Port Protocol Protocol Nbr > In+Out XX ESP 50 Define as both > In+Out XX AH 51 Define as both > In+Out 500 UDP 17 > Out 389 TCP 6 > Out 709 TCP 6 > Out 5080 TCP 6 ICMP 1 Now based on what the actual ports of the client are then you set the port using the newly established protocol. If you need more information drop me a line. Joseph -----Original Message----- From: Daniel [mailto:drbohner@xxxxxxxxxxxxxxxxx] Sent: Friday, March 08, 2002 5:33 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN Client to Non-ISA VPN Network http://www.ISAserver.org I really did try to go 24hrs - waiting for any sort of positive reponse... Since there hasn't been one - and I have to use the one specific VPN client to get to my network - I guess I will be removing ISA from the server and unsubscribing from the list... Sorry for being 'just another AH thread' Daniel -----Original Message----- From: Daniel [mailto:drbohner@xxxxxxxxxxxxxxxxx] Sent: Thursday, March 07, 2002 6:53 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN Client to Non-ISA VPN Network http://www.ISAserver.org OK, I have a consensus 'from the world' that I can't use the provided VPN Client with ISA - because the client uses the AH protocol. So... What are my options. I have to use the client - but I can't go through ISA to get there. I know that the client does allow NAT - a coworker has a Linksys gateway (doing NAT) plugged in between his cable modem and his client. Options?? Options?? And replacing the client isn't currently one of them. Thanks Daniel Bohner drbohner@xxxxxxxxxxxxxxxxx ps - I'll reward anyone that can 'appropriately' resolve this issue with a six-pack of Mt. Dew.... -----Original Message----- From: Kevin Egan [mailto:KEgan@xxxxxxxxx] Sent: Friday, March 01, 2002 3:55 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN Client to Non-ISA VPN Network http://www.ISAserver.org I had a similar situation trying to connect with the Nortel VPN client. As stated, NAT breaks AH so ISA Server is out if this is all you can get. However, Nortel was in the process of implementing support for a "UDP Wrapper" which basically wraps everything in UDP before sending it through the firewall and thus allows the packets to traverse a many-to-one NAT firewall. At the other end, it's just stripped down layer by layer. My knowledge of this subject is limited so I don't really know what was done on the Nortel side to make it all happen. To make this work for the client side, I opened up port 500 (Send Receive) UDP and port 10001 UDP (Send Receive). Port 10001 was the UDP port used to wrap everything in. Note again that support on the host side is required along with the appropriate VPN client in order for this to work so this is something you might inquire about from the VPN server vendor. Kevin. > -----Original Message----- > From: Daniel [mailto:drbohner@xxxxxxxxxxxxxxxxx] > Sent: March 1, 2002 5:21 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: VPN Client to Non-ISA VPN Network > > > http://www.ISAserver.org > > > OK, here's the fun. I am told: > > In/Out Port Protocol > In+Out 50 ESP > In+Out 51 AH > In+Out 500 UDP > Out 389 TCP > Out 709 TCP > Out 5080 TCP > > So, how do I configure the ESP and AH Protocols? > > Hmmm > > TIA > > Daniel > > -----Original Message----- > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx] > Sent: Friday, March 01, 2002 3:02 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: VPN Client to Non-ISA VPN Network > > http://www.ISAserver.org > > > Hi Daniel, > > new to ISA and you have already to solve this problem..... very good > luck > ;-) > > Now seriously, about which type of VPN are you talking: PPTP, > L2TP/IPSec, > IPSec, etc... You'll have to know the protocols and port numbers used > before > you can do anything on ISA. > > Regards, > Stefaan > > -----Original Message----- > From: Daniel [mailto:drbohner@xxxxxxxxxxxxxxxxx] > Sent: vrijdag 1 maart 2002 22:52 > To: [ISAserver.org Discussion List] > Subject: [isalist] VPN Client to Non-ISA VPN Network > > > http://www.ISAserver.org > > > Howdy, > > I am new to ISA - and thus still have a lot to learn(don't we all). > > My employer has supplied me with ATT Global Network Client software to > connect from home to the internal network. > > If I plug in - on the non-firewalled side of the Ether, I get > connected... But, if I plug in on the protected side(ISA between) I > cannot get connected. > > What do I need to look at - to allow the VPN software to go > through the > ISA Sever - in order to connect to the non-ISA VPN? > > Thanks in Advance! > > Daniel > > > > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > stefaan.pouseele@xxxxxxx > To unsubscribe send a blank email to > $subst('Email.Unsub') > > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > drbohner@xxxxxxxxxxxxxxxxx > To unsubscribe send a blank email to > $subst('Email.Unsub') > > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: kegan@xxxxxxxxx > To unsubscribe send a blank email to > $subst('Email.Unsub') > ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: drbohner@xxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: drbohner@xxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')