RE: VPN Client to Non-ISA VPN Network

  • From: "Joseph" <cismic@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 8 Mar 2002 17:50:51 -0800

There is lots of info when you go searching for the "AH Protocol"
INT 14 - HUNTER 16 - GET PROTOCOL NAME

        AH = 28h
        AL = protocol handle
        DS:BX -> 8 character buffer for protocol name
Return: AH = status
            00h successful
                DS:BX buffer filled with the protocol name
            FFh failed
SeeAlso: AH=27h"HUNTER",AH=29h"HUNTER"

http://www.networksorcery.com/enp/protocol/ah.htm

So, what you really need to do is not worry about whether or not it's a
port like dns or such. You need to create a packet filter with a custom
protocol and that would be custom for protocol 51.
Under PACKET Filters create a new packet filter selecting custom
protocol and create that using 51 as the protocol type.


In/Out          Port    Protocol   Protocol Nbr
> In+Out        XX      ESP        50   Define as both
> In+Out        XX      AH         51   Define as both
> In+Out        500     UDP        17
> Out           389     TCP        6
> Out           709     TCP        6
> Out           5080    TCP        6
                        ICMP       1

Now based on what the actual ports of the client are then you set the
port using the newly established protocol.

If you need more information drop me a line.

Joseph

-----Original Message-----
From: Daniel [mailto:drbohner@xxxxxxxxxxxxxxxxx] 
Sent: Friday, March 08, 2002 5:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Client to Non-ISA VPN Network

http://www.ISAserver.org


I really did try to go 24hrs - waiting for any sort of positive
response...

Since there hasn't been one - and I have to use the one specific VPN
client to get to my network - I guess I will be removing ISA from the
server and unsubscribing from the list...

Sorry for being 'just another AH thread'

Daniel

-----Original Message-----
From: Daniel [mailto:drbohner@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, March 07, 2002 6:53 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Client to Non-ISA VPN Network


OK, I have a consensus 'from the world' that I can't use the provided
VPN Client with ISA - because the client uses the AH protocol.

So...  What are my options.  I have to use the client - but I can't go
through ISA to get there.  I know that the client does allow NAT - a
coworker has a Linksys gateway (doing NAT) plugged in between his cable
modem and his client.

Options?? Options?? And replacing the client isn't currently one of
them.

Thanks

Daniel Bohner
drbohner@xxxxxxxxxxxxxxxxx

ps - I'll reward anyone that can 'appropriately' resolve this issue with
a six-pack of Mt. Dew....

-----Original Message-----
From: Kevin Egan [mailto:KEgan@xxxxxxxxx] 
Sent: Friday, March 01, 2002 3:55 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Client to Non-ISA VPN Network


I had a similar situation trying to connect with the Nortel VPN client.
As stated, NAT breaks AH so ISA Server is out if this is all you can
get. However, Nortel was in the process of implementing support for a
"UDP Wrapper" which basically wraps everything in UDP before sending it
through the firewall and thus allows the packets to traverse a
many-to-one NAT firewall.  At the other end, it's just stripped down
layer by layer.  My knowledge of this subject is limited so I don't
really know what was done on the Nortel side to make it all happen.  To
make this work for the client side, I opened up port 500 (Send Receive)
UDP and port 10001 UDP (Send Receive).  Port 10001 was the UDP port used
to wrap everything in.  Note again that support on the host side is
required along with the appropriate VPN client in order for this to work
so this is something you might inquire about from the VPN server vendor.

Kevin.
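
Why NAT breaks AH while a UDP wrapper gets through, as an added example that is not part of the original thread: AH's integrity check covers the outer IP source address, whereas an integrity check carried inside UDP does not. The wrapper is modelled here as ESP inside UDP on port 10001, which is an assumption (the thread does not describe the vendor's format); the key, addresses, SPIs and payload are constructed.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed key standing in for the negotiated SA key

def ipv4_header(src, dst, proto, body_len, ttl=64):
    # 20-byte IPv4 header, no options; header checksum left at 0 for brevity
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0x1234, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96

def ah_icv(ip_hdr, ah_fixed, payload):
    # AH authenticates the outer IP header too; only the fields that routers
    # legitimately change (TOS, flags/offset, TTL, checksum) are zeroed first.
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:9] = b"\x00\x00\x00"
    h[10:12] = b"\x00\x00"
    return icv(bytes(h) + ah_fixed + b"\x00" * 12 + payload)

def build_ah(src, dst, payload):
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1)  # next hdr, len, rsvd, SPI, seq
    ip_hdr = ipv4_header(src, dst, 51, 24 + len(payload))  # protocol 51 = AH
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload) + payload

def verify_ah(pkt):
    return hmac.compare_digest(pkt[32:44], ah_icv(pkt[:20], pkt[20:32], pkt[44:]))

def build_udp_esp(src, dst, payload, port=10001):
    esp = struct.pack("!II", 0x2000, 1) + payload  # SPI, seq, payload (not encrypted here)
    esp += icv(esp)                                # ESP ICV covers the ESP data only
    udp = struct.pack("!HHHH", port, port, 8 + len(esp), 0)  # UDP checksum 0 = not used
    return ipv4_header(src, dst, 17, len(udp) + len(esp)) + udp + esp

def verify_udp_esp(pkt):
    esp = pkt[28:]  # skip 20-byte IP header and 8-byte UDP header
    return hmac.compare_digest(esp[-12:], icv(esp[:-12]))

def nat(pkt, public_ip, ttl=63):
    # Many-to-one NAT: rewrite the source address and decrement the TTL
    return pkt[:8] + bytes([ttl]) + pkt[9:12] + socket.inet_aton(public_ip) + pkt[16:]

if __name__ == "__main__":
    ah = build_ah("192.168.0.10", "203.0.113.5", b"constructed payload")
    wrapped = build_udp_esp("192.168.0.10", "203.0.113.5", b"constructed payload")
    for name, pkt, check in (("AH", ah, verify_ah), ("ESP in UDP", wrapped, verify_udp_esp)):
        print(name, "before NAT:", check(pkt), "after NAT:", check(nat(pkt, "198.51.100.7")))
```

A TTL change alone leaves the AH check intact because TTL is zeroed before hashing; it is the rewritten source address that makes the receiver discard the packet.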

> -----Original Message-----
> From: Daniel [mailto:drbohner@xxxxxxxxxxxxxxxxx]
> Sent: March 1, 2002 5:21 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: VPN Client to Non-ISA VPN Network
> 
> 
> 
> OK, here's the fun.  I am told:
> 
> In/Out        Port            Protocol
> In+Out        50              ESP
> In+Out        51              AH
> In+Out        500             UDP
> Out           389             TCP
> Out           709             TCP
> Out           5080            TCP
> 
> So, how do I configure the ESP and AH Protocols?
> 
> Hmmm
> 
> TIA
> 
> Daniel
> 
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx] 
> Sent: Friday, March 01, 2002 3:02 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: VPN Client to Non-ISA VPN Network
> 
> 
> Hi Daniel,
> 
> new to ISA and you have already to solve this problem..... very good
> luck ;-)
> 
> Now seriously, about which type of VPN are you talking: PPTP,
> L2TP/IPSec, IPSec, etc... You'll have to know the protocols and port
> numbers used before you can do anything on ISA.
> 
> Regards,
> Stefaan
> 
> -----Original Message-----
> From: Daniel [mailto:drbohner@xxxxxxxxxxxxxxxxx]
> Sent: Friday, March 1, 2002 22:52
> To: [ISAserver.org Discussion List]
> Subject: [isalist] VPN Client to Non-ISA VPN Network
> 
> 
> 
> Howdy,
> 
> I am new to ISA - and thus still have a lot to learn(don't we all).
> 
> My employer has supplied me with ATT Global Network Client software to
> connect from home to the internal network.
> 
> If I plug in - on the non-firewalled side of the Ether, I get
> connected...  But, if I plug in on the protected side(ISA between) I
> cannot get connected.
> 
> What do I need to look at - to allow the VPN software to go through the
> ISA Server - in order to connect to the non-ISA VPN?
> 
> Thanks in Advance!
> 
> Daniel
> 
> 
> 
> 
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> stefaan.pouseele@xxxxxxx
> To unsubscribe send a blank email to 
> $subst('Email.Unsub')
> 
> 