Once again I'm impressed that people don't want to use multiple layers in defense..... =?(

ACLs are an easy way of mass screening traffic that flows into your network.... With a few minutes of typing, you can screen out just about everything you don't want coming in, to leave the ISA to do the job it does best, payload inspection......

You could have just pointed him to Cisco's web page, and all the documentation you could ever want is located right there. Plenty of bathroom reading there too about security in depth and layered approaches. Even if you don't agree with it, it is something you should understand.

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: Friday, July 08, 2005 1:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN through a PIX to an ISA Server 2004

http://www.ISAserver.org

The first correct thing that you have uttered...I'm impressed....:))

-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Friday, July 08, 2005 3:08 PM
To: ISA Mailing List
Subject: [isalist] RE: VPN through a PIX to an ISA Server 2004

Do this:

Internet - ISA Server - LAN

Or

Internet - PIX (open all ports to ISA Server) - ISA Server - LAN

Andrew ;)

-----Original Message-----
From: Peter [mailto:pladd@xxxxxxxx]
Sent: Friday, July 08, 2005 11:09 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN through a PIX to an ISA Server 2004

Greetings,

I have a PIX 515e running the latest IOS (7.0). I am setting up a back to back scenario where the PIX is the perimeter firewall with the ISA2004 connected to the inside interface of the PIX. I am able to pass SMTP and Web Traffic fine. However, I want to use the ISA as VPN server. Thus, I need the PIX to allow the VPN traffic through to the ISA Server so that it can authenticate and create the tunnel.
Here is my config

Internet - PIX - ISA Server - LAN

PIX external: x.x.x.166
PIX internal: 10.0.10.1
ISA external: 10.0.10.2
ISA internal: 192.168.50.3

I guess what I really need is the commands/caveats to allow the PIX to pass the VPN traffic. Any suggestions or comments welcome and appreciated.

Thank you

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: andrew@xxxxxxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx