Hi Peter, Unfortunately, that is one of the valid reasons to use a PIX instead of an ISA firewall :( If you have a NAT relationship between the internet and the DMZ between the PIX and the ISA firewall, then you only need to forward UDP 500 and UDP 4500 from the Internet to the ISA firewall's external interface. Be careful with WinXP VPN clients. If SP2 is installed, its break NAT-T by default. However, a reg fix is available to cure that ill. HTH, Tom -----Original Message----- From: Peter [mailto:pladd@xxxxxxxx] Sent: Friday, July 08, 2005 2:10 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: VPN through a PIX to an ISA Server 2004 http://www.ISAserver.org Jim, I have tried to pass PPTP but had no luck. Ideally, I would like to pass L2TP because I am using eToken Smart Cards and Certificates for authentication. My goal was to utilize the PIX for packet layer and the ISA for Application layer inspection. I have been searching Cisco's site as well as many others with no luck. I would settle for a good article on how to do it if I could find it. Most of what I find is how to allow ISA to pass UDP 500, 1701, and 4500. But my understanding is that L2TP is more secure (especially when using Certs) and thus, I would really like to go that route. Also, another reason for using the PIX in front is that my understanding is that the ISA will not allow a one to one NAT. Thus, because so many mail systems are doing reverse-dns these days, I would have to use my current MX DNS IP Address as the external IP address of the ISA in order for mail to be sent 'from' that IP. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx