RE: VPN through a PIX to an ISA Server 2004

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 8 Jul 2005 14:18:54 -0500

Hi Peter,

Unfortunately, that is one of the valid reasons to use a PIX instead of
an ISA firewall :(

If you have a NAT relationship between the internet and the DMZ between
the PIX and the ISA firewall, then you only need to forward UDP 500 and
UDP 4500 from the Internet to the ISA firewall's external interface. 

Be careful with WinXP VPN clients. If SP2 is installed, it breaks NAT-T
by default. However, a reg fix is available to cure that ill.

HTH,
Tom

-----Original Message-----
From: Peter [mailto:pladd@xxxxxxxx] 
Sent: Friday, July 08, 2005 2:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN through a PIX to an ISA Server 2004

http://www.ISAserver.org

Jim,

I have tried to pass PPTP but had no luck.  Ideally, I would like to
pass L2TP because I am using eToken Smart Cards and Certificates for
authentication.

My goal was to utilize the PIX for packet layer and the ISA for
Application layer inspection.  I have been searching Cisco's site as
well as many others with no luck.  I would settle for a good article on
how to do it if I could find it.  Most of what I find is how to allow
ISA to pass UDP 500, 1701, and 4500.  But my understanding is that L2TP
is more secure (especially when using Certs) and thus, I would really
like to go that route.

Also, another reason for using the PIX in front is that my understanding
is that the ISA will not allow a one to one NAT.  Thus, because so many
mail systems are doing reverse-dns these days, I would have to use my
current MX DNS IP Address as the external IP address of the ISA in order
for mail to be sent 'from' that IP.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
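Tom's answer boils down to a checklist for the PIX in front of the ISA firewall: with NAT between the Internet and the DMZ, inbound UDP 500 (IKE) and UDP 4500 (NAT-T) must reach the ISA's external address, and nothing else is required for L2TP/IPsec, since the L2TP traffic on UDP 1701 rides inside the NAT-T encapsulation. The script below is an added example, not part of this thread or of any Cisco or ISA tooling; it checks a saved rule list for exactly that. The rule syntax it parses (`access-list <name> permit udp any host <ip> eq <port>`, with `isakmp` as the keyword for 500), the sample rules and the address 203.0.113.10 are all constructed assumptions for the demonstration.

```python
import re

# Constructed sample of PIX-style inbound rules (the syntax is an assumption
# modelled on "access-list <name> permit <proto> any host <ip> eq <port>").
# Note that UDP 4500 is deliberately absent so the check has something to find.
SAMPLE_RULES = """
access-list outside_in permit tcp any host 203.0.113.10 eq 25
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit udp any host 203.0.113.10 eq 1701
"""

# Constructed placeholder for the ISA firewall's DMZ-facing (external) address.
ISA_EXTERNAL_IP = "203.0.113.10"

# The two ports Tom's reply says must be forwarded for NAT-T L2TP/IPsec:
# IKE on UDP 500 and UDP-encapsulated ESP (NAT-T) on UDP 4500.
REQUIRED_UDP = {500: "IKE", 4500: "NAT-T"}

# Port keywords the parser understands in place of numbers (assumed PIX spelling).
PORT_KEYWORDS = {"isakmp": 500}

RULE_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(?P<proto>tcp|udp)\s+any\s+host\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+eq\s+(?P<port>\S+)$"
)


def parse_permitted_udp_ports(config_text, dest_ip):
    """Return the set of UDP destination ports the rules permit in to dest_ip."""
    ports = set()
    for line in config_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["proto"] != "udp" or m["ip"] != dest_ip:
            continue
        token = m["port"]
        if token.isdigit():
            ports.add(int(token))
        elif token in PORT_KEYWORDS:
            ports.add(PORT_KEYWORDS[token])
        # Unknown keywords are ignored rather than guessed at.
    return ports


def missing_nat_t_ports(config_text, dest_ip):
    """Return {port: role} for the required NAT-T ports not permitted to dest_ip."""
    allowed = parse_permitted_udp_ports(config_text, dest_ip)
    return {port: role for port, role in REQUIRED_UDP.items() if port not in allowed}


def l2tp_port_opened_directly(config_text, dest_ip):
    """True if UDP 1701 is permitted inbound on its own.

    With L2TP/IPsec through NAT the L2TP packets travel inside the UDP 4500
    encapsulation, so a separate 1701 hole adds exposure without adding function.
    """
    return 1701 in parse_permitted_udp_ports(config_text, dest_ip)


def report(config_text, dest_ip):
    """Human-readable summary of the checks above."""
    lines = []
    missing = missing_nat_t_ports(config_text, dest_ip)
    if missing:
        for port, role in sorted(missing.items()):
            lines.append(f"MISSING: UDP {port} ({role}) is not forwarded to {dest_ip}")
    else:
        lines.append(f"OK: UDP 500 and 4500 are forwarded to {dest_ip}")
    if l2tp_port_opened_directly(config_text, dest_ip):
        lines.append("NOTE: UDP 1701 is open directly; not needed for L2TP over NAT-T")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RULES, ISA_EXTERNAL_IP))
```

Run it against a real rule dump by reading the file into `config_text`; on the constructed sample it flags UDP 4500 as missing and points out the unnecessary direct 1701 rule. The regex is intentionally strict, so a rule written in a form it does not recognise is skipped rather than silently treated as a permit, which is the safer failure mode for a pre-change check.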