RE: VPN with checkpoint

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 7 Aug 2003 14:43:52 -0500

Hi Daniel,

I don't know if ISA supports VPN client/server connections using IPSec
tunnel mode, but I doubt it for the same reasons that ISA doesn't
support gateway to gateway VPN connections.

If you want to establish a gateway to gateway configuration between two ISA
Servers, or an ISA Server firewall/VPN server, and a Windows 2000
machine, I've got that scenario covered over at
www.isaserver.org/shinder:

Joining Networks over the Internet with a Gateway to Gateway VPN: ISA
Server to Windows 2000 RRAS - Part 1
    Date - Mar 20, 2003       Section - Tutorials :: Configuration - General
One scenario that frequently comes up on the Web boards and mailing list is
how to configure a gateway to gateway VPN when one side is running ISA
Server and the other side is running only the Windows 2000 RRAS NAT and
VPN Server. This is a common scenario for companies who are willing to
make the expenditure for a heavy duty firewall at the main office, but
only want to provide basic NAT and VPN gateway services at a remote
office.

Joining Networks over the Internet with a Gateway to Gateway VPN: ISA
Server to Windows 2000 RRAS - Part 2
    Date - Mar 23, 2003       Section - Articles
We finish up our discussion on configuring an ISA Server to Win2k RRAS
gateway to gateway VPN link in part 2 of this article.

If there is a CP firewall in front of the ISA firewall, or in front of
the Windows 2000 RRAS VPN, then you need to pass through the VPN
protocols to the ISA VPN gateway or Windows 2000 VPN gateway. For
example:

Win2k VPN -- CP -- Internet -- ISA Firewall

The gateway to gateway link can be established between the ISA firewall
and the Win2k VPN as long as you pass the PPTP through the CP box to the
Windows 2000 VPN. And if you were using Windows Server 2003 for the VPN
gateway behind the CP box on on the ISA firewall, you could take
advantage of NAT-T and just pass the UDP 500 and UDP 4500, plus IP
Protocol 50 (ESP) through. In fact, you do not even need to pass UDP
1701 through the CP box because it's encapsulated in the UDP 4500 header,
but that filter does need to be enabled on the ISA firewall. 

Check out:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dnsbf_vpn_uzuu.asp

For help on the static packet filter config on an upstream
firewall/router.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
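
Added example, not part of the original post and not Check Point or ISA
syntax: a small audit of an upstream firewall's pass-through list for the
VPN gateway behind it, using the protocol sets named in the reply above.
The rule format, the function names and the 192.0.2.x addresses are
constructed for illustration; TCP 1723 plus IP protocol 47 (GRE) is the
standard PPTP set.

```python
# Traffic the upstream box must forward to the VPN gateway, per VPN type.
# UDP 500 (IKE), UDP 4500 (NAT-T) and IP protocol 50 (ESP) come from the post.
REQUIRED = {
    "pptp": {("tcp", 1723), ("ip", 47)},
    "l2tp_ipsec_natt": {("udp", 500), ("udp", 4500), ("ip", 50)},
}

def parse_rule(line):
    """Parse 'pass <tcp|udp|ip> <number> -> <gateway>' (constructed syntax)."""
    fields = line.split()
    if len(fields) != 5 or fields[0] != "pass" or fields[3] != "->":
        raise ValueError(f"unrecognised rule: {line!r}")
    kind = fields[1].lower()
    if kind not in ("tcp", "udp", "ip"):
        raise ValueError(f"unknown protocol keyword: {line!r}")
    number = int(fields[2])
    # 'ip' carries an IP protocol number (0-255); tcp/udp carry a port.
    if not 0 <= number <= (255 if kind == "ip" else 65535):
        raise ValueError(f"number out of range: {line!r}")
    return (kind, number), fields[4]

def audit(rule_lines, gateway, mode):
    """Return (missing, surplus) pass-through entries for one gateway."""
    allowed = set()
    for raw in rule_lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        entry, target = parse_rule(line)
        if target == gateway:
            allowed.add(entry)
    required = REQUIRED[mode]
    return sorted(required - allowed), sorted(allowed - required)

# Constructed sample: pass-through list on the box in front of the gateway.
SAMPLE_RULES = [
    "pass udp 500 -> 192.0.2.10",
    "pass udp 1701 -> 192.0.2.10   # L2TP, already carried inside UDP 4500",
    "pass ip 50 -> 192.0.2.10",
    "pass tcp 1723 -> 192.0.2.20   # different host, ignored for .10",
]

if __name__ == "__main__":
    missing, surplus = audit(SAMPLE_RULES, "192.0.2.10", "l2tp_ipsec_natt")
    print("missing:", missing)    # entries the tunnel needs but lacks
    print("surplus:", surplus)    # entries that can be closed
```

On the sample list the audit reports UDP 4500 as missing and UDP 1701 as
surplus on the upstream box.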

 


-----Original Message-----
From: Accioly, Daniel [mailto:daniel.accioly@xxxxxxxxxxxxx] 
Sent: Thursday, August 07, 2003 2:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN with checkpoint


http://www.ISAserver.org


Tom,

So ISA just supports client-to-gateway VPN connections? 

I need to establish a site-to-site VPN and I have an ISA on one side and
a Checkpoint VPN-1 SmallOffice on the other. Would it be a good solution to
install a W2K Server behind my checkpoint FW and establish the VPN
connection between the ISA and the Server? Can you also tell me where
I can find more information about it?

Thank you!

Daniel

