
Welcome to ISAserver.org


MS ISA VPN Behind A Firewall

MS ISA VPN Behind A Firewall - 26.Jul.2002 12:03:00 PM   
sk_koh

 

Posts: 63
Joined: 30.May2002
Status: offline
Hi,

Need help on MS ISA VPN. I plan to configure a VPN between HQ and Branch.

HQ setting.

Client---->MSISA---->Router with Firewall---> Internet.

MSIsa external IP 192.168.2.1
MSIsa internal IP 192.168.1.1

Branch Setting.
Client---->MSISA---->Router with Firewall---> Internet.

MSIsa external IP 192.168.20.1
MSIsa internal IP 192.168.21.1

Can I configure VPN on this? What do I have to take care of on my router firewall?

Do I need to open a port?
What port do I have to open?

Tks
Post #: 1
RE: MS ISA VPN Behind A Firewall - 27.Jul.2002 7:39:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi skkoh,

seeing the IP addresses, I assume that the firewall/router will do NAT/PAT. In that case only the PPTP protocol can be used for the VPN connection. L2TP/IPSec and IPSec are *not* NAT/PAT compatible.

The PPTP protocol uses TCP port 1723 and IP protocol 47 (GRE).

HTH,
Stefaan

(in reply to sk_koh)
Post #: 2
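
The two PPTP requirements named in the reply above (TCP port 1723 and IP protocol 47) can be checked against a router rule list. This is an added example, not part of the original thread; the one-line rule syntax, the first-match/default-deny behaviour and the sample rules are assumptions made up for illustration, not the syntax of any particular router.

```python
# Added example: audit a first-match, default-deny rule list for PPTP pass-through.
# Hypothetical rule syntax: "<permit|deny> <tcp|udp> [port]", "<permit|deny> gre",
# "<permit|deny> proto <number>", "<permit|deny> any".
IPPROTO = {"tcp": 6, "udp": 17, "gre": 47}

def parse_rule(line):
    """Return (action, ip_protocol or None, dst_port or None)."""
    parts = line.split()
    action, kind = parts[0], parts[1]
    if kind == "any":
        return (action, None, None)
    if kind == "proto":
        return (action, int(parts[2]), None)
    port = int(parts[2]) if len(parts) > 2 else None
    return (action, IPPROTO[kind], port)

def allowed(rules, proto, port=None):
    """First matching rule decides; no match means deny."""
    for action, r_proto, r_port in rules:
        if r_proto is not None and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        return action == "permit"
    return False

def pptp_audit(lines):
    """List the reasons a PPTP tunnel would fail through this rule list."""
    rules = [parse_rule(l) for l in lines]
    findings = []
    if not allowed(rules, IPPROTO["tcp"], 1723):
        findings.append("TCP port 1723 (PPTP) is blocked")
    if not allowed(rules, IPPROTO["gre"]):
        findings.append("IP protocol 47 (GRE) is blocked")
    # GRE has no ports: a TCP/UDP rule for "port 47" does not pass it.
    for action, r_proto, r_port in rules:
        if action == "permit" and r_proto in (6, 17) and r_port == 47:
            findings.append("rule opens TCP/UDP port 47; GRE is IP protocol 47, not a port")
    return findings

if __name__ == "__main__":
    # Constructed sample rule list
    sample = ["permit tcp 1723", "permit tcp 47", "deny any"]
    for finding in pptp_audit(sample):
        print(finding)
```
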
RE: MS ISA VPN Behind A Firewall - 28.Jul.2002 4:24:00 AM   
sk_koh

 

Posts: 63
Joined: 30.May2002
Status: offline
hi spouseele,

Thanks for the reply.

Can I open ports 500 and 1701 on the router firewall in order to use L2TP/IPSec and IPSec with NAT/PAT? Are ports 500 and 1701 the ports that L2TP/IPSec and IPSec use in MS ISA?

Or

In order to use L2TP/IPSec and IPSec, do I need to disable the router firewall? This means that I would have MS ISA on the outside.

What is your suggestion?

Current configuration on HQ.

Router Firewall
Port 1 --> Firewall --> Primary DNS Server
( DMZ )                 Secondary DNS Server
                        Mail Server
                        WebServer
Port 2 --> Nat/Pat ---> MS ISA Firewall
( SMZ )                 For all internet Zone.

Port 3 is new, to implement for VPN to LAN.
What is your suggestion here? ( MS ISA VPN )

Branch Office.
Router Firewall --> MS ISA VPN
But for the router in the branch there will be a dynamic IP assigned by the ISP.

Could you give me some suggestions on this?

Need your help

Tks / koh

(in reply to sk_koh)
Post #: 3
RE: MS ISA VPN Behind A Firewall - 28.Jul.2002 11:40:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi skkoh,

I can only repeat what I've said before: the current implementation of IPSec and L2TP/IPsec on W2K and ISA is *not* NAT/PAT compatible. This means that any NAT/PAT device in the path between the IPSec VPN endpoints will break the IPSec protocol.

BTW --- to learn more about the Microsoft VPN implementation, check out http://www.microsoft.com/vpn .

HTH,
Stefaan

(in reply to sk_koh)
Post #: 4
RE: MS ISA VPN Behind A Firewall - 29.Jul.2002 5:51:00 AM   
sk_koh

 

Posts: 63
Joined: 30.May2002
Status: offline
Hi spouseele,

I have checked out http://www.microsoft.com/vpn
I know what I have to do.

Thank you for the help.

(in reply to sk_koh)
Post #: 5
RE: MS ISA VPN Behind A Firewall - 29.Jul.2002 10:20:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi skkoh,

glad to hear I could help! [Smile]

Thanks,
Stefaan

(in reply to sk_koh)
Post #: 6
