Quick question: When a Secure NAT user has an access policy that allows him the "All IP Traffic" option, does that mean all conceivable IP traffic or only access to all the Protocol Definitions that have been defined?
For example, I gave a Cisco VPN client All IP Traffic rights just as an experiment and he couldn't connect to his VPN. I thought I would start this way and then narrow it down with other protocol definitions, but he couldn't even access it with All IP Traffic rights.
Thanks in advance if someone can clear this up for me.
For a SecureNAT client, 'all IP traffic' means all defined protocol definitions. However, keep in mind that a SecureNAT client can only use simple protocol definitions (no secondary connections) unless there is an application filter on ISA supporting the complex protocols (with secondary connections).
1. Create two protocol definitions:
- UDP Port 500 Send Receive: this is for the IKE protocol (key negotiation).
- UDP Port XXXX Send Receive: this is for the UDP encapsulated ESP packets. The administrator of the VPN gateway should be able to tell you the exact port number to use. For the older versions the port number is mostly 10000. For the latest version, the port number is 4500 by default (IETF NAT-T defined port).
2. Next, create a protocol rule that allows those two created protocols.
3. One thing you must keep in mind is that the client must be a SecureNAT client and that the firewall client must be disabled when setting up the VPN connection. Also, when certificates are involved disable filtering of IP fragments on ISA.
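As an added example (not code from this thread or from ISA Server), the Python below models what the two protocol definitions above actually carry, so an administrator can check from a packet capture that a VPN client's traffic really is IKE on UDP 500 plus NAT-T on UDP 4500 and nothing else. It assumes the framing from RFC 3948 (IKE on 4500 is prefixed with four zero bytes, ESP starts with a non-zero SPI, a NAT keepalive is a single 0xFF byte) and the 28-byte ISAKMP header layout; the sample datagrams are constructed, not captured.

```python
"""Classify UDP datagrams on the two IPsec ports named in the thread (added example).

The sample datagrams at the bottom are constructed by hand, not captured
from a real VPN client.
"""
import struct

IKE_PORT = 500                        # IKE / ISAKMP key negotiation
NAT_T_PORT = 4500                     # IETF NAT-Traversal port (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on 4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948: one-byte NAT keepalive datagram
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # 28-byte ISAKMP/IKE header

# The version byte is major<<4 | minor.
IKE_VERSIONS = {0x10: "IKEv1", 0x20: "IKEv2"}
EXCHANGE_TYPES = {
    2: "Main Mode", 4: "Aggressive", 5: "Informational", 32: "Quick Mode",   # IKEv1
    34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL",  # IKEv2
}


def parse_isakmp_header(payload):
    """Decode the fixed ISAKMP header; return None if it is too short or its length field is bogus."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    init_spi, resp_spi, next_payload, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack(
        payload[:ISAKMP_HDR.size])
    if length < ISAKMP_HDR.size:
        return None
    return {
        "initiator_spi": init_spi.hex(),
        "responder_spi": resp_spi.hex(),
        "next_payload": next_payload,
        "version": IKE_VERSIONS.get(version, "unknown(0x%02x)" % version),
        "exchange": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def classify(dst_port, payload):
    """Return (kind, details) for one UDP datagram destined to dst_port."""
    if dst_port == IKE_PORT:
        hdr = parse_isakmp_header(payload)
        return ("ike", hdr) if hdr else ("malformed", None)
    if dst_port == NAT_T_PORT:
        if payload == NAT_KEEPALIVE:
            return ("nat-keepalive", None)
        if payload.startswith(NON_ESP_MARKER):
            hdr = parse_isakmp_header(payload[len(NON_ESP_MARKER):])
            return ("ike-natt", hdr) if hdr else ("malformed", None)
        if len(payload) >= 8:
            spi, seq = struct.unpack("!II", payload[:8])
            if spi != 0:  # ESP SPI is never zero, which is what keeps it distinct from the marker
                return ("esp-udp", {"spi": spi, "sequence": seq})
        return ("malformed", None)
    return ("not-ipsec", None)  # anything else is outside the two protocol definitions


def summarize(datagrams):
    """Count datagram kinds; a clean VPN session shows only the first four kinds."""
    counts = {}
    for dst_port, payload in datagrams:
        kind, _ = classify(dst_port, payload)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def build_ike_header(init_spi, resp_spi, next_payload, version, exch, flags, msg_id, length):
    """Helper for constructing sample headers (values are made up)."""
    return ISAKMP_HDR.pack(init_spi, resp_spi, next_payload, version, exch, flags, msg_id, length)


# Constructed sample traffic: one IKEv2 IKE_SA_INIT on 500, IKE_AUTH over NAT-T,
# one UDP-encapsulated ESP packet, a keepalive, a truncated IKE-over-4500, and DNS.
SAMPLES = [
    (500, build_ike_header(b"\x01" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, 28)),
    (4500, NON_ESP_MARKER + build_ike_header(b"\x01" * 8, b"\x02" * 8, 46, 0x20, 35, 0x08, 1, 28)),
    (4500, struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16),
    (4500, NAT_KEEPALIVE),
    (4500, b"\x00\x00\x00\x00\x01"),
    (53, b"\x00\x01"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, classify(port, data))
    print(summarize(SAMPLES))
```

If the summary shows "not-ipsec" or "malformed" entries for the client in question, the two protocol definitions are not what is failing; conversely, a client that never sends anything on 4500 (or 10000 for the older gateways) is using a port you have not defined yet.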
Thanks for that. I was obviously taking "All IP Traffic" in its literal sense of allowing any and all traffic rather than the narrower definition of "All DEFINED IP traffic".
Thanks for pointing that out and I'm glad you did as I would have presumed that the Firewall client's "All IP Traffic" would have worked the same way as SNAT's and been restricted to all defined protocols.
I'm also a little surprised as I once tried to configure Kazaa for a user to work through ISA and he was a firewall client. So as an experiment I gave him All IP Traffic rights to see if he could connect to Kazaa and it didn't work until I created the protocol definition for him. Odd!