
VPN USERS

Anonymous
February 15, 2005 1:09:23 AM

Archived from groups: microsoft.public.win2000.security

Hi,

I have a LAN with 192.168.0.0/24 which is protected by a Cisco PIX Firewall,
and the internal interface is 192.168.0.1.
I have implemented ISA 2004 for testing inside the network and I have set up
a few users with the Firewall Client (with autodiscovery and stuff) so they
(the test clients) are NAT-ed by the ISA before they reach the PIX.

The PIX Firewall comes with VPN software, and I have set it up for mobile users
so they can connect from outside and access resources. By default, the PIX
Firewall doesn't allow an outbound connection through the same interface the
inbound connection was initially made on; therefore, once connected, the mobile
clients cannot browse the internet (in my case they cannot use our
email server, which is hosted outside the company), so I am looking at a way
to set ISA up as a gateway for them. The mobile clients take their IP
addresses from the PIX firewall as 192.168.254.1-10. I have set up all kinds
of combinations for them; they still cannot ping ISA nor browse the net as
web proxy clients.
Am I missing something here?

Thanks,

Julian Dragut


Anonymous
February 15, 2005 2:34:19 AM


Since you are using ISA 2004 I would not use the PIX for VPN or for DHCP.
Just have it allow PPTP/L2TP traffic to the ISA 2004 server and configure
ISA as the VPN server, starting out with PPTP before you try to implement
L2TP, and if you do want to try L2TP, start with a preshared key [if using XP
Pro] to make sure it works. Use the built-in Windows VPN client to connect to
the ISA 2004 server - not the Cisco. ISA 2004 installs in a locked-down mode,
so you need to configure access for VPN clients by access rules. ISA 2004 will
also allow VPN users to access the internet with the proper access rules.
PPTP requires the use of port 1723 TCP and protocol 47/GRE. The ISA 2004
logs can be helpful when trying to grant access by seeing what traffic is
being blocked. The links below may help. --- Steve

http://www.isaserver.org/articles/2004vpnserver.html
http://www.microsoft.com/seminar/events/series/isaserve...
http://www.microsoft.com/technet/community/events/isa/t...

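As an added illustration of the port list in Steve's reply (this is not part of the original thread), here is what the PIX side of his suggestion looks like in PIX 6.x syntax: a one-to-one static for the ISA server plus an inbound ACL that passes PPTP, and optionally L2TP/IPsec, from the outside interface. All addresses and names are assumptions: the ISA server is taken to sit at 192.168.0.2 inside, published on 203.0.113.10 outside, and the ACL name outside_in is made up.

```cisco
access-list outside_in remark Added example, not from the thread. Assumed: ISA at 192.168.0.2, public 203.0.113.10
static (inside,outside) 203.0.113.10 192.168.0.2 netmask 255.255.255.255

access-list outside_in remark PPTP = TCP 1723 control channel AND GRE (IP proto 47) for the tunnel
access-list outside_in remark Allowing only 1723 is the classic mistake: auth succeeds, tunnel never comes up
access-list outside_in permit tcp any host 203.0.113.10 eq 1723
access-list outside_in permit gre any host 203.0.113.10

access-list outside_in remark L2TP/IPsec (Steve's "try PPTP first, then L2TP"): IKE UDP 500, ESP (IP proto 50)
access-list outside_in remark UDP 4500 is NAT-T for clients behind a home NAT; L2TP's UDP 1701 rides inside ESP, no rule needed
access-list outside_in permit udp any host 203.0.113.10 eq 500
access-list outside_in permit esp any host 203.0.113.10
access-list outside_in permit udp any host 203.0.113.10 eq 4500

access-group outside_in in interface outside
```

The `remark` lines are the PIX's own ACL comment syntax and can be dropped. With the ACL in place, the remaining work is on the ISA side (the VPN client access rules Steve describes); if a client can reach TCP 1723 but the tunnel still fails, check the GRE line first, since that is the protocol a port-only rule set leaves out.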
Anonymous
February 15, 2005 10:11:44 PM


Hi Steven,

As usual your quality and prompt responses are truly helpful, thank you.

The setup is a little more complex than what I presented to make my problem
easier, but... the PIXes are VPN-ed site to site to all my domain sites and the
data center, two by two for redundancy, and it's been tested: the best
performance and reliability for VPN-ing is the Cisco VPN client, so after
years of using it without any probs, it would be a hard task for me to
convince them to change it to the Windows native software.

I could make the VPN connection through the PIX transparent, but then I
would expose the network to the home and mobile PCs infected with all kinds
of bs; therefore my only solution is to find out how to give them access by
using ISA as a web proxy.

Thank you,
Anonymous
February 15, 2005 10:12:51 PM


Hi Steven,

As usual your quality and prompt responses are truly helpful, thank you.

The setup is a little more complex than what I presented to make my problem
easier, but... the PIXes are VPN-ed site to site to all my domain sites and the
data center, two by two for redundancy, and it's been tested: the best
performance and reliability for VPN-ing is the Cisco VPN client, so after
years of using it without any probs, it would be a hard task for me to
convince them to change it to the Windows native software.

I could make the VPN connection through the PIX transparent and the users
would be able to surf the net, but then I would expose the network to the
home and mobile PCs infected with all kinds of bs; therefore my only
solution is to find out how to give them access by using ISA as a web proxy.

Thank you,