VPN USERS

Archived from groups: microsoft.public.win2000.security

Hi,

I have a LAN with 192.168.0.0/24 which is protected by a Cisco PIX Firewall,
and the internal interface is 192.168.0.1.
I have implemented ISA 2004 for testing inside the network and I have set up
a few users with the firewall client (with autodiscovery and stuff) so they
(test clients) are NAT-ed by the ISA before they reach the PIX.

The PIX Firewall comes with VPN software, and I have set it up for mobile users
so they can connect from outside and access resources. By default, the PIX
Firewall doesn't allow an outbound connection through the same interface the
inbound connection was initially made on; therefore, the mobile clients, once
connected, cannot browse the internet (in my case they cannot use our
email server, which is hosted outside the company), so I am looking at a way
to set ISA up as a gateway for them. The mobile clients take their IP
addresses from the PIX firewall as 192.168.254.1-10. I have set up all kinds
of combinations for them, and they still cannot ping ISA nor browse the net as
web proxy clients.
Am I missing something here?

Thanks,

Julian Dragut
  1. Archived from groups: microsoft.public.win2000.security

    Since you are using ISA 2004 I would not use the PIX for VPN or for DHCP.
    Just have it allow PPTP/L2TP traffic to the ISA 2004 server and configure
    ISA as the VPN server, starting out with PPTP before you try to implement
    L2TP, and if you do want to try L2TP, start with a preshared key [if using
    XP Pro] to make sure it works. Use the built-in Windows VPN client to connect
    to the ISA 2004 server - not the Cisco. ISA 2004 installs in a locked-down
    mode, so you need to configure access for VPN clients by access rules. ISA
    2004 will also allow VPN users to access the internet with the proper access
    rules. PPTP requires the use of port 1723 TCP and protocol 47/GRE. The ISA
    2004 logs can be helpful when trying to grant access by seeing what traffic
    is being blocked. The links below may help. --- Steve

    http://www.isaserver.org/articles/2004vpnserver.html
    http://www.microsoft.com/seminar/events/series/isaserversecurity.mspx
    http://www.microsoft.com/technet/community/events/isa/tnt1-125.mspx

    "Julian Dragut" <julianmd@groups.com> wrote in message
    news:cQdQd.27017$Sw6.846421@weber.videotron.net...
    > Hi,
    >
    > I have a LAN with 192.168.0.0/24 which is protected by a Cisco PIX
    > Firewall, and the internal interface is 192.168.0.1.
    > I have implemented ISA 2004 for testing inside the network and I have
    > set up a few users with the firewall client (with autodiscovery and stuff)
    > so they (test clients) are NAT-ed by the ISA before they reach the PIX.
    >
    > The PIX Firewall comes with VPN software, and I have set it up for mobile
    > users so they can connect from outside and access resources. By default,
    > the PIX Firewall doesn't allow an outbound connection through the same
    > interface the inbound connection was initially made on; therefore, the
    > mobile clients, once connected, cannot browse the internet (in my case they
    > cannot use our email server, which is hosted outside the company), so I am
    > looking at a way to set ISA up as a gateway for them. The mobile clients
    > take their IP addresses from the PIX firewall as 192.168.254.1-10. I have
    > set up all kinds of combinations for them, and they still cannot ping ISA
    > nor browse the net as web proxy clients.
    > Am I missing something here?
    >
    > Thanks,
    >
    > Julian Dragut
    >
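The reply above makes two points that are easy to get half right: a locked-down firewall permits nothing until an access rule covers the source network (so the 192.168.254.x VPN clients from the question fall through every LAN-only rule), and PPTP needs both TCP/1723 and GRE (IP protocol 47). The following is an added example, not code from the thread or from ISA Server: a toy default-deny rule evaluator with first-match semantics. The rule format, the ISA address 192.168.0.10, the web proxy port 8080 and the client address 203.0.113.7 are constructed assumptions and not ISA's own configuration.

```python
# Added example (not from the thread): a toy default-deny access-rule evaluator.
# The rule format, the ISA address 192.168.0.10 and the web proxy port 8080 are
# constructed assumptions, not ISA Server's real configuration model.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: str                    # source network in CIDR form
    dst: str                    # destination network in CIDR form; "0.0.0.0/0" = anywhere
    proto: str                  # "tcp", "udp", "gre" or "icmp"
    port: Optional[int] = None  # destination port, only meaningful for tcp/udp


def first_match(rules: List[Rule], src_ip: str, dst_ip: str,
                proto: str, port: Optional[int] = None) -> Optional[Rule]:
    """Return the first rule whose source, destination, protocol and port
    match the flow, or None when nothing matches (first-match semantics)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if (src in ip_network(rule.src) and dst in ip_network(rule.dst)
                and rule.proto == proto
                and (rule.port is None or rule.port == port)):
            return rule
    return None


def is_allowed(rules: List[Rule], src_ip: str, dst_ip: str,
               proto: str, port: Optional[int] = None) -> bool:
    """Default deny: a flow passes only if an explicit allow rule matches it."""
    match = first_match(rules, src_ip, dst_ip, proto, port)
    return match is not None and match.action == "allow"


def pptp_allowed(rules: List[Rule], client_ip: str, server_ip: str) -> bool:
    """PPTP is usable only when BOTH the TCP/1723 control channel and the
    GRE (protocol 47) tunnel are permitted; allowing 1723 alone is the usual
    half-configuration, and it shows up in the firewall logs as blocked GRE."""
    return (is_allowed(rules, client_ip, server_ip, "tcp", 1723)
            and is_allowed(rules, client_ip, server_ip, "gre"))


def blocked_flows(rules: List[Rule], src_ip: str, dst_ip: str,
                  flows: List[Tuple[str, str, Optional[int]]]) -> List[str]:
    """Names of the flows this rule set would drop, i.e. what the logs show."""
    return [name for name, proto, port in flows
            if not is_allowed(rules, src_ip, dst_ip, proto, port)]


ISA = "192.168.0.10"   # constructed address for the ISA server

# Constructed rule sets. BEFORE only knows the 192.168.0.0/24 LAN, so the
# 192.168.254.x VPN clients from the question match nothing and are dropped.
RULES_BEFORE = [
    Rule("lan-webproxy", "allow", "192.168.0.0/24", ISA + "/32", "tcp", 8080),
    Rule("lan-ping-isa", "allow", "192.168.0.0/24", ISA + "/32", "icmp"),
]

# AFTER adds rules for the VPN client range, which is what "configure access
# for VPN clients by access rules" amounts to in practice.
RULES_AFTER = RULES_BEFORE + [
    Rule("vpn-webproxy", "allow", "192.168.254.0/24", ISA + "/32", "tcp", 8080),
    Rule("vpn-ping-isa", "allow", "192.168.254.0/24", ISA + "/32", "icmp"),
]

# PPTP passthrough on the perimeter: a half-done rule set and a complete one.
PPTP_HALF = [Rule("pptp-ctl", "allow", "0.0.0.0/0", ISA + "/32", "tcp", 1723)]
PPTP_FULL = PPTP_HALF + [Rule("pptp-gre", "allow", "0.0.0.0/0", ISA + "/32", "gre")]


if __name__ == "__main__":
    vpn_client = "192.168.254.5"
    flows = [("web proxy", "tcp", 8080), ("ping", "icmp", None)]
    print("blocked before:", blocked_flows(RULES_BEFORE, vpn_client, ISA, flows))
    print("blocked after: ", blocked_flows(RULES_AFTER, vpn_client, ISA, flows))
    print("pptp half-configured:", pptp_allowed(PPTP_HALF, "203.0.113.7", ISA))
    print("pptp complete:       ", pptp_allowed(PPTP_FULL, "203.0.113.7", ISA))
```

Running it shows both the web proxy and ping flows blocked for a 192.168.254.x client under the LAN-only rules and passing once the VPN range has its own rules; the PPTP check fails on the rule set that opened 1723 but forgot GRE. The same reading applies to a real ISA log: a blocked entry with the VPN client's source address and no matching rule name is the symptom the reply describes.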
  2. Archived from groups: microsoft.public.win2000.security

    Hi Steven,

    As usual your quality and prompt responses are truly helpful, thank you.

    The setup is a little more complex than what I presented to make my problem
    easier, but... PIXes are VPN-ed site-to-site to all my domain sites and the
    data center, two by two for redundancy, and it's been tested: the best
    performance and reliability for VPN-ing is the Cisco VPN client, so after
    years of using it without any problems, it would be a hard task for me to
    convince them to change it to Windows native software.

    I could make the VPN connection through the PIX transparent, but then I
    would expose the network to the home and mobile PCs infected with all kinds
    of bs; therefore my only solution is to find out how to give them access by
    using ISA as a web proxy.

    Thank you,
    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:ejnxx$xEFHA.3908@TK2MSFTNGP12.phx.gbl...
    > Since you are using ISA 2004 I would not use the PIX for VPN or for DHCP.
    > Just have it allow PPTP/L2TP traffic to the ISA 2004 server and configure
    > ISA as the VPN server, starting out with PPTP before you try to implement
    > L2TP, and if you do want to try L2TP, start with a preshared key [if using
    > XP Pro] to make sure it works. Use the built-in Windows VPN client to
    > connect to the ISA 2004 server - not the Cisco. ISA 2004 installs in a
    > locked-down mode, so you need to configure access for VPN clients by access
    > rules. ISA 2004 will also allow VPN users to access the internet with the
    > proper access rules. PPTP requires the use of port 1723 TCP and protocol
    > 47/GRE. The ISA 2004 logs can be helpful when trying to grant access by
    > seeing what traffic is being blocked. The links below may help. --- Steve
    >
    > http://www.isaserver.org/articles/2004vpnserver.html
    > http://www.microsoft.com/seminar/events/series/isaserversecurity.mspx
    > http://www.microsoft.com/technet/community/events/isa/tnt1-125.mspx
    >
    > "Julian Dragut" <julianmd@groups.com> wrote in message
    > news:cQdQd.27017$Sw6.846421@weber.videotron.net...
    >> Hi,
    >>
    >> I have a LAN with 192.168.0.0/24 which is protected by a Cisco PIX
    >> Firewall, and the internal interface is 192.168.0.1.
    >> I have implemented ISA 2004 for testing inside the network and I have
    >> set up a few users with the firewall client (with autodiscovery and stuff)
    >> so they (test clients) are NAT-ed by the ISA before they reach the PIX.
    >>
    >> The PIX Firewall comes with VPN software, and I have set it up for mobile
    >> users so they can connect from outside and access resources. By default,
    >> the PIX Firewall doesn't allow an outbound connection through the same
    >> interface the inbound connection was initially made on; therefore, the
    >> mobile clients, once connected, cannot browse the internet (in my case
    >> they cannot use our email server, which is hosted outside the company), so
    >> I am looking at a way to set ISA up as a gateway for them. The mobile
    >> clients take their IP addresses from the PIX firewall as 192.168.254.1-10.
    >> I have set up all kinds of combinations for them, and they still cannot
    >> ping ISA nor browse the net as web proxy clients.
    >> Am I missing something here?
    >>
    >> Thanks,
    >>
    >> Julian Dragut
    >>
    >
    >
  3. Archived from groups: microsoft.public.win2000.security

    Hi Steven,

    As usual your quality and prompt responses are truly helpful, thank you.

    The setup is a little more complex than what I presented to make my problem
    easier, but... PIXes are VPN-ed site-to-site to all my domain sites and the
    data center, two by two for redundancy, and it's been tested: the best
    performance and reliability for VPN-ing is the Cisco VPN client, so after
    years of using it without any problems, it would be a hard task for me to
    convince them to change it to Windows native software.

    I could make the VPN connection through the PIX transparent and the users
    would be able to surf the net, but then I would expose the network to the
    home and mobile PCs infected with all kinds of bs; therefore my only
    solution is to find out how to give them access by using ISA as a web proxy.

    Thank you,
    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:ejnxx$xEFHA.3908@TK2MSFTNGP12.phx.gbl...
    > Since you are using ISA 2004 I would not use the PIX for VPN or for DHCP.
    > Just have it allow PPTP/L2TP traffic to the ISA 2004 server and configure
    > ISA as the VPN server, starting out with PPTP before you try to implement
    > L2TP, and if you do want to try L2TP, start with a preshared key [if using
    > XP Pro] to make sure it works. Use the built-in Windows VPN client to
    > connect to the ISA 2004 server - not the Cisco. ISA 2004 installs in a
    > locked-down mode, so you need to configure access for VPN clients by access
    > rules. ISA 2004 will also allow VPN users to access the internet with the
    > proper access rules. PPTP requires the use of port 1723 TCP and protocol
    > 47/GRE. The ISA 2004 logs can be helpful when trying to grant access by
    > seeing what traffic is being blocked. The links below may help. --- Steve
    >
    > http://www.isaserver.org/articles/2004vpnserver.html
    > http://www.microsoft.com/seminar/events/series/isaserversecurity.mspx
    > http://www.microsoft.com/technet/community/events/isa/tnt1-125.mspx
    >
    > "Julian Dragut" <julianmd@groups.com> wrote in message
    > news:cQdQd.27017$Sw6.846421@weber.videotron.net...
    >> Hi,
    >>
    >> I have a LAN with 192.168.0.0/24 which is protected by a Cisco PIX
    >> Firewall, and the internal interface is 192.168.0.1.
    >> I have implemented ISA 2004 for testing inside the network and I have
    >> set up a few users with the firewall client (with autodiscovery and stuff)
    >> so they (test clients) are NAT-ed by the ISA before they reach the PIX.
    >>
    >> The PIX Firewall comes with VPN software, and I have set it up for mobile
    >> users so they can connect from outside and access resources. By default,
    >> the PIX Firewall doesn't allow an outbound connection through the same
    >> interface the inbound connection was initially made on; therefore, the
    >> mobile clients, once connected, cannot browse the internet (in my case
    >> they cannot use our email server, which is hosted outside the company), so
    >> I am looking at a way to set ISA up as a gateway for them. The mobile
    >> clients take their IP addresses from the PIX firewall as 192.168.254.1-10.
    >> I have set up all kinds of combinations for them, and they still cannot
    >> ping ISA nor browse the net as web proxy clients.
    >> Am I missing something here?
    >>
    >> Thanks,
    >>
    >> Julian Dragut
    >>
    >
    >