VPN pass thru to my ISA server?

I know this maybe stupid but I want to make sure I am not overlooking something.
I thought SMTP traffic was going to be easy to route through my ASA NOT!
But figured that out..

I am setting up an ISA server 2004 on my inside LAN and am going to use it as a VPN server
exclusively. So is there anything I should look out for while passing through my ASA 5505
with IOS 8.0 ?

I just set up a static route to the ISA right using the PPTP or L2TP port???? and allow it of course..isnt there some other protocol 41 is it i need to allow.I seem to recall there is some other protocol I need to allow???
thanks guys

Find more posts tagged with

Comments

mikearama

I've had to do the same kinda thing a few times, and I've always found the easiest thing to do is add the device, create the object in the ASA, but wait until you start seeing "Deny" in the syslogs before knowing all the required ports that need to be opened.

The last big change to our systems was the addition of middleware called "MQ", but even our MQ admin didn't know all the ports that needed to be opened. The syslog is your best friend in these scenerios. They will tell you everything.

itdaddy

Thanks a lot mikearama

here is an ACL I found..and it was that "gre" I needed allow..
but sounds like a good idea allow like and onion layer at a time vs
just assuming but this is what I have or am going to convert to
ASA ACLs:
access-list OUTSIDE permit gre any host OUTSIDEIP
access-list OUTSIDE permit tcp any host OUTSIDEIP eq pptp
access-list OUTSIDE permit udp any host OUTSIDEIP eq 1701
access-list OUTSIDE permit udp any host OUTSIDEIP eq 4500
access-list OUTSIDE permit udp any host OUTSIDEIP eq isakmp

It looks about right but I am going to do what yu said and watch my friend
mr syslog and see what is blocked when I set it up...Thanks for your help

robert(itdaddy)

cisco_trooper

mikearama wrote: »

I've had to do the same kinda thing a few times, and I've always found the easiest thing to do is add the device, create the object in the ASA, but wait until you start seeing "Deny" in the syslogs before knowing all the required ports that need to be opened.

The last big change to our systems was the addition of middleware called "MQ", but even our MQ admin didn't know all the ports that needed to be opened. The syslog is your best friend in these scenerios. They will tell you everything.

+1

capture can be used alongside syslogs as well.