
VPN pass thru to my ISA server?

itdaddy Member Posts: 2,089
I know this may be stupid, but I want to make sure I am not overlooking something.
I thought SMTP traffic was going to be easy to route through my ASA. NOT!
But I figured that out..

I am setting up an ISA Server 2004 on my inside LAN and am going to use it as a VPN server
exclusively. So is there anything I should look out for while passing through my ASA 5505
with IOS 8.0?

I just set up a static route to the ISA, right, using the PPTP or L2TP port???? and allow it of course.. Isn't there some other protocol, 41 is it, I need to allow? I seem to recall there is some other protocol I need to allow???
Thanks guys

Comments

  • mikearama Member Posts: 749
    I've had to do the same kinda thing a few times, and I've always found the easiest thing to do is add the device, create the object in the ASA, but wait until you start seeing "Deny" in the syslogs before knowing all the required ports that need to be opened.

    The last big change to our systems was the addition of middleware called "MQ", but even our MQ admin didn't know all the ports that needed to be opened. The syslog is your best friend in these scenarios. They will tell you everything.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • itdaddy Member Posts: 2,089
    Thanks a lot mikearama

    Here is an ACL I found.. and it was that "gre" I needed to allow..
    but it sounds like a good idea to allow it like an onion, a layer at a time, vs
    just assuming, but this is what I have or am going to convert to
    ASA ACLs:
    access-list OUTSIDE remark PPTP: control channel tcp/1723 plus GRE (IP protocol 47)
    access-list OUTSIDE extended permit gre any host OUTSIDEIP
    access-list OUTSIDE extended permit tcp any host OUTSIDEIP eq pptp
    access-list OUTSIDE remark L2TP/IPsec: udp/1701, ISAKMP udp/500, NAT-T udp/4500
    access-list OUTSIDE extended permit udp any host OUTSIDEIP eq 1701
    access-list OUTSIDE extended permit udp any host OUTSIDEIP eq 4500
    access-list OUTSIDE extended permit udp any host OUTSIDEIP eq isakmp

    It looks about right, but I am going to do what you said and watch my friend
    Mr. Syslog and see what is blocked when I set it up... Thanks for your help

    robert (itdaddy)
  • cisco_trooper Member Posts: 1,441
    mikearama wrote: »
    I've had to do the same kinda thing a few times, and I've always found the easiest thing to do is add the device, create the object in the ASA, but wait until you start seeing "Deny" in the syslogs before knowing all the required ports that need to be opened.

    The last big change to our systems was the addition of middleware called "MQ", but even our MQ admin didn't know all the ports that needed to be opened. The syslog is your best friend in these scenarios. They will tell you everything.

    +1

    capture can be used alongside syslogs as well.
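    The "watch the syslog for Deny" approach from the two replies above, as an added example (not code from this thread): a small Python script that parses ASA 106023 "Deny ... by access-group" lines, counts what the firewall denied toward the VPN server address, and separates the PPTP / L2TP-over-IPsec services the ISA box actually needs from unrelated traffic that should stay blocked. The log lines, the 192.0.2.10 server address and the OUTSIDE ACL name are constructed for the example.

```python
import re
from collections import Counter

# Constructed ASA "Deny ... by access-group" syslog lines (message 106023);
# 192.0.2.10 stands in for the address the ACL sees for the ISA VPN server.
SAMPLE_SYSLOG = """\
%ASA-4-106023: Deny protocol 47 src outside:203.0.113.5 dst inside:192.0.2.10 by access-group "OUTSIDE" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:192.0.2.10/1723 by access-group "OUTSIDE" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.7/500 dst inside:192.0.2.10/500 by access-group "OUTSIDE" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.7/4500 dst inside:192.0.2.10/4500 by access-group "OUTSIDE" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.9/40000 dst inside:192.0.2.10/3389 by access-group "OUTSIDE" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r"106023: Deny (?:(?P<proto>tcp|udp)|protocol (?P<pnum>\d+)) "
    r"src \w+:[\d.]+(?:/\d+)? dst \w+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? "
    r'by access-group "(?P<acl>[^"]+)"'
)

# What a PPTP / L2TP-over-IPsec VPN server legitimately needs from the outside.
VPN_SERVICES = {
    ("gre", None): "permit gre any host {ip}",
    ("tcp", 1723): "permit tcp any host {ip} eq pptp",
    ("udp", 1701): "permit udp any host {ip} eq 1701",
    ("udp", 500): "permit udp any host {ip} eq isakmp",
    ("udp", 4500): "permit udp any host {ip} eq 4500",
}

def denied_services(syslog_text, vpn_server):
    """Count (protocol, destination port) pairs the ASA denied toward vpn_server."""
    hits = Counter()
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if not m or m.group("dst") != vpn_server:
            continue
        if m.group("pnum"):  # non-TCP/UDP: GRE is IP protocol 47
            key = ("gre" if m.group("pnum") == "47" else "ip" + m.group("pnum"), None)
        else:
            key = (m.group("proto"), int(m.group("dport")))
        hits[key] += 1
    return hits

def triage(hits, vpn_server):
    """Split denials into VPN entries worth adding and traffic to leave blocked."""
    to_open = [f"access-list OUTSIDE extended {VPN_SERVICES[k].format(ip=vpn_server)}"
               for k in sorted(hits, key=str) if k in VPN_SERVICES]
    unrelated = sorted((k for k in hits if k not in VPN_SERVICES), key=str)
    return to_open, unrelated
```

    Run `triage(denied_services(SAMPLE_SYSLOG, "192.0.2.10"), "192.0.2.10")` to get the ACL lines still missing for the VPN and the list of denied services (here tcp/3389) that are not part of it and should stay denied.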