VPN pass thru to my ISA server?
itdaddy
Member Posts: 2,089 ■■■■□□□□□□
I know this may be stupid but I want to make sure I am not overlooking something.
I thought SMTP traffic was going to be easy to route through my ASA NOT!
But figured that out..
I am setting up an ISA server 2004 on my inside LAN and am going to use it as a VPN server
exclusively. So is there anything I should look out for while passing through my ASA 5505
with IOS 8.0?
I just set up a static route to the ISA, right, using the PPTP or L2TP port???? And allow it of course.. Isn't there some other protocol, 41 is it, I need to allow? I seem to recall there is some other protocol I need to allow???
thanks guys
Comments
mikearama Member Posts: 749
I've had to do the same kinda thing a few times, and I've always found the easiest thing to do is add the device, create the object in the ASA, but wait until you start seeing "Deny" in the syslogs before knowing all the required ports that need to be opened.
The last big change to our systems was the addition of middleware called "MQ", but even our MQ admin didn't know all the ports that needed to be opened. The syslog is your best friend in these scenarios. They will tell you everything.
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
itdaddy Member Posts: 2,089 ■■■■□□□□□□
Thanks a lot mikearama
Here is an ACL I found.. and it was that "gre" I needed to allow..
But it sounds like a good idea to allow it like an onion, a layer at a time, vs
just assuming. This is what I have or am going to convert to
ASA ACLs:
access-list OUTSIDE permit gre any host OUTSIDEIP
access-list OUTSIDE permit tcp any host OUTSIDEIP eq pptp
access-list OUTSIDE permit udp any host OUTSIDEIP eq 1701
access-list OUTSIDE permit udp any host OUTSIDEIP eq 4500
access-list OUTSIDE permit udp any host OUTSIDEIP eq isakmp
It looks about right but I am going to do what you said and watch my friend
mr syslog and see what is blocked when I set it up... Thanks for your help
robert(itdaddy)
cisco_trooper Member Posts: 1,441 ■■■■□□□□□□
> I've had to do the same kinda thing a few times, and I've always found the easiest thing to do is add the device, create the object in the ASA, but wait until you start seeing "Deny" in the syslogs before knowing all the required ports that need to be opened.
> The last big change to our systems was the addition of middleware called "MQ", but even our MQ admin didn't know all the ports that needed to be opened. The syslog is your best friend in these scenarios. They will tell you everything.
+1
capture can be used alongside syslogs as well.
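The "watch the syslog for Deny" approach that mikearama describes and cisco_trooper seconds can be scripted. The Python below is an added example, not code from the thread: it reads constructed %ASA-4-106023 deny lines, keeps only those aimed at the ISA server's inside address, and renders the still-blocked services in the access-list syntax itdaddy posted (GRE, which PPTP needs, is IP protocol 47 and shows up in the log as "protocol 47"). The addresses, the ACL name OUTSIDE and the object name OUTSIDEIP are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread), shaped like %ASA-4-106023 "Deny ... by access-group".
SAMPLE_LOGS = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.10/51234 dst inside:192.0.2.5/1723 by access-group "OUTSIDE" [0x0, 0x0]
%ASA-4-106023: Deny protocol 47 src outside:203.0.113.10 dst inside:192.0.2.5 by access-group "OUTSIDE" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.11/500 dst inside:192.0.2.5/500 by access-group "OUTSIDE" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.11/4500 dst inside:192.0.2.5/4500 by access-group "OUTSIDE" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/40000 dst inside:192.0.2.9/445 by access-group "OUTSIDE" [0x0, 0x0]
%ASA-4-106023: Deny protocol 47 src outside:203.0.113.10 dst inside:192.0.2.5 by access-group "OUTSIDE" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp|icmp|protocol \d+) "
    r"src \S+?:(?P<src>[\d.]+)(?:/\d+)? "
    r"dst \S+?:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)
IP_PROTO_NAMES = {47: "gre", 50: "esp", 51: "ah"}  # IANA IP protocol numbers
PORT_KEYWORDS = {1723: "pptp", 500: "isakmp"}      # ASA "eq" keywords used in the thread

def denied_services(log_text, host):
    """Count (protocol, dst_port) pairs the ASA denied towards one inside host."""
    hits = Counter()
    for m in DENY_RE.finditer(log_text):
        if m.group("dst") != host:
            continue  # denies aimed at other hosts must not end up in this ACL
        proto = m.group("proto")
        if proto.startswith("protocol "):  # non-TCP/UDP, e.g. GRE for PPTP
            num = int(proto.split()[1])
            proto = IP_PROTO_NAMES.get(num, str(num))
        port = int(m.group("dport")) if m.group("dport") else None
        hits[(proto, port)] += 1
    return hits

def suggest_aces(hits, acl="OUTSIDE", host_obj="OUTSIDEIP"):
    """Render the denied services as ACEs in the syntax used in the thread."""
    aces = []
    for proto, port in sorted(hits, key=lambda k: (k[0], k[1] or 0)):
        ace = f"access-list {acl} permit {proto} any host {host_obj}"
        if port is not None:
            ace += f" eq {PORT_KEYWORDS.get(port, port)}"
        aces.append(ace)
    return aces

if __name__ == "__main__":
    for ace in suggest_aces(denied_services(SAMPLE_LOGS, "192.0.2.5")):
        print(ace)
```

Review each suggested line before adding it: the script only reports what was denied, and a deny aimed at the VPN host is not by itself a reason to permit it.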