Firewall Wizards mailing list archives

RE: ISA to PIX VPN connection


From: "Claussen, Ken" <Ken () kccweb com>
Date: Thu, 13 Feb 2003 07:18:09 -0500

Wes,
It appears the Pix does support an IPSec/L2TP VPN according to this link
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094e6d.shtml
This link shows a configuration for straight IPSec between Win2K and a
Pix (No L2TP).
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b12b5.shtml#pix_config
Here is a config for L2TP over IPSec between Win2K and Pix.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800942ad.shtml
(Watch word wrap on links)
Did you find out anything new when you went on site? Have you run into
any error codes or specific problems yet?
As I said before I think ISA will only affect your ability to send
traffic from the LAN side into the tunnel. It should not impact the
tunnel establishment itself unless you are using the Packet Filter
feature. The Packet Filters allow you to define Custom Filters by
protocol number; this should work for ESP and AH. The Packet Filtering
component only affects traffic destined for the ISA server itself. After
that you will likely need Protocol Rules for the traffic you want to
allow into the tunnel. If my guess is correct the IPSec configuration
itself will remain unchanged (compared with a non-ISA Win2k Server). HTH.

Ken Claussen MCSE(NT42K) CCNA CCA
"In Theory it should work as you describe, but the difference between
theory and reality is the truth! For this we all strive"



-----Original Message-----
From: H. Morrow Long [mailto:morrow.long () yale edu] 
Sent: Wednesday, February 12, 2003 8:28 PM
To: Hoang, Binh P,,DMDCWEST
Cc: 'Noonan, Wesley'; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] ISA to PIX VPN connection


Hoang, Binh P,,DMDCWEST wrote:
If you can get the Cisco PIX to do L2TP over IPSec for site-to-site 
traffic, then yes. Otherwise, no.

Note that the CISCO PIX can do PPTP as well,
although that would normally be used for remote
node PC to PIX configurations rather than
Firewall to Firewall (e.g. LAN to LAN) tunnelling.

Morrow

What PIX model do you have? Check PIX documentation for L2TP over 
IPSec support. Regards,
Binh

-----Original Message-----
From: Noonan, Wesley [mailto:Wesley_Noonan () bmc com]
Sent: Tuesday, February 11, 2003 7:01 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] ISA to PIX VPN connection


Does anyone have any references for configuring a site-to-site VPN 
between Microsoft ISA server and a Cisco PIX firewall? I have looked 
at Cisco's website, but it doesn't have a good, definitive reference. 
I also checked Microsoft and... well... yeah.

I have seen the stuff about configuring IPSEC between "Microsoft" and 
a PIX, but I just don't think it is that simple with ISA in the mix.

Any help would be appreciated. Thanks.

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan () bmc com
http://www.bmc.com


_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards