Re: ISA 06 PPTP VPN via NAT

---

• From: "Thomas Tomiczek" <t.tomiczek@xxxxxxxxxxxxxx>
• Date: Wed, 31 Jan 2007 13:14:57 +0100

---

PPTP does not only use port 1723, but also TCP Sub-Protocol 47 - GRE.

If this is not properly handled and filtered, you will get severe issues. Like "server does not respond". In fact, GRE packets are what is used to transfer the data, while the TCP connection is only used for command channels.

A LOT of cheap/stupid equipment and admins are unaware of this fact - and then, for example, filter out GRE.

"Daniel Hooper" <daniel.hooper@xxxxxxxxxxxxxx> wrote in message news:CCA45108-2B0C-4873-9C7C-8080A9FDBE04@xxxxxxxxxxxxxxxx

Hi,

I've recently stumbled on a pearler that I can not seem to get my head around, hopefully somebody here can point me in the right direction.

I have an ISA 2006 installation running on a Windows 2003 R2 machine, the system has only 2 network interfaces, a public and an internal. If any of my users try and connect to a remote VPN server they recieve an error and the connection does not iniaite, I can see packets on port tcp/1723 leaving the box, none of the users are running the ISA firewall client.

My ISP connection is just plain old ethernet with no pppoe just a static IP address, if I plug my laptop into it I can VPN no problems at all, my cisco PIX can also NAT PPTP connections out of it, I've even gone so far as rolling back to Windows 2003 & ISA 2004 with no success, formatted and started again a couple of times.

I also sense that it's something that the provider is doing or filtering, another customer down the street on the same provider with the exact same ISA 06 configuration has the exact same issue.

Where can I look to put this back onto the provider? I've complained / whinged / asked / threatend them many times with no result, they say it's an issue with ISA and they are semi correct as I can use any other NAT enabled box and the PPTP vpn's work.


Cheerio

Daniel Hooper

.

---

• References:
  • ISA 06 PPTP VPN via NAT
    • From: Daniel Hooper

• Prev by Date: ISA 06 PPTP VPN via NAT
• Previous by thread: ISA 06 PPTP VPN via NAT
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: SBS 2003 and ISA content types running slow ... types filter and extension filter and the Internet access slow. ... Open ISA 2004 console, extend Monitoring, click Dashboard tap in middle ... Please follow the link and download and run the Microsoft Internet ... Clear the current existing W3C logs. ... (microsoft.public.windows.server.sbs) Re: Unable to make VPN connection to ISA 2006 Standard ... Router and the isa server this nat enabled, then the pptp tunnel will fail? ... If i initialize an vpn connection with a windows client, ... (microsoft.public.isa.vpn) Re: VPN connect error 691 help - new postings ... I did and now I get a VPN connection but it is limited and un authenticated. ... Based on the research of the main error message we received during the GRE ... please also enable ISA logging and reproduce this ... Clear the current existing W3C logs. ... (microsoft.public.windows.server.sbs) RE: VPN connection not passing the password auth stage. ... The Generic Route Encapsulation protocol is used ... One thing I want to clarify is that GRE protocol is based on Internet ... We can also use PPTP Ping utility to determine whether any hardware router ... This newsgroup only focuses on SBS technical issues. ... (microsoft.public.windows.server.sbs) Re: Outgoing VPN Error 619 ... With the outgoing PPTP VPN's I have that allow all rule but they are still ... PPTP clients are configured to use ISA as a hop to the Internet (SecureNET ... Neither a web proxy client nor a Firewall client host ... SecureNAT Clients while still trying to have Web and Firewall Client ... (microsoft.public.isa.vpn)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > ISA  > microsoft.public.isa.vpn  > 2007-01