RRAS Firewall functionality consists of two parts: static filters and basic firewall. Static filters are pure stateless filters (source/dest ip, port numbers, etc.) and can be used for VPN alone scenarios - both for protecting the box as well as network behind it. Whereas basic firewall is a simple stateful packet filter and can be used for VPN or VPN+NAT scenarios - only for protecting the box (not the network behind it).
ISA firewall is a more advanced "stateful packet firewall" for VPN as well as VPN+NAT scenarios - to protect the box as well as network behind it.
Depending on the complexity of configuration and security needs either of the two can be used. ISA builds on top of RRAS.
Software Design Engineer/Test
Windows Networking Group
[This posting is provided "AS IS" with no warranties, and confers no rights.]