Welcome to ISAserver.org

ISA 2006 Site to Site troubles

ISA 2006 Site to Site troubles - 24.Oct.2008 7:15:26 AM   
baszim

 

Posts: 1
Joined: 24.Oct.2008
Status: offline
Hi,

I have a Site to Site VPN connection established between an ISA 2006 server and a Cisco 1841 router.

Network A range is 10.168.0.0 mask 255.224.0.0 which is the internal network behind the ISA 2006 server.
Network B range is 192.168.6.0 mask 255.255.255.0 and is behind the Cisco 1841 router.

A Site to Site VPN is established.
I am able to ping from network A to servers in network B
I am able to ping from network B to servers in network A
I am able to perform a traceroute from network B to a client in network A.

Strangely, a traceroute from a client in network A times out 9 times before completing:
1   <1 ms   <1 ms   <1 ms  xxxxxxxx.local [10.168.1.162]
2     *        *        *     Time-out bij opdracht.
3     *        *        *     Time-out bij opdracht.
4     *        *        *     Time-out bij opdracht.
5     *        *        *     Time-out bij opdracht.
6     *        *        *     Time-out bij opdracht.
7     *        *        *     Time-out bij opdracht.
8     *        *        *     Time-out bij opdracht.
9     *        *        *     Time-out bij opdracht.
10     *        *        *     Time-out bij opdracht.
11    20 ms    20 ms    28 ms  192.168.6.10

I am able to use RDP from network A to servers in network B.
I am unable to use http traffic from clients in network A to servers in network B. (With or without using ISA2006 as a proxy server)

Anybody any suggestions?

Kind regards,

Bas
Post #: 1
RE: ISA 2006 Site to Site troubles - 25.Oct.2008 2:30:02 PM   
adimcev

 

Posts: 232
Joined: 19.Oct.2008
Status: offline
On ISA, add the VPN tunnel address of the Cisco router in the address range of the remote site.

On the Cisco router, add these two lines to the ACL specifying the VPN local and remote subnets (I think the first one will do, the second one is used to test connectivity from the Cisco router itself to hosts behind ISA without using the extended ping command):

permit ip 192.168.6.0 0.0.0.255 host "ISA's IP address(VPN tunnel address)"
permit ip host "Cisco's IP address(VPN tunnel address)" 10.160.0.0 0.31.255.255

If you have some NAT rules on the Cisco router do not forget to add there:
deny ip 192.168.6.0 0.0.0.255 host "ISA's IP address(VPN tunnel address)".

You can take a look here.

If I remember correctly, after doing these, you should be able to access your web servers located behind the Cisco router.
By the way, is the subnet behind ISA correct, or was there a typo somewhere?

Adrian

< Message edited by adimcev -- 25.Oct.2008 2:53:09 PM >


_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to baszim)
Post #: 2
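
Added example, not part of either post: a small Python check of the address ranges discussed in this thread. It shows that 10.168.0.0 with mask 255.224.0.0 is not on a network boundary (the enclosing network is 10.160.0.0 with wildcard 0.31.255.255, as used in the reply's ACL line), renders the three ACL entries, and tests whether a tunnel endpoint is covered by a remote-site range. The tunnel endpoint addresses are constructed placeholders and the function names are hypothetical.

```python
import ipaddress

def normalize(address, mask):
    """Return (network, aligned): the enclosing network for address/mask and
    whether the address as written already sat on the network boundary."""
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    return net, ipaddress.ip_address(address) == net.network_address

def ios_term(spec):
    """Render a network or single address as an IOS extended-ACL operand."""
    net = ipaddress.ip_network(str(spec), strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # hostmask = wildcard mask

def acl_line(action, src, dst):
    return f"{action} ip {ios_term(src)} {ios_term(dst)}"

def uncovered(addresses, ranges):
    """Addresses that fall outside every network in ranges."""
    nets = [ipaddress.ip_network(str(r), strict=False) for r in ranges]
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]

# Values from the thread.
SITE_A, ALIGNED_A = normalize("10.168.0.0", "255.224.0.0")
SITE_B, ALIGNED_B = normalize("192.168.6.0", "255.255.255.0")

# Constructed placeholders (RFC 5737 documentation addresses); the thread
# does not give the real tunnel endpoint addresses.
ISA_TUNNEL_IP = "203.0.113.10"
CISCO_TUNNEL_IP = "198.51.100.20"

if __name__ == "__main__":
    print(f"Site A as posted -> {SITE_A} (on boundary: {ALIGNED_A})")
    print(acl_line("permit", SITE_B, ISA_TUNNEL_IP))
    print(acl_line("permit", CISCO_TUNNEL_IP, SITE_A))
    print(acl_line("deny", SITE_B, ISA_TUNNEL_IP), " <- for the NAT ACL")
    # ISA side: the remote-site range must contain the Cisco tunnel address.
    print("missing from ISA remote site range:",
          uncovered([CISCO_TUNNEL_IP], [SITE_B]))
```
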
