LAT make VPN didn't work

All Forums >> [ISA Server 2000 Firewall] >> VPN >> LAT make VPN didn't work
LAT make VPN didn't work - 6.Nov.2007 7:00:24 AM
lcr
Hi,
I'm working in a very confusing network, and I need some help.
Here's an overview of the network layout: (http://picasaweb.google.com/luanac.rocha/Layout/photo#5129692086145129218).

Well, the point is that the ISA Server was working very well when the 10.10.11.x network didn't exist, and its LAT had only this address range: From: 10.10.10.0 to 10.10.10.255.
ISA Server was configured to allow VPN client connections, and in the IP Packet Filter properties the "PPTP through ISA Firewall" check box was checked.
This VPN is used only once a month by some workstations. These workstations on the 10.10.10.x network use a Windows VPN connection to send some data to some partners, and everything was working.

When they decided to create the new network, linked to the 10.10.10.x network by radio, some changes were made.
The clients on the 10.10.11.x network need access to all the networks and the DMZ.
So, I decided that the ISA Server machine could be our router between these networks.
I added some new address ranges to the ISA Server LAT:
From: 10.10.10.0 to 10.10.10.255.
From: 10.10.11.0 to 10.10.11.255.
From: 192.168.1.0 to 192.168.1.255.

And I added a route to the 10.10.11.x network on the ISA Server machine with the route add command.

Everything worked well. The machines on the 10.10.11.x network are able to access the DMZ, the machines on the 192.168.1.x network and the machines on 10.10.10.x, and they are able to access the Internet through ISA Server.

But the VPN stopped working. When a client tries to use the VPN they get these errors: 781: There's no valid certificate, or 86: VPN server unreachable, or 800: VPN server unreachable.

If I remove the range "From: 192.168.1.0 to 192.168.1.255" from the LAT, the VPN works, but the computers on the 192.168.1.x and 10.10.11.x networks don't talk.
What changes can I make on ISA Server to make both the VPN and the communication between the networks work?

I know that I can add a manual route on the machines on the 192.168.1.x network so they can see the 10.10.11.x network, but there are too many machines, so I prefer to do this through ISA Server.

Thank You.

L.C.R.
Post #: 1
RE: LAT make VPN didn't work - 6.Nov.2007 6:39:20 PM
AHIT
From: Sydney, Australia
From your diagram the 192.168 network should NOT be in your LAT, as it is "external" to ISA. Whilst it may be using an IP range reserved for private addresses, it's still located on the 'public' or 'external' interface of ISA, so those IPs should NOT be in the LAT.

As such, presently, regardless of what your other 'firewall' is doing, any traffic that comes in to ISA with a 192.168 IP is seen as 'local', meaning you may as well not have an ISA at all, since it is seen as private/local traffic.

Whereabouts are you testing the VPN connections from? In the 192.168 network, or fully external, outside your other 'firewall'?

If removing 192.168 from your LAT covers everything off for you EXCEPT connections from the 'DMZ 192.168' connecting through to the 10.10.11 network (or vice versa), can you add a static route on your other 'firewall' for the 10.10.11.x network to go via the ISA server's 192.168.x.x IP? I'm assuming here that your other 'firewall' is the default router for all those DMZ/192.168 machines?

I'm not sure if any of my ramblings would help at all... I guess the pic you provided helps, but I don't really understand what 'services' exist in that DMZ network, what protocols they use, traffic flow direction etc.
I hope this has been of some help....


_____________________________

http://www.ahit.com.au/isa
(Previous nick: Tolk)

(in reply to lcr)
Post #: 2
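AHIT's point above, as an added worked example that is not part of the thread and not from either poster: ISA Server 2000 decides "local vs external" purely by whether an address falls inside a LAT range, so listing the external interface's own subnet in the LAT makes every host on the untrusted side count as internal. The script parses the LAT exactly as lcr listed it (the "From: a to b" line format is taken from the post), classifies constructed sample sources under the broken and the corrected table, and flags the interface/LAT mismatch. The interface addresses (10.10.10.1 internal, 192.168.1.2 external) and the sample source IPs are assumptions; the thread only says ISA has a 192.168.x.x address on that side.

```python
"""Model of ISA Server 2000's LAT classification plus a misconfiguration check.

Added example; not code from the thread.  The LAT text is the one lcr posted.
Interface IPs and sample sources are assumed values for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import IPv4Address

# Matches "From: a.b.c.d to w.x.y.z" lines in the form the post uses
# (trailing period tolerated).
LAT_LINE = re.compile(r"From:\s*(\d+(?:\.\d+){3})\s+to\s+(\d+(?:\.\d+){3})\.?")


@dataclass(frozen=True)
class LatRange:
    start: IPv4Address
    end: IPv4Address

    def __contains__(self, ip: IPv4Address) -> bool:
        return self.start <= ip <= self.end


def parse_lat(text: str) -> list[LatRange]:
    """Parse LAT entries written as 'From: a to b'; reject inverted ranges."""
    ranges: list[LatRange] = []
    for m in LAT_LINE.finditer(text):
        start, end = IPv4Address(m.group(1)), IPv4Address(m.group(2))
        if end < start:
            raise ValueError(f"LAT entry ends before it starts: {m.group(0)}")
        ranges.append(LatRange(start, end))
    return ranges


def is_local(ip: str, lat: list[LatRange]) -> bool:
    """ISA 2000 rule: an address is 'local' iff it lies in some LAT range.
    The interface a packet arrived on plays no part in the decision."""
    addr = IPv4Address(ip)
    return any(addr in r for r in lat)


def audit_lat(lat: list[LatRange], interfaces: dict[str, tuple[str, str]]) -> list[str]:
    """Flag LAT/interface mismatches.

    interfaces maps a name to (ip, role), role being 'internal' or 'external'.
    An external interface inside the LAT means the untrusted side is treated as
    trusted; an internal interface outside the LAT means internal clients are
    treated as external.
    """
    problems: list[str] = []
    for name, (ip, role) in interfaces.items():
        local = is_local(ip, lat)
        if role == "external" and local:
            problems.append(f"{name} ({ip}) is the external interface but its address is in the LAT")
        elif role == "internal" and not local:
            problems.append(f"{name} ({ip}) is an internal interface but its address is not in the LAT")
    return problems


# The LAT exactly as lcr listed it after adding the radio-linked network.
LAT_BROKEN = """
From: 10.10.10.0 to 10.10.10.255.
From: 10.10.11.0 to 10.10.11.255.
From: 192.168.1.0 to 192.168.1.255.
"""

# The same table with the 192.168.1.x entry removed, as AHIT recommends.
LAT_FIXED = """
From: 10.10.10.0 to 10.10.10.255.
From: 10.10.11.0 to 10.10.11.255.
"""

# Assumed interface addresses (the thread gives only "192.168.x.x" for ISA).
INTERFACES = {
    "LAN": ("10.10.10.1", "internal"),
    "DMZ-side": ("192.168.1.2", "external"),
}

# Constructed sample sources: a LAN client, a host on the radio-linked
# network, and a DMZ host.  All addresses are assumed.
SAMPLE_SOURCES = ["10.10.10.25", "10.10.11.40", "192.168.1.50"]


def classify_all(lat_text: str) -> dict[str, str]:
    """Classify each sample source as ISA would under the given LAT."""
    lat = parse_lat(lat_text)
    return {ip: ("local" if is_local(ip, lat) else "external") for ip in SAMPLE_SOURCES}


if __name__ == "__main__":
    for label, text in (("broken", LAT_BROKEN), ("fixed", LAT_FIXED)):
        print(f"LAT ({label}):", classify_all(text))
        for problem in audit_lat(parse_lat(text), INTERFACES):
            print("  PROBLEM:", problem)
```

With the broken table the DMZ host 192.168.1.50 is classified local, which is why ISA stops filtering anything arriving from that side; with the corrected table it is external again, and the only thing the correction does not solve is routing between 192.168.1.x and 10.10.11.x, which is the static-route question AHIT raises.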
RE: LAT make VPN didn't work - 7.Nov.2007 5:18:54 AM
lcr
Hi, AHIT, thanks for your help.

At my first attempt, I didn't put the address of the 192.168.1.x network in the LAT. But the communication didn't work between the 192.168.1.x and 10.10.11.x networks, even before I configured the route in my firewall.

It seems like the ISA Server is dropping these packets. Is there a way to allow the machines on the 192.168.1.x network to send packets to the ISA Server external network without them being dropped if the address of that network isn't in the LAT?

Thank you.

L.C.R.

(in reply to AHIT)
Post #: 3
RE: LAT make VPN didn't work - 7.Nov.2007 7:08:54 PM
AHIT
From: Sydney, Australia
...so you want a firewall (ISA) to NOT be a firewall and instead be a router?
Wrong tool for the job.

I still don't understand WHAT type of traffic in your 192.168 needs to get to internal clients. Is it just in response to requests from the internal clients? Web-based?
My poor little head just can't imagine the need. As far as those 192.168 machines are concerned, all the traffic has come from the 192.168.x.x ISA 'external' IP address, and ISA then handles how to send it back to the internal client that requested it. There is no direct route/path... the ISA proxies or NATs the request... so the DMZ boxes don't even know the actual IP address of those internal machines.

_____________________________

http://www.ahit.com.au/isa
(Previous nick: Tolk)

(in reply to lcr)
Post #: 4