I have set up a PPTP VPN to an ISA server with a one-NIC setup, behind a firewall. Ultimately I want the clients to have access to a specific IP address ONLY (MS Exchange server).
The clients are able to successfully connect via PPTP to the ISA server, but they are not able to ping anything on the internal network.
My question is this:
Because the IP address pool I have allocated is on a different private network address, where would I need to set up the routing so that the PPTP private address pool can talk to this specific server...
1) Is it via ISA itself, or 2) via another rule on the firewall to allow traffic to the Exchange server via the PPTP public address?
I'm assuming ISA, because there is already a static NAT and an ACL rule on our firewall to allow GRE 1723 to speak to our ISA server's private address.
Basically I want the PPTP VPN pool of 10.10.10.0 255.255.255.0 to be able to talk to my internal LAN 192.168.249.0 255.255.255.0.
If the above is possible then:
I want it to be really granular, so that PPTP users can only communicate with a single IP address on the 192.168.249.0 network, which will be my mail server.
TIA T4k
< Message edited by Thirst4Knowledge -- 24.Sep.2009 9:18:00 AM >
Posts: 2228
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Ping is irrelevant. Ping only tests ping; it does not test anything else. Allowing ping does not automatically allow anything else, and allowing anything else does not automatically allow ping. When ping works it doesn't mean anything else will, and when the desired traffic does work, ping still will not work unless it is allowed separately or in addition.
Did you create the proper Access Rule? The VPN Clients Network is automatic and you cannot add or remove addresses from it. When VPN Clients connect they become part of that network regardless of what IP# they received. So the Access Rule would be:
From: VPN Clients Network To: <whatever> Protocol:<whatever> Users:<whatever>
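The point about ping is easy to act on: test the traffic the rule is supposed to allow, not ICMP. The following is an added example, not code from the thread, that a VPN client can run to check TCP reachability of the mail server on specific ports and name resolution against the LAN. It uses only .NET classes available on PowerShell 2.0 (no Test-NetConnection). The address, ports and host name are assumptions for illustration.

```powershell
# Added example (not from the original post): check the traffic that matters
# instead of ping. ISA denies by silently dropping, so a rule that blocks a
# port shows up as a timeout, while an allowed port answers with a SYN/ACK
# even when ICMP echo is not allowed at all.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No SYN/ACK and no RST within the timeout: something in the path
            # (firewall, ISA Access Rule, routing) is dropping the packets.
            return "filtered"
        }
        $client.EndConnect($ar)   # throws if the host answered with a reset
        return "open"
    } catch {
        # A reset means the host is reachable but nothing listens on that port;
        # a name-resolution failure also lands here, so keep the message.
        return "closed ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

function Test-LanName {
    param([string]$Name)
    try {
        # Uses the DNS servers the VPN handed the client; if these are the
        # ISP's servers, internal names will not resolve.
        ([System.Net.Dns]::GetHostAddresses($Name) |
            ForEach-Object { $_.IPAddressToString }) -join ","
    } catch {
        "unresolved ($($_.Exception.Message))"
    }
}

# Assumed values for the walkthrough: Exchange server IP, its internal name,
# and the ports a client would use (HTTPS for OWA/RPC over HTTPS, SMTP, RPC endpoint mapper).
$mailServer = "192.168.249.10"
$mailName   = "mail.corp.local"
foreach ($port in 443, 25, 135) {
    "{0}:{1} -> {2}" -f $mailServer, $port, (Test-TcpPort -ComputerName $mailServer -Port $port)
}
"{0} -> {1}" -f $mailName, (Test-LanName -Name $mailName)
```

With an Access Rule that allows only HTTPS from the VPN Clients network to the mail server, the expected result is "open" on 443 and "filtered" on the other ports, with ping still failing; that combination is the rule working, not a routing problem.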
quote:
You would think it would be a matter of:
"ISA let Network A talk to network C"
No, I wouldn't think that.
The VPN Users Network in ISA is a Dynamic Network that changes and adjusts on the fly when VPN Users "dial in".
Then the Access Rules that control the traffic consider the Protocol being used, the content of the payload of the protocol (in some protocols), the Application Filter required (with protocols that use them), what the user account is, and even the time of day.
You have some kind of mess going on with your Access Rules. I'm tired of blindly shooting in the dark. There is nothing I can do with that. You are the only one who knows (and can see) what you have sitting in front of you.
These articles will explain everything you need to know about access rules. ISA2004 and 2006 work the same way.
The VPN Client must also receive the proper DNS (and maybe WINS) IP# for the LAN, or they will not resolve names on the LAN properly to be able to communicate, nor will they authenticate to resources if they don't know what and where the DC is. They need all the same things that the other workstations on the LAN need.
This of course means that the Access Rule(s) they use must allow the DNS protocol in addition to whatever other protocols they need.
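The rule shape given earlier in the thread (From: VPN Clients Network, To: one computer, Protocol: specific) plus the DNS allowance from this last reply can be scripted rather than clicked through. The following is an added example, not code from the thread or from Microsoft, using the ISA Server 2004/2006 administration COM object model (ProgID FPC.Root) from PowerShell on the ISA server. The object and method names are the FPC object model as I recall it and should be checked against the ISA Server SDK; the addresses, rule element names and protocol choices are assumptions for illustration.

```powershell
# Added example (not from the original thread): create least-privilege Access
# Rules for VPN clients with the ISA Server admin COM object model.
# ASSUMPTIONS: FPC object model names as recalled (verify against the ISA SDK);
# placeholder addresses; protocol names are ISA's predefined definitions.
# Run as an ISA administrator on the ISA server.

$MailServerIp = "192.168.249.10"   # assumed Exchange server address
$DnsServerIp  = "192.168.249.2"    # assumed internal DNS server (often the DC)

$fpc   = New-Object -ComObject "FPC.Root"
$array = $fpc.GetContainingArray()

# Computer rule elements are the narrowest destination an Access Rule can name,
# which is what makes "one IP only" possible. FPCComputers.Add(Name, IPAddress).
$null = $array.RuleElements.Computers.Add("MailServer", $MailServerIp)
$null = $array.RuleElements.Computers.Add("InternalDNS", $DnsServerIp)

function New-VpnClientAccessRule {
    param(
        [string]$Name,
        [string]$DestinationComputer,   # name of a Computer rule element
        [string[]]$Protocols            # ISA protocol definition names
    )
    $rule = $array.ArrayPolicy.PolicyRules.AddAccessRule($Name)
    $rule.Action = 0                    # fpcPolicyRuleActionAllow

    # Source is the built-in, dynamic "VPN Clients" network. Whatever address a
    # client gets from the pool, ISA places it in this network, so the rule does
    # not need to know the 10.10.10.0/24 pool at all. (0 = fpcInclude)
    $null = $rule.SourceSelectionIPs.Networks.Add("VPN Clients", 0)

    # Destination is a single Computer object, not the Internal network.
    $null = $rule.AccessProperties.DestinationSelectionIPs.Computers.Add($DestinationComputer, 0)

    # Only the listed protocols, never "All outbound traffic".
    $rule.AccessProperties.ProtocolSelectionMethod = 1   # fpcSpecifiedProtocols
    foreach ($p in $Protocols) {
        $null = $rule.AccessProperties.SpecifiedProtocols.Add($p, 0)
    }
    return $rule
}

# Rule 1: mail access. Which protocol depends on how clients talk to Exchange;
# HTTPS (OWA / RPC over HTTPS) is assumed here. Add "RPC (all interfaces)" only
# if clients use classic MAPI over RPC, and accept the wider exposure that brings.
$null = New-VpnClientAccessRule -Name "VPN Clients to Exchange" `
            -DestinationComputer "MailServer" -Protocols @("HTTPS")

# Rule 2: name resolution, so the client can resolve LAN names and find the DC.
$null = New-VpnClientAccessRule -Name "VPN Clients DNS" `
            -DestinationComputer "InternalDNS" -Protocols @("DNS")

# Nothing takes effect until the array configuration is saved.
$array.Save()
```

Two caveats a practitioner would check after running something like this: rule order still matters, so make sure no earlier rule denies the same traffic; and the DNS rule only permits the packets, the client must also be handed the internal DNS (and WINS) server addresses by the VPN/RRAS settings, which this script does not touch.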