Welcome to ISAserver.org


Point to Point WAN remote access issue

Point to Point WAN remote access issue - 10.Jun.2008 1:25:38 AM   
noredlac

 

Posts: 6
Joined: 10.Jun.2008
Status: offline
Please see diagram below to better understand.

Internet publishing to internal network, including a server being published at remote warehouse, works fine. Internet access works fine. Access from 172.16.1.x network to warehouse network (172.16.2.x) works fine.


The problem is with access from remote warehouse (172.16.2.x) to corporate database servers. File/Print services work fine from warehouse to 172.16.1.242 server along with RDP. Exchange services work fine along with RDP. Warehouse computers use ISA server as their proxy server for internet access and it works fine.


Cannot establish SQL database access or Oracle access to database servers, not even RDP access to these boxes. The 3 database servers are running on VMware VMs. Weird thing is that I can ping the 3 servers from the warehouse and get responses, so I'm pretty sure it's not a routing issue. The SQL database server that is running IIS also allows me to establish a web connection to it. Clients at the warehouse are running DHCP (172.16.2.x / 255.255.254.0 / GW 172.16.2.1).


Routers on Point to Point are set up with a default route to route between each other. No other routes are defined on these routers and they are not doing any type of filtering.


By the way, the ISA2006 server is running on a VMware VM (for testing purposes). This is for our new configuration, our old one is running on ISA2000 without any problems whatsoever. I have duplicated the routes from the ISA2000 server to the ISA2006 server and no luck. I still don't think it's routing since I am able to ping the problem servers from the remote warehouse.

All comments welcomed.
Thank you for your consideration and comments.
-Hector

Network diagram below:


Post #: 1
RE: Point to Point WAN remote access issue - 10.Jun.2008 3:16:08 PM   
noredlac

 

Posts: 6
Joined: 10.Jun.2008
Status: offline
I have made an error in the drawing.  The router (172.16.1.70) at corporate that goes to the remote warehouse router is actually connected directly to the switch.  It is not connected to the ISA server as depicted in picture.

Sorry...

(in reply to noredlac)
Post #: 2
RE: Point to Point WAN remote access issue - 16.Jun.2008 1:31:31 PM   
paulo.oliveira

 

Posts: 609
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi,

I believe this is not a routing problem either, since you can access other servers. I'll give it a shot. Is there any kind of ACL on the switch level or on your ISP?

Regards,
Paulo Oliveira.

(in reply to noredlac)
Post #: 3
RE: Point to Point WAN remote access issue - 16.Jun.2008 2:02:42 PM   
noredlac

 

Posts: 6
Joined: 10.Jun.2008
Status: offline
Hi Paulo, thanks for your ACL comment.

We did contact ISP (AT&T) and they confirmed for us that the routers were not blocking anything, all traffic is set up to go between both.

We have an ISA2000 box that is configured the same in regards to the routes and we have no problems when using it. We are using the same IP# as the ISA2000 box too (we do shut down the ISA2000 box when we bring in the ISA2006-VM).

Let me ask you, when traffic is coming from the warehouse to corporate, does it bypass ISA firewall and use the routes instead? Or does the ISA firewall process everything even though the routes are set? What do you think?

Hey, thanks again
-Hector

(in reply to paulo.oliveira)
Post #: 4
RE: Point to Point WAN remote access issue - 16.Jun.2008 3:01:00 PM   
paulo.oliveira

 

Posts: 609
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi,

From what I saw in the above diagram, the traffic does not even pass through ISA (except users who are accessing the internet). Is your ISA log showing something related to it?

Maybe you have to add the warehouse network (172.16.2.x/255.255.254.0) to ISA's LAT as internal network.

Regards,
Paulo Oliveira.

(in reply to noredlac)
Post #: 5
RE: Point to Point WAN remote access issue - 16.Jun.2008 3:13:33 PM   
noredlac

 

Posts: 6
Joined: 10.Jun.2008
Status: offline
I thought of that too.  When I researched it, I found out that LAT is no longer part of ISA2006, so I added the 172.16.2.x network as part of the internal network and this allowed communications to the corporate network (file/print & exchange, internet services). 

Prior to me adding 172.16.2.x to the internal network, I could not communicate to corporate from the warehouse.

The weird thing is that I can connect to the main file server (all services) and the exchange server from the warehouse (172.16.2.x network) - but when I try to connect to the SQL servers, no luck, not even terminal services... The other weird thing is that the servers that I cannot connect to from the warehouse, I can ping them from the warehouse and I get replies back... Then there is the SQL server that is also hosting IIS, I can also hit the IIS website from the warehouse, but no terminal services or access to the SQL database...

Maybe something in ISA2006 that I am overseeing, because when we put ISA2000 back online, everything works fine.

Do you think it may be VM?  I am getting ready to install ISA2006 on a new box by itself (no VM) to see if this makes a difference.

What do you think I may be overlooking?
Thanks again.

(in reply to paulo.oliveira)
Post #: 6
RE: Point to Point WAN remote access issue - 16.Jun.2008 3:38:04 PM   
paulo.oliveira

 

Posts: 609
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi,

Maybe the problem is in those servers (databases). Maybe there is some misconfiguration in their network adapters, like TCP/IP Filter, IP settings, FW enabled. Try to debug the host you're trying to reach. Like you said, other servers are accessible.

Regards,
Paulo Oliveira.

(in reply to noredlac)
Post #: 7
RE: Point to Point WAN remote access issue - 17.Jun.2008 12:16:42 PM   
noredlac

 

Posts: 6
Joined: 10.Jun.2008
Status: offline
Hey Paulo, thanks for your comments and recommendations. 

If anybody else has any recommendations or comments, they will be appreciated.  Thanks

(in reply to paulo.oliveira)
Post #: 8
RE: Point to Point WAN remote access issue - 1.Jul.2008 12:43:37 PM   
noredlac

 

Posts: 6
Joined: 10.Jun.2008
Status: offline
Hey guys, got it working with Microsoft's help. After paying a premium for support, the problem was very simple. The good news is that the ISA server was configured properly.

The fix was to add a static route to the servers that were having connectivity issues to the warehouse and that fixed it. A static route was added so that all traffic destined to the warehouse goes directly to the warehouse router (172.16.1.70) instead of ISA.

Hope this helps out somebody with a similar or the same issue.

(in reply to noredlac)
Post #: 9
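
The fix reported above resolves an asymmetric path: requests from the warehouse arrive through the WAN router (172.16.1.70), but a server whose only route is a default gateway pointing at ISA sends its replies to the firewall, and a stateful firewall that sees only the reply half of a TCP connection typically drops it. The sketch below is an added example, not from the thread; it models that route lookup before and after the static route, and the ISA internal address 172.16.1.1 and the client 172.16.2.25 are assumptions, since the thread gives neither.

```python
import ipaddress

# Values taken from the thread.
WAREHOUSE_NET = "172.16.2.0/255.255.254.0"
WAN_ROUTER = ipaddress.ip_address("172.16.1.70")
# Assumption: the thread never states the ISA server's internal address.
ISA_GATEWAY = ipaddress.ip_address("172.16.1.1")  # hypothetical


def next_hop(routes, dest):
    """Longest-prefix match: gateway of the most specific route containing
    dest, or None when no route matches."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, gw) for net, gw in routes if dest in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def return_path_report(routes, client, arrived_via=WAN_ROUTER):
    """Compare the hop a request arrived from with the hop its reply will use."""
    hop = next_hop(routes, client)
    return {
        "client": client,
        "reply_next_hop": str(hop) if hop else None,
        "asymmetric": hop != arrived_via,
        "via_firewall": hop == ISA_GATEWAY,
    }


def add_static_route(routes, network, gateway):
    """Return a new table with the static route added; the input is unchanged."""
    return routes + [(ipaddress.ip_network(network), ipaddress.ip_address(gateway))]


# Constructed route table for one database server: default route only.
db_server_routes = [(ipaddress.ip_network("0.0.0.0/0"), ISA_GATEWAY)]

if __name__ == "__main__":
    client = "172.16.2.25"  # constructed warehouse client address
    fixed = add_static_route(db_server_routes, WAREHOUSE_NET, WAN_ROUTER)
    print("before:", return_path_report(db_server_routes, client))
    print("after: ", return_path_report(fixed, client))
```

On the Windows servers themselves, the persistent form of this route is `route -p add 172.16.2.0 mask 255.255.254.0 172.16.1.70`.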
RE: Point to Point WAN remote access issue - 1.Jul.2008 5:52:58 PM   
paulo.oliveira

 

Posts: 609
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi,

Good that you could solve this problem. Thanks for sharing it with us!


Regards,
Paulo Oliveira.

(in reply to noredlac)
Post #: 10
