Site-to-Site VPN PPTP (Clients Behind ISA Don't Get Routed)

Site-to-Site VPN PPTP (Clients Behind ISA Don't Get Rou... - 8.Nov.2006 12:19:09 AM   
emilmike

 

Posts: 4
Joined: 3.Dec.2002
Status: offline
Correct Answer is Worth A Steak Dinner at Morton's Steak House:

Guys, I need your help.  Thought I was an ISA expert but this problem is making me feel like I don't know the first thing about ISA.  I've spent tons of time reading docs on this and Microsoft's site to troubleshoot and tried every last trick I know to resolve the problem and I'm still stumped! 

First person to help me solve will receive a gift certificate to Morton's Steak House! 

Problem Statement:

I have a Site-to-Site PPTP VPN established between two ISA2K4 Standard Ed servers.  I can ping and RDP from either ISA to the other ISA and from either ISA to hosts behind the opposing ISA. So I know the Site-to-Site PPTP VPN is up bi-directionally and that the Access Rules at minimum are allowing "All Outbound Protocols" from each ISA to each ISA and from each ISA to the hosts behind the opposing ISA.

The problem is that hosts behind each ISA can't ping, RDP or communicate using any protocol to the interfaces on the other ISA or hosts behind the other ISA across the Site-to-Site PPTP VPN link.

General Configurations for Site to Site VPN and Observations:

This would lead one to believe it's a Routing Issue, but evidence on RRAS and ISA suggest otherwise.

The RRAS interfaces on each ISA seem to show correct Static Routes to the Remote Network.

The Logging tab under the Monitoring node on either ISA, from where a host behind it attempts to communicate with hosts behind the opposing ISA, shows the connection being initiated when one host behind one ISA tries to ping or RDP to a host behind the other ISA, but the Ping and RDP either time out or fail to connect, respectively.  The same log entry also shows the correct Network Rule being applied (e.g. Internal --> Remote Network).

On each ISA, I have a Network created for the network behind the other ISA server, and the IP addresses and subnet masks for each respective Remote Network are correct in the RRAS static routes node on each ISA Server (for the opposing Remote Network).  I also have two Network Rules each on both ISAs that allow routing from Internal --> Remote Network and routing from Remote Network --> Internal (the Remote Network properties are different on each ISA to properly describe the Remote Network on the far side ISA server's Internal Network).

On each ISA I have an Access Rule under Firewall Policy that allows "All Outbound Protocols" from Internal to Remote Network (respectively) and the inverse, "All Outbound Protocols" from Remote Network to Internal (respectively).

Configuration Specifics:
 
HQ Network and ISA Configuration
 
  • Inside Network:  172.16.0.1 - 172.16.3.254 : 255.240.0.0
  • ISA Inside Interface:  172.16.0.1
  • ISA External Interface:  66.186.36.101
  • Remote Network Defined as Branch: 10.0.0.0 - 10.0.0.255 (to describe a 10.0.0.0 - 10.0.0.254 : 255.255.255.0 Network)
  • Network Rules Defined: Route Branch to Internal & Route Internal to Branch
  • Access Rules Defined (for Site-to-Site VPN) at top of Firewall Policies (to avoid other rules that may block):  Allow All Outbound Protocols from Internal to Branch for All Users & Allow All Outbound Protocols from Branch to Internal
  • VPN Clients Assigned IP Via DHCP on Inside Network (including Site-to-Site VPN Connections) with the IP Address Range of:  172.16.3.1 - 172.16.3.254 : 255.240.0.0 (this is in the same Network as the Inside Network Range of HQ)


Branch Network and ISA Configuration
 
  • Inside Network:  10.0.0.1 - 10.0.0.254 : 255.255.255.0
  • ISA Inside Interface:  10.0.0.2
  • ISA External Interface:  63.110.113.146
  • Remote Network Defined as Branch: 172.16.0.0 - 172.31.255.255 (to describe a 172.16.0.0 - 172.16.3.254 with a subnet of 255.240.0.0 Network)
  • Network Rules Defined: Route HQ to Internal & Route Internal to HQ
  • Access Rules Defined (for Site-to-Site VPN) at top of Firewall Policies (to avoid other rules that may block):  Allow All Outbound Protocols from Internal to HQ for All Users & Allow All Outbound Protocols from HQ to Internal
  • VPN Clients Assigned IP Via DHCP on Inside Network (including Site-to-Site VPN Connections) with the IP Address Range of:  10.0.0.199 - 10.0.0.254 : 255.255.255.0 (this is in the same Network as the Inside Network Range of Branch)



Need Your Help - Remember the Steak Dinner:

Guys, what am I missing?  Why can't hosts behind either ISA communicate via any protocol with any interface on, or any other host behind, the other ISA at the other end of the PPTP VPN tunnel while both ISAs can?

Please help, as my client is beginning to question my worth (and so am I - yikes!).  Remember - it's worth a great steak dinner to me for you (probably way more really).  When the problem is solved, let me know your address and I'll mail you the gift certificate! 

Thanks for the great site and help in advance!

Mike

Post #: 1
RE: Site-to-Site VPN PPTP (Clients Behind ISA Don't Get... - 8.Nov.2006 3:19:50 AM   
WyW


Posts: 15
Joined: 21.Aug.2006
From: Tampere, Finland
Status: offline
Can you see that the VPN is actually established in Monitoring -> Sessions? If you can't see a VPN session established, examine the oakley.log that's located in %systemroot%\debug.

For me it just seems that you're connecting RDP and ping straight through the internet to the other ISA server (or did you connect using the internal network's IP?). Or then it's just my bad English and lack of concentration :D

(in reply to emilmike)
Post #: 2
RE: Site-to-Site VPN PPTP (Clients Behind ISA Don't Get... - 8.Nov.2006 10:32:26 AM   
emilmike


Posts: 4
Joined: 3.Dec.2002
Status: offline
Thank you for your response.  The Site-to-Site VPN is up and running perfectly as my problem statement indicates:

"I can ping and RDP from either ISA to the other ISA and from either ISA to hosts behind the opposing ISA. So I know the Site-to-Site PPTP VPN is up bi-directionally and that the Access Rules at minimum are allowing "All Outbound Protocols" from each ISA to each ISA and from each ISA to the hosts behind the opposing ISA."

And, in ISA Monitoring it indicates that there is 1 Site-to-Site VPN Session established on each ISA Server.  It's just that:

"The problem is that hosts behind each ISA can't ping, RDP or communicate using any protocol to the interfaces on the other ISA or hosts behind the other ISA across the Site-to-Site PPTP VPN link."

Appreciate the continued assistance.

Mike 

(in reply to emilmike)
Post #: 3
RE: Site-to-Site VPN PPTP (Clients Behind ISA Don't Get... - 9.Nov.2006 3:49:21 PM   
phippsinc


Posts: 19
Joined: 15.Sep.2006
Status: offline
Mike, I don't have a solution, but I have a similar problem. I have a site-to-site IPsec VPN between an ISA 2004 and a SonicWall. In my case, I can't HTTP in to a printer at the remote location even though I can ping it. I can even RDP from my PC to a remote PC AND I can HTTPS to the remote router, but I can't access any device (like a printer or switch) using HTTP. Maybe someone will get an idea from my situation that might help you out.

Lots of mysteries in this business.

...jeff

(in reply to emilmike)
Post #: 4
RE: Site-to-Site VPN PPTP (Clients Behind ISA Don't Get... - 16.Jan.2007 5:05:10 PM   
MachineDrummer


Posts: 1
Joined: 21.Nov.2006
Status: offline
Add localhost to access rules for VPN
and don't forget about Remote Management Computers group

(in reply to phippsinc)
Post #: 5
RE: Site-to-Site VPN PPTP (Clients Behind ISA Don't Get... - 16.Jan.2007 5:43:12 PM   
ClintD


Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
<edit - oooops! just saw the original dates of the post - hope you have this resolved now>

I wasn't positive, but are the Remote Site networks named like this?

HQ ISA Server - Remote Site named 'Branch'
Branch ISA Server - Remote Site named 'HQ'

A few questions...
On the HQ ISA Server (or the domain it is a member of), is there a user account named 'Branch'?
On the Branch ISA Server (or the domain it is a member of), is there a user account named 'HQ'?

See my post at the bottom of this thread and ensure the settings are configured like it.

http://forums.isaserver.org/Internal_Network_cannot_access_remote_site/m_2002030613/tm.htm

The key indicator that the Remote Site connections are not set up correctly is if they show up in RRAS under 'VPN Clients' - if the connection is shown here, then the names of the interfaces and the names of the accounts don't mirror each other like they have to.

This section from the Windows Help File is pretty helpful... it mentions demand-dial interfaces but don't let this throw you - the logic is handled the same for permanent links and demand dial links.

For two-way initiated connections, either router can be the calling router or the answering router. The user names and demand-dial interface names must be properly matched. For example, two-way initiated connections would work under the following configuration:
  • Router 1 has a demand-dial interface called NEW-YORK which is configured to use SEATTLE as the user name when sending authentication credentials.
  • Router 2 has a demand-dial interface called SEATTLE which is configured to use NEW-YORK as the user name when sending authentication credentials.
This example assumes that the SEATTLE user name can be validated by Router 2 and the NEW-YORK user name can be validated by Router 1.

< Message edited by ClintD -- 16.Jan.2007 5:58:59 PM >

(in reply to MachineDrummer)
Post #: 6
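An added example, not code from the thread or from ISA Server: a small Python checker that encodes the two things the thread asks a reader to verify for a site-to-site pair, namely that each ISA's Remote Network range covers the other side's inside subnet and its VPN address pool (Mike's post assigns site-to-site connections from that pool), and ClintD's naming rule that the remote site interface name on one ISA equals the user name the other ISA sends, with an account of that name present to validate it. Addresses are taken from Mike's post (the inside subnets are modelled as 172.16.0.0/22 and 10.0.0.0/24, the spans the listed ranges cover); the interface, user and account names are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Site:
    """One ISA 2004 site-to-site endpoint (field names are constructed)."""
    name: str
    inside: IPv4Network        # inside subnet behind this ISA
    vpn_pool: tuple            # (first, last) of the VPN client / site-to-site pool
    remote_range: tuple        # (first, last) of the Remote Network defined on this ISA
    dial_interface: str        # remote site (demand-dial) interface name on this ISA
    dial_user: str             # user name this ISA sends when it calls the other side
    accounts: set = field(default_factory=set)  # accounts this ISA can validate


def in_range(rng, first, last):
    """True if [first, last] lies entirely inside the ISA address range rng."""
    lo, hi = (IPv4Address(a) for a in rng)
    return lo <= IPv4Address(first) and IPv4Address(last) <= hi


def check_pair(local, remote):
    """Findings for traffic from hosts behind `local` to the `remote` site."""
    findings = []
    net = remote.inside
    if not in_range(local.remote_range, net.network_address, net.broadcast_address):
        findings.append(f"{local.name}: Remote Network range misses {net}")
    if not in_range(local.remote_range, *remote.vpn_pool):
        findings.append(f"{local.name}: Remote Network range misses pool "
                        f"{remote.vpn_pool[0]}-{remote.vpn_pool[1]}")
    # ClintD's rule: interface name here must equal the user name the far side sends,
    # and this side must hold an account of that name to validate the caller.
    if local.dial_interface != remote.dial_user:
        findings.append(f"{local.name}: interface '{local.dial_interface}' does not "
                        f"match user name '{remote.dial_user}' sent by {remote.name}")
    if remote.dial_user not in local.accounts:
        findings.append(f"{local.name}: no account '{remote.dial_user}' to validate "
                        f"{remote.name}")
    return findings


# Addresses from the post; interface, user and account names are constructed.
HQ = Site("HQ", IPv4Network("172.16.0.0/22"), ("172.16.3.1", "172.16.3.254"),
          ("10.0.0.0", "10.0.0.255"), "Branch", "HQ", {"Branch"})
BRANCH = Site("Branch", IPv4Network("10.0.0.0/24"), ("10.0.0.199", "10.0.0.254"),
              ("172.16.0.0", "172.31.255.255"), "HQ", "Branch", {"HQ"})
# Constructed mismatch: Branch calls with a user name that is not HQ's interface name.
BRANCH_BAD = Site("Branch", BRANCH.inside, BRANCH.vpn_pool, BRANCH.remote_range,
                  "HQ", "branch-vpn", {"HQ"})

if __name__ == "__main__":
    for a, b in ((HQ, BRANCH), (BRANCH, HQ), (HQ, BRANCH_BAD)):
        print(f"{a.name} -> {b.name}:", check_pair(a, b) or ["ok"])
```

With the names mirrored both directions report no findings; the constructed mismatch reports two on the HQ side, which is the state ClintD says shows up as an entry under 'VPN Clients' in RRAS.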
RE: Site-to-Site VPN PPTP (Clients Behind ISA Don't Get... - 31.Jul.2007 2:55:17 PM   
shahan


Posts: 11
Joined: 20.Dec.2002
From: Pakistan
Status: offline
This will work by configuring a NETWORK RULE in ROUTING mode from internal to the remote side.

Again NETWORK RULE not Firewall rule.

Regards,
Shahan Subzwari
shahan.subzwari@msn.com

(in reply to ClintD)
Post #: 7
