Welcome to ISAserver.org
Site-to-Site VPN not working
Site-to-Site VPN not working - 30.Oct.2004 6:34:00 PM
wwolfeii
We have a Site-to-Site VPN from ISA 2004 to CP NG configured as follows:
ISA 2004 - based upon the Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and Third-Party Gateways Documentation
Remote Site VPN using IPSec Tunnel:
  Remote Site GW: 63.173.0.254
  ISA Local External: 66.239.123.100
  Remote Address Range: 170.217.0.0 - 170.217.255.255
  DMZ Network: 172.16.0.0 - 172.16.255.255
Rule to allow traffic in both directions:
  DMZ -> Remote / All Traffic / All Users
  Remote -> DMZ / All Traffic / All Users
Our problem is that when we try to FTP from a host at 172.16.0.188 (DMZ) to 170.217.31.27 (Remote), we get a notification in the Event Viewer that the tunnel has been established, but we get no response from the 170.217.31.27 FTP server.
The partner needs to see that the request is coming from 170.217.135.89 and not 172.16.0.188 as it shows in the logs.
How does one create a NAT in ISA 2004 so that the traffic from 172.16.0.188 appears to be coming from 170.217.135.89?
RE: Site-to-Site VPN not working - 31.Oct.2004 2:54:00 AM
ClintD
ISA doesn't have this IP address (170.217.135.89) assigned from the description you provided - it is an IP in the remote subnet. ISA can't NAT from this IP address if it's not assigned - that would be a spoofed packet.
RE: Site-to-Site VPN not working - 31.Oct.2004 1:45:00 PM
wwolfeii
Thank you for that information. My next question follows from this: the "Business Partner" has told us that our assigned IP range for devices they will accept connections from is 170.217.135.88/30. We therefore chose the first address, 170.217.135.89, and need to NAT that to our DMZ address 172.16.0.188 for the FTP server.
The Site-to-Site VPN configuration has this network block assigned to it: 170.217.0.0/16 ("Partner's internal range, including our block they gave us"), as well as their gateway 63.173.0.254.
They inform us that they have hundreds of partners doing it this way, so it should be simple; however, we just can't seem to get it to work.
I guess ultimately we need to know how we make an FTP server behind ISA 2004 in a DMZ allow connections from their address block. Also, we need to be able to FTP back to them to an address of an FTP server (170.217.31.27).
Thanks. If you need a drawing of this configuration, please give me your email address and I will send one.
RE: Site-to-Site VPN not working - 31.Oct.2004 2:29:00 PM
ClintD
Are they allowing you to assign the IP address 170.217.135.89 to a system on your network (ISA hopefully)?
This is what is unclear in the description you've provided.
RE: Site-to-Site VPN not working - 31.Oct.2004 5:53:00 PM
wwolfeii
Actually the 170.217.135.89 address is for the FTP server protected by ISA 2004.
I believe that I have this working now; however, I had to create a completely separate network in ISA 2004, bind 170.217.135.89 to the DMZ card on the FTP server and 170.217.135.90 on the ISA 2004 DMZ card, and set up multiple persistent routes in the FTP server for the hosts at the partner end using ISA as the gateway.
In fact, other than the Site-to-Site VPN IPSec Tunnel in ISA 2004, this turned out to be totally a "Routing" configuration within ISA and on the FTP Server itself.
Thanks again for your questions as they had me re-think the problem.
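To make the "it turned out to be a routing configuration" outcome concrete, here is a small Python model of the final setup on the FTP server. It is an added example, not part of the thread and not ISA 2004 or Windows code: it does a longest-prefix match over a constructed route table for the FTP server, then picks the source address the way Windows 2003 does for a gateway route (the address on the egress NIC that shares a subnet with the next hop). The 172.16.0.0/16 mask on the private DMZ address, the single-NIC layout, and ISA's private DMZ address 172.16.0.1 as the default gateway are assumptions; the 170.217.135.88/30 block, the 170.217.135.89/.90 split and the 170.217.31.27 partner FTP server are taken from the posts.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Addresses the FTP server carries on its single DMZ NIC, per the thread:
# the private DMZ address plus the partner-assigned /30 address.
# The /16 mask on the private address is an assumption.
HOST_IFACES = {
    "DMZ": [
        ip_interface("172.16.0.188/16"),
        ip_interface("170.217.135.89/30"),
    ],
}

PARTNER_ACCEPTED = ip_network("170.217.135.88/30")   # block the partner gave us
PARTNER_REMOTE = ip_network("170.217.0.0/16")        # remote range defined on ISA
ISA_DMZ_PRIVATE = ip_address("172.16.0.1")           # assumed ISA private DMZ address
ISA_DMZ_PARTNER = ip_address("170.217.135.90")       # ISA's /30 address, per the thread
PARTNER_FTP = "170.217.31.27"                        # partner's FTP server, per the thread


def route_table(with_partner_routes):
    """Constructed route table for the FTP server.

    Each entry is (prefix, next hop or None when on-link, interface name).
    with_partner_routes adds the persistent host route the poster ended up with.
    """
    routes = [
        (ip_network("0.0.0.0/0"), ISA_DMZ_PRIVATE, "DMZ"),
        (ip_network("172.16.0.0/16"), None, "DMZ"),
        (PARTNER_ACCEPTED, None, "DMZ"),
    ]
    if with_partner_routes:
        routes.append((ip_network(PARTNER_FTP + "/32"), ISA_DMZ_PARTNER, "DMZ"))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns the (prefix, gateway, interface) entry."""
    dst = ip_address(dst)
    best = None
    for entry in routes:
        prefix = entry[0]
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = entry
    return best


def select_source(routes, dst):
    """Source address Windows 2003 would stamp on a packet to dst.

    Simplified rule: use the address on the egress NIC that is on the same
    subnet as the next hop (the gateway, or dst itself for an on-link route);
    fall back to the NIC's first address.
    """
    prefix, gateway, ifname = lookup(routes, dst)
    next_hop = gateway if gateway is not None else ip_address(dst)
    for iface in HOST_IFACES[ifname]:
        if next_hop in iface.network:
            return str(iface.ip)
    return str(HOST_IFACES[ifname][0].ip)


def accepted_by_partner(src):
    """True if the partner's filter (sources inside their /30 only) would pass src."""
    return ip_address(src) in PARTNER_ACCEPTED


def local_block_inside_remote_range():
    """The /30 we were given sits inside the 170.217.0.0/16 remote range on ISA,
    so only a more-specific route can steer partner traffic out via the /30."""
    return PARTNER_ACCEPTED.subnet_of(PARTNER_REMOTE)


if __name__ == "__main__":
    for flag in (False, True):
        src = select_source(route_table(flag), PARTNER_FTP)
        print(f"partner route {'on ' if flag else 'off'}: source {src}, "
              f"accepted by partner = {accepted_by_partner(src)}")
    print("local /30 inside remote /16:", local_block_inside_remote_range())
```

Without the host route, traffic to 170.217.31.27 follows the default route via 172.16.0.1 and leaves as 172.16.0.188, which is exactly what the partner's logs showed and what their filter rejects; with it, the next hop 170.217.135.90 is on the /30, so the source becomes 170.217.135.89 and no NAT is involved. The equivalent persistent route on a Windows 2003 FTP server would be `route -p add 170.217.31.27 mask 255.255.255.255 170.217.135.90`, one per partner host, matching what the poster describes.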
RE: Site-to-Site VPN not working - 31.Oct.2004 5:57:00 PM
ClintD
Ahh - good deal.
RE: Site-to-Site VPN not working - 11.Nov.2004 2:27:00 AM
phillipm
Hi bud
I'm having to configure the same as yourself for our site-to-site VPN to a third party!
My question is: is the FTP server multi-homed, or did you just bind that address to the one NIC?
My current config is ISA Server 2004 with three NICs, a tri-homed DMZ with private addresses instead of public:
  1 x NIC = LAT 172.16.0.0
  1 x NIC = DMZ LAT 192.168.0.0
  1 x NIC = PUBLIC
The web servers are sitting on the DMZ LAT.