Site to Site Cisco VPN won't work
Site to Site Cisco VPN won't work - 14.Mar.2008 12:40:31 AM
rolandl
Posts: 10
Joined: 23.Oct.2006
Status: offline
I have created a Cisco IPSEC based tunnel between two Cisco routers. The external VPN tunnel has IP address 192.168.1.x and terminates on a Cisco 501 PIX. Inside the PIX is our ISA 2004 FW.

I have added the following to the firewall server:
allow rule for ping to/from all networks
192.168.1.x added to 'internal network' definition
route add 192.168.1.0 mask 255.255.255.0 xxx.xxx.xxx.xxx (public PIX IP)

When I ping 192.168.1.1 from inside the LAN I get:

Initiated Connection  Allow  Ping response  192.168.0.77  Internal  Internal  0x0  0x0

then

192.168.0.77  8  0  Firewall  192.168.1.1  0  Ping  Denied Connection  192.168.0.77  Internal  Internal  0x0  0xc004002d FWX_E_UNREACHABLE_ADDRESS

I have worked with this for three days now and need to make it work. Any suggestions as to how to move forward?
RE: Site to Site Cisco VPN won't work - 14.Mar.2008 6:20:47 AM
davidmask
Posts: 11
Joined: 17.Sep.2007
From: JHB, South Africa
Status: offline
Hi,

Don't make the other side of the VPN part of the internal network. Create an address range for it. The networks on ISA are networks which are behind a specific NIC; if the S2S VPN were on the internal LAN this would be different, but from what I understand it is on another NIC?

I suggest you use address ranges to define the other side of the VPN and create rules as required, i.e. Internal -> remote network range, all protocols (or whatever you need), and create a network rule which routes traffic from each network, not NAT, otherwise your IPSEC will fail on the Cisco VPN.

HTH
_____________________________
David Maskell CISSP, MCSSA, MBCS, CITP, WCE-WS, nCSE MCSE: NT4, 2000,2003,Messaging,Security MCTS:SQL 2005,Vista, Windows 2008, Forefront
RE: Site to Site Cisco VPN won't work - 17.Mar.2008 3:09:39 AM
rolandl
Posts: 10
Joined: 23.Oct.2006
Status: offline
Hi,

Thanks so much for your help. It would seem that you are correct. I am nearly there. I created the tunnel subnet as an address range. Then I created the network rule (route) and a firewall rule to allow pings to and from it. Then I created a static route on the ISA server (which upon reflection may not be needed).

The ISA server now successfully pings the VPN tunnel subnet and gets a reply. My client machine can now successfully ping it (in the ISA logs and in netmon) but doesn't get a response. I suspect the route table on the far Cisco device doesn't know where to return the pings to yet.

Stay tuned; when I crack it, I'll post the whole thing.
RE: Site to Site Cisco VPN won't work - 24.Mar.2008 8:33:49 PM
rolandl
Posts: 10
Joined: 23.Oct.2006
Status: offline
Hello,

The issue for pinging is resolved. The router at the far end did not have the correct route back to our network segment. I can now ping and get a reply from the remote network via the tunnel.

I have a slightly bigger issue now. I actually want to connect to this network with all the SMB (MS) protocols for file sharing. Currently, from the ISA proxy I can see all the file shares on the remote network. But from my laptop (internal) I can't connect. The ISA error code is FWX_E_ABORTIVE_SHUTDOWN 0x80074E21 "A connection was abortively closed after one of the peers sent a RST segment." I also get this when I use RDP from the internal to the remote network.

This is the last hurdle for our Cisco tunnel. Any assistance would be greatly appreciated, and I'll post the whole method. Thanks
< Message edited by rolandl -- 24.Mar.2008 8:35:36 PM >
RE: Site to Site Cisco VPN won't work - 13.Jul.2008 9:45:56 PM
rolandl
Posts: 10
Joined: 23.Oct.2006
Status: offline
For those people curious, this config does not work. The IPSEC Cisco tunnel we built terminated on a Cisco PIX, connected to our ISA server at its Internet interface. After much research I determined that this was never a good scenario. Even when all the rules are in place, the network topology gets you!

Tests showed me that the network rules determine whether this will work and in which direction. YOU CANNOT SUCCESSFULLY DEFINE THE NETWORK RULES TO ALLOW A ROUTE FROM YOUR INTERNAL NETWORK TO A NETWORK THAT RESIDES ON THE INTERFACE THAT CONNECTS TO THE INTERNET. ISA will insist that all traffic from Internal that gets thrown down the Internet-connected interface (to your tunnel) will be NAT'd. If you have a low-numbered network rule that says route Internal to tunnel, ISA will clobber any traffic to that tunnel other than a ping.

So you say, let's change the network rule order. If the first network rule it encounters is NAT, then all traffic will be allowed out and down the tunnel, but traffic up from the tunnel hits the NAT rule and is blocked. Catch 22.
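The two ordering problems described in the final post, and the advice earlier in the thread to define the far side of the tunnel as an address range with a Route relationship, come down to how ISA evaluates its ordered list of network rules. The following is an added example, not code from ISA or from anyone in this thread: a small Python model of that evaluation encoding two documented ISA behaviours, that the first matching network rule decides the relationship, and that a Route relationship applies in both directions while a NAT relationship applies only from its source networks to its destination networks. Addresses, network names such as "TunnelRange" and rule names are constructed. The model shows why the NAT-first ordering blocks traffic coming up from the tunnel; it deliberately does not model the interface-level behaviour that the final post reports for the Route-first ordering, since that is a topology effect outside the rule table.

```python
"""Simplified model of ISA Server network-rule evaluation.

Added example for the thread above; it is not ISA code and not any
poster's configuration. It encodes two documented ISA behaviours:
network rules are evaluated in order and the first match decides the
relationship, and a Route relationship is bidirectional while a NAT
relationship applies only from its source networks to its destination
networks. Addresses and names below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    name: str
    cidrs: tuple  # CIDR strings (constructed sample addressing)


@dataclass(frozen=True)
class NetworkRule:
    name: str
    sources: tuple
    destinations: tuple
    relationship: str  # "Route" or "NAT"


# Constructed topology: the Internal LAN behind ISA, and the far end of
# the tunnel defined as its own address range (the advice in the second
# post) rather than folded into Internal. Anything else is External.
NETWORKS = (
    Network("Internal", ("192.168.0.0/24",)),
    Network("TunnelRange", ("192.168.1.0/24",)),
)


def classify(ip):
    """Map an address to the ISA network object that claims it."""
    addr = ipaddress.ip_address(ip)
    for net in NETWORKS:
        if any(addr in ipaddress.ip_network(c) for c in net.cidrs):
            return net.name
    return "External"  # External is whatever no other network claims


def evaluate(rules, src_ip, dst_ip):
    """Relationship ISA would apply to a connection initiated src -> dst.

    Returns (verdict, rule_name). The first matching rule wins. A NAT
    rule matched against the direction of its source/destination pair
    gives access rules nothing to work with (only a publishing rule can
    open that direction), so it is reported as blocked.
    """
    src, dst = classify(src_ip), classify(dst_ip)
    for rule in rules:
        forward = src in rule.sources and dst in rule.destinations
        reverse = src in rule.destinations and dst in rule.sources
        if forward:
            return rule.relationship, rule.name
        if reverse and rule.relationship == "Route":
            return "Route", rule.name
        if reverse:
            return "Blocked (NAT is one-way)", rule.name
    return "Blocked (no network relationship)", None


def both_directions(rules, inside_ip, tunnel_ip):
    """Verdicts for a LAN client reaching the tunnel and for the reverse."""
    return {
        "lan->tunnel": evaluate(rules, inside_ip, tunnel_ip)[0],
        "tunnel->lan": evaluate(rules, tunnel_ip, inside_ip)[0],
    }


# Ordering 1 from the final post: a Route rule for the tunnel placed
# before the default NAT rule for Internet access.
ROUTE_FIRST = (
    NetworkRule("Internal to Tunnel", ("Internal",), ("TunnelRange",), "Route"),
    NetworkRule("Internet Access", ("Internal",), ("External",), "NAT"),
)

# Ordering 2: the NAT rule first, written so that it also covers the
# tunnel range (what you get when the range is left inside External).
NAT_FIRST = (
    NetworkRule("Internet Access", ("Internal",), ("External", "TunnelRange"), "NAT"),
    NetworkRule("Internal to Tunnel", ("Internal",), ("TunnelRange",), "Route"),
)

if __name__ == "__main__":
    for label, rules in (("route first", ROUTE_FIRST), ("NAT first", NAT_FIRST)):
        print(label, both_directions(rules, "192.168.0.77", "192.168.1.1"))
```

Run as a script, the model reports a Route relationship in both directions for the first ordering and, for the second, NAT outbound but a block for connections initiated from the tunnel side, which is the "traffic up from the tunnel hits the NAT rule" half of the catch-22. When checking a real ISA deployment, the useful move is the same: take the source and destination network objects of a failing connection and walk the network rule list top-down to see which relationship is actually selected before touching access rules.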