Site to Site VPN - only ISA can ping gateway
Site to Site VPN - only ISA can ping gateway - 16.Mar.2008 8:12:51 AM
dgunner
Posts: 29
Joined: 1.Dec.2005
Status: offline
I have a site to site VPN which connects, and the ISA server can ftp to a server at the remote site. Internal clients can ping as far as the IP address given to ISA by the remote site but not the FTP server. The VPN is PPTP and I have set the address assignment to DHCP which is part of the Internal network range. The very first rule on my ISA server is to allow all traffic from Internal and localhost to the remote VPN network. I have a network rule saying route between Internal and my remote network. I am totally stumped and can't see what the problem is. I would add that the VPN was working perfectly before I had to replace the network card for the External network. Everything else works fine since then apart from the VPN. I have even deleted the VPN setup and created it again in case it got corrupt in some way. Any help very gratefully received!

Edit: I've set up the same STS link on my home ISA 2006 server and I have exactly the same problem. The ISA server itself can ping and FTP but not the clients on the internal network. I used the STS wizard and have done NOTHING else. This is very odd!
< Message edited by dgunner -- 16.Mar.2008 9:39:13 AM >
RE: Site to Site VPN - only ISA can ping gateway - 17.Mar.2008 2:33:43 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
If you are doing this with a pair of ISA Servers,...you have to create Access Rules at both ISAs. Each ISA will independently allow/deny based on the Access Rules configured on it. Ping doesn't mean anything. Ping has to be specifically allowed,...FTP must be specifically allowed,...just because one works or doesn't work has nothing to do with the other working or not working. Your post lacks too much information to comment more.
_____________________________
Phillip Windell www.wandtv.com
RE: Site to Site VPN - only ISA can ping gateway - 18.Mar.2008 7:14:08 AM
dgunner
Posts: 29
Joined: 1.Dec.2005
Status: offline
Thanks for your reply. This is a VPN connection to a 3rd party system - in much the same way you might VPN from your laptop to a 3rd party network. Ping is enabled - as I say, the access rule is to allow ALL traffic between Internal/Local host and the remote network. I have also allowed ping in the system policy. The connection worked fine before I replaced the network card; I changed NOTHING on the ISA configuration after replacing the card. Again, as I said in my post, I set up the same connection with the same rules on another ISA server and it doesn't work. You say that ping and ftp have to be specifically allowed - how would you do this - you don't say how, so that doesn't help me - I'm assuming that using an access rule is not the way to do it, otherwise my rule allowing all traffic would work?
RE: Site to Site VPN - only ISA can ping gateway - 18.Mar.2008 10:58:34 AM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:
ORIGINAL: dgunner This is a VPN connection to a 3rd party system - in much the same way you might VPN from your laptop to a 3rd party network. Ping is enabled - as I say, the access rule is to allow ALL traffic between Internal/Local host and the remote network. I have also allowed ping in the system policy. The connection worked fine before I replaced the network card; I changed NOTHING on the ISA configuration after replacing the card. Again, as I said in my post, I set up the same connection with the same rules on another ISA server and it doesn't work.

(Note: I have no idea what you mean by an "STS Wizard" in the first post)

Ok, then you need to use the Monitoring Log to look for what is happening to the traffic. That is ISA's primary troubleshooting tool. You may have to experiment with the Columns in the Log View to make them more meaningful. You will want to monitor it once with the Source set to the "remote network" in the Log Filter,...then repeat it again with the Destination Network set to the "remote network" (just don't do both at the same time).

quote:
ORIGINAL: dgunner You say that ping and ftp have to be specifically allowed - how would you do this - you don't say how, so that doesn't help me - I'm assuming that using an access rule is not the way to do it, otherwise my rule allowing all traffic would work?

I said that with the assumption that you were not using an "allow everything everywhere" Rule. Yes, it should work with your Rule. This leads me to believe that the "3rd party" system has ACLs or something itself and that it is getting in the way. You have two VPN Devices, one at each end,..don't immediately assume that anything that goes wrong is always ISA's fault.

The reason I said FTP and Ping are done separately is because they are two different protocols, and allowing FTP won't allow Ping to work and allowing Ping won't allow FTP to work,..so using Ping is not a valid way to test for an FTP problem. The best way to test an FTP problem is by using FTP,...and I recommend the command line FTP in Windows (or whatever OS) always be used as the test tool because of its simplicity.
_____________________________
Phillip Windell www.wandtv.com
RE: Site to Site VPN - only ISA can ping gateway - 18.Mar.2008 12:21:50 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:
ORIGINAL: dgunner I've noticed that I can ping the remote VPN gateway from a machine on the Internal network but nothing beyond it.

If you pinged the public IP# that would mean absolutely nothing. You have "two worlds",...the world outside the VPN Tunnel and the world within the VPN Tunnel,...never the two shall meet. For the ping to mean anything you would have to ping the internal facing Private IP# interface of the VPN device.

You also have to test using a workstation and not the ISA. The ISA is not part of the Internal Network,...ISA lives in its own little world called LocalHost Network. In a properly functioning VPN you can include the Internal Network and the Remote Network and everything works perfectly fine while the ISA in LocalHost is totally cut off from the Remote Network,...in fact it should be that way,...there is no reason for the ISA to contact the Remote Network in most cases and the Remote Network should not have any reason to contact the ISA. So, use workstations on the LAN to do your testing from.

quote:
ORIGINAL: dgunner All that said, I've compared a route print with this machine and my old ISA 2004 box and they are identical. I might have to stick with my theory of a corrupt configuration and rebuild the machine? I don't know at this point.
_____________________________
Phillip Windell www.wandtv.com
RE: Site to Site VPN - only ISA can ping gateway - 19.Mar.2008 4:41:37 AM
dgunner
Posts: 29
Joined: 1.Dec.2005
Status: offline
quote:
ORIGINAL: pwindell If you pinged the public IP# that would mean absolutely nothing. You have "two worlds",...the world outside the VPN Tunnel and the world within the VPN Tunnel,...never the two shall meet. For the ping to mean anything you would have to ping the internal facing Private IP# interface of the VPN device.

That's what I meant - the internal private IP of the VPN gateway - see the route print below - my internal machines can ping 172.34.3.19 but not 172.24.1.4 when I use the ISA 2006 server. The routing table on each ISA server is identical when the VPN is established - internal clients can ping 172.24.1.4 on one ISA server (2004) but not on the other (2006).

Active Routes:
Network Destination   Netmask           Gateway          Interface        Metric
0.0.0.0               0.0.0.0           212.49.222.177   212.49.222.179   10
127.0.0.0             255.0.0.0         127.0.0.1        127.0.0.1        1
172.24.1.0            255.255.255.128   172.24.3.1       172.24.3.19      1
172.24.1.128          255.255.255.192   172.24.3.1       172.24.3.19      1
172.24.1.192          255.255.255.224   172.24.3.1       172.24.3.19      1
172.24.1.224          255.255.255.240   172.24.3.1       172.24.3.19      1
172.24.1.240          255.255.255.248   172.24.3.1       172.24.3.19      1
172.24.1.248          255.255.255.252   172.24.3.1       172.24.3.19      1
172.24.1.252          255.255.255.254   172.24.3.1       172.24.3.19      1
172.24.1.254          255.255.255.255   172.24.3.1       172.24.3.19      1
172.24.3.1            255.255.255.255   172.24.3.19      172.24.3.19      1
172.24.3.19           255.255.255.255   127.0.0.1        127.0.0.1        50
172.24.255.255        255.255.255.255   172.24.3.19      172.24.3.19      50
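As an added example (not code from the thread or from ISA Server), the route print above parsed and queried with Python's ipaddress module: a longest-prefix lookup shows which entry the ISA host itself uses for 172.24.1.4, and the eight 172.24.1.x entries with gateway 172.24.3.1 are checked to cover exactly 172.24.1.0 through 172.24.1.254 with no gaps. This only confirms the ISA host's own routing; the thread's problem is that Internal clients behind it still cannot reach 172.24.1.4, which the Monitoring Log rather than the routing table has to answer.

```python
import ipaddress

# Route rows constructed from the "route print" quoted above:
# destination, netmask, gateway, interface, metric.
ROUTE_PRINT = """
0.0.0.0        0.0.0.0          212.49.222.177 212.49.222.179 10
127.0.0.0      255.0.0.0        127.0.0.1      127.0.0.1      1
172.24.1.0     255.255.255.128  172.24.3.1     172.24.3.19    1
172.24.1.128   255.255.255.192  172.24.3.1     172.24.3.19    1
172.24.1.192   255.255.255.224  172.24.3.1     172.24.3.19    1
172.24.1.224   255.255.255.240  172.24.3.1     172.24.3.19    1
172.24.1.240   255.255.255.248  172.24.3.1     172.24.3.19    1
172.24.1.248   255.255.255.252  172.24.3.1     172.24.3.19    1
172.24.1.252   255.255.255.254  172.24.3.1     172.24.3.19    1
172.24.1.254   255.255.255.255  172.24.3.1     172.24.3.19    1
172.24.3.1     255.255.255.255  172.24.3.19    172.24.3.19    1
172.24.3.19    255.255.255.255  127.0.0.1      127.0.0.1      50
172.24.255.255 255.255.255.255  172.24.3.19    172.24.3.19    50
"""

def parse_routes(text):
    """Parse route-print rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header or blank line
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def lookup(routes, host):
    """Longest-prefix match, lowest metric on ties: the entry the host would use."""
    addr = ipaddress.IPv4Address(host)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3])) if hits else None

def tunnel_span(routes, gateway):
    """Contiguous (first, last) address span reached via one gateway, or None."""
    nets = sorted(r[0] for r in routes if r[1] == gateway)
    if not nets:
        return None
    first, last = nets[0].network_address, nets[-1].broadcast_address
    if sum(n.num_addresses for n in nets) != int(last) - int(first) + 1:
        return None  # holes between the entries
    return str(first), str(last)
```

Note that 172.24.1.255 is outside every tunnel entry and falls through to the default route, which is the kind of detail a Destination filter in the Monitoring Log would surface.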
RE: Site to Site VPN - only ISA can ping gateway - 19.Mar.2008 9:18:23 AM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
OK, Well,..I don't think there is any more I can do with this. I would just have to physically be there and see all of it for myself,...and there isn't any way I can do that.
_____________________________
Phillip Windell www.wandtv.com