VPN Configuration Behind ADSL NAT to ISA Server <Resolved>
VPN Configuration Behind ADSL NAT to ISA Server <Res... - 9.Nov.2006 1:07:52 AM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
Hi Guys,

I have set up an ISA Server with three NICs: LAN, WAN and DMZ. The network interface binding is as follows:
LAN
WAN
DMZ

The network template I have is 3-Leg Network. The network relationships I have are:
NAT from Internal to External
NAT from DMZ to External
Route between DMZ and Internal

All the settings are working perfectly without any problem in internet browsing, sending mail and accessing FTP from External to my FTP Server. However, after configuring the ISA Server to act as a VPN Server, I'm unable to connect from External to the ISA VPN Server. Whenever I try to connect I get error 721. The VPN protocol is configured as PPTP and TCP port 1723 is mapped from the ADSL Router to the External Interface of the ISA Server. The VPN Server is already published on the ISA Server to accept incoming PPTP connections from External to the ISA Server on 10.90.8.2 Internal.

The DHCP Server is configured on the ISA Server and the rules are as follows:
DHCP Request from Internal/VPN Clients to LocalHost, All Users
DHCP Reply from LocalHost to Internal/VPN Clients, All Users

When I connect a P.C in the External Subnet 10.90.8.x and try to establish a VPN connection to the ISA Server, it connects and I get an IP Address from the DHCP Server. But whenever I try to connect from the External to the Internal Network, I get Error 721.

Any idea how to solve this problem?

Thanks for your cooperation.
Habibalby
< Message edited by habibalby -- 22.Nov.2006 12:14:19 AM >
RE: VPN Configuration Behind ADSL NAT to ISA Server - 9.Nov.2006 2:49:08 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Habibalby,
quote:
When I connect a P.C in the External Subnet 10.90.8.x and try to establish a VPN connection to the ISA Server, it connects and I get an IP Address from the DHCP Server.
Because that works, it sounds like the ISA Server is correctly set up. I suggest you take a NetMon trace at the ISA external interface to find out if you see incoming packets for TCP port 1723 (PPTP control channel) and IP protocol #47 (GRE, the PPTP data channel).
HTH,
Stefaan
|
|
|
|
RE: VPN Configuration Behind ADSL NAT to ISA Server - 10.Nov.2006 7:46:46 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Habibalby,
quote:
I have configured logging for the External Interface of the ISA Server. I can see the PPTP 1723 connection is initiated, but it still doesn't connect and gives me this error.
I only fully trust a network capture trace (use NetMon or Ethereal/Wireshark). This can prove whether GRE is passed through to the ISA external interface or not.
quote:
P.S: With the Edge Firewall Network and two interfaces I have configured it without any problem, but this is a new setup with three NICs. Does the 3-Leg Template Network affect the VPN?
I never used the 3-Leg Template Network, regardless of how many interfaces I have on the box. I like to define the interfaces and networks myself! So, I have no real-life experience with that template, but I would be surprised if it changed the VPN behavior.
HTH,
Stefaan
|
|
|
|
RE: VPN Configuration Behind ADSL NAT to ISA Server - 10.Nov.2006 11:50:24 AM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
quote:
ORIGINAL: spouseele
Hi Habibalby,
quote:
P.S: With the Edge Firewall Network and two interfaces I have configured it without any problem, but this is a new setup with three NICs. Does the 3-Leg Template Network affect the VPN?
I never used the 3-Leg Template Network, regardless of how many interfaces I have on the box. I like to define the interfaces and networks myself! So, I have no real-life experience with that template, but I would be surprised if it changed the VPN behavior.
HTH,
Stefaan

Hi Stefaan,
O.K, I will use NetMon to see what result it gives. But what I have understood from the quoted thread is to use the default installation template, which is the Edge Firewall, and define the networks by myself? I will try that, because this configuration I have done in SBS 2003 with 2 NICs and it worked fine. I'll try your suggestion tonight and I'll let you know. Any other suggestion you've got?
Thanks
|
|
|
|
RE: VPN Configuration Behind ADSL NAT to ISA Server - 10.Nov.2006 12:21:05 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Habibalby,
OK, keep us informed!
Thanks,
Stefaan
|
|
|
|
RE: VPN Configuration Behind ADSL NAT to ISA Server - 11.Nov.2006 5:05:27 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Habibalby,
again, did you take a NetMon trace and what have you learned from it? The point is that PPTP uses a control channel (TCP port 1723) and a data channel (IP protocol #47, GRE). The control channel seems to work, but you *have* to check whether you see GRE packets. If those packets don't hit the ISA Server, then the PPTP VPN connection will *not* succeed at all.
HTH,
Stefaan
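The check Stefaan describes, written out as an added example (this is not code from the thread): given raw IPv4 packets captured at the ISA external interface, it separates PPTP control traffic (TCP 1723) from GRE data traffic (IP protocol 47) and reports whether the data channel is arriving at all. The sample packets are constructed; the client address 203.0.113.10, the client port and the GRE header bytes are assumptions, while 10.90.8.2 is the ISA address given in the thread.

```python
import socket
import struct

# From the thread: PPTP's control channel is TCP port 1723, its data channel is GRE (IP protocol 47).
PPTP_PORT = 1723
IPPROTO_TCP = 6
IPPROTO_GRE = 47

def classify_ipv4(packet: bytes) -> str:
    """Label one raw IPv4 packet as 'pptp-control', 'gre-data' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    proto = packet[9]                     # IP protocol number field
    if proto == IPPROTO_GRE:
        return "gre-data"
    if proto == IPPROTO_TCP and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if PPTP_PORT in (sport, dport):
            return "pptp-control"
    return "other"

def diagnose(packets):
    """Count what reached the interface and say what it means for the PPTP session."""
    counts = {"pptp-control": 0, "gre-data": 0, "other": 0}
    for pkt in packets:
        counts[classify_ipv4(pkt)] += 1
    if counts["pptp-control"] and not counts["gre-data"]:
        verdict = "control channel only: GRE (protocol 47) is not reaching this interface"
    elif counts["pptp-control"]:
        verdict = "control and data channels both seen"
    else:
        verdict = "no PPTP control traffic seen"
    return counts, verdict

def build_ipv4(proto, src, dst, payload=b""):
    """Constructed test packet: minimal 20-byte IPv4 header, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed sample capture: the client's TCP 1723 handshake is answered, but no GRE arrives.
CLIENT, ISA = "203.0.113.10", "10.90.8.2"   # client address assumed; 10.90.8.2 is from the thread
SAMPLE_NO_GRE = [
    build_ipv4(IPPROTO_TCP, CLIENT, ISA, struct.pack("!HH", 4362, PPTP_PORT)),
    build_ipv4(IPPROTO_TCP, ISA, CLIENT, struct.pack("!HH", PPTP_PORT, 4362)),
]
# Same capture plus one GRE packet carrying a PPTP-style GRE header (assumed bytes).
SAMPLE_WITH_GRE = SAMPLE_NO_GRE + [build_ipv4(IPPROTO_GRE, CLIENT, ISA, b"\x30\x01\x88\x0b")]
```

Feed it the IPv4 packets exported from the good (external-subnet test PC) and bad (from the Internet) captures; a "control channel only" verdict on the bad capture matches the symptom discussed in this thread and points at the NAT device or ISP dropping GRE.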
|
|
|
|
RE: VPN Configuration Behind ADSL NAT to ISA Server - 11.Nov.2006 7:49:55 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Habibalby,
I have no PPTP trace at hand to compare with, but it looks very much like the GRE packets aren't making it to the ISA external interface. To be 100% sure, take a trace on the P.C connected to the External Subnet of ISA to know what to look for.
quote:
How can I get the GRE traffic to pass through the ADSL Billion to the ISA External Interface?
That I don't know, because I have no knowledge about that ADSL device. So you'll have to check with the vendor how to accomplish that. Also, check with your ISP whether they block GRE.
HTH,
Stefaan
|
|
|
|
RE: VPN Configuration Behind ADSL NAT to ISA Server - 11.Nov.2006 10:57:25 AM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
Hi Stefaan,
I really appreciate your great help. What surprises me is that when I configured it on SBS 2003 with ISA 2004 on one box, it worked fine! Does the Configure Internet and Email Wizard in SBS tweak the ADSL to accept GRE 47?
Also, this ISA is a virtual server hosted by VMWare. What I know is that VMWare provides some DHCP or IP configuration; maybe that is blocking these packets! But when I hosted an RRAS Server to accept the VPN connection via a Server Publishing Rule for PPTP in ISA, it works fine and I can connect.
Do you recommend me to put another VPN Server running ISA Server only to accept the VPN connection on the subnet 10.90.8.x?
Thanks once again for your help
Habibalby
|
|
|
|
RE: VPN Configuration Behind ADSL NAT to ISA Server - 12.Nov.2006 6:18:58 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Habibalby,
quote:
Also, this ISA is a virtual server hosted by VMWare. What I know is that VMWare provides some DHCP or IP configuration; maybe that is blocking these packets!
Oops... that's something I would never do in a production environment. In my opinion a firewall should never be part of any server consolidation plan. Nevertheless there is technically no reason why it shouldn't work, at least if the networks are properly defined and configured in ISA *and* VMWare. The important point is that there is no leakage between the different networks. If you tested it from a PC connected to the ISA external network, was this PC running within the same VMWare networking environment or external to it?
quote:
Do you recommend me to put another VPN Server running ISA Server only to accept the VPN connection on the subnet 10.90.8.x?
What do you mean exactly by that? Are we talking here about an SBS type of installation?
HTH,
Stefaan
|
|
|
|
RE: VPN Configuration Behind ADSL NAT to ISA Server - 13.Nov.2006 12:32:52 AM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
Hi Stefaan,
quote:
If you tested it from a PC connected to the ISA external network, was this PC running within the same VMWare networking environment or external to it?
Yes, this is a notebook connected to the External Subnet of the ISA Server.
quote:
Do you recommend me to put another VPN Server running ISA Server only to accept the VPN connection on the subnet 10.90.8.x?
What do you mean exactly by that? Are we talking here about an SBS type of installation?
Nope, I'm not talking about an SBS 2003 installation, but what I'm thinking is: since it works on SBS 2003, why shouldn't it on a separate ISA box? What I mean by hosting an ISA VPN server is another ISA dedicated only to VPN traffic; once the connection is accepted, the VPN clients will be routed to the Internal Network. Does this logic work on ISA?
GRE is eating my brain, Stefaan. In the ADSL Router I have disabled the Firewall Packets; does that make sense? Or do I have to enable Firewall Packet Filtering and allow from any host 520 to 520 and the destination 10.90.8.2 from 0 ~ 65535?
Thanks,
< Message edited by habibalby -- 13.Nov.2006 12:37:08 AM >
_____________________________
For online help with ISA Server 2004 & 2006 SE or EE. Please call on +973-39228431
RE: VPN Configuration Behind ADSL NAT to ISA Server - 13.Nov.2006 2:40:33 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Habibalby,
OK, adding another ISA server for VPN traffic only will not solve any problem! Were you able to compare the bad trace with a good one from your test PC? We should be 100% sure whether GRE is passed or not. As far as the ADSL router is concerned, that box should forward *all* inbound IP traffic to the ISA external interface.
HTH,
Stefaan
|
|
|
|
RE: VPN Configuration Behind ADSL NAT to ISA Server - 13.Nov.2006 10:42:05 PM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
Hello Stefaan,
Yes, here's the netstat -a trace of the client machine which is trying to establish a PPTP connection to ISA.
quote:
C:\Documents and Settings\hussain>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP Client01:ftp Client01.habibalby.local:0 LISTENING
TCP Client01:smtp Client01.habibalby.local:0 LISTENING
TCP Client01:http Client01.habibalby.local:0 LISTENING
TCP Client01:epmap Client01.habibalby.local:0 LISTENING
TCP Client01:https Client01.habibalby.local:0 LISTENING
TCP Client01:microsoft-ds Client01.habibalby.local:0 LISTENING
TCP Client01:1058 Client01.habibalby.local:0 LISTENING
TCP Client01:pptp Client01.habibalby.local:0 LISTENING
TCP Client01:3389 Client01.habibalby.local:0 LISTENING
TCP Client01:55430 Client01.habibalby.local:0 LISTENING
TCP Client01:netbios-ssn Client01.habibalby.local:0 LISTENING
TCP Client01:4333 64.233.167.83:http ESTABLISHED
TCP Client01:4334 64.233.167.83:http ESTABLISHED
TCP Client01:4351 baym-tw4.msgr.hotmail.com:http ESTABL
TCP Client01:4355 89.148.26.96:pptp TIME_WAIT
TCP Client01:4362 89.148.26.96:pptp ESTABLISHED
TCP Client01:1071 Client01.habibalby.local:0 LISTENING
TCP Client01:4001 localhost:4002 ESTABLISHED
TCP Client01:4002 localhost:4001 ESTABLISHED
TCP Client01:4003 localhost:4004 ESTABLISHED
TCP Client01:4004 localhost:4003 ESTABLISHED
TCP Client01:14147 Client01.habibalby.local:0 LISTENING
TCP Client01:4316 192.168.1.1:domain TIME_WAIT
UDP Client01:microsoft-ds *:*
UDP Client01:isakmp *:*
UDP Client01:1033 *:*
UDP Client01:1034 *:*
UDP Client01:1343 *:*
UDP Client01:1344 *:*
UDP Client01:2298 *:*
UDP Client01:3075 *:*
UDP Client01:3076 *:*
UDP Client01:3456 *:*
UDP Client01:4268 *:*
UDP Client01:4269 *:*
UDP Client01:4500 *:*
UDP Client01:ntp *:*
UDP Client01:netbios-ns *:*
UDP Client01:netbios-dgm *:*
UDP Client01:1900 *:*
UDP Client01:ntp *:*
UDP Client01:1026 *:*
UDP Client01:1028 *:*
UDP Client01:1030 *:*
UDP Client01:1032 *:*
UDP Client01:1035 *:*
UDP Client01:1044 *:*
UDP Client01:1049 *:*
UDP Client01:1055 *:*
UDP Client01:1057 *:*
UDP Client01:1064 *:*
UDP Client01:1070 *:*
UDP Client01:1075 *:*
UDP Client01:1076 *:*
UDP Client01:1900 *:*
UDP Client01:3855 *:*
UDP Client01:3973 *:*
UDP Client01:3978 *:*
UDP Client01:4000 *:*
UDP Client01:4281 *:*
UDP Client01:4284 *:*
UDP Client01:4366 *:*
UDP Client01:41969 *:*

C:\Documents and Settings\hussain>
< Message edited by habibalby -- 13.Nov.2006 10:46:11 PM >
RE: VPN Configuration Behind ADSL NAT to ISA Server - 15.Nov.2006 2:36:55 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Habibalby,
please post the URL where we can download the actual NetMon or Ethereal trace (not a screen dump) of a good (test PC on the external subnet) *and* a bad (from the Internet) PPTP session. I can then check whether GRE could be the problem or not.
HTH,
Stefaan
|
|
|
|
RE: VPN Configuration Behind ADSL NAT to ISA Server - 16.Nov.2006 12:43:38 AM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
Morning Stefaan,
I have downloaded Ethereal from here: http://www.ethereal.com/download.html
BR,
Habibalby