VPN clients can talk to internal, internal can't talk out?
jdostal (Posts: 25, Joined: 20.Sep.2007) - 26.Jun.2008 1:11:33 PM

I think I might have a routing table issue, but I'm not sure where to look anymore. I've got my VPN set up almost perfectly. My VPN clients can ping via hostname/IP any host on my internal network, they can access file shares, they can RDP, etc., but I can't do the reverse. I can't do name lookups, can't ping, can't RDP any of my VPN clients from the internal network. When monitoring the logs, ISA Server is allowing the traffic: I can see the ICMP ping requests and I can see that the rule "Allow Internal to VPN Clients" is being applied to the traffic, but I just get a request timed out on my pings. My clients are assigned IPs from a small pool, 172.16.25.70 to 172.16.25.80. Here is what my routing table looks like:

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 50 56 b4 7c 79 ...... VMware Accelerated AMD PCNet Adapter
0x10004 ...00 50 56 b4 20 ed ...... VMware Accelerated AMD PCNet Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.16.1    192.168.16.27      10
       75.8.37.28  255.255.255.255     192.168.16.1    192.168.16.27      10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
        172.0.0.0        255.0.0.0    172.16.25.254    172.16.25.121       1
       172.16.0.0      255.255.0.0    172.16.25.254    172.16.25.121       1
      172.16.25.0    255.255.255.0    172.16.25.121    172.16.25.121      10
     172.16.25.70  255.255.255.255        127.0.0.1        127.0.0.1      50
     172.16.25.75  255.255.255.255     172.16.25.70     172.16.25.70       1
    172.16.25.121  255.255.255.255        127.0.0.1        127.0.0.1      10
   172.16.255.255  255.255.255.255    172.16.25.121    172.16.25.121      10
     192.168.16.0    255.255.255.0    192.168.16.27    192.168.16.27      10
    192.168.16.27  255.255.255.255        127.0.0.1        127.0.0.1      10
   192.168.16.255  255.255.255.255    192.168.16.27    192.168.16.27      10
        224.0.0.0        240.0.0.0    172.16.25.121    172.16.25.121      10
        224.0.0.0        240.0.0.0    192.168.16.27    192.168.16.27      10
  255.255.255.255  255.255.255.255    172.16.25.121    172.16.25.121       1
  255.255.255.255  255.255.255.255    192.168.16.27    192.168.16.27       1
Default Gateway:      192.168.16.1
===========================================================================

Any ideas?

paulo.oliveira (Posts: 765, Joined: 3.Jan.2008, From: Amazonas, Brazil) - 26.Jun.2008 2:31:40 PM

Hi, how are your access rules configured? Is this your VPN client's routing table? Is this range part of your internal range? Why do you have different gateways here?

quote:
       172.16.0.0      255.255.0.0    172.16.25.254    172.16.25.121       1
      172.16.25.0    255.255.255.0    172.16.25.121    172.16.25.121      10

How is your ISA NIC configured?

Regards,
Paulo Oliveira.

jdostal (Posts: 25, Joined: 20.Sep.2007) - 26.Jun.2008 2:39:57 PM

I have access rules set up to allow all traffic from VPN to Internal and vice versa. Using the repro data capture tools, I'm not seeing any traffic denied at all. The 172.16.0.0 route is a manual entry by me to the routing table, and 172.16.25.254 is the correct default gateway for the ISA server's internal NIC. The 172.16.25.0 route was there by default, basically. The ISA NICs are configured as such:

Internal NIC
  IP - 172.16.25.121
  Subnet - 255.255.255.0
  No default gateway
  2 DNS servers

External NIC
  IP - 192.168.16.27
  Subnet - 255.255.255.0
  Gateway - 192.168.1.1

My range for my VPN clients is a little weird, as my networking guys don't have the time to help me on this for a while. I've basically had to steal 10 IPs from the same subnet that the internal ISA NIC is in so that traffic can come back to it. Not sure if this is a good idea or not?

paulo.oliveira (Posts: 765, Joined: 3.Jan.2008, From: Amazonas, Brazil) - 26.Jun.2008 3:41:37 PM

Hi,

quote:
The 172.16.0.0 route is a manual entry by me to the routing table, and 172.16.25.254 is the correct default gateway for the ISA server's internal NIC.

This way you are setting a default gateway on ISA's internal NIC. The ISA machine only has to have one DG configured, and it's on ISA's external NIC. How is your internal network object IP range defined in ISA?

Regards,
Paulo Oliveira.

jdostal (Posts: 25, Joined: 20.Sep.2007) - 26.Jun.2008 5:17:26 PM

It's defined as:

172.0.0.0 to 172.16.25.67
172.16.25.255 to 172.16.25.255
172.16.25.81 to 172.255.255.255

paulo.oliveira (Posts: 765, Joined: 3.Jan.2008, From: Amazonas, Brazil) - 30.Jun.2008 9:59:37 AM

Hi, have you removed the wrong static route as mentioned in my last post?

quote:
It's defined as:
172.0.0.0 to 172.16.25.67
172.16.25.255 to 172.16.25.255
172.16.25.81 to 172.255.255.255

What's the mask of the above networks?

Regards,
Paulo Oliveira.

jdostal (Posts: 25, Joined: 20.Sep.2007) - 30.Jun.2008 10:33:23 AM

Did you mean the 172.16.25.0 route?

paulo.oliveira (Posts: 765, Joined: 3.Jan.2008, From: Amazonas, Brazil) - 30.Jun.2008 10:37:56 AM

Hello, check this:

quote:
Hi,
quote: The 172.16.0.0 route is a manual entry by me to the routing table, and 172.16.25.254 is the correct default gateway for the ISA server's internal NIC.
This way you are setting a default gateway on ISA's internal NIC. The ISA machine only has to have one DG configured, and it's on ISA's external NIC. How is your internal network object IP range defined in ISA?
Regards, Paulo Oliveira.

jdostal (Posts: 25, Joined: 20.Sep.2007) - 30.Jun.2008 11:12:27 AM

So you are saying my 172.16.0.0 route with DG 172.16.25.254 is incorrect? That route is the route that allows my ISA box to talk to the rest of the network. If I take that route out, neither the ISA box nor the VPN clients can talk to the network...

paulo.oliveira (Posts: 765, Joined: 3.Jan.2008, From: Amazonas, Brazil) - 30.Jun.2008 12:06:56 PM

Hi, yes! With this setting you're defining a default gateway on the internal NIC of ISA, and the only NIC that MUST have a default gateway is the external NIC.

Regards,
Paulo Oliveira.

jdostal (Posts: 25, Joined: 20.Sep.2007) - 30.Jun.2008 12:20:25 PM

Huh... well, that's... odd. How on earth should my ISA server talk to the internal network then if it has no route to it? If I delete that route I lose all communication with the internal network.

paulo.oliveira (Posts: 765, Joined: 3.Jan.2008, From: Amazonas, Brazil) - 30.Jun.2008 1:20:32 PM

Hi, your answer made me think that you have a network-behind-network scenario. Please read these articles for a better understanding:

Network Behind a Network
Network Behind Network Scenarios

Regards,
Paulo Oliveira.

jdostal (Posts: 25, Joined: 20.Sep.2007) - 9.Jul.2008 6:31:37 PM

So I spent a day on the phone with MS Premier Support, and they ended the case by saying that this behavior is "working as intended". The tech's claim is that when the MS VPN client creates a VPN connection, the various services do not rebind to the new IP address, so when I try to RDP or ping the new IP address the ISA server is allowing the traffic through but the client is not responding to the traffic. Does this sound right to anyone? Has anyone been able to talk to their VPN client network from their internal network? I'm not doing a site-to-site; I'm just having laptops basically dial in to the network.

paulo.oliveira (Posts: 765, Joined: 3.Jan.2008, From: Amazonas, Brazil) - 10.Jul.2008 7:42:23 AM

Hi, yes, I have. I tried to ping and RDP, and it was successful. My VPN configuration is DHCP from the internal network, and my VPN clients are receiving IPs from the internal network range.

Regards,
Paulo Oliveira.

jdostal (Posts: 25, Joined: 20.Sep.2007) - 10.Jul.2008 10:26:13 AM

After some final tweaking on my route tables, I'm able to communicate with my VPN clients as well. Can't believe MS Support said it wasn't possible/supported by ISA... they basically said I needed to scrap everything and move over to IAG (which is not a terrible idea, but I don't really want to buy another appliance). *whew* All that is over with; now I need to move on to why my VPN clients can't communicate onto the internet!

paulo.oliveira (Posts: 765, Joined: 3.Jan.2008, From: Amazonas, Brazil) - 10.Jul.2008 10:35:36 AM

Hi, that's really sad. Please share with us what you did. Thanks!

Regards,
Paulo Oliveira.

jdostal (Posts: 25, Joined: 20.Sep.2007) - 10.Jul.2008 10:40:12 AM

It was a lot of different things combined:

- I've adjusted some of the rules. Nothing major, but instead of saying "All Outbound" to the VPN Network I specified particular protocols.
- I blocked off a /24 subnet for my VPN clients on my network, and then I've placed a static route for that subnet with my VPN server's internal NIC as the hop for that subnet (this was key).
- I adjusted the routing tables on the ISA server for some of the weird routes I needed for my particular network.
- And finally, after all that, I had to tweak the local Windows Firewall on the VPN clients, as it was blocking some of the VPN traffic (RDP, etc.).

I'm almost all set. The only issue I have now is that the VPN clients have no internet access; if I try to browse the web I get a "10061", so I'm off to start googling that one. I more than likely have routing issues again...

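Added example, not code from the thread or from either poster: a Python walk-through of how the route table pasted in the first post, and the static-route fix described in the last post, decide where a packet goes. It replays Windows route selection (longest matching prefix wins, lowest metric breaks ties) over the ISA table exactly as posted, then models a host on the internal LAN before and after the fix. The LAN host's own table, its address 172.16.25.50 and the dedicated VPN pool 172.16.26.0/24 are assumptions; the thread never shows them.

```python
"""Replay the route selection behind the thread: the ISA server's posted
route table, and an internal LAN host's view before and after the
static-route fix from the final post. Added example, not the thread's own
code; the LAN host table and the 172.16.26.0/24 pool are assumed."""
import ipaddress

# "Active Routes" rows as pasted in the first post (constructed copy of
# that table, one route per line: destination netmask gateway interface metric).
ISA_ROUTE_PRINT = """
0.0.0.0 0.0.0.0 192.168.16.1 192.168.16.27 10
75.8.37.28 255.255.255.255 192.168.16.1 192.168.16.27 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.0.0.0 255.0.0.0 172.16.25.254 172.16.25.121 1
172.16.0.0 255.255.0.0 172.16.25.254 172.16.25.121 1
172.16.25.0 255.255.255.0 172.16.25.121 172.16.25.121 10
172.16.25.70 255.255.255.255 127.0.0.1 127.0.0.1 50
172.16.25.75 255.255.255.255 172.16.25.70 172.16.25.70 1
172.16.25.121 255.255.255.255 127.0.0.1 127.0.0.1 10
172.16.255.255 255.255.255.255 172.16.25.121 172.16.25.121 10
192.168.16.0 255.255.255.0 192.168.16.27 192.168.16.27 10
192.168.16.27 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.16.255 255.255.255.255 192.168.16.27 192.168.16.27 10
224.0.0.0 240.0.0.0 172.16.25.121 172.16.25.121 10
224.0.0.0 240.0.0.0 192.168.16.27 192.168.16.27 10
255.255.255.255 255.255.255.255 172.16.25.121 172.16.25.121 1
255.255.255.255 255.255.255.255 192.168.16.27 192.168.16.27 1
"""

# ASSUMED: a host on the internal LAN at 172.16.25.50 with an on-link route
# for its own /24 and a default route via the LAN router 172.16.25.254.
INTERNAL_HOST_BEFORE = """
0.0.0.0 0.0.0.0 172.16.25.254 172.16.25.50 10
172.16.25.0 255.255.255.0 172.16.25.50 172.16.25.50 10
"""

# ASSUMED pool for the fix in the last post: a dedicated /24 (172.16.26.0/24
# is made up) with a static route whose next hop is ISA's internal NIC.
INTERNAL_HOST_AFTER = INTERNAL_HOST_BEFORE + (
    "172.16.26.0 255.255.255.0 172.16.25.121 172.16.25.50 1\n")


def parse_route_print(text):
    """Parse 'destination netmask gateway interface metric' rows into tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank lines, headers and separators
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Windows route selection: the longest matching prefix wins and the
    lowest metric breaks ties. Returns (network, gateway, interface) or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, str(net), gw, iface)
    return None if best is None else best[1:]


def is_on_link(route):
    """route print shows gateway == interface for on-link destinations: the
    sender resolves the destination on that segment itself, no router involved."""
    return route is not None and route[1] == route[2]


def isa_next_hop(dst):
    """Where the ISA server, using the posted table, sends a packet for dst."""
    return lookup(parse_route_print(ISA_ROUTE_PRINT), dst)


def internal_host_next_hop(dst):
    """(before fix, after fix) for a packet leaving the modelled LAN host."""
    return (lookup(parse_route_print(INTERNAL_HOST_BEFORE), dst),
            lookup(parse_route_print(INTERNAL_HOST_AFTER), dst))


if __name__ == "__main__":
    for dst in ("172.16.25.75", "172.16.25.50", "172.16.30.5", "8.8.8.8"):
        print(f"ISA      -> {dst:14} {isa_next_hop(dst)}")
    for dst in ("172.16.25.75", "172.16.26.10"):
        before, after = internal_host_next_hop(dst)
        print(f"LAN host -> {dst:14} before={before} on-link={is_on_link(before)}")
        print(f"LAN host -> {dst:14} after ={after} on-link={is_on_link(after)}")
```

Two things fall out of the table as posted. 172.16.25.70, the first address of the pool, is a host route through 127.0.0.1, i.e. an address ISA itself holds on the server end of the PPP link, and 172.16.25.75 is reachable only through that PPP interface; so from ISA's side the VPN client is routed correctly, which matches the poster seeing the traffic allowed in the logs. On the modelled LAN host the old pool address is on-link, so the host tries to resolve 172.16.25.75 on the LAN segment itself instead of handing the packet to a router; with a separate /24 and a static route the same host forwards it to 172.16.25.121, which is the change the final post reports as the key one.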