VPN from Internal to Internet
VPN from Internal to Internet - 17.Feb.2004 11:39:00 PM   
Raul E Jimenez
Posts: 78
Joined: 21.Oct.2002
From: USA
Hi all,

I am trying to connect from the internal network (private IP addresses) to another site that is VPN capable (public IP addresses), passing through the ISA 2004 server, but I can't do it.

The default gateway of the client computer on the internal network is pointing to the ISA 2004 internal IP address, and I already installed the Firewall Client too.

This is what I get using the monitoring tool from ISA 2004:

Original Client IP   Authenticated Client
172.21.24.62         OUTGOING TCP
172.21.24.62         OUTGOING GRE

The first one says that the connection was established, but the second is denied?

The Firewall rule says All Outbound protocols for all internal users

What can be wrong?

Thanks for the help

RJ
Post #: 1
RE: VPN from Internal to Internet - 18.Feb.2004 4:36:00 AM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi Raul,

Disable the firewall client application and try again.

HTH,
Tom

(in reply to Raul E Jimenez)
Post #: 2
RE: VPN from Internal to Internet - 18.Feb.2004 11:41:00 AM   
Raul E Jimenez
Posts: 78
Joined: 21.Oct.2002
From: USA
Hi Tom,

No luck, I am still getting the same answer.

TCP 1723 connects and then the GRE fails.

With the Network Monitoring tool I am able to see the communication using port 1723 on the external NIC card, but not for port 47 for the handshake.

With another computer I bypass the ISA and am able to connect to the server. The remote VPN server is an ISA 2000.

Telnet from the client to the external IP on port 1723 works fine.

After I have the correct rule for PPTP, I will jump to IPsec with a CA and RADIUS, but I want to have better knowledge about ISA 2004, policies and firewall rules.

Thanks

Raul

PS: When do you think we can have your book on ISA 2004?... [Big Grin]

(in reply to Raul E Jimenez)
Post #: 3
RE: VPN from Internal to Internet - 18.Feb.2004 2:21:00 PM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi Raul,

I just checked it and outbound PPTP works fine. I've backed up the configuration, which you can import into your test machine:

http://www.msfirewall.org/isa2004/pptpoutbound.xml

HTH,
Tom

(in reply to Raul E Jimenez)
Post #: 4
RE: VPN from Internal to Internet - 18.Feb.2004 7:48:00 PM   
Raul E Jimenez
Posts: 78
Joined: 21.Oct.2002
From: USA
Hey Tom,

I imported the XML on my test machine and still no connection, even from the local ISA server. (Very strong passphrase, the password you selected.. [Razz])

I turned on Network Monitor on the external NIC card and there is still PPTP talking, but I am not seeing GRE or port 47 at all; also, PPPCHAP or PPPCHAPV2 is not on the list.

From the desktop on the internal network, exactly the same. You can see "Verifying user name and password" and then error 619, port closed. [Confused]

With another computer connected to the Linksys router directly, I am able to establish a connection to any place using PPTP, and you can see all the protocols and ports on the Network Monitor, such as PPTP, PPPChaps and GRE.

What can be wrong? I enabled PPTP from Internal to External for all users; that shouldn't be necessary when you bind all protocols to all users from Internal to External.

Thanks

Raúl

(in reply to Raul E Jimenez)
Post #: 5
RE: VPN from Internal to Internet - 18.Feb.2004 8:17:00 PM   
Raul E Jimenez
Posts: 78
Joined: 21.Oct.2002
From: USA
Hey Tom,

I am trying to do exactly the same as Kman70.

With ISA 2000, not a problem: as soon as you allow PPTP, you can see all the protocols and ports with the Netmon tool.

Maybe it is a bug?? [Eek!]

Thanks

RJ

(in reply to Raul E Jimenez)
Post #: 6
RE: VPN from Internal to Internet - 18.Feb.2004 9:48:00 PM   
Raul E Jimenez
Posts: 78
Joined: 21.Oct.2002
From: USA
More info from the client.

These are the log entries for the WAN miniport in use for VPN. As soon as it tries to use PPP for authentication, the connection is dropped with error 619:

[2520] 15:50:51: RasGetConnectStatus: read device (vpn,WAN Miniport (PPTP)) from port user data
[2520] 15:50:51: RasGetConnectStatus: read phonenumber 169.153.144.80 from port user data
[3692] 15:50:51: NotifyCaller done (dwNotifyResult=1)
[3692] 15:50:51: RASCS_ConnectDevice
[3692] 15:50:51: SetDefaultParams: Using address 0=169.153.144.80
[3692] 15:50:51: RasDeviceSetInfo done(0)
[3692] 15:50:51: SetDeviceParams(rastapi, WAN Miniport (PPTP), 0)
[3692] 15:50:51: RasDeviceConnect(rastapi,WAN Miniport (PPTP))...
[3692] 15:50:51: RasDeviceConnect done(600)
[3692] 15:50:51: RDM errors=600,0
[3692] 15:50:51: WaitForEvent
[3692] 15:50:52: WorkerThread: pOverlapped=0x14142c
[3692] 15:50:52: WorkerThread: type=2
[3692] 15:50:52: Unblock i=1, h=0x1413d4
[3692] 15:50:52: RasGetInfo...
[3692] 15:50:52: RasGetInfo done(0)
[3692] 15:50:52: setting rasman state to 3
[3692] 15:50:52: NotifyCaller(nt=0x2,su=1,s=3,e=0,xe=0)...
[3692] 15:50:52: NotifyCaller done (dwNotifyResult=1)
[3692] 15:50:52: RASCS_DeviceConnected
[3692] 15:50:52: SaveVpnStrategyInformation...
[3692] 15:50:52: Saving 2 as the vpn strategy
[3692] 15:50:52: SaveVpnStrategyInformation done
[3692] 15:50:52: RDM errors=0,0
[3692] 15:50:52: RasDialMachine: SignalDone: prasconncb=0x1413c8
[3692] 15:50:52: SignalDone: pOverlapped=0x14142c
[3692] 15:50:52: WaitForEvent
[3692] 15:50:52: WorkerThread: pOverlapped=0x14142c
[3692] 15:50:52: WorkerThread: type=2
[3692] 15:50:52: Unblock i=1, h=0x1413d4
[3692] 15:50:52: setting rasman state to 4
[3692] 15:50:52: NotifyCaller(nt=0x2,su=1,s=4,e=0,xe=0)...
[3692] 15:50:52: NotifyCaller done (dwNotifyResult=1)
[3692] 15:50:52: RASCS_AllDevicesConnected
[3692] 15:50:52: RasPortConnectComplete...
[3692] 15:50:52: RasPortConnectComplete done(0)
[3692] 15:50:52: RDM errors=0,0
[3692] 15:50:52: RasDialMachine: SignalDone: prasconncb=0x1413c8
[3692] 15:50:52: SignalDone: pOverlapped=0x14142c
[3692] 15:50:52: WaitForEvent
[3692] 15:50:52: WorkerThread: pOverlapped=0x14142c
[3692] 15:50:52: WorkerThread: type=2
[3692] 15:50:52: Unblock i=1, h=0x1413d4
[3692] 15:50:52: setting rasman state to 5
[3692] 15:50:52: NotifyCaller(nt=0x2,su=1,s=5,e=0,xe=0)...
[3692] 15:50:52: NotifyCaller done (dwNotifyResult=1)
[3692] 15:50:52: RASCS_Authenticate [Razz]
[3692] 15:50:52: RasPortSetFramingEx(PPP)...
[3692] 15:50:52: RasPortSetFramingEx done(0)
[3692] 15:50:52: subentry 1 has suspend state 0
[3692] 15:50:52: subentry 1 suspending all other subentries
[3692] 15:50:52: RasPppStart(cfg=8393608)...
[3692] 15:50:52: RasSetRasdialInfo 6...
[3692] 15:50:52: RasSetRasdialInfo 6 done. e = 0
[3692] 15:50:52: RasPppStart done(0)
[3692] 15:50:52: RDM errors=0,0
[3692] 15:50:52: WaitForEvent
[3692] 15:50:52: WorkerThread: pOverlapped=0x14140c
[3692] 15:50:52: WorkerThread: type=1
[3692] 15:50:52: Unblock i=0, h=0x1413d4
[3692] 15:50:52: Link dropped! [Mad]
[3692] 15:50:52: RasGetInfo...
[3692] 15:50:52: RasGetInfo done(618)
[3692] 15:50:52: Port was close because of 619
[3692] 15:50:52: setting rasman state to 8193
[3692] 15:50:52: NotifyCaller(nt=0x2,su=1,s=8193,e=619,xe=0)...

Thanks

RJ

(in reply to Raul E Jimenez)
Post #: 7
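A small parser for RAS traces like the one posted above, added here as an example (not code from the thread): it walks the trace, records the last RASCS_ phase reached before "Link dropped!" and the error the port was closed with. The embedded excerpt is constructed from the lines above, and the hint it produces is a heuristic (PPP frames ride inside PPTP's GRE data channel, so a drop at RASCS_Authenticate with 619 after the TCP 1723 control channel came up points at GRE, IP protocol 47, not passing), not an ISA diagnostic.

```python
import re
from typing import Optional

# Constructed excerpt, trimmed from the RAS trace posted above (same line format).
RAS_LOG = """\
[3692] 15:50:52: setting rasman state to 4
[3692] 15:50:52: RASCS_AllDevicesConnected
[3692] 15:50:52: setting rasman state to 5
[3692] 15:50:52: RASCS_Authenticate
[3692] 15:50:52: RasPppStart(cfg=8393608)...
[3692] 15:50:52: RasPppStart done(0)
[3692] 15:50:52: Link dropped!
[3692] 15:50:52: RasGetInfo done(618)
[3692] 15:50:52: Port was close because of 619
[3692] 15:50:52: setting rasman state to 8193
"""

LINE_RE = re.compile(r"^\[(\d+)\]\s+(\d\d:\d\d:\d\d):\s+(.*)$")  # [tid] hh:mm:ss: message
PHASE_RE = re.compile(r"^(RASCS_\w+)")                            # dial-machine phase markers
CLOSE_RE = re.compile(r"Port was close because of (\d+)")         # RAS error the port closed with

def analyse_ras_trace(text: str) -> dict:
    """Return the phase in which the link dropped and the closing error code.

    Fields are None when the trace contains no drop. 'hint' is a heuristic: PPP runs
    inside the GRE data channel of PPTP, so a drop at RASCS_Authenticate with error 619
    after the TCP 1723 control channel completed points at GRE (IP protocol 47) not passing.
    """
    last_phase: Optional[str] = None
    phase_at_drop: Optional[str] = None
    error: Optional[int] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # ignore non-trace lines
        msg = m.group(3)
        p = PHASE_RE.match(msg)           # trailing text (e.g. forum emoticons) is ignored
        c = CLOSE_RE.search(msg)
        if p:
            last_phase = p.group(1)
        elif msg.startswith("Link dropped"):
            phase_at_drop = last_phase
        elif c:
            error = int(c.group(1))
    hint = None
    if phase_at_drop == "RASCS_Authenticate" and error == 619:
        hint = "control channel (TCP 1723) completed; check that GRE (IP protocol 47) is allowed"
    return {"phase_at_drop": phase_at_drop, "error": error, "hint": hint}
```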
RE: VPN from Internal to Internet - 18.Feb.2004 10:20:00 PM   
jazzer
Posts: 24
Joined: 15.Feb.2004
From: Switzerland
Hello All,

I have seen that I am not alone with my next problem. I have the same configuration as LAISA. Is GRE port 47? I think GRE is protocol 47, not a port?

PPTP -> protocol 6, port 1723
GRE -> protocol 47

[ February 18, 2004, 10:24 PM: Message edited by: jazzer ]

(in reply to Raul E Jimenez)
Post #: 8
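The distinction jazzer raises, shown on the wire as an added example (not code from the thread): PPTP's control channel is TCP port 1723, its data channel is GRE, which is IP protocol 47, and a GRE packet has no port fields at all, so a rule written as "port 47" can never match it. The packet builders, the simplified rule format and the destination address are constructed for this example.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47      # an IP protocol number, not a TCP/UDP port
PPTP_PORT = 1723      # PPTP control connection (TCP)

def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def build_ipv4(proto: int, payload: bytes, src="172.21.24.62", dst="203.0.113.10") -> bytes:
    """Constructed minimal IPv4 header (no options, checksum left 0) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      _ip(src), _ip(dst))
    return hdr + payload

def tcp_syn(sport: int, dport: int) -> bytes:
    """Minimal TCP header: ports, seq, ack, data offset 5, SYN flag, window, checksum, urgent."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def pptp_gre(call_id: int, payload_len: int = 0) -> bytes:
    """Enhanced GRE header as PPTP uses it (RFC 2637): K flag + version 1, protocol 0x880B,
    payload length, call ID. There are no port fields anywhere in it."""
    return struct.pack("!HHHH", 0x2001, 0x880B, payload_len, call_id)

def classify(pkt: bytes) -> dict:
    """Pull the protocol number and, for TCP only, the ports out of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        label = "PPTP control" if dport == PPTP_PORT else "TCP"
        return {"proto": proto, "sport": sport, "dport": dport, "label": label}
    if proto == IPPROTO_GRE:
        return {"proto": proto, "sport": None, "dport": None, "label": "GRE (PPTP data)"}
    return {"proto": proto, "sport": None, "dport": None, "label": "other"}

def rule_matches(rule: dict, pkt: bytes) -> bool:
    """Simplified rule: {'proto': n} or {'proto': n, 'dport': p}. A rule for TCP port 47
    never matches GRE traffic, because GRE is protocol 47 and carries no port."""
    info = classify(pkt)
    if info["proto"] != rule["proto"]:
        return False
    return rule.get("dport") is None or info["dport"] == rule["dport"]
```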
RE: VPN from Internal to Internet - 19.Feb.2004 1:06:00 AM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
quote:
Originally posted by LAISA:
Hey Tom,

I am trying to do exactly the same as Kman70.

With ISA 2000, not a problem: as soon as you allow PPTP, you can see all the protocols and ports with the Netmon tool.

Maybe it is a bug?? [Eek!]

Thanks

RJ

Hi Raul,

Are you using a DSL connection? If so, it could be an MTU issue.

HTH,
Tom

(in reply to Raul E Jimenez)
Post #: 9
RE: VPN from Internal to Internet - 19.Feb.2004 1:07:00 AM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi Jazzer,

Are you using a DSL connection?

Thanks!
Tom

(in reply to Raul E Jimenez)
Post #: 10
RE: VPN from Internal to Internet - 19.Feb.2004 1:15:00 AM   
Raul E Jimenez
Posts: 78
Joined: 21.Oct.2002
From: USA
Hey Tom,

I am using a cable modem and you might be right, but:

I am able to connect using my laptop bypassing the ISA.

I installed your configuration on a server using Virtual PC and you are right, PPTP works fine, but the handshake using MSChaps or MSChapsv2 does not show up on the Network Monitor as it does when I connect directly with the laptop bypassing the ISA 2004.

With ISA 2000, not a problem using exactly the same config. [Frown]

I added GRE to the Firewall Rules and still no worky.

I will post a drawing representing what I am doing. It will be helpful.

Thanks

RJ

(in reply to Raul E Jimenez)
Post #: 11
RE: VPN from Internal to Internet - 19.Feb.2004 8:32:00 AM   
jazzer
Posts: 24
Joined: 15.Feb.2004
From: Switzerland
Hello Tom,

I use a cable modem for connection to the Internet (with DHCP [Wink]). I've got a notion that it's not an MTU issue. I can establish the VPN connection, but I cannot send data through the VPN tunnel. Data through the VPN tunnel goes with GRE. I think so? But I am not sure that GRE is the problem.

VPN connection:
Smart card key with certificate
Client behind an ISA 2004
Remote VPN terminator is an ISA 2000

(in reply to Raul E Jimenez)
Post #: 12
RE: VPN from Internal to Internet - 19.Feb.2004 11:06:00 AM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
quote:
Originally posted by LAISA:
Hey Tom,

I am using a cable modem and you might be right, but:

I am able to connect using my laptop bypassing the ISA.

I installed your configuration on a server using Virtual PC and you are right, PPTP works fine, but the handshake using MSChaps or MSChapsv2 does not show up on the Network Monitor as it does when I connect directly with the laptop bypassing the ISA 2004.

With ISA 2000, not a problem using exactly the same config. [Frown]

I added GRE to the Firewall Rules and still no worky.

I will post a drawing representing what I am doing. It will be helpful.

Thanks

RJ

Hi Raul,

Thanks! That will help.

Tom

(in reply to Raul E Jimenez)
Post #: 13
RE: VPN from Internal to Internet - 19.Feb.2004 11:17:00 AM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hey guys,

Do you have a rule on the ISA/VPN Server that allows the VPN clients network access to the Internal network at the VPN server's site?

Thanks!
Tom

(in reply to Raul E Jimenez)
Post #: 14
RE: VPN from Internal to Internet - 19.Feb.2004 11:51:00 AM   
jazzer
Posts: 24
Joined: 15.Feb.2004
From: Switzerland
Hello Tom

Do you mean an access rule for PPTP from Internal to Local Host? Why do I need a connection to the local host from ISA when the tunnel goes through the ISA? The ISA doesn't terminate the tunnel!

(in reply to Raul E Jimenez)
Post #: 15
RE: VPN from Internal to Internet - 19.Feb.2004 11:55:00 AM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi Jazzer,

On the remote network ISA VPN Server, you need to create an Access Rule that allows the VPN clients network outbound access to the Internal network.

HTH,
Tom

(in reply to Raul E Jimenez)
Post #: 16
RE: VPN from Internal to Internet - 19.Feb.2004 1:34:00 PM   
jazzer
Posts: 24
Joined: 15.Feb.2004
From: Switzerland
Hello Tom,

We have the VPN connection with a remote DHCP server. When I connect to my VPN gateway I receive an IP, default gateway, DNS and WINS server. We have a rule defined for the DHCP IP range in the remote VPN ISA. Is it necessary to enter my own IP address of the office PC in this rule?

My config:

LAN ( 10.236.xxx )
|
|
ISA 2000 in HeadQ (vpn Terminator)
^
|
| WAN
|
|
ISA 2004 B in Remote Site
| - allow PPTP from Inside to External
| - allow GRE from Inside to External
|
LAN ( 192.168.10.x)
|
XP Client (VPN START)

[ February 19, 2004, 03:56 PM: Message edited by: jazzer ]

(in reply to Raul E Jimenez)
Post #: 17
RE: VPN from Internal to Internet - 19.Feb.2004 10:44:00 PM   
Raul E Jimenez
Posts: 78
Joined: 21.Oct.2002
From: USA
Hey guys,

Been very busy the whole day.

I found this solutions.doc from Microsoft.

I believe some of Tom's documents are in this set [Eek!]; anyway, I will use it and review my config.

Also, I am creating a web site to host the drawings.

Here is the URL for the document:
http://go.microsoft.com/fwlink?linkid=20745

Have fun "always" [Big Grin]

RJ

(in reply to Raul E Jimenez)
Post #: 18
RE: VPN from Internal to Internet - 20.Feb.2004 12:52:00 AM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
quote:
Originally posted by jazzer:
Hello Tom,

We have the VPN connection with a remote DHCP server. When I connect to my VPN gateway I receive an IP, default gateway, DNS and WINS server. We have a rule defined for the DHCP IP range in the remote VPN ISA. Is it necessary to enter my own IP address of the office PC in this rule?

My config:

LAN ( 10.236.xxx )
|
|
ISA 2000 in HeadQ (vpn Terminator)
^
|
| WAN
|
|
ISA 2004 B in Remote Site
| - allow PPTP from Inside to External
| - allow GRE from Inside to External
|
LAN ( 192.168.10.x)
|
XP Client (VPN START)

Hi Jazzer,

The only rule you need is to allow PPTP (NOT GRE!) from Internal to External.

HTH,
Tom

(in reply to Raul E Jimenez)
Post #: 19
RE: VPN from Internal to Internet - 20.Feb.2004 12:56:00 AM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
quote:
Originally posted by LAISA:
Hey guys,

Been very busy the whole day.

I found this solutions.doc from Microsoft.

I believe some of Tom's documents are in this set [Eek!]; anyway, I will use it and review my config.

Also, I am creating a web site to host the drawings.

Here is the URL for the document:
http://go.microsoft.com/fwlink?linkid=20745

Have fun "always" [Big Grin]

RJ

Hi Raul,

I didn't write any of those docs. There are no pictures! [Smile]

Let us know if you figure out the problem.

Thanks!
Tom

(in reply to Raul E Jimenez)
Post #: 20
