Welcome to ISAserver.org


VPN out

VPN out - 25.Jul.2007 10:31:55 AM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline
hello all,

I need to allow cisco and windows vpn out, what protocol should I use?

I was under the impression windows vpn just used PPTP so I enabled that out to anywhere but it doesn't work.
I get the below
VPN OUT = my rule

25/07/2007 15:29:34       destination                1723       PPTP      Closed Connection          VPN OUT             10.10.10.183                       Internal                External               -              -              TCP        0x80074e24 FWX_E_CONNECTION_KILLED

have I done something wrong?
Post #: 1
RE: VPN out - 1.Aug.2007 10:04:42 AM   
IanC

 

Posts: 233
Joined: 11.Jul.2007
From: UK
Status: offline
GRE (IP 47) also needs to be allowed through.  However, if you have used the predefined protocol definition for PPTP, there is no need to create another rule as the PPTP filter handles this.

Make sure that PPTP filter is being applied.

Ian Currie 

(in reply to wilde)
Post #: 2
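
Added example, not part of the thread and not ISA Server's own tooling: a Python check that reports, per client and destination, whether both flows named in the reply above passed the firewall, the PPTP control channel on TCP 1723 and the GRE (IP protocol 47) data channel. The log rows are constructed and use a simplified tab-separated layout; the column order, addresses and status names are assumptions.

```python
from collections import defaultdict

# Constructed, simplified tab-separated rows (not real ISA Server log output):
# time, destination, port, action, rule, client, transport
SAMPLE_LOG = (
    "15:29:30\t203.0.113.10\t1723\tInitiated Connection\tVPN OUT\t10.10.10.183\tTCP\n"
    "15:29:31\t203.0.113.10\t0\tDenied Connection\tDefault rule\t10.10.10.183\tGRE\n"
    "15:29:34\t203.0.113.10\t1723\tClosed Connection\tVPN OUT\t10.10.10.183\tTCP\n"
    "15:40:02\t198.51.100.7\t1723\tInitiated Connection\tVPN OUT\t10.10.10.50\tTCP\n"
    "15:40:03\t198.51.100.7\t0\tInitiated Connection\tVPN OUT\t10.10.10.50\tGRE\n"
)

def parse(log_text):
    """Turn the tab-separated text into a list of dicts, skipping blank lines."""
    fields = ("time", "dest", "port", "action", "rule", "client", "transport")
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            row = dict(zip(fields, line.split("\t")))
            row["port"] = int(row["port"])
            rows.append(row)
    return rows

def pptp_status(rows):
    """Classify each (client, destination) pair by which PPTP channels passed."""
    seen = defaultdict(lambda: {"control": False, "gre_ok": False, "gre_denied": False})
    for r in rows:
        state = seen[(r["client"], r["dest"])]
        denied = r["action"].startswith("Denied")
        if r["transport"] == "TCP" and r["port"] == 1723:
            state["control"] = state["control"] or not denied
        elif r["transport"] == "GRE":
            state["gre_denied" if denied else "gre_ok"] = True
    result = {}
    for pair, s in seen.items():
        if not s["control"]:
            result[pair] = "control_blocked"   # TCP 1723 never allowed
        elif s["gre_ok"]:
            result[pair] = "ok"                # both channels passed
        elif s["gre_denied"]:
            result[pair] = "gre_denied"        # control up, tunnel data dropped
        else:
            result[pair] = "gre_not_logged"    # control up, no GRE rows at all
    return result

if __name__ == "__main__":
    for pair, status in pptp_status(parse(SAMPLE_LOG)).items():
        print(pair, status)
```
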
RE: VPN out - 1.Aug.2007 10:13:03 AM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline
 
but PPTP is allowed out?

(in reply to IanC)
Post #: 3
RE: VPN out - 8.Aug.2007 7:29:23 AM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline
 
This is strange, I have created a rule from my pc to allow all traffic to external and it still doesn't work, I receive error 619 A connection to the remote computer could not be established so the port was closed.

I get this error just as it's verifying username and password?

Is this something to do with NAT on my system?

(in reply to wilde)
Post #: 4
RE: VPN out - 8.Aug.2007 8:05:53 AM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline
my machine is cad btw.
I allowed cad to external with all outbound protocols and still didn't work as per last post here.
below are the logging details xxx.xxx.xxx.xxx is the ip I am trying to vpn to, this vpn connection works on an external adsl line with no firewall.

http://img338.imageshack.us/img338/905/logsoj6.jpg - log files picture

any help is muchly appreciated.

(in reply to wilde)
Post #: 5
RE: VPN out - 23.Oct.2007 5:14:39 AM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline
Hello all

Does anyone have any Ideas on this, it has now become very urgent as it is causing my company a huge hindrance.

I welcome any suggestions.

Many Thanks

Tom.

(in reply to wilde)
Post #: 6
RE: VPN out - 23.Oct.2007 1:51:45 PM   
elmajdal

 

Posts: 5074
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
Hi,

check my article here : http://www.elmajdal.net/ISAServer/How_To_Allow_Cisco_VPN_Client_To_Connect_Through_ISA_Server.aspx

HTH,
Tarek

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to wilde)
Post #: 7
RE: VPN out - 24.Oct.2007 6:00:01 AM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline
 
Hello Elmajdal,

I have already done the below and Cisco VPN out works successfully, but I cannot get Windows VPN out to work.

Please advise

Thanks!

(in reply to elmajdal)
Post #: 8
RE: VPN out - 24.Oct.2007 7:11:43 AM   
elmajdal

 

Posts: 5074
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
if u bypassed ISA Server and connected your laptop for example directly to the router, are you able to vpn out ?



_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to wilde)
Post #: 9
RE: VPN out - 24.Oct.2007 7:54:24 AM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline
Good idea, I have tried this and Windows VPN works when plugging directly into the router, if ISA firewall is in the way windows VPN does not work.

Any ideas?

(in reply to elmajdal)
Post #: 10
RE: VPN out - 24.Oct.2007 4:25:10 PM   
elmajdal

 

Posts: 5074
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
Ok.

as a test create a rule,

allow > all outbound protocols > from internal > to external > all users


and make sure to locate this rule at the top of other rules.

by the way whats ur clients type ? and how many NICs you have on ISA Server and whats their configurations ?

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to wilde)
Post #: 11
RE: VPN out - 25.Oct.2007 5:27:31 AM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline
setting up allow > all outbound protocols > from internal > to external > all users
as the top rule did not help.

Clients are XP sp2 and Vista

ISA server has 2 NICs, one internal and one external.

NIC TCP/IP Properties:-

External - IP addresses- 4 similar IP's
               Subnet Mask - 255.255.255.248
               Gateway is our router
               DNS settings are correct
               Netbios setting - Default

Internal - Ip address - 10.10.10.254 (this is the default gateway for all client machines)
           - Subnet - 255.255.0.0
           - DNS - 10.10.10.1 and 10.10.10.10
           - Default gateway - NONE
           - Netbios setting - Enable


(in reply to elmajdal)
Post #: 12
RE: VPN out - 25.Oct.2007 8:47:24 AM   
elmajdal

 

Posts: 5074
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
quote:

External - IP addresses- 4 similar IP's
              Subnet Mask - 255.255.255.248
              Gateway is our router
              DNS settings are correct
              Netbios setting - Default

Internal - Ip address - 10.10.10.254 (this is the default gateway for all client machines)
          - Subnet - 255.255.0.0
          - DNS - 10.10.10.1 and 10.10.10.10
          - Default gateway - NONE
          - Netbios setting - Enable


what do u mean with DNS settings are correct on the External NIC ?

You should never put any DNS Entry on the External NIC.

You should have an Internal DNS Server that forwards external requests to your ISP DNS Servers, check my article here : http://elmajdal.net/isaserver/Internal_DNS_Forwarding.aspx

also make sure to set your clients as SecureNet clients ( default gateway pointing to ISA Internal IP )

and if you have the Firewall Client installed, disable it before establishing the vpn connection.

HTH,
Tarek


_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to wilde)
Post #: 13
RE: VPN out - 25.Oct.2007 9:32:41 AM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline
I have taken the DNS settings out from the external network card, the rest we have already.
I still cannot use windows vpn!

Thanks for helping, any more ideas?

quote:

ORIGINAL: elmajdal
what do u mean with DNS settings are correct on the External NIC ?

You should never put any DNS Entry on the External NIC.

You should have an Internal DNS Server that forwards external requests to your ISP DNS Servers, check my article here : http://elmajdal.net/isaserver/Internal_DNS_Forwarding.aspx

also make sure to set your clients as SecureNet clients ( default gateway pointing to ISA Internal IP )

and if you have the Firewall Client installed, disable it before establishing the vpn connection.

HTH,
Tarek


(in reply to elmajdal)
Post #: 14
RE: VPN out - 6.Aug.2008 12:06:33 PM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline
Hi all,

This is an old case, but even after completely rebuilding the ISA server I still cannot use windows VPN out to another firewall.

Any ideas are welcome.

(in reply to wilde)
Post #: 15
