Welcome to ISAserver.org


VPN termination before ISA

VPN termination before ISA - 17.Aug.2005 9:46:00 AM   
Guest
Hi all,

I have a quick question. We recently purchased ISA 2004 server to sit in front of our internal network and mainly to serve as load balancer and RPC over HTTP frontend for Exchange 2003 server. In front of ISA we have a CISCO 1712 router which is responsible for NATing outside traffic, port forwarding to specific internal machines and, most important, establishing IPSec VPN tunnels with 2 of our branch offices. After we placed ISA we lost communication with the other offices. I've created new networks with the IP ranges used in the other offices and told ISA to route that traffic through it, but I wasn't able to go through the VPN to the other offices or the other way around.
The company which is in charge of our CISCO maintenance told me that the VPNs are up and that they can ping machines on the other side from the router.

Could I get some guides on how to resolve a situation like this?

Thanks in advance,

Dominik
  Post #: 1
RE: VPN termination before ISA - 17.Aug.2005 9:59:00 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
So you made a "Network" and a "Firewall Policy Access Rule" for this traffic, right? Just wanted to make sure...

Go into the Monitoring\Logging node and add an entry for Client IP Equals %RemoteClientIP% and see what ISA logs for the connection request.

Once you're in the Logging node, go to the View menu and select Add/Remove Columns. I like to add everything from the left to the right, but if you don't want to, at least add the Result Code field.

Post the results up here (not the entire line - it ends up looking like a blob of text) and we'll help sort it out. At the very least, post the Result Code, the Rule that is invoked, and some basic ASCII art of the topology.

[ August 17, 2005, 10:02 AM: Message edited by: ClintD ]

(in reply to Guest)
Post #: 2
RE: VPN termination before ISA - 17.Aug.2005 10:27:00 AM   
Guest
Hi and thanks for quick reply,

The error code which I receive is 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED when the remote address is in the Client IP field, and I receive the 0xc004002d FWX_E_UNREACHABLE_ADDRESS error when the remote address is in the Destination IP field.

And now the art:
Network looks like this

Remote office - CISCO - Internet - CISCO - ISA - local office

CISCO-s terminated VPN before ISA arrived and everything worked OK.

Thanks in advance,
Dominik

(in reply to Guest)
  Post #: 3
RE: VPN termination before ISA - 17.Aug.2005 4:39:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
OK - when you created the Network for the remote location, did you specify it as an External Network or Internal?

Just to be sure, we need this to be an External network.

[ August 17, 2005, 04:39 PM: Message edited by: ClintD ]

(in reply to Guest)
Post #: 4
RE: VPN termination before ISA - 18.Aug.2005 4:08:00 AM   
Guest
Hm....

I've just checked, but didn't find any place to specify if it is an internal or external network...

Where should I look?

(in reply to Guest)
  Post #: 5
RE: VPN termination before ISA - 18.Aug.2005 4:25:00 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
After you create it, you don't have the option (this kinda sucks about the ISA 2004 Networks). Could you re-create it to make sure?

[ August 18, 2005, 04:26 AM: Message edited by: ClintD ]

(in reply to Guest)
Post #: 6
RE: VPN termination before ISA - 18.Aug.2005 4:52:00 AM   
Guest
Just recreated it and remade all rules and policies and it still acts the same... [Frown]

(in reply to Guest)
  Post #: 7
RE: VPN termination before ISA - 18.Sep.2005 11:28:00 AM   
Guest
Did you get anywhere with this one? I'm about to try and configure a site in the exact same way tomorrow..

(in reply to Guest)
  Post #: 8
RE: VPN termination before ISA - 30.Nov.2005 5:18:02 PM   
sergeda

 

Posts: 17
Joined: 3.Nov.2004
Status: offline
Hi.
I have exactly the same problem.
I have this network:
Remote office - FreeBSD - Internet - FreeBSD - ISA - local office
At the remote office I have the 10.0.1.0/24 network.
At the local office I have the 192.168.0.0/24 network.
Between FreeBSD and ISA at the local office there is the 10.0.0.0/24 network.
I have set up an additional network and marked it as External. Then I set up a network rule to route between the local network and this additional network.
I have also created a firewall rule to allow traffic from the 10.0.1.0/24 network.
But traffic is always denied with result code 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED, and in the client IP column I've got the 0.0.0.0 IP.
Can somebody help me with this?

(in reply to Guest)
Post #: 9
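The following is an added illustration, not part of any post in this thread and not ISA Server code: a simplified Python model of a source-address (anti-spoofing) check of the kind that produces FWX_E_FWE_SPOOFING_PACKET_DROPPED, run against the address ranges from post #9. The adapter names, the host 10.0.1.5 and the matching rules (the source must belong to the Network bound to the arrival adapter, and the routing table must reach it through that adapter) are assumptions of this example.

```python
import ipaddress

# Constructed topology from post #9; adapter names "lan"/"wan" are assumptions.
ROUTES = [("192.168.0.0/24", "lan"), ("10.0.0.0/24", "wan"), ("0.0.0.0/0", "wan")]
# Each defined Network: the adapter it is bound to and its address ranges.
# Addresses in no defined Network fall into the default External network ("wan").
BASE = {"Internal": ("lan", ["192.168.0.0/24"])}
EXTERNAL_ADAPTER = "wan"

def route_adapter(ip, routes=ROUTES):
    """Longest-prefix match: the adapter the routing table uses to reach ip."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p), a) for p, a in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def owning_network(ip, networks):
    """Name of the defined Network holding ip, else the default External."""
    addr = ipaddress.ip_address(ip)
    for name, (_adapter, ranges) in networks.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return "External"

def network_of_adapter(adapter, networks):
    """Network bound to an adapter; the wan adapter defaults to External."""
    for name, (bound, _ranges) in networks.items():
        if bound == adapter:
            return name
    return "External" if adapter == EXTERNAL_ADAPTER else None

def is_spoofed(src_ip, arrival_adapter, networks, routes=ROUTES):
    """True when the source is not valid for the adapter the packet arrived on."""
    same_net = owning_network(src_ip, networks) == network_of_adapter(arrival_adapter, networks)
    same_route = route_adapter(src_ip, routes) == arrival_adapter
    return not (same_net and same_route)

def scenarios():
    remote_host = "10.0.1.5"  # constructed host in the remote office range
    in_internal = {"Internal": ("lan", ["192.168.0.0/24", "10.0.1.0/24"])}
    own_network = dict(BASE, Remote=(None, ["10.0.1.0/24"]))  # bound to no adapter
    return {
        "remote range left in External": is_spoofed(remote_host, "wan", BASE),
        "remote range added to Internal": is_spoofed(remote_host, "wan", in_internal),
        "remote range as adapterless Network": is_spoofed(remote_host, "wan", own_network),
        "internal source seen on wan": is_spoofed("192.168.0.10", "wan", BASE),
    }

if __name__ == "__main__":
    for label, dropped in scenarios().items():
        print(f"{label}: {'dropped as spoofed' if dropped else 'accepted'}")
```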
RE: VPN termination before ISA - 15.Dec.2005 4:23:17 AM   
Napat

 

Posts: 3
Joined: 14.Dec.2005
Status: offline
Hi all,

I've run into a problem like yours. My network diagram is

[Remote] --- [ISA]---[Router]---{Internet}---[Router]---[ISA]---[Internal]

And routers have VPN Tunnel for 2 private networks.

I want to
[Internal] <- Route -> [Remote]
[Internal] -> NAT -> [Internet]

So, I have to separate the network rules for them. I've tried to create a new Network using Remote's IP addresses and it doesn't work. I believe this is a Network-behind-Network scenario: the Remote network is behind the External network.

You cannot create multiple Networks on the same interface card (Remote and External, or Internet, are on the same card). ISA will determine that one of them is a disconnected network.

I tried to create a subnet for Remote (to be a subnet of External); it still doesn't work.

Is there any idea about this situation?

(in reply to sergeda)
Post #: 10
RE: VPN termination before ISA - 29.Dec.2005 6:03:17 PM   
tjcarst

 

Posts: 171
Joined: 6.May.2004
From: Lincoln, NE
Status: offline
Anyone get their configurations working?  If so, please post here for the rest of us who are struggling.  Thanks!

(in reply to Napat)
Post #: 11
RE: VPN termination before ISA - 22.Mar.2006 8:34:00 PM   
attim

 

Posts: 4
Joined: 19.Apr.2004
Status: offline
Hello,

I'm looking for a solution for the situation mentioned below. I have exactly the same setup.

Thanks

(in reply to tjcarst)
Post #: 12
