Welcome to ISAserver.org
access across two vpn tunnels - 3.Jan.2007 2:49:05 AM
jimmyk
Posts: 37
Joined: 22.Sep.2006
Status: offline
ISA 2004 SP2

Hello, I am having an issue communicating from one internal site's host to a remote host on the internal network of a remote ISA server, through an intermediary ISA server, using two VPN tunnels. External IP addresses have been changed for anonymity.

Definitions:
ISA1 = office1 ISA server (spoke)
ISA2 = office2 ISA server (spoke)
ISA3 = office3 (hub)

Current situation:
ISA3 has a VPN tunnel with both ISA1 and ISA2. From ISA3, I can RDP and connect to any machine on both networks. All VPN connections are initiated by ISA3 only ("local machine can initiate VPN tunnels" has been disabled on both spoke ISAs). Once the connection is up, ISA3 can be fully accessed by any machine on either of the spoke networks, i.e. I set up an FTP server, and can connect fine.

Objective:
I need the spoke networks to connect to each other THROUGH ISA3. I need to be able to connect to office2 (behind ISA2) from office1 (behind ISA1), via their internal IP scheme, and vice versa.

Problem:
Objective cannot be achieved. Tunnels are obviously up since I can connect fully to both spokes from ISA3 (and vice versa); this is also verified by ISA3's monitoring. From ISA1, if I ping something behind ISA2, I do see outbound on ISA1 monitoring, but I do not see anything coming in on ISA2 or ISA3 monitoring.

Relevant site-to-site configuration on each ISA server:

ISA1:
  VPN connection name: vpn1
  Addresses: 172.16.100.0-172.16.100.255 (office2 network), 60.60.60.60 (internal interface of ISA3)
  "Local site can initiate connections to remote site" disabled
  MS-CHAP v2
  Network rule: internal to vpn1, route

ISA2:
  VPN connection name: vpn2
  Addresses: 192.168.100.0-192.168.101.255 (IPs of office1 internal network), 60.60.60.60 (internal interface of ISA3)
  "Local site can initiate connections to remote site" disabled
  MS-CHAP v2
  Network rule: internal to vpn2, route

ISA3:
  2 x site-to-site VPNs configured with the info above.
  vpn1 to 33.33.33.33, routing 192.168.100.0-192.168.100.255
  vpn2 to 22.22.22.22, routing 172.16.100.0-172.16.100.255
  Static address pool for VPN connections: 10.10.10.1-10.10.10.255
  Local site CAN initiate connections, using user accounts the same as the site name for each VPN connection
  Network rule for route between vpn1 and vpn2
  Firewall policy allowing all "outbound" traffic between vpn1 and vpn2

office2 is a subdomain of office1, and the office1 network is already configured to route Active Directory requests, any requests for 172.16.*.*, through the ISA server, so you will see some of that in monitoring on ISA1, but you will not see that on ISA3 per the problem I'm having.

Questionable concern: all VPN accounts are using local server user accounts. They are NOT using domain accounts. I do not think this is an issue, but there may be something I don't know.

Other than that, I'm out of ideas. Thanks!
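As an added example (not part of the original post), the Python model below takes the tunnel address sets exactly as the post lists them and walks a packet hop by hop in both directions, reporting the first site whose tunnels do not list the destination; ISA3's own internal range is not stated, so only its internal interface 60.60.60.60 is assumed local there, and the office1 range is taken from ISA2's definition.

```python
import ipaddress

def expand(*ranges):
    """Turn 'first-last' strings (or single addresses) into IPv4 networks."""
    nets = []
    for r in ranges:
        first, _, last = r.partition("-")
        a = ipaddress.IPv4Address(first.strip())
        b = ipaddress.IPv4Address(last.strip()) if last else a
        nets.extend(ipaddress.summarize_address_range(a, b))
    return nets

def covers(nets, addr):
    return any(addr in n for n in nets)

# Address sets copied from the post. ISA3's internal range is not given,
# so only its internal interface is assumed local there (assumption).
LOCAL = {
    "ISA1": expand("192.168.100.0-192.168.101.255"),   # office1 (per ISA2's entry)
    "ISA2": expand("172.16.100.0-172.16.100.255"),     # office2
    "ISA3": expand("60.60.60.60"),
}
# site -> tunnel name -> (remote address set, peer site)
TUNNELS = {
    "ISA1": {"vpn1": (expand("172.16.100.0-172.16.100.255", "60.60.60.60"), "ISA3")},
    "ISA2": {"vpn2": (expand("192.168.100.0-192.168.101.255", "60.60.60.60"), "ISA3")},
    "ISA3": {"vpn1": (expand("192.168.100.0-192.168.100.255"), "ISA1"),
             "vpn2": (expand("172.16.100.0-172.16.100.255"), "ISA2")},
}

def trace(src, dst):
    """From the site owning src, follow dst through whichever tunnel lists
    it as a remote address. Returns (delivered?, hops walked)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    site = next(s for s, nets in LOCAL.items() if covers(nets, src))
    hops = [site]
    for _ in range(8):                     # bound the walk so a loop cannot hang
        if covers(LOCAL[site], dst):
            return True, hops
        nxt = next(((name, peer) for name, (nets, peer) in TUNNELS[site].items()
                    if covers(nets, dst)), None)
        if nxt is None:
            return False, hops             # this site has no tunnel listing dst
        hops += [f"{site}:{nxt[0]}", nxt[1]]
        site = nxt[1]
    return False, hops

def check_pair(a, b):
    """A spoke-to-spoke session needs both directions to be deliverable."""
    return {"forward": trace(a, b), "reverse": trace(b, a)}

if __name__ == "__main__":
    for a, b in [("192.168.100.10", "172.16.100.10"), ("192.168.101.10", "172.16.100.10")]:
        print(a, "<->", b, check_pair(a, b))
```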