Welcome to ISAserver.org
cannot access www over vpn site to site

cannot access www over vpn site to site - 13.Oct.2006 5:30:05 PM
jimmyk
Posts: 37
Joined: 22.Sep.2006
Status: offline

ISA 2006 - Hello

I cannot access a remote web server, from an internal Internet Explorer client, over an ISA 2006 site-to-site vpn.
- I get a 500 error on the internal web client.
- I CAN ping across the vpn tunnel between the same internal client and the destination web server.

1. Does an internal web client (client trying to access a www server through the ISA) have its source ip address replaced by the ISA's external ip by default?
2. If so, how do I disable it?
3. If I disable it, does it remove the www filtering capability of the ISA? I would think so.
4. If the answer to #1 is YES, is this to allow the ISA to use its web filter on any incoming responses?

If the ISA does replace the client's source ip address with its external ip address, I think that this situation may be preventing the web client from accessing the remote www server across the vpn tunnel. I think this is because the remote end of the vpn tunnel has a firewall that is filtering on the source ip address of the packet. If the firewall sees a packet being sourced from the ISA's external ip address instead of the web client's ip address, it is dropping the packet.

Thanks for any help on any of this comment / question.

Cliff

RE: cannot access www over vpn site to site - 13.Oct.2006 6:06:44 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Cliff, the HTTP traffic will be intercepted by the Web Proxy filter and therefore be sourced from the primary IP address assigned to the ISA outgoing interface. As a result you'll have to include that IP address in the IPSec policy of the remote box. For more info, check out http://www.isaserver.org/tutorials/Troubleshooting-IPSec-Tunnel-Mode-Scenarios.html. HTH, Stefaan

RE: cannot access www over vpn site to site - 13.Oct.2006 6:31:28 PM
jimmyk
Posts: 37
Joined: 22.Sep.2006
Status: offline

Thanks Stefaan! I will configure the remote 3rd party to add the ISA's external interface ip to the IPSec policy. The weird thing is, I can ping across the vpn tunnel. Also, if I issue the TELNET 1.1.1.1 80 command from the client to the web server, I get an indication that the remote web server is listening on TCP port 80.

RE: cannot access www over vpn site to site - 24.Oct.2006 9:52:52 AM
itadmin
Posts: 30
Joined: 21.Jul.2006
Status: offline

I have a similar issue. I have an ISA 2006 on one end and a Pix 501 on the other. I can telnet on port 80 to a printer or internal web server on the Pix end of my tunnel, but I can't open it in Internet Explorer. I was told to add the external IP of the ISA to the IPSec Filter List on the Pix. I am new to dealing with these Pix units and usually use the PDM to make changes. I would appreciate someone telling me what to do to that Pix to make this work.

RE: cannot access www over vpn site to site - 25.Oct.2006 6:21:03 PM
itadmin
Posts: 30
Joined: 21.Jul.2006
Status: offline

OK, I added the ISA box to the config on the PIX. Still kind of dead in the water. I get this when I connect to that machine using Internet Explorer.

Error Code 10061: Connection refused
Background: When the gateway or proxy server contacted the upstream (Web) server, the connection was refused. This usually results from trying to connect to a service that is inactive on the upstream server.

When I telnet 192.168.x.x using port 80, it blanks out like it connected. What am I doing wrong?

RE: cannot access www over vpn site to site - 1.Nov.2006 1:38:03 PM
itadmin
Posts: 30
Joined: 21.Jul.2006
Status: offline

When I try to connect to a machine at the remote location through Internet Explorer from my workstation in the main location, that is when I have the problems. ME ---> ISA 2006 ---->Pix501 ---->remote box running web service. I'll get back to you on the other answers once I check.

RE: cannot access www over vpn site to site - 14.Nov.2006 9:57:42 AM
Mr_Logic
Posts: 32
Joined: 15.Jun.2004
Status: offline

itadmin, Not done exactly your scenario, but I have worked with PIX boxes quite a bit. You need to configure an IPSec rule from the PIX's External IP to the ISA's network range. You should then find all is well.

RE: cannot access www over vpn site to site - 22.Nov.2006 9:38:48 AM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline

Are you using multiple external IP addresses on the ISA box? If so, you may be using an IP other than the first IP for the tunnel. I can't get my site-to-site working with HTTP when using any IP address other than the first external IP. I believe this is a limitation of ISA. I do know it does not support using one external IP for say HTTP and another for SMTP.

RE: cannot access www over vpn site to site - 22.Nov.2006 9:53:04 AM
Mr_Logic
Posts: 32
Joined: 15.Jun.2004
Status: offline

ISA does support having HTTP and SMTP on different IPs - I am doing this and it works fine. The VPN tunnel is on the primary IP (or it was, I have given up and now put VPN through a separate device, which works very nicely).

RE: cannot access www over vpn site to site - 22.Nov.2006 10:07:18 AM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline

Sorry. I read the article wrong. ISA does not support multiple external interfaces. http://www.microsoft.com/technet/isa/2004/plan/ts_networks.mspx I'm having trouble getting HTTP over a site to site. I've had the PIX admin add the external IP to the policy but it still does not work. The traffic goes through the first external IP. The site to site is not on the first IP so HTTP traffic fails.

RE: cannot access www over vpn site to site - 22.Nov.2006 10:20:20 AM
Mr_Logic
Posts: 32
Joined: 15.Jun.2004
Status: offline

I had the same problem with HTTP - hence the reason I used the separate VPN box. Couldn't find a way to fix it. I have reached the conclusion that ISA is rubbish for site to site VPN :-)

RE: cannot access www over vpn site to site - 27.Nov.2006 12:59:48 PM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline

Someone must know how to get this working.

2 network cards
One internal, one external
Internal has one IP address
External has 2 or more IP addresses
Site-to-Site VPN created on address other than first IP on external.
WebProxy traffic destined for Site-to-Site attempts connection through first IP of external.
Connection fails.

Help please!

RE: cannot access www over vpn site to site - 29.Nov.2006 9:58:47 AM
itadmin
Posts: 30
Joined: 21.Jul.2006
Status: offline

Sorry I have been off here for a month or so. My problem is still not solved. Everything else works fine on this VPN. I can use remote desktop both ways, etc... I just can't view that internal web server. I even tried to connect to an HP print server that is at the other site. When I do that, I can see some of the page, but not much. I am going to dedicate my day to solving this problem... If I do, I will post my results. I may have to go to the master.

RE: cannot access www over vpn site to site - 4.Dec.2006 9:21:28 AM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline

Can anyone confirm or deny ISA has a limitation when creating Site-to-Site VPN using an IP other than the first on the external NIC?

RE: cannot access www over vpn site to site - 5.Dec.2006 10:08:04 AM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline

Here is a detail of the problem

ISA External NIC
*.*.*.35 Used for incoming/outgoing e-mail and OWA.
*.*.*.36 Used for Published Site
*.*.*.37 Used for Site-to-Site
*.*.*.38 Used for Site-to-Site

ISA Internal NIC
192.168.1.1

Remote Desktop works over site-to-site
HTTP traffic fails over site-to-site

Logging indicates http traffic from internal clients trying to access remote web server is using *.*.*.35 instead of *.*.*.38 on the ISA server.

How do we force http destined from remote site to use *.*.*.38?
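
The source-address mismatch described in Stefaan's reply and in the log observation above, modelled as a selector check (an added example, not part of any original post and not ISA or PIX code). The 203.0.113.x addresses stand in for the masked *.*.*.x values; the remote network, client and web server addresses are assumed, as is the idea that ping and RDP keep the client's own source address.

```python
import ipaddress as ip

# Constructed addresses: 203.0.113.x stands in for the masked *.*.*.x in the
# thread; 192.168.2.0/24 and the host addresses are assumed for illustration.
ISA_PRIMARY = "203.0.113.35"    # first IP on the ISA external NIC
ISA_TUNNEL = "203.0.113.38"     # IP the site-to-site tunnel terminates on
CLIENT, WEB_SERVER = "192.168.1.50", "192.168.2.10"
LAN, REMOTE = "192.168.1.0/24", "192.168.2.0/24"

def seen_source(client, proto):
    """Source address the remote peer sees. Per the thread, HTTP handled by the
    Web Proxy filter leaves from the primary external IP; ping and RDP are
    assumed to keep the client's own address."""
    return ISA_PRIMARY if proto == "http" else client

def covered(policy, src, dst):
    """True if src/dst fall inside any (source net, destination net) pair."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    return any(s in ip.ip_network(a) and d in ip.ip_network(b) for a, b in policy)

def audit(policy, protos=("icmp", "rdp", "http")):
    """Map each protocol to (source seen by the peer, covered by the policy?)."""
    result = {}
    for proto in protos:
        src = seen_source(CLIENT, proto)
        result[proto] = (src, covered(policy, src, WEB_SERVER))
    return result

def missing_selectors(policy):
    """Host selectors the remote policy would need for the uncovered flows."""
    return sorted({f"{src}/32 -> {REMOTE}"
                   for src, ok in audit(policy).values() if not ok})

if __name__ == "__main__":
    lan_only = [(LAN, REMOTE)]
    for name, policy in [("LAN only", lan_only),
                         ("+ tunnel endpoint", lan_only + [(ISA_TUNNEL + "/32", REMOTE)]),
                         ("+ primary IP", lan_only + [(ISA_PRIMARY + "/32", REMOTE)])]:
        print(name, audit(policy), missing_selectors(policy))
```

In this model, adding the tunnel endpoint address to the remote policy leaves proxied HTTP uncovered; only a selector for the primary external IP covers it.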

RE: cannot access www over vpn site to site - 7.Dec.2006 8:42:20 AM
JBakels
Posts: 78
Joined: 4.Jan.2002
From: Bradenton, FL USA
Status: offline

Well, I spent the afternoon on the phone with Microsoft. We still have not resolved the issue. I can set up a Site-to-Site ISA to ISA and send HTTP over with no problems. When a Site-to-Site is created using IPSec to a PIX, HTTP fails (times out). I noticed that HTTP and FTP traffic using IE attempts to connect to the remote site using ISA's external IP. If I FTP using explorer it passes from my IP to the Remote site. I can telnet 80 to the remote site. Does anyone out there have a Site-to-Site working from ISA to PIX and access a web server on the remote site?