Welcome to ISAserver.org

cannot create outbound PPTP vpn through ISA

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2000 Firewall] >> SecureNAT Client >> cannot create outbound PPTP vpn through ISA

Page: [1]

Message

<< Older Topic Newer Topic >>

cannot create outbound PPTP vpn through ISA - 9.Mar.2004 10:17:00 PM

abqtech

Posts: 216
Joined: 9.Mar.2004
Status: offline

Hello,
ISA 2K is running on server 2003. The internal card is running on a 10.0.0.0/24 network, and the external card is running on a 192.168.0.0/24 network. From the ISA server I can create a outbound pptp session to a remote VPN server.
From a client on the 10.0.0.0 network I cannot create a outbound session to a PPTP VPN Server.
Rule outbound PPTP Call allows 10.0.0.0/24 to any destination. The Packet Rule allows outbound PPTP through ISA. I have been scratching my head on this for hours. Anybody seen this before?
What's missing?

Post #: 1

Featured Links*

RE: cannot create outbound PPTP vpn through ISA - 9.Mar.2004 10:34:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi abqtech,

is IP routing and PPTP passthrough enabled in the IP Packet Filter properties?

HTH,
Stefaan

(in reply to abqtech)

Post #: 2

RE: cannot create outbound PPTP vpn through ISA - 9.Mar.2004 10:56:00 PM

abqtech

Posts: 216
Joined: 9.Mar.2004
Status: offline

Yes it is. And clients used to be able to create outbound VPN sessions. I changed the Extenal IP address from our class "C" public address to a private routable address "192.168.0.2". And ever since that change was made only the ISA server can make outbound pptp VPN sessions.

(in reply to abqtech)

Post #: 3

RE: cannot create outbound PPTP vpn through ISA - 9.Mar.2004 11:37:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi abqtech,

what is the content of the LAT on ISA server? Make sure that the LAT only contains your internal IP range 10.0.0.0/24.

HTH,
Stefaan

(in reply to abqtech)

Post #: 4

RE: cannot create outbound PPTP vpn through ISA - 9.Mar.2004 11:49:00 PM

abqtech

Posts: 216
Joined: 9.Mar.2004
Status: offline

The LAT was changed to include the 10x network only.
from to
10.0.0.0 10.0.0.255
10.255.255.255 10.255.255.255

I can make outbound VPN sessions to "server1" PPTP VPN server, however I cannot make outbound PPTP VPN Sessions to "server2". Both server1 & server2 are on different public IP networks. And I verfied that I could access both server1 & server2 PPTP VPN Servers from a different ISP. I verifed that server2 is allowing any remote IP to connect to it's VPN server. What I am missing?

[ March 11, 2004, 02:44 AM: Message edited by: abqtech ]

(in reply to abqtech)

Post #: 5

RE: cannot create outbound PPTP vpn through ISA - 11.Mar.2004 5:49:00 AM

abqtech

Posts: 216
Joined: 9.Mar.2004
Status: offline

Also somehow the VPN server stopped taking inbound connections. When I try to connect to the VPN server from a remote location, I get the connecting to site, followed by verifying username/password, and eventually a error 721 occurs. Not really sure what happened. I have verified that the Firewall is forwarding port 1723 to the VPN server. And GRE is on.

(in reply to abqtech)

Post #: 6

RE: cannot create outbound PPTP vpn through ISA - 11.Mar.2004 9:32:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi abqtech,

because your internal network ID is 10.0.0.0/24 the LAT should only contain the entry '10.0.0.0 10.0.0.255'. However, this sounds not to be the problem! [Wink]

So, you have changed the ISA external interface from a public to a private IP range. May I assume then that in the old config ISA was directly connected to the Internet and that in the new config there is some upstream NAT box or firewall? Therefore, did you already checked out that from a workstation connected to the ISA external subnet (192.168.0.0/24) you can make the outbound VPN connections to both VPN servers?

Also, from the same workstation connected to the ISA external subnet (192.168.0.0/24) can you make an inbound VPN connection to the ISA server?

HTH,
Stefaan

(in reply to abqtech)

Post #: 7

RE: cannot create outbound PPTP vpn through ISA - 11.Mar.2004 10:45:00 PM

abqtech

Posts: 216
Joined: 9.Mar.2004
Status: offline

I'll remove the additional 10.255.255.255 LAT Entry for good measure.
And you are correct there is an upstream NAT router. However the only device in the 192.168.0.0/24 subnet is the external NIC on the ISA server. So I will not be able to do any further testing in that subnet (The NAT router plugs directly into the ISA External NIC). If you suggest putting a swtich between the Upstream NAT router & ISA External NIC for testing purposes I will gladly give it a shot. And if from this newly instlled switch in the 192.168.0.0/24 I will plug in a laptop and attempt to make outbound & inbound VPN connections. If it works (and I suppose it will) Can you think of any other issues or rules in ISA that would prevent outbound PPTP VPN calls to host that we used to be albe to access?
thanks again, you are proving to be invaluable!

(in reply to abqtech)

Post #: 8

RE: cannot create outbound PPTP vpn through ISA - 11.Mar.2004 11:04:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi abqtech,

yes, I suggest to put a little hub or switch between the NAT router and the ISA external interface to make some tests. In that way it should be fairly easy to determine where the problem is situated.

Because all seems to be configured correctly, at least for the outbound VPN connections, I guess there is a problem with the NAT router or something must be screwed-up with changing the external interface.

HTH,
Stefaan

(in reply to abqtech)

Post #: 9

RE: cannot create outbound PPTP vpn through ISA - 4.Jan.2007 1:58:45 PM