From: Fairview Heights, IL, USA
My ISA LAT contains 192.168.X.X. My main network is 192.168.1.X. I have networks at six remote offices with addresses 192.168.n.X where "n" is 2 through 7. RRAS is configured for demand-dial/persistent VPN to these remote networks (each remote network is connected to the Internet via a NAT router that is also a VPN gateway).
Everything was working until last weekend when I upgraded from SBS2000 to SBS2003 and applied all available service packs and hotfixes.
From any SNAT host in 192.168.1.X I am able to ping any host in the remote 192.168.n.X networks. Therefore, routing works fine. I am able to Remote Desktop (RDP) from hosts in 192.168.1.X to hosts in 192.168.n.X. Therefore, TCP packets are definitely being routed (not just ICMP). However, I have a UNIX-based SNAT client in 192.168.1.X that is not able to print to printer servers via RAW TCP/9100 in the 192.168.n.X networks. This traffic is being filtered by the Microsoft Firewall Service (if I stop the Microsoft Firewall Service, printing works flawlessly). Yes, all IP traffic is allowed for SNAT clients and there is a protocol definition for TCP/9100, but this should not be needed since all remote/VPN networks are in the LAT. I am also unable to TELNET or FTP to the printer servers in the remote networks unless I stop the Microsoft Firewall Service. Disabling packet filtering does not fix it.
KEEP IN MIND that this all worked fine under SBS2000 (except that RRAS routing would periodically choke -- the connections stayed up and I could ping the remote VPN endpoints but could not ping hosts beyond them until the connections were reset -- it did not happen on all VPN connections at the same time but was random). The demand-dial VPN connections seem much more solid now except for this damned filtering issue.
The Access Policies under ISA2000 did not change when I upgraded to SBS2003 (I did not re-run ISA setup as part of the SBS2003 Premium installation), nor did the Protocol Definitions. NAT is not enabled in RRAS. No filtering has been enabled on RRAS interfaces. There is nothing related in my firewall or packet filter logs.
I've scoured the 'net for hints over the past seven days to no avail. I'm no amateur...I feel I have a very good understanding and command usage of the underlying concepts involved. Nevertheless, this one is kicking my ass.
Any/all expert help would be appreciated.
[ July 12, 2004, 07:02 AM: Message edited by: Kevin Sawyer ]