RE: Joining Networks over the Internet with a Gateway to Gateway VPN:ISA to RRAS

RE: Joining Networks over the Internet with a Gateway t... - 26.Mar.2003 7:16:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alex,

That is correct. You need to create a user that uses the same name as the interface. In my examples, I recommended that you name the user accounts based on the computer names, and then I went through the procedures where you create the user accounts and why they're created. It's *critical* that the user accounts have the same name as the interface that's dialing in. You'll run into big problems if the interface account isn't named correctly.

Thanks!
Tom

(in reply to tshinder)
Post #: 21
RE: Joining Networks over the Internet with a Gateway t... - 26.Mar.2003 7:53:00 PM   
palindroem

 

Posts: 40
Joined: 14.Aug.2002
From: N. Fla
Status: offline
Thanks Tom, I've downloaded the script and will take a look at it. This started happening after I configured ISA for VPN. To your knowledge, would this contribute to the intra-array address problems?
With the IP spoofing, currently I have the ISA on a test network.

remote VPN (not configured)- - > NT "Public" router - -> ISA

the remote is 150.176.8.1 (10.10.1.10 inside, intf down)
public is 150.176.8.100 <> 164.51.156.49
ISA 164.51.156.50 (10.108.0.53 inside, intf down)

(in reply to tshinder)
Post #: 22
RE: Joining Networks over the Internet with a Gateway t... - 26.Mar.2003 9:10:00 PM   
palindroem

 

Posts: 40
Joined: 14.Aug.2002
From: N. Fla
Status: offline
Ok, I discovered one of the "problems". After configuring the local VPN (ISA) and rebooting, I was getting the LAT error. When I brought the internal interface up (connected it to a switch) the LAT problem resolved. Apparently the lack of the internal interface was causing ISA concern.

I've finished the configuration, and both ends show the demand-dial as connected.
??The packets continue to count on the "standard" interface instead of the demand-dial in RRAS though ???

Can I turn this configuration around to initiate connection from the remote to the local instead? I'm still trying to figure out how to allow a remote BDC to have domain (netb) communication to a local PDC through the firewall. I was hoping this router-to-router VPN through ISA would be the answer. I was figuring I can connect the two routers and use the remote VPN router as the gateway for my BDC. Does this sound reasonable?

Thanks for your help.

Oh, the intra-array script told me there was nothing for it to do, so it didn't do anything (cute).

(in reply to tshinder)
Post #: 23
RE: Joining Networks over the Internet with a Gateway t... - 27.Mar.2003 8:48:00 AM   
Groenbech

 

Posts: 29
Joined: 1.Feb.2002
Status: offline
Hi Tom!
My ISP allows VPN. When I connect from a client with Windows XP VPN client, it works very well.
Besides - when the connection is established, it works fine from RemoteISA to LocalISA, but no clients on either network can connect to the remote network and the LocalISA cannot ping the RemoteISA.

(in reply to tshinder)
Post #: 24
RE: Joining Networks over the Internet with a Gateway t... - 27.Mar.2003 4:00:00 PM   
palindroem

 

Posts: 40
Joined: 14.Aug.2002
From: N. Fla
Status: offline
Will this kind of VPN connection support trust-related communication, i.e. the type required to initiate a trust?

thanks

(in reply to tshinder)
Post #: 25
RE: Joining Networks over the Internet with a Gateway t... - 27.Mar.2003 5:45:00 PM   
palindroem

 

Posts: 40
Joined: 14.Aug.2002
From: N. Fla
Status: offline
Tom, in my test network, when I add the static route to the local side, I am not able to connect the VPN. If I remove the static route, it connects just fine. As if it can't find the route over the VPN demand dial interface because it isn't connected yet. Does this make any sense?

(in reply to tshinder)
Post #: 26
RE: Joining Networks over the Internet with a Gateway t... - 27.Mar.2003 6:16:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by palindroem:
Ok, I discovered one of the "problems". After configuring the local VPN (ISA) and rebooting, I was getting the LAT error. When I brought the internal interface up (connected it to a switch) the LAT problem resolved. Apparently the lack of the internal interface was causing ISA concern.

I've finished the configuration, and both ends show the demand-dial as connected.
??The packets continue to count on the "standard" interface instead of the demand-dial in RRAS though ???

Can I turn this configuration around to initiate connection from the remote to the local instead? I'm still trying to figure out how to allow a remote BDC to have domain (netb) communication to a local PDC through the firewall. I was hoping this router-to-router VPN through ISA would be the answer. I was figuring I can connect the two routers and use the remote VPN router as the gateway for my BDC. Does this sound reasonable?

Thanks for your help.

Oh, the intra-array script told me there was nothing for it to do, so it didn't do anything (cute).

Hi Droem,

These VPN gateways are VPN Routers. This means that anything you can do across a conventional LAN router, you can do through your VPN router. The only difference is that the "wire" connecting the local and remote VPN routers is a virtual one across the Internet.

So, you can put domain controllers on both sides of the link. The ISA Server doesn't apply firewall policy to the routed link, because the local and remote network IDs are internal and are placed in the LAT.

HTH,
Tom

(in reply to tshinder)
Post #: 27
RE: Joining Networks over the Internet with a Gateway t... - 27.Mar.2003 6:17:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Groenbech:
Hi Tom!
My ISP allows VPN. When I connect from a client with Windows XP VPN client, it works very well.
Besides - when the connection is established, it works fine from RemoteISA to LocalISA, but no clients on either network can connect to the remote network and the LocalISA cannot ping the RemoteISA.

Hi Groenbech,

Are the clients configured with a default gateway that's aware of the route to the remote network?

Thanks!
Tom

(in reply to tshinder)
Post #: 28
RE: Joining Networks over the Internet with a Gateway t... - 27.Mar.2003 6:19:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by palindroem:
Tom, in my test network, when I add the static route to the local side, I am not able to connect the VPN. If I remove the static route, it connects just fine. As if it can't find the route over the VPN demand dial interface because it isn't connected yet. Does this make any sense?

Hi Droem,

Make sure the static route uses the demand dial interface. Both sides need to be on different network IDs because these VPN gateways are VPN ROUTERS -- routers can't route between two segments with the same network ID.

HTH,
Tom

(in reply to tshinder)
Post #: 29
RE: Joining Networks over the Internet with a Gateway t... - 27.Mar.2003 7:14:00 PM   
palindroem

 

Posts: 40
Joined: 14.Aug.2002
From: N. Fla
Status: offline
Current test network:

Remote VPN router - 150.176.8.1
|
|
|
"Public" router - 150.176.8.100
| -164.51.156.49
|
|
ISA -164.51.156.50

In this configuration, the route the demand dial uses to the remote is the same route that the outside interface uses. They are on different networks.
The problem is when the static route defines that only the demand dial interface can be used to reach the remote router. But at that point the demand dial has no connection to the router, so it appears to not know where to go to connect, and just sits there saying "connecting".
Any suggestions?

Thanks

(in reply to tshinder)
Post #: 30
RE: Joining Networks over the Internet with a Gateway t... - 27.Mar.2003 7:17:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Droem,

The VPN demand dial interface isn't connecting to any public segments. It routes to your private segments on the other side of the remote VPN router. Take a close look at the picture in the first part of the article and then pay close attention to the network IDs in the article.

HTH,
Tom

[ March 27, 2003, 07:18 PM: Message edited by: tshinder ]

(in reply to tshinder)
Post #: 31
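
A check for the routing mistake discussed in posts #26 to #31, added here as an example and not part of the original thread or the article. It flags a demand-dial static route that covers the tunnel's own public endpoint, and local/remote network IDs that overlap. The function name is hypothetical and the /24 masks are assumptions; only the host addresses come from post #22.

```python
import ipaddress

def check_gateway_vpn(local_net, remote_net, remote_endpoint, dd_routes):
    """Return a list of findings for a gateway-to-gateway VPN routing plan.

    local_net / remote_net : internal network IDs on each side (CIDR strings)
    remote_endpoint        : public address the demand-dial interface dials
    dd_routes              : destinations of the static routes bound to the
                             demand-dial interface (CIDR strings)
    """
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    endpoint = ipaddress.ip_address(remote_endpoint)
    findings = []

    # VPN gateways are routers: both sides need different network IDs.
    if local.overlaps(remote):
        findings.append(f"network IDs overlap: {local} / {remote}")

    remote_covered = False
    for dest in map(ipaddress.ip_network, dd_routes):
        # The tunnel cannot be the path to its own endpoint: the interface
        # is not connected yet when it has to reach that address.
        if endpoint in dest:
            findings.append(
                f"route {dest} on the demand-dial interface covers "
                f"the tunnel endpoint {endpoint}")
        if remote.subnet_of(dest):
            remote_covered = True

    # The demand-dial route should point at the remote private segment.
    if not remote_covered:
        findings.append(f"no demand-dial route reaches remote network {remote}")
    return findings

# Constructed plans. Masks (/24) are assumed; hosts are from post #22.
LOCAL, REMOTE, ENDPOINT = "10.108.0.0/24", "10.10.1.0/24", "150.176.8.1"

def broken_plan():    # static route aimed at the remote router's public segment
    return check_gateway_vpn(LOCAL, REMOTE, ENDPOINT, ["150.176.8.0/24"])

def working_plan():   # static route aimed at the remote private segment
    return check_gateway_vpn(LOCAL, REMOTE, ENDPOINT, ["10.10.1.0/24"])

def same_id_plan():   # both sides numbered with the same network ID
    return check_gateway_vpn(REMOTE, REMOTE, ENDPOINT, ["10.10.1.0/24"])

if __name__ == "__main__":
    for name, plan in [("broken", broken_plan), ("working", working_plan),
                       ("same network ID", same_id_plan)]:
        print(name, "->", plan() or "no findings")
```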
RE: Joining Networks over the Internet with a Gateway t... - 10.May2003 8:26:00 PM   
davidrb

 

Posts: 1
Joined: 10.May2003
From: boone nc
Status: offline
Tom: As a new reader and new fan, this article is right-on. I would like to know how to do the same action: ISA to remote with a VPN, not demand dial but rather fixed IP to fixed IP. I need to attach a branch office to the ISA server as a Child domain (?), with a persistent connection through an outbound T1 and inbound DSL connection.

davidrb [Confused]

(in reply to tshinder)
Post #: 32
RE: Joining Networks over the Internet with a Gateway t... - 13.May2003 10:40:00 PM   
jeroenHermans

 

Posts: 37
Joined: 4.Nov.2002
Status: offline
Hi guys,

I followed article 1, but if I try to ping a remote computer my routing interface does not try to connect.
I then configured the remote server by following part 2 of the guide and tried it again, but still it would not connect.
When I try to make a connection with a VPN client to the remote machine, it connects fine?

What am I doing wrong?

Thanks for your time.

Jeroen

(in reply to tshinder)
Post #: 33
RE: Joining Networks over the Internet with a Gateway t... - 14.May2003 4:13:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by davidrb:
Tom: As a new reader and new fan, this article is right-on. I would like to know how to do the same action: ISA to remote with a VPN, not demand dial but rather fixed IP to fixed IP. I need to attach a branch office to the ISA server as a Child domain (?), with a persistent connection through an outbound T1 and inbound DSL connection.

davidrb [Confused]

Hi David,

First, make sure you can perform the procedure correctly in the lab. If you can't do it in the lab, you will definitely not be able to do it on the production network!

Second, check and double and then triple and then check ten more times to make sure the configuration is correct. I find that I can spend hours on a problem related to entering the wrong IP address, subnet mask or gateway on a client or server.

HTH,
Tom

(in reply to tshinder)
Post #: 34
RE: Joining Networks over the Internet with a Gateway t... - 14.May2003 4:14:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by jeroenHermans:
Hi guys,

I followed article 1, but if I try to ping a remote computer my routing interface does not try to connect.
I then configured the remote server by following part 2 of the guide and tried it again, but still it would not connect.
When I try to make a connection with a VPN client to the remote machine, it connects fine?

What am I doing wrong?

Thanks for your time.

Jeroen

Hi Jeroen,

Same advice! Make sure you can make it work in the lab, and then make it work in the lab four more times, so that you understand what you're doing and why you're doing it. Then you'll be able to make it work in your production network and you'll be better at troubleshooting potential problems.

HTH,
Tom

(in reply to tshinder)
Post #: 35
RE: Joining Networks over the Internet with a Gateway t... - 15.May2003 2:52:00 PM   
allenlu

 

Posts: 6
Joined: 15.May2003
From: Vandalia, OH
Status: offline
I am curious if it is possible to have two Demand-Dials set up. In my particular case I want to have a branch office server running just the RRAS to dial up to a local ISP first and then automatically connect to our Main office using VPN. I can get the scenario that I want working using Internet Connection Sharing, but I would prefer to use RRAS so I can set the IP Address scheme for the branch office instead of the default 192.168.0.x that ICS uses. Does anyone know of any good articles that describe how to set this particular scenario up? I have tried a few times in my test environment but I cannot seem to find any options on which Demand-Dial goes first. The ICS VPN setup that I have had working gives me the option to use an analog modem and ISP account prior to connecting to the VPN, but I cannot find a similar option in RRAS.

I would like to say how nice it is to have a place (isaserver.org) and newsgroups to search for problems and great ideas from other people in the community. I am pretty much just a lone administrator so I cannot ask anyone in my company. Again thanks for all the hard work.

Thanks in advance for any help,
Lucas Allen
WAN Administrator
lucas.allen@saia-burgess-inc.com

[ May 15, 2003, 02:53 PM: Message edited by: Lucas ]

(in reply to tshinder)
Post #: 36
RE: Joining Networks over the Internet with a Gateway t... - 21.May2003 9:45:00 PM   
Hawkeye_820

 

Posts: 25
Joined: 1.Oct.2002
Status: offline
Has anyone tried to set up a Gateway to Gateway vpn using ISA on a Win 2000 machine connecting with a Windows 2003 RRAS (w/o ISA)?

We have tried to set one up following the article and everything seems to work for a minute.

After the first minute the Remote server (Win 2K3) disconnects.
Another minute or so later the Local VPN (Win 2000 ISA) realizes that the connection is dropped and it reconnects and the whole process starts over again.

Any ideas why the server drops after a minute ?

(in reply to tshinder)
Post #: 37
RE: Joining Networks over the Internet with a Gateway t... - 17.Sep.2003 12:24:00 PM   
akordwig

 

Posts: 3
Joined: 16.Sep.2003
Status: offline
Hello!

I've set up the ISA server and RRAS according to your article. Very straightforward, thanks!
But: I can only ping the remote network from the ISA (acting as gateway) server; trying to ping the remote IPs from a client in the local LAN does not work. I have added the remote IP addresses to the ISA's LAT, and all local clients have the ISA server set as their standard gateway. Any ideas?

Thanks a lot,
Andreas

(in reply to tshinder)
Post #: 38
RE: Joining Networks over the Internet with a Gateway t... - 17.Sep.2003 3:44:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Lucas:
I am curious if it is possible to have two Demand-Dials set up. In my particular case I want to have a branch office server running just the RRAS to dial up to a local ISP first and then automatically connect to our Main office using VPN. I can get the scenario that I want working using Internet Connection Sharing, but I would prefer to use RRAS so I can set the IP Address scheme for the branch office instead of the default 192.168.0.x that ICS uses. Does anyone know of any good articles that describe how to set this particular scenario up? I have tried a few times in my test environment but I cannot seem to find any options on which Demand-Dial goes first. The ICS VPN setup that I have had working gives me the option to use an analog modem and ISP account prior to connecting to the VPN, but I cannot find a similar option in RRAS.

I would like to say how nice it is to have a place (isaserver.org) and newsgroups to search for problems and great ideas from other people in the community. I am pretty much just a lone administrator so I cannot ask anyone in my company. Again thanks for all the hard work.

Thanks in advance for any help,
Lucas Allen
WAN Administrator
lucas.allen@saia-burgess-inc.com

Hi Lucas,

Thanks! ISAServer.org is a great place to ask questions and give answers [Smile]

You can use a demand dial connection, like a modem, together with a demand dial interface to create a gateway to gateway VPN. I've never worked with that combination in an ISA firewall environment, but I used to do it a lot when Win2k first came out in the first half of the year 2000.

Check out the Microsoft site for the White papers on Demand Dial routing. Those were very helpful to me in getting it working.

HTH,
Tom

(in reply to tshinder)
Post #: 39
RE: Joining Networks over the Internet with a Gateway t... - 17.Sep.2003 3:50:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Andreas:
Hello!

I've set up the ISA server and RRAS according to your article. Very straightforward, thanks!
But: I can only ping the remote network from the ISA (acting as gateway) server; trying to ping the remote IPs from a client in the local LAN does not work. I have added the remote IP addresses to the ISA's LAT, and all local clients have the ISA server set as their standard gateway. Any ideas?

Thanks a lot,
Andreas

Hi Andreas,

Thanks! But the Wizard automatically adds them to the LAT, so you don't need to add them [Smile]

I sometimes find that you have to establish the first connections manually. After that, I manually disconnect the session and then an internal client can trigger the demand dial interface.

HTH,
Tom

(in reply to tshinder)
Post #: 40
