VPN Clients can connect, but cannot communicate!

VPN Clients can connect, but cannot communicate! - 9.May2003 8:23:00 AM   
kernel32

 

Ok, here is a challenge for you guys. I have set up an ISA server to accept incoming VPN calls using the ISA "allow remote VPN connections" wizard. It configured RRAS and created the packet filters fine. The problem is, when a remote user connects, they are correctly authenticated and assigned proper IP addresses, as well as DNS and WINS addresses, but they cannot ping ANY machines on the internal network - not even the ISA server itself!

I have read Tom's articles on remote VPN server/client setup and all the RRAS settings are exactly as he suggests. The internal clients are a mixture of firewall clients and secure NAT clients. It doesn't make any difference how the internal machines are configured (firewall client or secure NAT) as they cannot be contacted either way.

When I try to connect from my home machine, I get the same result as all of our other remote users in that I can log in, but can't go anywhere. I am behind a firewall at home, and I am NAT'ed out to the Internet, and I am quite sure all our remote users are behind firewalls as well. One hint I have is from the ISA event logs, which generate the following error message when a remote user connects:

Microsoft Firewall failed. The failure occurred during Initialization of reverse Network Address Translation (NAT). because the configuration property of the key SOFTWARE\Microsoft\Fpc\Arrays\{ADCFA9D7-EAE3-4664-9C2B-673A50FF2AFA}\Publishing\PNATServerMappings\{5BB48C38-CF44-4D01-9078-426EE2B0C99C}\ClientSetsExcluded could not be accessed. Use the source location 2.546.3.0.1200.165 to report the failure. The error code in the Data area of the event properties indicates the cause of the failure. For more information about this event, see ISA Server Help. The error description is: The system cannot find the file specified.

What the heck is that Reverse NAT they mention? Is this something that needs to be set up on the ISA server, so that remote clients connecting from behind a firewall on their end can use the VPN correctly? I have my doubts, because I have set up other ISA firewalls using the exact same configuration, and remote users behind firewalls can do anything they want on the internal networks.

Any guidance on this would be greatly appreciated!

Thanks
kernel32
Post #: 1
RE: VPN Clients can connect, but cannot communicate! - 11.May2003 6:05:00 AM   
kernel32

 

I have fixed this problem by changing RRAS to use a static pool rather than a DHCP assignment. For reasons that I am not sure on, when the DHCP option was used, the server assigned the client the same IP that the server was using. See the following screenshot to see what I mean. The image on the right shows what happened when it was set to DHCP, and the image on the left was using a static pool. Note that in both cases, the IP addresses were valid on the remote network of 10.1.x.x.



Does anybody have any idea why RRAS would do this? Anyway, it is kind of nice using the static pool of 10.1.60.0 as I can now differentiate between user types just by looking at the IP address.

(in reply to kernel32)
Post #: 2
RE: VPN Clients can connect, but cannot communicate! - 11.May2003 9:59:00 PM   
tshinder

 

Hi Kernel,

Check out my article on ISA Server and DHCP over at www.isaserver.org/shinder and see if that lends a hint.

HTH,
Tom

(in reply to kernel32)
Post #: 3
