I've been stumped at this for a few days, reading around on this forum and Google, but I just can't get it to work. Here's the setup:
SonicWall      PIX
    |           |
    -----ISA-----
          |
       Client
The SonicWall has nothing to do with it, but since my routing table is used with that, I figured I would include it. Basically we have two T1s: one coming from the SW, and one from the PIX. Everything destined for our WAN is sent through the SonicWall (144.x.x.x and 150.x.x.x) and everything else (0.0.0.0) is sent through the PIX. This is working perfectly using RRAS & ISA. Now here's the problem:
I am using the ISA server for clients to VPN in through. If I connect to it locally (150.x.x.9) I can VPN in fine. If I try to connect through the PIX (72.x.x.86) it sorta stalls. When I go through the ISA 2004 logs it shows 'Failed Connection' under Action, with the error code 0x8007274c. I cannot find much information on this code. I'm relatively sure that everything is enabled on the PIX to forward the traffic to the ISA, since it's getting a failed connection instead of nothing in the logs.
On the PIX:
Right now there is a translation rule from the outside interface (72.x.x.86) to internal (192.168.153.2). If I try to add an access rule for the traffic, it wants me to add a static NAT, and traffic just dies.
I would appreciate any help, comments, or suggestions. Thanks.
From: The Netherlands
When you want traffic from the external interface of the PIX to reach your internal network, you have to add a static, otherwise it won't work. For VPN traffic it is also possible that you must allow GRE traffic.
Here is where the problem occurs, with something where I was trying to do something similar (doing ports instead of IP[GRE]).
I add it as source outside from IP 72.x.x.86 to dest inside 192.x.x.2 (the inside connection to the PIX) so that all traffic will be sent from that 72 address to the 192 one. I add it as IP[GRE], then when I hit OK I get "No static network address translation(nat) rule is configured for the destintation host or network on interface outside. Would you like to add a static nat rule for the host or network now?" I click OK to add it. If I add it as a dynamic NAT, it goes back to the access rule add rule tab and gives the same problem. If I add it as static 192.x.x.2 the connection dies. When I go into the translation rules, I see "Int inside [address] 192.x.x.2 to translated outside [address] 192.x.x.2". Once I remove that translation rule, the network goes back to normal.
I'm again at a standstill. Basically the network looks like this. The PIX dials into a T1 PPPoE. The address it gets is 72.x.x.86. Then it translates it to 192.x.x.1 on the inside of the PIX, and the ISA server is 192.x.x.2. From there, it also has an internal address of 150.x.x.9 which. Just a little FYI in case that might matter differently.
When we try to VPN, we want to VPN through the 72.x.x.86 address that is given to the PIX by the PPPoE. Thanks.