PIX & ISA 2004 VPN issues
PIX & ISA 2004 VPN issues - 31.Aug.2006 5:22:19 PM   
Zunger

 

Posts: 5
Joined: 31.Aug.2006
Status: offline
I've been stumped on this for a few days, reading around on this forum and Google, but I just can't get it to work.
Here's the setup:

SonicWall         PIX
   |                  |
    -------ISA----
               |
              Client

The SonicWall has nothing to do in it, but since my routing table is used with that, I figured I would include it.
Basically we have two T1s, one coming from the SonicWall and one from the PIX. Everything destined for our WAN is sent
through the SonicWall (144.x.x.x and 150.x.x.x) and everything else (0.0.0.0) is sent through the PIX. This is working perfectly
using RRAS & ISA. Now here's the problem:

   I am using the ISA server for clients to VPN in through. If I connect to it locally (150.x.x.9) I can VPN in fine. If I try to connect
through the PIX (72.x.x.86) it sort of stalls. When I go through the ISA 2004 logs it shows 'Failed Connection' under Action, with the
error code 0x8007274c. I cannot find much information on this code. I'm relatively sure that everything is enabled on the PIX
to forward the traffic to the ISA, since I'm getting a failed connection instead of nothing in the logs.

On the pix:

Right now there is a translation rule from the outside interface (72.x.x.86) to internal (192.168.153.2). If I try to add an access rule for the traffic, it wants me to add a static NAT, and traffic just dies.

I would appreciate any help, comments, or suggestions.
Thanks.
Post #: 1
RE: PIX & ISA 2004 VPN issues - 31.Aug.2006 8:03:32 PM   
gja

 

Posts: 50
Joined: 15.Aug.2006
From: The Netherlands
Status: offline
When you want traffic from the external interface of the PIX to your internal network you have to add a static, otherwise it won't work. For VPN traffic it may also be necessary to allow GRE traffic.


(in reply to Zunger)
Post #: 2
RE: PIX & ISA 2004 VPN issues - 31.Aug.2006 8:06:18 PM   
Zunger

 

Posts: 5
Joined: 31.Aug.2006
Status: offline
Currently there is a static translation rule: 72.x.x.86 -> 192.168.x.2

About the GRE, I read a little into that, but I don't actually see anything about GRE in the PDM, nor did I see any actual examples of commands to allow that.

(in reply to gja)
Post #: 3
RE: PIX & ISA 2004 VPN issues - 31.Aug.2006 9:00:28 PM   
gja

 

Posts: 50
Joined: 15.Aug.2006
From: The Netherlands
Status: offline
GRE is a protocol like IP. I don't know how you do this in the PDM; I normally use the console, and then it is:

permit GRE any(source) host 72.xx.xx.86(destination)

When you can't find it in the PDM I can look it up for you.

Gijs

(in reply to Zunger)
Post #: 4
RE: PIX & ISA 2004 VPN issues - 31.Aug.2006 11:12:31 PM   
Zunger

 

Posts: 5
Joined: 31.Aug.2006
Status: offline
I could never find it in the PDM, but I found a few examples of the command once you mentioned it and researched further into it.
I'll try that command and report back.
Thanks.

(in reply to gja)
Post #: 5
RE: PIX & ISA 2004 VPN issues - 31.Aug.2006 11:18:40 PM   
Zunger

 

Posts: 5
Joined: 31.Aug.2006
Status: offline
OK, I did access-list vpn1 permit gre host 0.0.0.0 host 72.x.x.86
then I applied it with
access-group vpn1 in interface outside
but still no go.

(in reply to Zunger)
Post #: 6
RE: PIX & ISA 2004 VPN issues - 1.Sep.2006 12:59:43 PM   
gja

 

Posts: 50
Joined: 15.Aug.2006
From: The Netherlands
Status: offline
The access-list should be
access-list vpn1 permit GRE 0.0.0.0 0.0.0.0 host 72.x.x.86

When you use the PDM you have to make a new access rule,
and in the column Service (Protocol and Service) you must select IP and IP protocol gre(47).

I looked it up in the PDM for you.

Gijs

(in reply to Zunger)
Post #: 7
RE: PIX & ISA 2004 VPN issues - 1.Sep.2006 8:00:36 PM   
Zunger

 

Posts: 5
Joined: 31.Aug.2006
Status: offline
Here is where the problem occurs with something where I was trying to do something similar (doing ports instead of IP[GRE]).

I add it as source outside from IP 72.x.x.86 to dest inside 192.x.x.2 (the inside connection to the PIX) so that all
traffic will be sent from that 72 address to the 192 one. I add it as IP[GRE], then when I hit OK I get
"No static network address translation (NAT) rule is configured for the destination host or network on interface outside.
Would you like to add a static NAT rule for the host or network now?" I click OK to add it. If I add it as a dynamic NAT, it goes
back to the access rule add tab and gives the same problem. If I add it as static 192.x.x.2 the connection dies.
When I go into the translation rules, I see "Int inside [address] 192.x.x.2 to translated outside [address] 192.x.x.2".
Once I remove that translation rule, the network goes back to normal.

I'm again at a standstill. Basically the network looks like this: the PIX dials into a T1 over PPPoE. The address it gets is the 72.x.x.86. Then it translates it to 192.x.x.1 on the inside of the PIX, and the ISA server is 192.x.x.2. From there, it also has an internal address of 150.x.x.9 which. Just a little FYI in case that might matter differently.

When we try to VPN, we want to VPN through the 72.x.x.86 address that is given to the PIX by the PPPoE.
Thanks.

(in reply to gja)
Post #: 8
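The access-list entries in posts #6 and #7 differ only in how the source is written, and that is the whole problem: on a PIX an address pair is `address netmask`, so `0.0.0.0 0.0.0.0` means any source, while `host 0.0.0.0` is the single address 0.0.0.0/32 and matches no real client. The small evaluator below is an added example (not code from the thread or from Cisco) that models that netmask semantics and first-match-then-implicit-deny evaluation, and checks a PPTP client against both lists. PPTP needs two things through the outside interface: the TCP/1723 control connection and the GRE (protocol 47) tunnel, so the corrected list includes both. It covers the ACL side only, not the static translation the PDM prompted for in post #8. The addresses 203.0.113.86 (standing in for the PIX's 72.x.x.86) and 198.51.100.7 (a remote client) are constructed placeholders.

```python
"""Added example, not from the thread: a PIX-style access-list evaluator.

Address specs in PIX entries are `any`, `host A.B.C.D`, or `A.B.C.D MASK`
where MASK is a subnet mask, so `0.0.0.0 0.0.0.0` means any source while
`host 0.0.0.0` matches only the address 0.0.0.0. Addresses used below are
constructed placeholders (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers the parser understands; 'ip' (0 here) matches every protocol.
PROTO_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}
PORT_NAMES = {"pptp": 1723}


@dataclass
class AclEntry:
    name: str
    action: str                  # "permit" or "deny"
    proto: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None


def _parse_addr(tokens: List[str], i: int):
    """Parse one address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    # ipaddress accepts a dotted subnet mask after the slash; 0.0.0.0 -> /0
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl_line(line: str) -> AclEntry:
    """Parse `access-list NAME permit|deny PROTO SRC DST [eq PORT]`."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    proto_tok = t[3].lower()
    proto = PROTO_NUMBERS[proto_tok] if proto_tok in PROTO_NUMBERS else int(proto_tok)
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i + 1 < len(t) and t[i] == "eq":
        port = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    return AclEntry(t[1], t[2], proto, src, dst, port)


def evaluate(acl: List[AclEntry], proto: int, src: str, dst: str,
             dst_port: Optional[int] = None) -> bool:
    """First-match evaluation with the implicit deny at the end of the list.
    An outside-interface ACL is checked against the global (outside) address,
    so `dst` is the PIX's public address, not the ISA server's inside one."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if e.proto not in (0, proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action == "permit"
    return False


def pptp_passthrough(acl: List[AclEntry], client: str, vpn_public: str) -> dict:
    """PPTP needs the TCP/1723 control channel and the GRE (47) tunnel;
    report whether the ACL admits each one from `client`."""
    return {
        "tcp_1723": evaluate(acl, 6, client, vpn_public, 1723),
        "gre": evaluate(acl, 47, client, vpn_public),
    }


PIX_OUTSIDE = "203.0.113.86"   # constructed stand-in for the thread's 72.x.x.86
CLIENT = "198.51.100.7"        # constructed remote VPN client

# The entry from post #6: `host 0.0.0.0` matches only a source of 0.0.0.0.
ACL_AS_POSTED = [parse_acl_line(
    f"access-list vpn1 permit gre host 0.0.0.0 host {PIX_OUTSIDE}")]

# The corrected GRE entry from post #7, plus the PPTP control port.
ACL_CORRECTED = [parse_acl_line(line) for line in (
    f"access-list vpn1 permit GRE 0.0.0.0 0.0.0.0 host {PIX_OUTSIDE}",
    f"access-list vpn1 permit tcp any host {PIX_OUTSIDE} eq 1723",
)]

if __name__ == "__main__":
    print("as posted :", pptp_passthrough(ACL_AS_POSTED, CLIENT, PIX_OUTSIDE))
    print("corrected :", pptp_passthrough(ACL_CORRECTED, CLIENT, PIX_OUTSIDE))
```

Run as a script it reports both protocols blocked for the list as posted and both admitted for the corrected one; `parse_acl_line` also takes a numeric protocol (`permit 47 ...`), which is what the PDM's "IP protocol gre(47)" selection produces.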