PIX & ISA 2004 VPN issues (Full Version)

All Forums >> [ISA Server 2004 Firewall] >> Firewall Client


Zunger -> PIX & ISA 2004 VPN issues (31.Aug.2006 5:22:19 PM)

I've been stumped at this for a few days reading around on this forum and google, but i just can't get it to work.
Here's the setup

SonicWall         PIX
   |                  |

The sonicwall has nothing to do in it, but since my routing table is used with that, i figured i would include it.
Basically we have two T1's. One coming from the SW, and one from the PIX. Everything destined for our wan is sent
through the sonicwall (144.x.x.x and 150.x.x.x) and everything else ( is sent through the PIX. This is working perfectly
using rras & ISA. Now here's the problem:

   I am using the ISA server for clients to VPN in through. If i connect to it locally 150.x.x.9 i can VPN in fine. If i try and connect
through the PIX (72.x.x.86) it sorta stalls. When i go through the ISA 2004 logs it shows 'Failed Connection' under Action, with the
error code 0x8007274c. I cannot find much information on this code. I'm relatively sure that everything is enabled under the PIX
to forward the traffic to the ISA since it's getting a failed connection instead of nothing in the logs.

On the pix:

Right now there is a translation rule from outside interface (72.x.x.86) to internal ( If i try and add an access rule for the traffic, it wants me to add a static nat, and traffic just dies.

I would appreciate any help, comments, or suggestions.

gja -> RE: PIX & ISA 2004 VPN issues (31.Aug.2006 8:03:32 PM)

When you want traffic from the external interface of the PIX to your internal network you have to add an static otherwise it won't work. For VPN traffic It also you be possible you must allow GRE traffic.

Zunger -> RE: PIX & ISA 2004 VPN issues (31.Aug.2006 8:06:18 PM)

Currently there is a static translation rule: 72.x.x.86 -> 192.168.x.2

About the GRE, i read a little into that, but i don't actually see anything about the GRE in the PDM, nor did i see any actual examples of commands to allow that.

gja -> RE: PIX & ISA 2004 VPN issues (31.Aug.2006 9:00:28 PM)

GRE is a protocol like IP. I don't know how you do is in the PDM I normaly use the consoleand then it is:

permit GRE any(source) host 72.xx.xx.86(destination)

When you can't find it in the PDM I can look it up for you.


Zunger -> RE: PIX & ISA 2004 VPN issues (31.Aug.2006 11:12:31 PM)

I could never find it in the PDM but i found a few examples of the command once you mentioned it and i researched farther into it.
I'll try that command and report back.

Zunger -> RE: PIX & ISA 2004 VPN issues (31.Aug.2006 11:18:40 PM)

ok, i did access-list vpn1 permit gre host host 72.x.x.86
then i applied it with
access-group vpn1 in interface outside
but still no go.

gja -> RE: PIX & ISA 2004 VPN issues (1.Sep.2006 12:59:43 PM)

The access-list should be
access-list vpn1 permit GRE host 72.x.x.86

When you use the PDM you have to make a new access-rule
And in the collumn Service (Protocol and Service) you must select IP en IPprotocol gre(47)

I looked it up in the PDM for you.


Zunger -> RE: PIX & ISA 2004 VPN issues (1.Sep.2006 8:00:36 PM)

Here is where the problem occurs with something where i was trying to do something similar (doing ports instead of IP[GRE])

I add it as source outside from ip 72.x.x.86 to dest inside 192.x.x.2 (the inside connection to the pix) so that all
traffic will be sent from that 72 address to the 192 one. I add it as IP[GRE] then when i hit OK i get
"No static network address translation(nat) rule is configured for the destintation host or network on interface outside.
Would you like to add a static nat rule for the host or network now?" I click ok to add it. If i add it as a dynamic nat, it goes
back to the access rule add rule tab and gives the same problem. if i add it as static 192.x.x.2 the connection dies.
When i go into the translation rules, i see "Int inside [address] 192.x.x.2 to translated outside [address] 192.x.x.2"
Once i remove that translation rule, the network goes back to normal.

I'm again at a stand still. Basically the network looks like this. the PIX dials into a T1 PPPoE. That address it gets is the 72.x.x.86. Then it translates it to 192.x.x.1 on the inside of the pix, and the ISA server is 192.x.x.2. From there, it also has an internal address of 150.x.x.9 which. Just a little fyi incase that might matter differantly.

When we try and vpn, we want to VPN through the 72.x.x.86 address that is given to the PIX by the PPPoE.

Page: [1]