cannot access www over vpn site to site

cannot accesss www over vpn site to site - 13.Oct.2006 5:30:05 PM   
jimmyk

 

Posts: 37
Joined: 22.Sep.2006
Status: offline
ISA 2006
  • Hello
    I cannot access a remote web server, from an internal Internet Explorer client, over an ISA 2006 site-to-site vpn.
  • I get a 500 error on the internal web client.
  • I CAN ping across the vpn tunnel between the same internal client and the destination web server.


1. Does an internal web client (client trying to access a www server through the ISA) have its source ip address replaced by the ISA's external ip by default?

2. If so, how do I disable it?

3. If I disable it, does it remove the www filtering capability of the ISA?  I would think so.

4. If the answer to #1 is YES, is this to allow the ISA to use its web filter on any incoming responses?

If the ISA does replace the client's source ip address with its external ip address, I think that this situation may be preventing the web client from accessing the remote www server across the vpn tunnel. 
I think this is because the remote end of the vpn tunnel has a firewall that is filtering on the source ip address of the packet.  If the firewall sees a packet being sourced from the ISA's external ip address instead of the web client's ip address, it is dropping the packet. 

Thanks for any help on any of this comment / question.

Cliff
Post #: 1
RE: cannot accesss www over vpn site to site - 13.Oct.2006 6:06:44 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Cliff,

the HTTP traffic will be intercepted by the Web Proxy filter and therefore be sourced from the primary IP address assigned to the ISA outgoing interface. As a result you'll have to include that IP address in the IPSec policy of the remote box.

For more info, check out http://www.isaserver.org/tutorials/Troubleshooting-IPSec-Tunnel-Mode-Scenarios.html.

HTH,
Stefaan

(in reply to jimmyk)
Post #: 2
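
The behaviour Stefaan describes above, as an added example that is not part of the original thread: a small Python model of IPSec policy matching that shows why ping and Remote Desktop match the tunnel policy while proxied HTTP does not until the ISA's primary external IP is added. All addresses and names are constructed for illustration, and the model assumes the remote box simply matches source/destination pairs against its policy.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Selector:
    """One IPSec policy entry: traffic from `src_net` to `dst_net` is tunnelled."""
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network

def selector(src_net, dst_net):
    return Selector(ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net))

def effective_source(client_ip, protocol, isa_primary_external_ip):
    """Source address the remote gateway sees for a flow leaving the ISA.

    Per the thread: HTTP is intercepted by the Web Proxy filter and re-sourced
    from the ISA's primary external IP; other traffic keeps the client address.
    """
    if protocol == "http":
        return ipaddress.ip_address(isa_primary_external_ip)
    return ipaddress.ip_address(client_ip)

def in_policy(policy, src, dst):
    """True if the (src, dst) pair matches any selector in the policy."""
    dst = ipaddress.ip_address(dst)
    return any(src in s.src_net and dst in s.dst_net for s in policy)

def diagnose(policy, client_ip, server_ip, isa_ext_ip):
    """Map protocol -> (source seen by the remote box, matches tunnel policy?)."""
    report = {}
    for protocol in ("icmp", "rdp", "http"):
        src = effective_source(client_ip, protocol, isa_ext_ip)
        report[protocol] = (str(src), in_policy(policy, src, server_ip))
    return report

# Constructed sample values (documentation / private ranges), not from the thread.
CLIENT, SERVER, ISA_EXT = "192.168.1.20", "192.168.2.10", "203.0.113.10"
NETWORKS_ONLY = [selector("192.168.1.0/24", "192.168.2.0/24")]
WITH_ISA_IP = NETWORKS_ONLY + [selector(ISA_EXT + "/32", "192.168.2.0/24")]

if __name__ == "__main__":
    for name, policy in (("networks only", NETWORKS_ONLY), ("plus ISA IP", WITH_ISA_IP)):
        for protocol, (src, ok) in diagnose(policy, CLIENT, SERVER, ISA_EXT).items():
            print(f"{name:14} {protocol:5} src={src:15} {'tunnelled' if ok else 'NOT in policy'}")
```
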
RE: cannot accesss www over vpn site to site - 13.Oct.2006 6:31:28 PM   
jimmyk

 

Posts: 37
Joined: 22.Sep.2006
Status: offline
Thanks Stefaan!
I will configure the remote 3rd party to add the ISA's external interface ip to the IPSec policy.

The weird thing is, I can ping across the vpn tunnel.
Also, if I issue the TELNET 1.1.1.1 80 command from the client to the web server, I get an indication that the remote web server is listening on TCP port 80.

(in reply to spouseele)
Post #: 3
RE: cannot accesss www over vpn site to site - 14.Oct.2006 6:25:47 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Cliff,

if you would ping from the ISA itself you would see that it doesn't work either.

BTW --- you might check out my article http://www.isaserver.org/tutorials/enable-ESP-Null-Encryption-ISA-2004-site-to-site-VPN-scenario.html. I've learned a lot by peeking into the packets flying across the wire.

HTH,
Stefaan 

(in reply to jimmyk)
Post #: 4
RE: cannot accesss www over vpn site to site - 24.Oct.2006 9:52:52 AM   
itadmin

 

Posts: 30
Joined: 21.Jul.2006
Status: offline
I have a similar issue.  I have an ISA 2006 on one end and a Pix 501 on the other.  I can telnet on port 80 to a printer or internal web server on the Pix end of my tunnel, but I can't open it in Internet Explorer.  I was told to add the external IP of the ISA to the IPSec Filter List on the Pix.  I am new to dealing with these Pix units and usually use the PDM to make changes.  I would appreciate someone telling me what to do to that Pix to make this work.

(in reply to spouseele)
Post #: 5
RE: cannot accesss www over vpn site to site - 24.Oct.2006 2:21:12 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi itadmin,

check out http://www.microsoft.com/technet/isa/2004/plan/ipsecvpn.mspx.

HTH,
Stefaan

(in reply to itadmin)
Post #: 6
RE: cannot accesss www over vpn site to site - 25.Oct.2006 6:21:03 PM   
itadmin

 

Posts: 30
Joined: 21.Jul.2006
Status: offline
OK, I added the ISA box to the config on the PIX.  Still kind of dead in the water.

I get this when I connect to that machine using Internet Explorer. 

  • Error Code 10061: Connection refused
    Background: When the gateway or proxy server contacted the upstream (Web) server, the connection was refused. This usually results from trying to connect to a service that is inactive on the upstream server.

When I telnet 192.168.x.x using port 80, it blanks out like it connected.

What am I doing wrong?

(in reply to spouseele)
Post #: 7
    RE: cannot accesss www over vpn site to site - 26.Oct.2006 2:40:31 PM   
    spouseele

     

    Posts: 12830
    Joined: 1.Jun.2001
    From: Belgium
    Status: offline
    Hi itadmin,

    quote:

    I get this when I connect to that machine using Internet Explorer.

    you are connecting from where to where? Please be very *exact* in your answer! Also, keep in mind you can't test TCP port 80 (HTTP) with the help of the telnet command due to the web proxy filter. It will redirect you to the Web Proxy listener, not the intended destination.

    Is the main and quick mode SA established? Is there an access rule allowing that traffic? What do you see when taking a NetMon trace on the ISA external interface? ...

    You might also check out:
    - http://www.isaserver.org/tutorials/Troubleshooting-IPSec-Tunnel-Mode-Scenarios.html
    - http://www.isaserver.org/tutorials/enable-ESP-Null-Encryption-ISA-2004-site-to-site-VPN-scenario.html 

    HTH,
    Stefaan

    (in reply to itadmin)
    Post #: 8
    RE: cannot accesss www over vpn site to site - 1.Nov.2006 1:38:03 PM   
    itadmin

     

    Posts: 30
    Joined: 21.Jul.2006
    Status: offline
    When I try to connect to a machine at the remote location through Internet Explorer from my workstation in the main location, that is when I have the problems.

    ME ---> ISA 2006 ---->Pix501 ---->remote box running web service.

    I'll get back to you on the other answers once I check.

    (in reply to spouseele)
    Post #: 9
    RE: cannot accesss www over vpn site to site - 1.Nov.2006 1:43:40 PM   
    spouseele

     

    Posts: 12830
    Joined: 1.Jun.2001
    From: Belgium
    Status: offline
    Hi itadmin,

    OK, keep us informed...  

    Thanks,
    Stefaan

    (in reply to itadmin)
    Post #: 10
    RE: cannot accesss www over vpn site to site - 14.Nov.2006 9:57:42 AM   
    Mr_Logic

     

    Posts: 32
    Joined: 15.Jun.2004
    Status: offline
    itadmin,

    Not done exactly your scenario, but I have worked with PIX boxes quite a bit. You need to configure an IPSec rule from the PIX's External IP to the ISA's network range. You should then find all is well.

    (in reply to spouseele)
    Post #: 11
    RE: cannot accesss www over vpn site to site - 22.Nov.2006 9:38:48 AM   
    JBakels

     

    Posts: 78
    Joined: 4.Jan.2002
    From: Bradenton, FL USA
    Status: offline
    Are you using multiple external IP addresses on the ISA box?  If so, you may be using an IP other than the first IP for the tunnel.  I can't get my site-to-site working with HTTP when using any IP address other than the first external IP.

    I believe this is a limitation of ISA.  I do know it does not support using one external IP for say HTTP and another for SMTP.

    (in reply to Mr_Logic)
    Post #: 12
    RE: cannot accesss www over vpn site to site - 22.Nov.2006 9:53:04 AM   
    Mr_Logic

     

    Posts: 32
    Joined: 15.Jun.2004
    Status: offline
    ISA does support having HTTP and SMTP on different IPs - I am doing this and it works fine. The VPN tunnel is on the primary IP (or it was, I have given up and now put VPN through a separate device, which works very nicely).

    (in reply to JBakels)
    Post #: 13
    RE: cannot accesss www over vpn site to site - 22.Nov.2006 10:07:18 AM   
    JBakels

     

    Posts: 78
    Joined: 4.Jan.2002
    From: Bradenton, FL USA
    Status: offline
    Sorry.  I read the article wrong.  ISA does not support multiple external interfaces.
    http://www.microsoft.com/technet/isa/2004/plan/ts_networks.mspx

    I'm having trouble getting HTTP over a site to site.  I've had the PIX admin add the external IP to the policy but it still does not work.

    The traffic goes through the first external IP.  The site to site is not on the first IP so HTTP traffic fails.

    (in reply to Mr_Logic)
    Post #: 14
    RE: cannot accesss www over vpn site to site - 22.Nov.2006 10:20:20 AM   
    Mr_Logic

     

    Posts: 32
    Joined: 15.Jun.2004
    Status: offline
    I had the same problem with HTTP - hence the reason I used the separate VPN box. Couldn't find a way to fix it. I have reached the conclusion that ISA is rubbish for site to site VPN :-)

    (in reply to JBakels)
    Post #: 15
    RE: cannot accesss www over vpn site to site - 27.Nov.2006 12:59:48 PM   
    JBakels

     

    Posts: 78
    Joined: 4.Jan.2002
    From: Bradenton, FL USA
    Status: offline
    Someone must know how to get this working.

    2 network cards
    One internal, one external
    Internal has one IP address
    External has 2 or more IP addresses
    Site-to-Site VPN created on address other than first IP on external.
    WebProxy traffic destined for Site-to-Site attempts connection through first IP of external.
    Connection fails.

    Help please!

    (in reply to Mr_Logic)
    Post #: 16
    RE: cannot accesss www over vpn site to site - 29.Nov.2006 9:58:47 AM   
    itadmin

     

    Posts: 30
    Joined: 21.Jul.2006
    Status: offline
    Sorry I have been off here for a month or so.  My problem is still not solved.  Everything else works fine on this VPN.  I can use remote desktop both ways, etc...  I just can't view that internal web server.  I even tried to connect to an HP print server that is at the other site.  When I do that, I can see some of the page, but not much.  I am going to dedicate my day to solving this problem...  If I do, I will post my results.  I may have to go to the master. 

    (in reply to jimmyk)
    Post #: 17
    RE: cannot accesss www over vpn site to site - 4.Dec.2006 9:21:28 AM   
    JBakels

     

    Posts: 78
    Joined: 4.Jan.2002
    From: Bradenton, FL USA
    Status: offline
    Can anyone confirm or deny ISA has a limitation when creating Site-to-Site VPN using an IP other than the first on the external NIC?

    (in reply to jimmyk)
    Post #: 18
    RE: cannot accesss www over vpn site to site - 5.Dec.2006 10:08:04 AM   
    JBakels

     

    Posts: 78
    Joined: 4.Jan.2002
    From: Bradenton, FL USA
    Status: offline
    Here is a detail of the problem

    ISA External NIC
    *.*.*.35  Used for incoming/outgoing e-mail and OWA.
    *.*.*.36  Used for Published Site
    *.*.*.37  Used for Site-to-Site
    *.*.*.38  Used for Site-to-Site

    ISA Internal NIC
    192.168.1.1

    Remote Desktop works over site-to-site
    HTTP traffic fails over site-to-site
    Logging indicates http traffic from internal clients trying to access remote web server is using *.*.*.35 instead of *.*.*.38 on the ISA server.
    How do we force http destined from remote site to use *.*.*.38?

    (in reply to JBakels)
    Post #: 19
    RE: cannot accesss www over vpn site to site - 7.Dec.2006 8:42:20 AM   
    JBakels

     

    Posts: 78
    Joined: 4.Jan.2002
    From: Bradenton, FL USA
    Status: offline
    Well, I spent the afternoon on the phone with Microsoft.  We still have not resolved the issue.

    I can set up a Site-to-Site ISA to ISA and send HTTP over with no problems.

    When a Site-to-Site is created using IPSec to a PIX, HTTP fails (times out).

    I noticed that HTTP and FTP traffic using IE attempts to connect to the remote site using ISA's external IP.  If I FTP using explorer it passes from my IP to the Remote site.  I can telnet 80 to the remote site.

    Does anyone out there have a Site-to-Site working from ISA to PIX and access a web server on the remote site?

    (in reply to jimmyk)
    Post #: 20
