
Welcome to ISAserver.org


Outbound VPN Access to the ISP

Outbound VPN Access to the ISP - 14.Jan.2007 4:18:09 AM   
vikrant1971

 

Posts: 25
Joined: 24.Jun.2002
Status: offline
Hi,

Wish everyone a very happy new year.
Coming to my problem, I have been provided with a CISCO VPN Client ver 4.0.3 to log in to my ISP VPN network. I am using ISA 2000 server and XP client.
I am not able to initiate any connection to the ISP VPN IP Address. When I use a dialup modem, bypassing the ISA server, I am able to connect.

As per the published documents I have enabled IP routing and PPTP through ISA firewall. Defined two protocols IKE and NAT-T and created a L2TP-IPSec Outbound protocol rule.
I have also made the XP client a secured NAT.
But still it fails.
How can I initiate a VPN connection to my ISP?
Can I try and create a VPN connection in Windows XP?
Please try to help me as this VPN connection is very critical and important for me.
Thanks and Regards
Vik
Post #: 1
RE: Outbound VPN Access to the ISP - 14.Jan.2007 8:17:18 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Vik,

Did you read How to pass IPSec traffic through ISA Server?

Any evidence such as:
- ISA logging
- VPN client logging
- Netmon/Ethereal/Wireshark traces
- ...

HTH,
Stefaan

(in reply to vikrant1971)
Post #: 2
RE: Outbound VPN Access to the ISP - 15.Jan.2007 2:43:28 AM   
vikrant1971

 

Posts: 25
Joined: 24.Jun.2002
Status: offline
Hi,

I did read How to pass IPSec traffic through ISA Server and accordingly configured the ISA server for outbound VPN.

I get this error msg in the ISA server log.

1/14/2007, 12:53:52, MY.PC.IP.ADDRESS, 82.178.29.251, Udp, 500, 500, -, BLOCKED, Dialout, 45 00 01 54 41 a5 ........................................................................

2nd question:
How can I ping to some public IP address from a client, like ISP DNS Server? I made a firewall client but still not able to ping to any public IP add. I am able to ping from the ISA Server console. Is it a normal scenario?
Browsing is working fine.

I am following all the standards as outlined by you for the ISA server. I have an internal DNS Server which is using forward to the ISP DNS Server.

thanks
Vik

(in reply to vikrant1971)
Post #: 3
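An added example, not part of the original thread: a small Python triage script for packet-filter log lines like the one posted above, listing blocked IKE/NAT-T packets and decoding whatever leading IPv4 header bytes the log kept. The field order is inferred from that single posted line and is an assumption; the second and third sample lines are constructed.

```python
import string

# UDP ports behind the IKE and NAT-T protocol definitions mentioned in the thread.
IPSEC_UDP = {500: "IKE", 4500: "NAT-T"}

# Field order inferred from the log line in the post (assumption, not ISA documentation).
FIELDS = ["date", "time", "src", "dst", "proto", "sport", "dport",
          "flags", "action", "iface", "header"]

# Line 1 is the poster's line (dot run shortened); lines 2-3 are constructed samples.
SAMPLE_LOG = """\
1/14/2007, 12:53:52, MY.PC.IP.ADDRESS, 82.178.29.251, Udp, 500, 500, -, BLOCKED, Dialout, 45 00 01 54 41 a5 ........
1/14/2007, 12:54:10, 192.0.2.10, 198.51.100.7, Tcp, 1045, 80, -, BLOCKED, Dialout, 45 00 00 30
1/14/2007, 12:54:31, 192.0.2.10, 198.51.100.7, Udp, 4500, 4500, -, BLOCKED, Dialout, 45 00 00 74
"""

def parse_line(line):
    """Split one log line into a dict keyed by FIELDS."""
    values = [v.strip() for v in line.split(",")]
    if len(values) != len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(values))
    return dict(zip(FIELDS, values))

def decode_ip_prefix(dump):
    """Decode the leading IPv4 header bytes that survive in the dump, skipping elision dots."""
    tokens = [t for t in dump.split()
              if len(t) == 2 and all(c in string.hexdigits for c in t)]
    raw = bytes(int(t, 16) for t in tokens)
    out = {}
    if len(raw) >= 1:
        out["version"], out["header_len"] = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if len(raw) >= 4:
        out["total_len"] = int.from_bytes(raw[2:4], "big")
    return out

def blocked_ipsec(log_text):
    """Return (protocol name, destination, interface, header info) per blocked IKE/NAT-T packet."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec["action"].upper() != "BLOCKED" or rec["proto"].lower() != "udp":
            continue
        name = IPSEC_UDP.get(int(rec["dport"]))
        if name:
            hits.append((name, rec["dst"], rec["iface"], decode_ip_prefix(rec["header"])))
    return hits

if __name__ == "__main__":
    for hit in blocked_ipsec(SAMPLE_LOG):
        print(hit)
```

For the poster's line this reports a blocked IKE packet on the `Dialout` interface, with an IPv4 total length of 340 bytes.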
RE: Outbound VPN Access to the ISP - 15.Jan.2007 2:12:07 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Vik,

Q1: What type of Internet connection do you have? It sounds that the ISA external interface is not a regular LAN interface. If it is some sort of dial-up, check out http://support.microsoft.com/default.aspx?scid=kb;EN-US;283635.

Q2: Ping is ICMP based, not TCP or UDP. Therefore it is not handled by the Firewall client. If you have to support ping, the clients *must* be configured as SecureNAT clients and you *must* enable IP routing on the ISA Server. For more info, check out Allowing Outbound PING and PPTP Connections.

HTH,
Stefaan

(in reply to vikrant1971)
Post #: 4
RE: Outbound VPN Access to the ISP - 16.Jan.2007 12:02:46 AM   
vikrant1971

 

Posts: 25
Joined: 24.Jun.2002
Status: offline
hi,
Q1: I am using a hierarchy network. Every floor has its own VLAN and using the VLAN IP as their gateway. Fortunately for my Outbound VPN clients I have an ISA server in the same VLAN. In this scenario I can make them act as a secured NAT.

The ISA server external Interface is connected to an ADSL Modem. The modem has been configured as a bridge device and so I am able to make a dialup connection in the ISA and using this as the dialup entry for the primary route.

When I am making the client as a secured NAT, the ISA server does not dial automatically. While for other clients like firewall or web proxy, the ISA server is able to initiate a dial out.
I am able to browse, download mails using Outlook and able to do all other activities like chat etc. except VPN Outbound. Does this give any kind of clue?

I have enabled IP routing as well as PPTP and created all the protocol definitions and rule as outlined in your document.


Q2. I have also enabled IP routing but still not able to initiate any ICMP packets like ping to yahoo.com, etc.

regards
Vik

(in reply to vikrant1971)
Post #: 5
RE: Outbound VPN Access to the ISP - 16.Jan.2007 3:09:26 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Vik,

quote:

I am using a hierarchy network. Every floor has its own VLAN and using the VLAN IP as their gateway. Fortunately for my Outbound VPN clients I have an ISA server in the same VLAN. In this scenario I can make them act as a secured NAT.

Every client can be made a SecureNAT client. If you have a routed internal network, check out Designing An ISA Server Solution on a Complex Network for how to properly configure the ISA server in such an environment.

quote:

When I am making the client as a secured NAT, the ISA server does not dial automatically.

According to the info in the posted KB, a SecureNAT request should trigger ISA to dial the connection. Take note however that I have no experience with dialup connections on ISA.

What is the ISA logging telling you? Make sure you have enabled the logging of the fields Rule #1 (protocol rule) and Rule #2 (Site&Content rule).

HTH,
Stefaan

(in reply to vikrant1971)
Post #: 6
