VPN clients can talk to internal, internal can't talk out?





jdostal -> VPN clients can talk to internal, internal can't talk out? (26.Jun.2008 1:11:33 PM)

I think I might have a routing table issue but I'm not sure where to look anymore.  I've got my VPN setup almost perfectly.  My VPN clients can ping via hostname/IP any host on my internal network, they can access fileshares, they can RDP, etc - but I can't do the reverse.  I can't do name lookups, can't ping, can't RDP any of my VPN clients from the internal network.

When monitoring the logs, ISA server is allowing the traffic - I can see the ICMP ping requests and I can see that the rule "Allow Internal to VPN Clients" is being applied to the traffic...but I just get a request timed out on my pings.

My clients are assigned IP's from a small pool - 172.16.25.70 to 172.16.25.80.  Here is what my routing table looks like -

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 50 56 b4 7c 79 ...... VMware Accelerated AMD PCNet Adapter
0x10004 ...00 50 56 b4 20 ed ...... VMware Accelerated AMD PCNet Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         0.0.0.0          0.0.0.0     192.168.16.1    192.168.16.27     10
      75.8.37.28  255.255.255.255     192.168.16.1    192.168.16.27     10
       127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
       172.0.0.0        255.0.0.0    172.16.25.254    172.16.25.121      1
      172.16.0.0      255.255.0.0    172.16.25.254    172.16.25.121      1
     172.16.25.0    255.255.255.0    172.16.25.121    172.16.25.121     10
    172.16.25.70  255.255.255.255        127.0.0.1        127.0.0.1     50
    172.16.25.75  255.255.255.255     172.16.25.70     172.16.25.70      1
   172.16.25.121  255.255.255.255        127.0.0.1        127.0.0.1     10
  172.16.255.255  255.255.255.255    172.16.25.121    172.16.25.121     10
    192.168.16.0    255.255.255.0    192.168.16.27    192.168.16.27     10
   192.168.16.27  255.255.255.255        127.0.0.1        127.0.0.1     10
  192.168.16.255  255.255.255.255    192.168.16.27    192.168.16.27     10
       224.0.0.0        240.0.0.0    172.16.25.121    172.16.25.121     10
       224.0.0.0        240.0.0.0    192.168.16.27    192.168.16.27     10
255.255.255.255  255.255.255.255    172.16.25.121    172.16.25.121      1
255.255.255.255  255.255.255.255    192.168.16.27    192.168.16.27      1
Default Gateway:      192.168.16.1
===========================================================================

Any ideas?




paulo.oliveira -> RE: VPN clients can talk to internal, internal can't talk out? (26.Jun.2008 2:31:40 PM)

Hi,

How are your access rules configured?

Is this your VPN client's routing table? Is this range part of your internal range?

Why do you have different gateways here?
quote:

      172.16.0.0      255.255.0.0    172.16.25.254    172.16.25.121      1
     172.16.25.0    255.255.255.0    172.16.25.121    172.16.25.121     10

How's your ISA NIC configured?

Regards,
Paulo Oliveira.




jdostal -> RE: VPN clients can talk to internal, internal can't talk out? (26.Jun.2008 2:39:57 PM)

I have access rules set up to allow all traffic from VPN to Internal and vice versa - using the repro data capture tools I'm not seeing any traffic denied at all.

The 172.16.0.0 route is a manual entry by me to the routing table and the 172.16.25.254 is the correct default gateway for the ISA server's internal NIC.

The 172.16.25.0 route was there by default basically.

The ISA NIC's are configured as such:

Internal NIC
IP - 172.16.25.121
Subnet - 255.255.255.0
No default gateway
2 DNS Servers

External NIC
IP - 192.168.16.27
Subnet - 255.255.255.0
Gateway - 192.168.1.1

My range for my VPN clients is a little weird, as my networking guys don't have the time to help me on this for a while.  I've basically had to steal 10 IPs from the same subnet that the internal ISA NIC is in so that traffic can come back to it.  Not sure if this is a good idea or not?




paulo.oliveira -> RE: VPN clients can talk to internal, internal can't talk out? (26.Jun.2008 3:41:37 PM)

Hi,

quote:

The 172.16.0.0 route is a manual entry by me to the routing table and the 172.16.25.254 is the correct default gateway for the ISA server's internal NIC.

This way you are setting a default gateway on ISA's internal NIC. The ISA machine only has to have one DG configured, and it's on ISA's external NIC.

How is your internal network object IP range defined in ISA?

Regards,
Paulo Oliveira.




jdostal -> RE: VPN clients can talk to internal, internal can't talk out? (26.Jun.2008 5:17:26 PM)

It's defined as
172.0.0.0 to 172.16.25.67
172.16.25.255 to 172.16.25.255
172.16.25.81 to 172.255.255.255




paulo.oliveira -> RE: VPN clients can talk to internal, internal can't talk out? (30.Jun.2008 9:59:37 AM)

Hi,

have you removed the wrong static route as mentioned in my last post?
quote:

It's defined as
172.0.0.0 to 172.16.25.67
172.16.25.255 to 172.16.25.255
172.16.25.81 to 172.255.255.255


What's the mask of the above networks?

Regards,
Paulo Oliveira.




jdostal -> RE: VPN clients can talk to internal, internal can't talk out? (30.Jun.2008 10:33:23 AM)

Did you mean the  172.16.25.0 route?




paulo.oliveira -> RE: VPN clients can talk to internal, internal can't talk out? (30.Jun.2008 10:37:56 AM)

Hello,

check this:
quote:

Hi,

quote:

The 172.16.0.0 route is a manual entry by me to the routing table and the 172.16.25.254 is the correct default gateway for the ISA server's internal NIC.

This way you are setting a default gateway on ISA's internal NIC. The ISA machine only has to have one DG configured, and it's on ISA's external NIC.

How is your internal network object IP range defined in ISA?

Regards,
Paulo Oliveira.




jdostal -> RE: VPN clients can talk to internal, internal can't talk out? (30.Jun.2008 11:12:27 AM)

So you are saying my 172.16.0.0 route with DG 172.16.25.254 is incorrect?

That route is the route that allows my ISA box to talk to the rest of the network.  If I take that route out, neither the ISA box nor the VPN clients can talk to the network...




paulo.oliveira -> RE: VPN clients can talk to internal, internal can't talk out? (30.Jun.2008 12:06:56 PM)

Hi,

Yes! With this setting you're defining a default gateway on the internal NIC of ISA, and the only NIC that MUST have a default gateway is the External NIC.

Regards,
Paulo Oliveira.




jdostal -> RE: VPN clients can talk to internal, internal can't talk out? (30.Jun.2008 12:20:25 PM)

Huh...well that's...odd.  How on earth should my ISA server talk to the internal network then if it has no route to it?  If I delete that route I lose all communication w/ the internal network.




paulo.oliveira -> RE: VPN clients can talk to internal, internal can't talk out? (30.Jun.2008 1:20:32 PM)

Hi,

Your answer makes me think that you have a network-behind-network scenario. Please read these articles for a better understanding:

Network Behind a Network
Network Behind Network Scenarios

Regards,
Paulo Oliveira.




jdostal -> RE: VPN clients can talk to internal, internal can't talk out? (9.Jul.2008 6:31:37 PM)

So I spent a day on the phone with MS Premier support, and they ended the case by saying that this behavior is "working as intended".

The tech's claim is that when the MS VPN client creates a VPN connection, the various services do not rebind to the new IP address - so, when I try to RDP or PING the new IP address, the ISA server is allowing the traffic through but the client is not responding to the traffic.

Does this sound right to anyone?  Has anyone been able to talk to their VPN client network from their internal network?  I'm not doing a site to site, I'm just having laptops basically dial in to the network.




paulo.oliveira -> RE: VPN clients can talk to internal, internal can't talk out? (10.Jul.2008 7:42:23 AM)

Hi,

Yes, I have. I tried to ping and RDP and it was successful. My VPN configuration is DHCP from the internal network and my VPN clients are receiving IPs from the internal network range.

Regards,
Paulo Oliveira.




jdostal -> RE: VPN clients can talk to internal, internal can't talk out? (10.Jul.2008 10:26:13 AM)

After some final tweaking on my route tables, I'm able to communicate with my VPN clients as well.

Can't believe MS support said it wasn't possible/supported by ISA...they basically said I needed to scrap everything and move over to IAG (which is not a terrible idea, but I don't really want to buy another appliance).

*whew*

All that is over with, now I need to move on to why my VPN clients can't communicate onto the internet!




paulo.oliveira -> RE: VPN clients can talk to internal, internal can't talk out? (10.Jul.2008 10:35:36 AM)

Hi,

That's really sad. Please share with us what you did. Thanks!

Regards,
Paulo Oliveira.




jdostal -> RE: VPN clients can talk to internal, internal can't talk out? (10.Jul.2008 10:40:12 AM)

It was a lot of different things combined -

I've adjusted some of the rules - nothing major, but instead of saying "All Outbound" to the VPN Network I specified particular protocols.

I blocked off a /24 subnet for my VPN clients on my network - and then I've placed a static route for that subnet with my VPN server's internal NIC as the hop for that subnet (this was key).

I adjusted the routing tables on the ISA server for some of the weird routes I needed for my particular network.

And finally, after all that, I had to tweak the local Windows Firewall on the VPN clients as it was blocking some of the VPN traffic (RDP, etc).

I'm almost all set - the only issue I have now is that the VPN clients have no internet access - if I try to browse the web I get a "10061" so I'm off to start googling that one.  I more than likely have routing issues again...
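The two routing tables discussed in this thread can be checked mechanically. The block below is an added example, not code posted by anyone in the thread: it parses the "Active Routes" section that jdostal posted in the first message (copied verbatim), does the longest-prefix-match lookup Windows performs, and shows why a pool address with its own /32 (172.16.25.75 via the PPP link) is reachable from the ISA box while a pool address without one (172.16.25.77) simply falls into the on-link 172.16.25.0/24 and is treated like an ordinary LAN host. It then replays the fix from the last post on a constructed internal-router table: without a static route the VPN /24 leaves by the default route, with one it is handed to the ISA internal NIC. The core-router table, its 10.0.0.x upstream link and the 172.16.99.0/24 pool are invented for the example; the thread names no such values.

```python
"""Longest-prefix-match walk-through for the thread's routing tables.

Added example, not from the original thread. Parses Windows 'route print'
"Active Routes" lines and answers: which route does a packet to X take?
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int


# The ISA server's "Active Routes" block as posted in the first message.
ISA_ROUTE_PRINT = """
         0.0.0.0          0.0.0.0     192.168.16.1    192.168.16.27     10
      75.8.37.28  255.255.255.255     192.168.16.1    192.168.16.27     10
       127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
       172.0.0.0        255.0.0.0    172.16.25.254    172.16.25.121      1
      172.16.0.0      255.255.0.0    172.16.25.254    172.16.25.121      1
     172.16.25.0    255.255.255.0    172.16.25.121    172.16.25.121     10
    172.16.25.70  255.255.255.255        127.0.0.1        127.0.0.1     50
    172.16.25.75  255.255.255.255     172.16.25.70     172.16.25.70      1
   172.16.25.121  255.255.255.255        127.0.0.1        127.0.0.1     10
  172.16.255.255  255.255.255.255    172.16.25.121    172.16.25.121     10
    192.168.16.0    255.255.255.0    192.168.16.27    192.168.16.27     10
   192.168.16.27  255.255.255.255        127.0.0.1        127.0.0.1     10
  192.168.16.255  255.255.255.255    192.168.16.27    192.168.16.27     10
       224.0.0.0        240.0.0.0    172.16.25.121    172.16.25.121     10
       224.0.0.0        240.0.0.0    192.168.16.27    192.168.16.27     10
 255.255.255.255  255.255.255.255    172.16.25.121    172.16.25.121      1
 255.255.255.255  255.255.255.255    192.168.16.27    192.168.16.27      1
"""

# Constructed (hypothetical) table for an internal router at 172.16.25.254,
# before the static route from the last post is added. The 10.0.0.x
# upstream link is invented; the thread gives no such detail.
CORE_ROUTER_BEFORE = """
         0.0.0.0          0.0.0.0         10.0.0.1         10.0.0.2      1
        10.0.0.0    255.255.255.0         10.0.0.2         10.0.0.2      1
     172.16.25.0    255.255.255.0    172.16.25.254    172.16.25.254      1
"""

ISA_INTERNAL_NIC = "172.16.25.121"   # from the thread
VPN_POOL_CIDR = "172.16.99.0/24"     # hypothetical /24; the post names none


def parse_route_print(text: str) -> List[Route]:
    """Turn 'route print' Active Routes lines into Route records."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:      # skips headers, separators, 'Default Gateway:'
            continue
        dest, mask, gw, iface, metric = parts
        try:
            routes.append(Route(
                ipaddress.IPv4Network((dest, mask), strict=False),
                ipaddress.IPv4Address(gw),
                ipaddress.IPv4Address(iface),
                int(metric),
            ))
        except ValueError:
            continue
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; metric only breaks ties between equal prefixes."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def add_static_route(routes: List[Route], cidr: str, gateway: str,
                     interface: str, metric: int = 1) -> List[Route]:
    """Equivalent of 'route add <net> mask <mask> <gateway>' on the router."""
    return routes + [Route(ipaddress.IPv4Network(cidr),
                           ipaddress.IPv4Address(gateway),
                           ipaddress.IPv4Address(interface), metric)]


def describe(route: Optional[Route]) -> str:
    """Human-readable summary of a chosen route."""
    if route is None:
        return "no route"
    if route.gateway.is_loopback:
        hop = "local address"
    elif route.gateway == route.interface:
        hop = "on-link (ARP for it directly)"
    else:
        hop = f"via {route.gateway}"
    return f"{route.network} {hop}, out {route.interface}, metric {route.metric}"


if __name__ == "__main__":
    isa = parse_route_print(ISA_ROUTE_PRINT)
    for dst in ("172.16.25.75", "172.16.25.77", "172.16.30.5", "8.8.8.8"):
        print(f"ISA  -> {dst:14} {describe(lookup(isa, dst))}")
    core = parse_route_print(CORE_ROUTER_BEFORE)
    fixed = add_static_route(core, VPN_POOL_CIDR, ISA_INTERNAL_NIC, "172.16.25.254")
    print("core before:", describe(lookup(core, "172.16.99.5")))
    print("core after: ", describe(lookup(fixed, "172.16.99.5")))
```

Running it against the posted table shows the pattern worth checking on any RRAS/ISA box: only the client with a /32 entry (here 172.16.25.75 through the 172.16.25.70 PPP end) is routed over the tunnel; a neighbouring pool address with no /32 matches the /24 on the internal NIC, and an internal host in the same /24 would likewise ARP for it directly rather than send it to the ISA server. Giving the pool its own subnet and pointing a static route for it at the ISA internal NIC, as the final post describes, is what makes the internal side hand those packets to the VPN server.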



