First Site-to-Site VPN Config

First Site-to-Site VPN Config - 24.Feb.2010 3:01:02 PM   
lucianisa2006

 

Posts: 9
Joined: 24.Feb.2010
Status: offline
Good Day Forum,

This is my first post on this forum, so let me start by saying hello to everyone.

I am configuring a Site-to-Site VPN in a lab environment and I am receiving this error when running through the Connection Wizard, under the Network Addresses step on the Main ISA server. I don't understand why I am getting this stop error.

"The Internal network includes IP addresses in the range 172.17.12.1-172.17.12.255. Networks cannot contain IP addresses that overlap with another network."

This environment has not gone live, so I can put in any IP scheme or range, but they all come up with the same error. Any ideas or suggestions?
Post #: 1
RE: First Site-to-Site VPN Config - 24.Feb.2010 3:13:21 PM   
hrsanchez

 

Posts: 146
Joined: 30.Nov.2007
From: Argentina
Status: offline
Hi,

You have to exclude the VPN users' IP range from the Internal network IP range.
Regards,

Hector

_____________________________

Eng.Hector Sanchez
MCSE + Security 2000/2003
MCTS Isa 2004/Isa 2006

(in reply to lucianisa2006)
Post #: 2
RE: First Site-to-Site VPN Config - 24.Feb.2010 3:24:18 PM   
lucianisa2006

 

Posts: 9
Joined: 24.Feb.2010
Status: offline
As mentioned, I am very much a rookie at this. Where do I make the exclusions? In the wizard?

I have been following along with this HTML document:

http://www.isaserver.org/tutorials/Creating-VPN-ISA-Server-2006-Firewalls-Main-Branch-Office-Part1html.html

(in reply to hrsanchez)
Post #: 3
RE: First Site-to-Site VPN Config - 25.Feb.2010 11:23:14 AM   
hrsanchez

 

Posts: 146
Joined: 30.Nov.2007
From: Argentina
Status: offline
Open the ISA Server console, expand ISA Server, expand Configuration -> Networks -> right-click Internal -> Properties -> Addresses -> exclude or delete the IP range that you will use for the VPN link.
Regards,

Hector

_____________________________

Eng.Hector Sanchez
MCSE + Security 2000/2003
MCTS Isa 2004/Isa 2006

(in reply to lucianisa2006)
Post #: 4
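
The overlap check behind the wizard error, and the exclusion described in post #4, worked through as an added example (not part of the original thread, and not ISA Server code). The Internal address ranges below are constructed for illustration; only 172.17.12.1-172.17.12.255 comes from the thread.

```python
import ipaddress

def parse(text):
    """'a.b.c.d-e.f.g.h' -> inclusive (low, high) as integers."""
    lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-"))
    if lo > hi:
        raise ValueError(f"reversed range: {text}")
    return lo, hi

def show(rng):
    return f"{ipaddress.IPv4Address(rng[0])}-{ipaddress.IPv4Address(rng[1])}"

def find_overlaps(networks):
    """Return (net_a, net_b, shared_range) for each pair of networks sharing addresses."""
    names, hits = sorted(networks), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for ra in map(parse, networks[a]):
                for rb in map(parse, networks[b]):
                    lo, hi = max(ra[0], rb[0]), min(ra[1], rb[1])
                    if lo <= hi:
                        hits.append((a, b, show((lo, hi))))
    return hits

def exclude(ranges, remove):
    """Subtract `remove` from each range, splitting a range that is cut in the middle."""
    cut_lo, cut_hi = parse(remove)
    kept = []
    for lo, hi in map(parse, ranges):
        if hi < cut_lo or lo > cut_hi:
            kept.append((lo, hi))            # range does not touch the cut
            continue
        if lo < cut_lo:
            kept.append((lo, cut_lo - 1))    # part below the cut
        if hi > cut_hi:
            kept.append((cut_hi + 1, hi))    # part above the cut
    return [show(r) for r in kept]

# Constructed network definitions on the Main ISA server (illustration only)
MAIN_ISA = {
    "Internal": ["192.168.1.0-192.168.1.255", "172.17.0.0-172.17.255.255"],
    "Branch": ["172.17.12.1-172.17.12.255"],   # remote site range from the thread
}

if __name__ == "__main__":
    print("before:", find_overlaps(MAIN_ISA))
    MAIN_ISA["Internal"] = exclude(MAIN_ISA["Internal"], "172.17.12.1-172.17.12.255")
    print("Internal after exclusion:", MAIN_ISA["Internal"])
    print("after:", find_overlaps(MAIN_ISA))
```
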
RE: First Site-to-Site VPN Config - 2.Mar.2010 12:31:22 PM   
lucianisa2006

 

Posts: 9
Joined: 24.Feb.2010
Status: offline
Thank you! I was able to get past that hurdle, but my question is: how do I test the connection in my lab environment and know if it is working?

Here is an idea of my setup:

My branch site and branch ISA fall in the internal range of 172.17.12.1-172.17.12.255. The remote ISA internal adapter has an IP address of 172.17.12.1.
For the external adapter, does it need to have a static IP address from the "ISP" or can it be set to dynamic? In my lab environment, I get a 10.x.x.x, which provides me with internet access.

My HQ site and HQ ISA fall in the range of 192.168.1.1 - 192.168.1.255. The main office ISA server internal adapter has an IP address of 192.168.1.5. My external adapter would once again receive a 10.x.x.x address.

Hope this makes sense!

Any assistance would be appreciated.

Any good site to site VPN config documents out there on the internet?


(in reply to hrsanchez)
Post #: 5
RE: First Site-to-Site VPN Config - 2.Mar.2010 1:56:00 PM   
hrsanchez

 

Posts: 146
Joined: 30.Nov.2007
From: Argentina
Status: offline
Hi,

quote:


How do I test the connection in my lab environment and know, if it is working.


It depends on the protocols that the access rules permit between the two sites.
Example: If you permit the ping protocol, you can test it by pinging machines from one site to the other.

quote:


For the external adapter, does it need to have a static IP address from the "ISP" or it can be set to dynamic?


You will need a static IP address or a remote VPN server name that can always be resolved by DNS servers.

quote:


Any good site to site VPN config documents out there on the internet?


http://technet.microsoft.com/es-es/library/cc302474(en-us).aspx

Regards,

Hector

_____________________________

Eng.Hector Sanchez
MCSE + Security 2000/2003
MCTS Isa 2004/Isa 2006

(in reply to lucianisa2006)
Post #: 6
RE: First Site-to-Site VPN Config - 5.Mar.2010 2:59:55 PM   
lucianisa2006

 

Posts: 9
Joined: 24.Feb.2010
Status: offline
Sanchez,
I am still having some problems! I have configured both Main & Remote ISA servers for Site-to-Site VPN using the wizards. I am trying to test my connection and I am unable to ping from one network to another. I have the setting to allow all outbound traffic. Is there something that I am missing? Under the session tab, I am seeing Secure NAT on one of the servers.

Thanks

(in reply to hrsanchez)
Post #: 7
RE: First Site-to-Site VPN Config - 5.Mar.2010 6:59:19 PM   
aliyanisabrey

 

Posts: 99
Joined: 12.Feb.2009
Status: offline
Do you have anything between your Main ISA and Remote, such as a router?

Have you checked the Event Viewer? Or in the session tab, you will see the IP address of your branch site. It tries to communicate with your ISA.

(in reply to lucianisa2006)
Post #: 8
RE: First Site-to-Site VPN Config - 5.Mar.2010 9:49:31 PM   
lucianisa2006

 

Posts: 9
Joined: 24.Feb.2010
Status: offline
Thanks. Nothing in between. This might be silly of me, but I have a crossover cable, connecting to the external interfaces, to do my testing.

When running a simple ping between the two servers, I see activity under the session monitoring. SecureNat and the server IP trying to make the connection.

I checked the one Access rule created by the wizard and all appears to be good.

(in reply to aliyanisabrey)
Post #: 9
RE: First Site-to-Site VPN Config - 6.Mar.2010 11:57:58 AM   
aliyanisabrey

 

Posts: 99
Joined: 12.Feb.2009
Status: offline
Are you pinging from the client PC?
Does it show "destination host unreachable"?

Try to use PPTP. Let's see whether it works.

The configuration is still the same. The only difference is that the preshared key is not used in PPTP.

Hope it works.

_____________________________

Aliyani Sabrey

MCSE+Security, MCSA+Security, ISA Server 2004 & 2006

(in reply to lucianisa2006)
Post #: 10
RE: First Site-to-Site VPN Config - 6.Mar.2010 2:20:51 PM   
lucianisa2006

 

Posts: 9
Joined: 24.Feb.2010
Status: offline
Yes! Pinging from a client PC. I am getting "request timed out" but I will verify soon. Will try PPTP when I go back into the lab.
I cannot ping the internal interface (192.168.1.1) of the ISA from my client PC (192.168.1.2); however, I can ping my client from the ISA server. It seems as though it's not accepting inbound traffic.


When I try to ping the other client on 172.17.12.2, I notice that there is activity in the sessions monitoring. Somehow the traffic is not getting across to the other ISA server.

Will do some further testing next week.

(in reply to aliyanisabrey)
Post #: 11
RE: First Site-to-Site VPN Config - 8.Mar.2010 10:34:28 AM   
hrsanchez

 

Posts: 146
Joined: 30.Nov.2007
From: Argentina
Status: offline
Hi,

It sounds like you don't have appropriate access rules.
Make an access rule in order to permit all outbound traffic from Internal/VPN network to Internal/VPN network and put it in the first place.
Try to ping from an internal PC to a remote site PC.
You can monitor the ping in order to see whether it is being denied or not.
Regards,

Hector

_____________________________

Eng.Hector Sanchez
MCSE + Security 2000/2003
MCTS Isa 2004/Isa 2006

(in reply to lucianisa2006)
Post #: 12
RE: First Site-to-Site VPN Config - 16.Mar.2010 11:15:05 AM   
lucianisa2006

 

Posts: 9
Joined: 24.Feb.2010
Status: offline
Hello Again,

Tiny measure of success!
I can now ping between the two external interfaces of the Main (208.147.66.2) and Branch (208.147.66.1) ISA servers, but from a client (172.17.12.2) on the internal network, I cannot ping the external interface (208.147.66.1) or even get out to the remote ISA server interface (208.147.66.2).

Any ideas? Hope my scenario makes sense.

Thanks

(in reply to hrsanchez)
Post #: 13
RE: First Site-to-Site VPN Config - 18.Mar.2010 11:42:56 AM   
hrsanchez

 

Posts: 146
Joined: 30.Nov.2007
From: Argentina
Status: offline
Hi,

In order to test the VPN tunnel, you have to test communication between the private sites.
In other words, you have to ping from a PC on site 1 to a PC on site 2 or vice versa.
All other tests to PUBLIC interfaces are NOT inside the VPN tunnel. Probably you have problems with the routes or access rules.
Regards,

Hector

_____________________________

Eng.Hector Sanchez
MCSE + Security 2000/2003
MCTS Isa 2004/Isa 2006

(in reply to lucianisa2006)
Post #: 14
RE: First Site-to-Site VPN Config - 18.Mar.2010 12:28:59 PM   
lucianisa2006

 

Posts: 9
Joined: 24.Feb.2010
Status: offline
Yes, understood! I was trying to troubleshoot the issue in stages from a client, and I noticed that I could not get to the external NIC IP address but I can ping the internal NIC. Seems like there is no routing internally between the NICs.

If you can give an example of a rule that I should set up, that would be great.

Thanks

(in reply to hrsanchez)
Post #: 15
RE: First Site-to-Site VPN Config - 18.Mar.2010 2:31:20 PM   
hrsanchez

 

Posts: 146
Joined: 30.Nov.2007
From: Argentina
Status: offline
Hi,

Your question is very general. In order for two hosts in different networks to communicate, you have to:

1. Establish and configure a default gateway and/or specific gateways to each network involved.
These specific routes and gateways have to be made in all networks.
2. Make access rules in the firewalls from one network to the other network with the protocols you are planning to use.
These access rules have to be made in all firewalls involved.

If you have these two things you will not have any problem pinging firewall external interfaces.

Regards,

Hector

_____________________________

Eng.Hector Sanchez
MCSE + Security 2000/2003
MCTS Isa 2004/Isa 2006

(in reply to lucianisa2006)
Post #: 16
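
The checks from posts #14 and #16, written as an added example (not part of the original thread): a test only exercises the tunnel when both ends are private hosts on different sites, and it then needs routes on both networks plus an access rule on both firewalls. This is a simplified model, not ISA Server's rule engine; the /24 prefixes, the routed hosts and the rule sets are assumed lab state.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Site:
    name: str
    internal: ipaddress.IPv4Network
    routed_hosts: set = field(default_factory=set)  # hosts whose gateway is this site's firewall
    allow: set = field(default_factory=set)         # (from_site, to_site, protocol) access rules

def check_ping(src, dst, sites):
    """Return 'ok' or the first missing prerequisite for a ping from src to dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    a = next((s for s in sites if src_ip in s.internal), None)
    b = next((s for s in sites if dst_ip in s.internal), None)
    if a is None or b is None or a is b:
        return "not a tunnel test: use private hosts on two different sites"
    # Requirement 1: gateways/routes on both networks (the reply needs one too)
    for site, host in ((a, src), (b, dst)):
        if host not in site.routed_hosts:
            return f"{host} has no gateway/route through the {site.name} firewall"
    # Requirement 2: an access rule on every firewall along the path
    for fw in (a, b):
        if (a.name, b.name, "ping") not in fw.allow:
            return f"{fw.name} firewall lacks a rule allowing ping from {a.name} to {b.name}"
    return "ok"

# Constructed lab state using the thread's addressing; /24 prefixes are assumed.
# Only the Branch firewall has the rule, so the Main firewall is the first gap found.
main_site = Site("Main", ipaddress.ip_network("192.168.1.0/24"), {"192.168.1.2"})
branch_site = Site("Branch", ipaddress.ip_network("172.17.12.0/24"), {"172.17.12.2"},
                   {("Branch", "Main", "ping")})
SITES = [main_site, branch_site]

if __name__ == "__main__":
    # First target is the Main external interface from post #13, second is a Main client PC
    for dst in ("208.147.66.2", "192.168.1.2"):
        print(f"172.17.12.2 -> {dst}: {check_ping('172.17.12.2', dst, SITES)}")
```
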
