This is my first post on this forum, so let me start by saying hello to everyone.
I am configuring a Site-to-Site VPN in a lab environment, and I am receiving this error when running through the Connection Wizard under the Network Addresses step on the main ISA server. I don't understand why I am getting this stop error.
"The Internal network includes IP addresses in the range 172.17.12.1-172.17.12.255. Networks cannot contain IP addresses that overlap with another network."
This environment has not gone live, so I can put in any IP scheme or range but they all come up with same error. Any ideas or suggestions?
Posts: 146
Joined: 30.Nov.2007
From: Argentina
Status: offline
Open the ISA Server console, expand the ISA server, expand Configuration -> Networks -> right-click Internal -> Properties -> Addresses -> exclude or delete the IP range that you will use for the VPN link. Regards,
Hector
_____________________________
Eng.Hector Sanchez MCSE + Security 2000/2003 MCTS Isa 2004/Isa 2006
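The wizard's stop error and Hector's fix are both plain interval arithmetic on the address ranges ISA shows on a network's Addresses tab. The script below is an added example (not from the thread and not an ISA tool): it reproduces the overlap check across a set of network definitions and computes what is left of Internal once the branch range is carved out, which is the edit to make on the Addresses tab. The Internal definition of 172.16.0.0-172.31.255.255 is a constructed lab value; the branch range is the one from the error message.

```python
import ipaddress
from typing import Dict, List, Tuple

# An ISA network is a list of first-last address ranges, as shown under
# Networks -> <network> -> Properties -> Addresses.
Range = Tuple[str, str]


def _to_ints(r: Range) -> Tuple[int, int]:
    """Validate a first-last range and return it as an integer interval."""
    first, last = int(ipaddress.IPv4Address(r[0])), int(ipaddress.IPv4Address(r[1]))
    if first > last:
        raise ValueError(f"range {r[0]}-{r[1]} has its first address after its last")
    return first, last


def _to_range(first: int, last: int) -> Range:
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def find_overlaps(networks: Dict[str, List[Range]]) -> List[Tuple[str, str, Range]]:
    """Reproduce the wizard's check: every pair of networks that share addresses,
    together with the overlapping portion (what the error message reports)."""
    names = sorted(networks)
    hits: List[Tuple[str, str, Range]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for ra in networks[a]:
                a1, a2 = _to_ints(ra)
                for rb in networks[b]:
                    b1, b2 = _to_ints(rb)
                    lo, hi = max(a1, b1), min(a2, b2)
                    if lo <= hi:
                        hits.append((a, b, _to_range(lo, hi)))
    return hits


def exclude_range(ranges: List[Range], remove: Range) -> List[Range]:
    """Carve `remove` out of `ranges` and merge what is left into contiguous
    ranges: the new contents of the Internal network's Addresses tab."""
    c, d = _to_ints(remove)
    pieces: List[Tuple[int, int]] = []
    for r in ranges:
        a, b = _to_ints(r)
        if b < c or a > d:          # no overlap with the removed block, keep as is
            pieces.append((a, b))
            continue
        if a < c:                   # part of the range before the removed block
            pieces.append((a, c - 1))
        if d < b:                   # part of the range after the removed block
            pieces.append((d + 1, b))
    pieces.sort()
    merged: List[Tuple[int, int]] = []
    for a, b in pieces:             # join touching/overlapping leftovers
        if merged and a <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], b))
        else:
            merged.append((a, b))
    return [_to_range(a, b) for a, b in merged]


# Constructed lab values (assumption): Internal was defined as the whole
# 172.16/12 private block; the branch range is the one in the wizard error.
LAB_NETWORKS = {
    "Internal": [("172.16.0.0", "172.31.255.255")],
    "Branch VPN": [("172.17.12.1", "172.17.12.255")],
}

if __name__ == "__main__":
    for a, b, r in find_overlaps(LAB_NETWORKS):
        print(f"{a} overlaps {b} at {r[0]}-{r[1]}")
    for first, last in exclude_range(LAB_NETWORKS["Internal"], LAB_NETWORKS["Branch VPN"][0]):
        print(f"keep {first}-{last}")
```

Run it once with the real Addresses-tab contents of every network on the ISA (Internal, any perimeter network, and the remote site network the wizard is about to create) before re-running the wizard; once `find_overlaps` is empty the Network Addresses step passes.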
Thank you! I was able to get past that hurdle, but my question is: how do I test the connection in my lab environment and know if it is working?
Here is an idea of my setup:
My branch site and branch ISA fall in the internal range of 172.17.12.1-172.17.12.255. The remote ISA internal adapter has an IP address of 172.17.12.1. For the external adapter, does it need to have a static IP address from the "ISP", or can it be set to dynamic? In my lab environment, I get a 10.x.x.x address, which provides me with internet access.
On my HQ site, the HQ ISA falls in the range of 192.168.1.1-192.168.1.255. The main office ISA server internal adapter has an IP address of 192.168.1.5. My external adapter would once again receive a 10.x.x.x address.
Hope this makes sense!
Any assistance would be appreciated.
Any good site to site VPN config documents out there on the internet?
Hi,
quote:
How do I test the connection in my lab environment and know, if it is working.
It depends on the protocols that the access rules permit between the two sites. Example: if you permit the Ping protocol, you can test it by pinging machines on one site from the other.
quote:
For the external adapter, does it need to have a static IP address from the "ISP" or it can be set to dynamic?
You will need a static IP address, or a remote VPN server name that can always be resolved by DNS servers.
quote:
Any good site to site VPN config documents out there on the internet?
Sanchez, I am still having some problems! I have configured both the main and remote ISA servers for Site-to-Site VPN using the wizards. I am trying to test my connection and I am unable to ping from one network to the other. I have the setting to allow all outbound traffic. Is there something that I am missing? Under the Sessions tab, I am seeing SecureNAT on one of the servers.
Thanks. Nothing in between. This might be silly of me, but I have a crossover cable connecting the two external interfaces to do my testing.
When running a simple ping between the two servers, I see activity under session monitoring: SecureNAT and the server IP trying to make the connection.
I checked the one Access rule created by the wizard and all appears to be good.
Yes! Pinging from a client PC. I am getting "Request timed out", but I will verify soon. I will try PPTP when I go back into the lab. I cannot ping the internal interface (192.168.1.1) of the ISA from my client PC (192.168.1.2); however, I can ping my client from the ISA server. It seems as though it's not accepting inbound traffic.
When I try to ping the other client on 172.17.12.2, I notice that there is activity in session monitoring. Somehow the traffic is not getting across to the other ISA server.
Hi,
It sounds like you don't have appropriate access rules. Make an access rule to permit all outbound traffic from the Internal/VPN network to the Internal/VPN network and put it in first place. Try to ping from an internal PC to a remote-site PC. You can monitor the ping to see whether it is being denied or not. Regards,
Hector
Tiny measure of success! I can now ping between the two external interfaces of the main (208.147.66.2) and branch (208.147.66.1) ISA servers, but from a client (172.17.12.2) on the internal network, I cannot ping the external interface (208.147.66.1) or even get out to the remote ISA server interface (208.147.66.2).
Hi,
In order to test the VPN tunnel, you have to test communication between the private sites. In other words, you have to ping from a PC on site 1 to a PC on site 2, or vice versa. All other tests to PUBLIC interfaces are NOT inside the VPN tunnel. Probably you have problems with the routes or access rules. Regards,
Hector
Yes, understood! I was trying to troubleshoot the issue in stages from a client, and I noticed that I could not get to the external NIC IP address, but I can ping the internal NIC. It seems like there is no routing internally between the NICs.
If you can give an example of a rule that I should set up, that would be great.
Hi,
Your question is very general. In order for two hosts in different networks to communicate, you have to:
1. Establish and configure a default gateway and/or specific gateways to each of the networks involved. These specific routes and gateways have to be made in all networks.
2. Make access rules in the firewalls from one network to the other network with the protocols you are planning to use. These access rules have to be made in all firewalls involved.
If you have these two things, you will not have any problem pinging firewall external interfaces.
Regards,
Hector
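Hector's two posts above amount to a test discipline: only private-to-private pings prove anything about the tunnel, and a failure is either routing (point 1) or access rules (point 2) on one of the two firewalls. The script below is an added example (not from the thread, not an ISA tool) that turns the "troubleshoot in stages from a client" approach into an ordered probe list run from the HQ client: local ISA internal first, then the remote ISA's internal address, then the remote client, stopping at the first hop that does not answer and naming what to check. The addresses are the ones in the thread (HQ ISA internal 192.168.1.5, branch ISA internal 172.17.12.1, branch client 172.17.12.2); the "suspect" hints summarise the thread's advice and are not ISA diagnostics. The public 208.147.66.x interfaces are deliberately not probed, for the reason Hector gives.

```python
import platform
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Probe:
    stage: str       # what this hop proves
    target: str      # address to ping from the site-1 client
    in_tunnel: bool  # True only for private-to-private probes that traverse the VPN
    suspect: str     # what to check first if this stage fails (summary of the thread's advice)


def build_probes(local_isa_internal: str, remote_isa_internal: str, remote_client: str) -> List[Probe]:
    """Ordered probes to run from a client on site 1. Public (external) interfaces are
    deliberately absent: reaching them says nothing about the tunnel."""
    return [
        Probe("local ISA internal", local_isa_internal, False,
              "client default gateway and local LAN; ISA must accept ICMP from Internal"),
        Probe("remote ISA internal", remote_isa_internal, True,
              "tunnel status, route for the remote network on the local ISA, "
              "and the Internal <-> remote site access rule on BOTH firewalls"),
        Probe("remote client", remote_client, True,
              "remote client's default gateway (must be the remote ISA) "
              "and the access rule on the remote ISA"),
    ]


PingFn = Callable[[str], bool]


def system_ping(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo through the OS ping tool. Windows ping exits 0 even for
    'Destination host unreachable', so success is judged on a reply line carrying a TTL."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:  # Linux ping: -W is the per-reply timeout in seconds
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return "ttl=" in out.lower()


def run_stages(probes: List[Probe], ping: PingFn = system_ping) -> Tuple[List[str], str]:
    """Ping each probe in order and stop at the first failure, so the verdict names
    the layer (local LAN, tunnel/routes/rules, remote LAN) where traffic is dying."""
    reached: List[str] = []
    for p in probes:
        if not ping(p.target):
            where = "inside the tunnel" if p.in_tunnel else "before the tunnel"
            return reached, f"{p.stage} ({p.target}) unreachable {where}: check {p.suspect}"
        reached.append(p.stage)
    return reached, "all in-tunnel probes answered: the site-to-site tunnel is passing ICMP"


# Addresses from the thread: HQ ISA internal 192.168.1.5, branch ISA internal 172.17.12.1,
# branch client 172.17.12.2. Run this from the HQ client (192.168.1.2).
LAB_PROBES = build_probes("192.168.1.5", "172.17.12.1", "172.17.12.2")

if __name__ == "__main__":
    ok, verdict = run_stages(LAB_PROBES)
    print("reached:", ", ".join(ok) or "nothing")
    print(verdict)
```

Run it from a PC on each site in turn (swapping the three addresses for the other direction), since a rule or route that exists on only one ISA will pass from one side and fail from the other; watch the Sessions/Monitoring view on both ISAs while it runs to see which firewall is denying the echo. The `ping` parameter exists so the stage logic can be exercised with a stand-in function where no lab is available.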