I currently have a site-to-site VPN set up from our office using ISA 2006 multi array firewalls, to our production servers at a datacenter. Users at the office (subnet 10.10.10.x) are able to connect to the servers (subnet 10.10.9.x).
We have a new site which is using an ADSL broadband connection on a dynamic public IP, and I would like to allow these users to connect to the ISA servers as VPN clients.
I have created the necessary VPN groups and config, and am able to connect to the office 10.10.10.x network as a VPN client. However, whilst connected, the VPN clients are unable to connect to the 10.10.9.x network. I am wondering if it is a routing issue, as the VPN clients have been configured to be issued 192.168.200.x IP addresses, but I do not have any idea how to fix this.
The VPN clients are currently allowed All Outbound traffic to Internal (10.10.10.0 - 10.10.10.255). I tried adding the Site-to-Site VPN network (address range 10.10.9.0-10.10.9.255, as well as the public static IP of the remote VPN site), which had been created previously, as a destination network to the above rule, but it still does not seem to work.
I did a route print on a VPN client, and I do not see any route for the 10.10.9.0 destination. There are 2 routes for 0.0.0.0:

Destination  Netmask  Gateway        Interface      Metric
0.0.0.0      0.0.0.0  192.168.20.1   192.168.20.2   26
0.0.0.0      0.0.0.0  192.168.200.3  192.168.200.3  1

The first route's interface belongs to the Internet connection of the client; the second route's interface belongs to the VPN connection, and the IP address is the current IP for that interface.
I have tried adding a persistent route as follows:
route add -p 10.10.9.0 mask 255.255.255.0 192.168.200.3 IF 0x40005 (IF info taken from Interface List in Route print)
Users are assigned 192.168.200.x addresses when they connect to the office VPN. I would like them to be able to connect to the office network (10.10.10.x), which they are able to, as well as to the datacenter (10.10.9.x, connected to the office network via site-to-site VPN).
Is there any routing which I need to do on the ISA servers, or on the VPN clients?
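As an added example (not part of the question or any answer), here is a small Python model of the client's route table that applies Windows' selection rule (longest prefix match, ties broken by lowest metric) to show which interface a 10.10.9.x packet leaves on, and whether a specific route for 10.10.9.0/24 exists, before and after the persistent route the asker tried. The rows are copied from the route print output above; the interface index 0x40005 is not needed for the model.

```python
import ipaddress

# Client route table as shown in the question's `route print`
# (constructed copy): (destination, netmask, gateway, interface, metric).
CLIENT_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.20.1", "192.168.20.2", 26),   # Internet NIC
    ("0.0.0.0", "0.0.0.0", "192.168.200.3", "192.168.200.3", 1),  # VPN adapter
]

# The persistent route from the `route add -p` command in the question.
PERSISTENT_ROUTE = ("10.10.9.0", "255.255.255.0", "192.168.200.3", "192.168.200.3", 1)


def _as_network(dest, mask):
    # ipaddress accepts dotted netmasks, so 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0.
    return ipaddress.ip_network(f"{dest}/{mask}", strict=False)


def select_route(routes, dst):
    """Return the row Windows would use for dst: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    best_key, best_row = None, None
    for row in routes:
        dest, mask, _gw, _iface, metric = row
        net = _as_network(dest, mask)
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)   # higher is better
        if best_key is None or key > best_key:
            best_key, best_row = key, row
    return best_row


def egress_interface(routes, dst):
    """Interface address the packet to dst leaves on, or None if unroutable."""
    row = select_route(routes, dst)
    return row[3] if row else None


def has_specific_route(routes, target):
    """True if a non-default row covers target (e.g. '10.10.9.0/24')."""
    want = ipaddress.ip_network(target)
    return any(
        _as_network(d, m).prefixlen > 0 and want.subnet_of(_as_network(d, m))
        for d, m, *_ in routes
    )


if __name__ == "__main__":
    print("10.10.9.5 via", egress_interface(CLIENT_ROUTES, "10.10.9.5"))
    print("specific route before:", has_specific_route(CLIENT_ROUTES, "10.10.9.0/24"))
    print("specific route after: ",
          has_specific_route(CLIENT_ROUTES + [PERSISTENT_ROUTE], "10.10.9.0/24"))
```

With only the two default routes, the metric-1 VPN default already carries 10.10.9.x traffic into the tunnel; the persistent route makes the match explicit (/24) but selects the same interface, so the client-side table alone does not change where the packets go.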
Hi, if the VPN clients cannot see the data center, there are two configs which you should do:
1- On the ISA at the office, add routing from VPN clients to the datacenter (on network configuration).
2- On the ISA at the datacenter, check the logs and, if there is any deny rule for VPN clients, add that rule to the ISA.
And the last thing is checking the log of the office's ISA.
The datacenter is using a SonicWall firewall/gateway. Sorry I did not mention this earlier.
ISA is only being used in the office.
For 1., are you referring to adding of a static route on the ISA gateways, or on the VPN clients?
I have 2 ISA gateways (10.10.10.7 and 10.10.10.20) in an array set up for the office network. The array VIP is 10.10.10.254. A site-to-site VPN is set up to the remote network (10.10.9.x) and is working properly.
I have checked the route tables for both ISA gateways: 10.10.10.7 does not have any route to the 10.10.9.x destination, and 10.10.10.20 has a route to the 10.10.9.x destination with gateway 10.10.10.7 on the Internal interface.
Could you advise on how I can create a route from my VPN clients to the datacenter?