
ISA VPN client cannot route to remote VPN site-to-site network

ISA VPN client cannot route to remote VPN site-to-site ... - 29.Dec.2011 4:49:32 AM   
bingyeo

 

Posts: 23
Joined: 4.Dec.2008
Status: offline
Hi

I currently have a site-to-site VPN set up from our office using ISA 2006 multi array firewalls, to our production servers at a datacenter.
Users at the office (subnet 10.10.10.x) are able to connect to the servers (subnet 10.10.9.x).

We have a new site which is using an ADSL broadband connection on a dynamic public IP, and I would like to allow these users to connect to the ISA servers as VPN clients.

I have created the necessary VPN groups and config, and am able to connect to the office 10.10.10.x network as a VPN client. However, whilst connected, the VPN clients are unable to connect to the 10.10.9.x network.
I am wondering if it is a routing issue, as the VPN clients have been configured to be issued 192.168.200.x IP addresses, but I do not have any idea how to fix this.

If anyone could provide some ideas?
Post #: 1
RE: ISA VPN client cannot route to remote VPN site-to-s... - 29.Dec.2011 5:25:39 AM   
hadideveloper

 

Posts: 156
Joined: 20.Jun.2011
Status: offline
Hi,
1- Check which IPs are allowed for VPN clients
2- Check routing as a VPN client with route -print

(in reply to bingyeo)
Post #: 2
RE: ISA VPN client cannot route to remote VPN site-to-s... - 30.Dec.2011 12:08:12 AM   
bingyeo

 

Posts: 23
Joined: 4.Dec.2008
Status: offline
Hi hadideveloper

The VPN clients are currently allowed All Outbound traffic to Internal (10.10.10.0 - 10.10.10.255). I tried adding the Site-to-Site VPN network (address range 10.10.9.0-10.10.9.255, as well as the public static IP of the remote VPN site), which had been created previously, as a destination network to the above rule, but it still does not seem to work.

I did a route print on a VPN client, and I do not see any route for 10.10.9.0 Destination.
There are 2 routes for 0.0.0.0.
   Destination  Netmask  Gateway        Interface      Metric
1. 0.0.0.0      0.0.0.0  192.168.20.1   192.168.20.2   26
2. 0.0.0.0      0.0.0.0  192.168.200.3  192.168.200.3  1

1st route interface belongs to the Internet connection of the client, 2nd route interface belongs to the VPN connection, and the IP address is the current IP for that interface.

I have tried adding a persistent route as follows:

route add -p 10.10.9.0 mask 255.255.255.0 192.168.200.3 IF 0x40005 (IF info taken from Interface List in Route print)

However this still does not work.

(in reply to hadideveloper)
Post #: 3
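
Added example, not part of the thread: a longest-prefix, lowest-metric lookup over the two route print rows quoted in post #3. It shows that the metric 1 default route already sends 10.10.9.x traffic out of the VPN interface, and that the static route from the post selects the same interface. The host 10.10.9.10 and the static route's metric are constructed for illustration.

```python
import ipaddress

# The two default routes quoted in post #3:
# destination, netmask, gateway, interface, metric.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.20.1 192.168.20.2 26
0.0.0.0 0.0.0.0 192.168.200.3 192.168.200.3 1
"""

# The persistent route from post #3; the metric of 1 is an assumption.
STATIC_ROUTE = "10.10.9.0 255.255.255.0 192.168.200.3 192.168.200.3 1\n"


def parse_routes(text):
    """Turn route print rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip headers and blank lines
        dest, mask, gateway, iface, metric = fields
        # Count the set bits of the dotted netmask to get the prefix length.
        prefix = bin(int(ipaddress.ip_address(mask))).count("1")
        network = ipaddress.ip_network(f"{dest}/{prefix}")
        routes.append((network, gateway, iface, int(metric)))
    return routes


def select_route(routes, destination):
    """Most specific matching prefix wins; ties go to the lowest metric."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))


def egress_interface(route_text, destination):
    """Return the interface address the client would send from, or None."""
    route = select_route(parse_routes(route_text), destination)
    return route[2] if route else None


if __name__ == "__main__":
    for label, table in (("as posted", ROUTE_PRINT),
                         ("with static route", ROUTE_PRINT + STATIC_ROUTE)):
        for host in ("10.10.10.7", "10.10.9.10"):
            print(label, host, "->", egress_interface(table, host))
```
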
RE: ISA VPN client cannot route to remote VPN site-to-s... - 30.Dec.2011 3:50:46 AM   
hadideveloper

 

Posts: 156
Joined: 20.Jun.2011
Status: offline
Hi,
As I read your question, I get it:

users(192.168.x.x)--vpn---->office(10.10.10.x)---vpn--->datacenter(10.10.9.x)

If the situation is like this, the problem is in your allowance on the datacenter, and in reconfiguring the site-to-site VPN to allow VPN clients from 192.168.x.x.

(in reply to bingyeo)
Post #: 4
RE: ISA VPN client cannot route to remote VPN site-to-s... - 30.Dec.2011 4:02:00 AM   
bingyeo

 

Posts: 23
Joined: 4.Dec.2008
Status: offline
Hi

That's right.

Users are assigned 192.168.200.x addresses when they connect to the office VPN.
I would like them to be able to connect to the office network (10.10.10.x), which they are able to, as well as to the datacenter (10.10.9.x, connected to the office network via site-to-site VPN).

Is there any routing which I need to do on the ISA servers, or on the VPN clients?

(in reply to hadideveloper)
Post #: 5
RE: ISA VPN client cannot route to remote VPN site-to-s... - 30.Dec.2011 12:21:46 PM   
hadideveloper

 

Posts: 156
Joined: 20.Jun.2011
Status: offline
Hi,
If the VPN clients cannot see the data center, there are two configs which you should do:
1- On the ISA at the office, add routing from VPN clients to the datacenter (on network configuration).
2- On the ISA at the datacenter, check the logs, and if there is any deny rule for VPN clients, add that rule to the ISA.

And the last thing is checking the log of the office's ISA.

(in reply to bingyeo)
Post #: 6
RE: ISA VPN client cannot route to remote VPN site-to-s... - 9.Jan.2012 12:27:36 AM   
bingyeo

 

Posts: 23
Joined: 4.Dec.2008
Status: offline
Hi

The datacenter is using a Sonicwall firewall/gateway. Sorry I did not mention this earlier.

ISA is only being used in the office.

For 1., are you referring to adding a static route on the ISA gateways, or on the VPN clients?

I have 2 ISA gateways (10.10.10.7 and 10.10.10.20) in an array set up for the office network.
Array VIP is 10.10.10.254
A site-to-site VPN is set up to the remote network (10.10.9.x) and is working properly.

I have checked the route tables for both ISA gateways:
10.10.10.7 does not have any route to 10.10.9.x destination, and 10.10.10.20 has a route to 10.10.9.x destination, Gateway 10.10.10.7 on Internal Interface.

Could you advise on how I can create a route from my VPN clients to the datacenter?

Thanks

(in reply to hadideveloper)
Post #: 7
