Thanks for the article; it helped out a lot. I'm having a problem and maybe you guys can shed some light. The IKE connection is established and I can start to ping two IPs in the internal range (10.0.0.1 and 10.0.0.100). After a while of pinging, 10.0.0.100 stops responding and 10.0.0.1 continues. I checked the Alerts and I have the following two errors:
Spoof attack on 10.0.0.100...
ISA Server detected routes through adapter "External" that do not correlate with the network element to which this adapter belongs. The adapter ranges in conflict are: 10.255.255.255 - 10.255.255.255...
It turns out I figured out what my problem was. The test machine I was pinging on the internal LAN (10.0.0.100) was establishing a VPN connection to the ISA server as well, ending up with an adaptor in the private IP range (172.x.x.x). Whenever I have the VPN connection up on this machine, the ping starts to fail. I guess ISA feels there's some spoofing going on. This won't be a real problem because I won't have clients on the inside establishing VPN connections.
From: Curitiba/PR - Brasil
quote: Originally posted by ne0nm4n: Is it possible to set up the DI-804HV so it routes all traffic through the VPN tunnel to the ISA server? If so, can you let me know what I need to do?
Well, you could create filters on the D-Link in order to allow only traffic going to your HQ network and the ISA External IP Address and block all the rest. I don't know if it's possible but it should!
There are a couple of questions. 1. Can we assign the IPsec policy on the ISA Server 2000 and also open some UDP ports for IPsec to make the ISA 2000 support IPsec VPN? I remember it was UDP 500, 4500 and something.
2. ISA 2000 only supports ISA to ISA in the Gateway to Gateway mode. What if there are only a couple of computers in the branch office and there is a cheap router to hook up all the computers to the internet? Is there any cheap router (Linksys, SMC, D-Link) that can support VPN (site to site) with ISA 2000?
3. Does the remote site have to use a static IP address? I know the Cisco device can support an IP pool on IPsec VPN. How about ISA 2004? Because most remote sites don't have a static IP address.
RE: Discussion for article on Site to Site ISA to DLink... - 28.Sep.2004 4:57:00 PM
Hi, thanks for the article. I have done a similar configuration with a Draytek DSL router. I can do everything I need to (file share browsing, Exchange access, etc.) apart from getting the firewall client to connect to the ISA server, or being able to use the web proxy client to browse the web. I would still like my clients to browse the web via the ISA server because of the HTTP filter and GFI. I don't think they can because the web proxy requests are coming from a network outside 'Internal'. Is this correct, and if so, how do I fix it? Also, my Draytek does not like it if I include the gateway address of the ISA server as part of the VPN networks protected by ISA, but I can include the gateway address of the Draytek in the ISA config.
RE: Discussion for article on Site to Site ISA to DLink... - 8.Oct.2004 9:59:00 AM
Hi, thanks for the reply! Yes, absolutely everything works except for the web proxy stuff. At present I have got around this by tunneling my Draytek into a Checkpoint box that runs in parallel to my ISA 2004 at the head office. I have then included the 'draytek' remote network in the internal network object on the ISA 2004 and all works perfectly. It is my aim to remove the Checkpoint at some point in the future and have the Drayteks tunnelling in to the ISA once I have the web proxy client issue sorted.