Welcome to ISAserver.org


RE: Discussion about article on site to site VPN between ISA 2000 and the ISA firewall

RE: Discussion about article on site to site VPN betwee... - 18.May2006 10:41:50 AM   
Adham

 

Posts: 4
Joined: 12.Apr.2005
From: Amman, Jordan
Status: offline
by the way, when i ran netstat -n on one of the SQL servers i got the following result:

C:\Documents and Settings\Karol>netstat -n

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.2.10:4086      192.168.16.1:445       SYN_SENT
  TCP    192.168.2.10:4087      192.168.16.1:139       SYN_SENT
(this is just a couple of rows)


The state SYN_SENT means that an application has made a request for a TCP session, but has not yet received the return SYN+ACK packet.

(in reply to Adham)
Post #: 21
RE: Discussion about article on site to site VPN betwee... - 24.May2006 4:17:11 PM   
acrimony

 

Posts: 1
Joined: 24.May2006
Status: offline
Hi Tom,

Great article.  Thanks for the help.  I have what is probably a n00b question, but I'll ask it anyway:

Where I work we have 1 main site, and 2 secondary sites connected by T1's to the main site.  All three sites are running different NAT'd subnets.  Our ISA/Proxy/Firewall server at the main site handles internet bound traffic for all 3 sites.

We are interested in linking the two secondary sites together by getting them each a DSL connection, and then setting up a VPN between them (In this scenario we would get another ISA server for each secondary site).  What you describe in the article about demand-dial seems to fit perfectly, but my question is:

Is there a way, with the ISA servers at each secondary site, to have each site's internet bound traffic use the DSL connection at that site while also maintaining the demand-dial VPN link between the secondary sites?
So essentially what I'm wondering is if you can have a demand-dial VPN established between two ISA servers, and route it such that all traffic between internal subnets uses the VPN tunnel AND all traffic going out to the internet from a given site is routed through the DSL line at that site bypassing the VPN.

I'd greatly appreciate any information that would help me understand this better.  Thanks.

-acrimony

(in reply to Adham)
Post #: 22
RE: Discussion about article on site to site VPN betwee... - 7.Jul.2006 5:51:47 AM   
tomsimon

 

Posts: 17
Joined: 28.Mar.2006
Status: offline
I am having a problem where I get my site to site L2TP VPN connected between my main and branch offices, but I cannot even ping from the branch office any IP address at the main office.  I can ping a remote client from the main office.

Main Office
========
192.168.1.1: router
192.168.1.3 - 192.168.1.99: Assigned to VPN clients via static address pool
192.168.1.100 - 192.168.1.255: DHCP assigned to rest of local clients (ISA in here)

Branch Office
==========
10.2.1.1 - ISA
10.2.1.10 - test client (IP manually assigned)

In my Main Office event log I get the error:
ISA Server detected routes through adapter "External Network" that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.)  The address ranges in conflict are: 169.254.255.255-169.254.255.255;192.168.1.0-192.168.1.0;.

I also get another event with the same error but different IP range:  The address ranges in conflict are: 10.2.0.0-10.2.1.0 (adapter "Branch")

In my Branch Office event log I get the same message regarding these address ranges:
192.168.1.1 - 192.168.1.2; 192.168.1.100 - 192.168.1.254 (adapter "MAIN")
10.2.0.0 - 10.2.0.255; 10.2.255.255 - 10.255.255.255 (adapter "EXTERNAL NETWORK")
192.168.1.4 - 192.168.1.4 (adapter "LOOPBACK")
0.0.0.1 - 10.1.255.255; 10.3.0.0 - 10.255.255.254;  ...... on and on and on (adapter "INTERNAL NETWORK")

I believe I have set up the VPN remote sites, Networks, Network Rules, and Access rules correctly, but I see conflicting information on whether static routes and/or subnets added to ISA Server are required.  I saw no reference to either of these in the Microsoft document "ISA Server 2004 Branch Office Kit" that I followed.

Thanks for the help.

Tom

(in reply to Adham)
Post #: 23
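The alert Tom quotes is the firewall comparing each network's defined address ranges against the routing table: any part of a range that the routing table would forward out a different adapter is listed as "in conflict", and packets from it arriving on the defining adapter can be dropped as spoofed. The following is an added example, not code from the poster or from ISA Server, that reproduces that check for a constructed routing table and network definitions; the adapter names, routes and ranges are made up to resemble the Branch scenario above, not taken from Tom's configuration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

def lookup(routes: List[Tuple[ipaddress.IPv4Network, str]], addr: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match: the adapter the routing table would forward addr through."""
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def find_conflicts(networks: Dict[str, List[Tuple[str, str]]],
                   routes: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Per network (keyed by its adapter), return the address ranges inside its
    definition that the routing table sends out a *different* adapter: the
    'address ranges in conflict' the alert reports."""
    rt = [(ipaddress.ip_network(p), a) for p, a in routes]
    out: Dict[str, List[Tuple[str, str]]] = {}
    for adapter, ranges in networks.items():
        for first, last in ranges:
            lo = int(ipaddress.ip_address(first))
            hi = int(ipaddress.ip_address(last)) + 1          # half-open [lo, hi)
            # Forwarding can only change at a route prefix boundary, so test one address per sub-interval.
            cuts = {lo, hi}
            for net, _ in rt:
                for b in (int(net.network_address), int(net.broadcast_address) + 1):
                    if lo < b < hi:
                        cuts.add(b)
            pts = sorted(cuts)
            runs: List[Tuple[int, int]] = []
            for s, e in zip(pts, pts[1:]):
                if lookup(rt, ipaddress.ip_address(s)) != adapter:
                    if runs and runs[-1][1] == s - 1:           # merge adjacent conflicting runs
                        runs[-1] = (runs[-1][0], e - 1)
                    else:
                        runs.append((s, e - 1))
            for s, e in runs:
                out.setdefault(adapter, []).append(
                    (str(ipaddress.ip_address(s)), str(ipaddress.ip_address(e))))
    return out

# Constructed data: the remote-site network is defined wider (10.2.0.0-10.2.1.255)
# than the route that actually points at the VPN interface (10.2.1.0/24).
ROUTES = [("0.0.0.0/0", "External Network"), ("192.168.1.0/24", "Internal Network"),
          ("10.2.1.0/24", "Branch")]
NETWORKS = {"Internal Network": [("192.168.1.0", "192.168.1.255")],
            "Branch": [("10.2.0.0", "10.2.1.255")]}

if __name__ == "__main__":
    for adapter, ranges in find_conflicts(NETWORKS, ROUTES).items():
        print(f'adapter "{adapter}": ' + ";".join(f"{a}-{b}" for a, b in ranges))
```

With the constructed data the only conflict is 10.2.0.0-10.2.0.255 on adapter "Branch", because that slice of the definition falls through to the default route; either narrowing the network definition or adding a route for it through the VPN interface clears the alert.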
