Welcome to ISAserver.org

Site-to-Site VPN not working

All Forums >> [ISA Server 2004 Firewall] >> VPN >> Site-to-Site VPN not working

Site-to-Site VPN not working - 30.Oct.2004 6:34:00 PM   
wwolfeii

We have a Site-to-Site VPN from ISA 2004 to CP NG configured as follows:

ISA 2004 - based upon the "Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and Third-Party Gateways" documentation

Remote Site VPN using IPSec Tunnel
Remote Site GW: 63.173.0.254
ISA Local External: 66.239.123.100
Remote Address Range: 170.217.0.0 - 170.217.255.255
DMZ Network: 172.16.0.0 - 172.16.255.255

Rule to allow traffic in both directions:
DMZ -> Remote / All Traffic / All Users
Remote -> DMZ / All Traffic / All Users

Our problem is that when we try to FTP from a host at 172.16.0.188 (DMZ) to 170.217.31.27 (Remote), we get notification in the event viewer that the tunnel has been established, but we get no response from the 170.217.31.27 FTP server.

The partner needs to see that the request is coming from 170.217.135.89 and not 172.16.0.188, as it shows in the logs.

How does one create a NAT in ISA 2004 so that the traffic from 172.16.0.188 appears to be coming from 170.217.135.89?
Post #: 1
RE: Site-to-Site VPN not working - 31.Oct.2004 2:54:00 AM   
ClintD

ISA doesn't have this IP address (170.217.135.89) assigned from the description you provided - it is an IP in the remote subnet. ISA can't NAT from this IP address if it's not assigned - that would be a spoofed packet.

(in reply to wwolfeii)
Post #: 2
RE: Site-to-Site VPN not working - 31.Oct.2004 1:45:00 PM   
wwolfeii

Thank you for that information. My next question: the "Business Partner" has told us that our assigned IP range for devices that they will accept connections from is 170.217.135.88/30. Therefore we chose the first address, 170.217.135.89, and need to NAT that to our DMZ address 172.16.0.188 for the FTP server.

The Site-to-Site VPN configuration has this network block assigned to it: 170.217.0.0/16 (the partner's internal range, including the block they gave us), as well as their gateway 63.173.0.254.

They inform us that they have hundreds of partners doing it this way, so it should be simple; however, we just can't seem to get it to work.

I guess ultimately we need to know how we make an FTP server behind ISA 2004 in a DMZ allow connections from their address block. Also, we need to be able to FTP back to them to the address of an FTP server (170.217.31.27).

Thanks. If you need a drawing of this configuration, please give me your email address and I will send one.

(in reply to wwolfeii)
Post #: 3
RE: Site-to-Site VPN not working - 31.Oct.2004 2:29:00 PM   
ClintD

Are they allowing you to assign the IP address 170.217.135.89 to a system on your network (ISA hopefully)?

This is what is unclear in the description you've provided.

(in reply to wwolfeii)
Post #: 4
RE: Site-to-Site VPN not working - 31.Oct.2004 5:53:00 PM   
wwolfeii

Actually the 170.217.135.89 address is for the FTP server protected by ISA 2004.

I believe that I have this working now; however, I had to create a completely separate network in ISA 2004, bind 170.217.135.89 to the DMZ card on the FTP server and 170.217.135.90 to the ISA 2004 DMZ card, and set up multiple persistent routes on the FTP server for the hosts at the partner end, using ISA as the gateway.

In fact, other than the Site-to-Site VPN IPSec Tunnel in ISA 2004, this turned out to be totally a "Routing" configuration within ISA and on the FTP Server itself.

Thanks again for your questions, as they had me re-think the problem.

(in reply to wwolfeii)
Post #: 5
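The address plan the poster ended up with, worked through as an added example (this is not code from the thread or from ISA Server): the partner's /30 has exactly two usable addresses, which is why one went to the FTP server's DMZ NIC and the other to ISA's DMZ NIC; that /30 sits inside the 170.217.0.0/16 range defined on the tunnel as the remote site, which is why a separate ISA network was needed and the remote range has to be carved around it; and the FTP server needs persistent host routes for the partner hosts via ISA's DMZ address. The `netsh` and `route -p add` lines generated at the end are standard Windows Server 2003 commands, not anything the thread shows; the interface name `"DMZ"` and the single-host partner list are assumptions. The script uses only the Python standard library.

```python
import ipaddress

# Address plan as posted in the thread
TUNNEL_REMOTE_RANGE = ("170.217.0.0", "170.217.255.255")  # "Remote Address Range" on the ISA tunnel
PARTNER_ASSIGNED_BLOCK = "170.217.135.88/30"                # block the partner allocated to this site
FTP_SERVER_DMZ_ADDRESS = "170.217.135.89"                   # bound to the FTP server's DMZ NIC
ISA_DMZ_ADDRESS = "170.217.135.90"                          # bound to ISA's DMZ NIC
PARTNER_HOSTS = ["170.217.31.27"]                           # partner hosts the FTP server must reach (assumed list)
DMZ_INTERFACE_NAME = "DMZ"                                  # assumed Windows connection name (hypothetical)


def usable_hosts(block):
    """All assignable host addresses in a CIDR block (network and broadcast excluded)."""
    return [str(h) for h in ipaddress.ip_network(block, strict=True).hosts()]


def range_to_networks(first, last):
    """ISA 2004 defines networks as address ranges; convert one to CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def overlaps_tunnel_range(block, tunnel_range):
    """True if the locally assigned block falls inside the tunnel's remote range.

    ISA network definitions must not overlap, so when this is True the local
    block needs its own network and must be excluded from the remote range."""
    net = ipaddress.ip_network(block)
    return any(net.overlaps(n) for n in range_to_networks(*tunnel_range))


def carve_out(block, tunnel_range):
    """Remote range(s) left once the local block is excluded, as (first, last) pairs."""
    local = ipaddress.ip_network(block)
    pieces = []
    for n in range_to_networks(*tunnel_range):
        if n.subnet_of(local):
            continue                                   # entirely local: drop it
        pieces.extend(n.address_exclude(local) if n.overlaps(local) else [n])
    ranges = []
    for n in sorted(ipaddress.collapse_addresses(pieces)):
        if ranges and int(ranges[-1][1]) + 1 == int(n.network_address):
            ranges[-1] = (ranges[-1][0], n.broadcast_address)   # extend a contiguous run
        else:
            ranges.append((n.network_address, n.broadcast_address))
    return [(str(a), str(b)) for a, b in ranges]


def host_config_commands(block, server_address, gateway_address, partner_hosts, interface_name):
    """Commands for the FTP server (Windows Server 2003 era): bind the partner-facing
    address to the DMZ NIC and add one persistent host route per partner host via ISA."""
    hosts = usable_hosts(block)
    if server_address not in hosts or gateway_address not in hosts:
        raise ValueError("server and gateway must both be usable addresses in the assigned block")
    if server_address == gateway_address:
        raise ValueError("server and gateway cannot share an address")
    mask = str(ipaddress.ip_network(block).netmask)
    cmds = [f'netsh interface ip add address "{interface_name}" {server_address} {mask}']
    cmds += [f"route -p add {h} mask 255.255.255.255 {gateway_address}" for h in partner_hosts]
    return cmds


if __name__ == "__main__":
    print("usable hosts in", PARTNER_ASSIGNED_BLOCK, "->", usable_hosts(PARTNER_ASSIGNED_BLOCK))
    print("local block inside tunnel remote range:",
          overlaps_tunnel_range(PARTNER_ASSIGNED_BLOCK, TUNNEL_REMOTE_RANGE))
    for first, last in carve_out(PARTNER_ASSIGNED_BLOCK, TUNNEL_REMOTE_RANGE):
        print("remote range to keep on the tunnel:", first, "-", last)
    for cmd in host_config_commands(PARTNER_ASSIGNED_BLOCK, FTP_SERVER_DMZ_ADDRESS,
                                    ISA_DMZ_ADDRESS, PARTNER_HOSTS, DMZ_INTERFACE_NAME):
        print(cmd)
```

Running it shows the two remote ranges that stay on the tunnel definition (170.217.0.0 - 170.217.135.87 and 170.217.135.92 - 170.217.255.255) and the per-host routes; the host routes are deliberately /32 so the directly connected /30 on the DMZ NIC never competes with them.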
RE: Site-to-Site VPN not working - 31.Oct.2004 5:57:00 PM   
ClintD

Ahh - good deal.

(in reply to wwolfeii)
Post #: 6
RE: Site-to-Site VPN not working - 11.Nov.2004 2:27:00 AM   
phillipm

Hi bud,

Having to configure the same as yourself for our site-to-site VPN to a third party!

My question is: is the FTP server multi-homed, or did you just bind that to the one NIC?

My current config is ISA Server 2004 with three NICs, tri-homed DMZ with private addresses instead of public:

1 x NIC = LAT 172.16.0.0
1 x NIC = DMZLAT 192.168.0.0
1 x NIC = PUBLIC

Web servers are sitting on the DMZLAT.

(in reply to wwolfeii)
Post #: 7
