Hello, ISA 2K is running on server 2003. The internal card is running on a 10.0.0.0/24 network, and the external card is running on a 192.168.0.0/24 network. From the ISA server I can create an outbound PPTP session to a remote VPN server. From a client on the 10.0.0.0 network I cannot create an outbound session to a PPTP VPN Server. Rule outbound PPTP Call allows 10.0.0.0/24 to any destination. The Packet Rule allows outbound PPTP through ISA. I have been scratching my head on this for hours. Anybody seen this before? What's missing?
Yes it is. And clients used to be able to create outbound VPN sessions. I changed the External IP address from our class "C" public address to a private routable address "192.168.0.2". And ever since that change was made only the ISA server can make outbound PPTP VPN sessions.
The LAT was changed to include the 10x network only.

From            To
10.0.0.0        10.0.0.255
10.255.255.255  10.255.255.255

I can make outbound VPN sessions to "server1" PPTP VPN server, however I cannot make outbound PPTP VPN sessions to "server2". Both server1 & server2 are on different public IP networks. And I verified that I could access both server1 & server2 PPTP VPN Servers from a different ISP. I verified that server2 is allowing any remote IP to connect to its VPN server. What am I missing?
Also somehow the VPN server stopped taking inbound connections. When I try to connect to the VPN server from a remote location, I get the connecting to site, followed by verifying username/password, and eventually an error 721 occurs. Not really sure what happened. I have verified that the Firewall is forwarding port 1723 to the VPN server. And GRE is on.
Because your internal network ID is 10.0.0.0/24 the LAT should only contain the entry '10.0.0.0 10.0.0.255'. However, this does not sound like the problem!
So, you have changed the ISA external interface from a public to a private IP range. May I assume then that in the old config ISA was directly connected to the Internet and that in the new config there is some upstream NAT box or firewall? Therefore, did you already check that from a workstation connected to the ISA external subnet (192.168.0.0/24) you can make the outbound VPN connections to both VPN servers?
Also, from the same workstation connected to the ISA external subnet (192.168.0.0/24) can you make an inbound VPN connection to the ISA server?
I'll remove the additional 10.255.255.255 LAT Entry for good measure. And you are correct, there is an upstream NAT router. However the only device in the 192.168.0.0/24 subnet is the external NIC on the ISA server. So I will not be able to do any further testing in that subnet (the NAT router plugs directly into the ISA External NIC). If you suggest putting a switch between the Upstream NAT router & ISA External NIC for testing purposes I will gladly give it a shot. And from this newly installed switch in the 192.168.0.0/24 subnet I will plug in a laptop and attempt to make outbound & inbound VPN connections. If it works (and I suppose it will), can you think of any other issues or rules in ISA that would prevent outbound PPTP VPN calls to hosts that we used to be able to access? Thanks again, you are proving to be invaluable!
Yes, I suggest putting a little hub or switch between the NAT router and the ISA external interface to make some tests. In that way it should be fairly easy to determine where the problem is situated.
Because all seems to be configured correctly, at least for the outbound VPN connections, I guess there is a problem with the NAT router or something must be screwed-up with changing the external interface.