Hello,
This is an issue with SBS 2003 Premium (running with ISA 2004) and a Cisco 831 IOS Router.
The main office's SBS box has an internal IP address range of 172.16.1.0/24. The Cisco router in the branch office has an internal IP range of 192.168.3.0/24. The IPsec is set up identically on the two units and the tunnel is establishing. From a client machine within the SBS network we can ping and remote to a machine on the Cisco network, but not from the SBS machine itself. From the Cisco network out to the SBS network nothing works (ping, trace, RDP, telnet).
We suspect the problem is that on the SBS server running ISA Server we never set a default gateway on the internal NIC. On the external NIC we set it up normally with its default gateway. So when you are working on the SBS box itself and trying to go somewhere other than 172.16.1.x, it will always go out the external interface, but through the tunnel as encrypted. The Cisco will not accept encrypted traffic from any IP range other than 172.16.1.x, so the packets are discarded.
If we replace the existing Cisco with a PIX, will the external SBS IP be accepted encrypted by the PIX? This will have to happen, as the Cisco network will have to authenticate from the SBS box and the clients will be a part of the domain.
Summary:
- Clients in the SBS network can ping/access/RDP to machines on the Cisco network.
- The SBS machine itself (with ISA running) cannot ping/access/RDP to machines on the Cisco network.
- Clients in the Cisco network can access the Internet, but not anywhere else (including machines on the SBS network, or the SBS itself).
If the SBS (without ISA) were behind another Cisco device, and the tunnel were between two Cisco routers, the problem would be fixed because the SBS would be using the Cisco router's LAN IP as its gateway. It seems to me it's an SBS 2003 / ISA 2004 issue. We have checked the ACLs on the Cisco routers and compared them with Cisco config / TechRepublic guides, and they are all the same settings. Any ideas?
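To make the routing behaviour described in the post concrete, here is an added example that is not part of the original post and not code from any of the products mentioned. It models the poster's hypothesis: a host picks its source address by longest-prefix route lookup, and the peer only accepts traffic whose source falls inside the crypto ACL (172.16.1.0/24 to 192.168.3.0/24). The interface addresses (172.16.1.1 internal, 203.0.113.10 external, 172.16.1.50 for a client) and the route tables are constructed assumptions, not values from the post; the branch-LAN static route is shown only to illustrate how the source selection changes, not as a confirmed fix.

```python
import ipaddress

# Constructed addresses (assumptions, not from the original post).
INTERNAL_IP = "172.16.1.1"     # SBS internal NIC
EXTERNAL_IP = "203.0.113.10"   # SBS external NIC (TEST-NET-3 documentation range)
CLIENT_IP = "172.16.1.50"      # a client on the SBS LAN

# Route tables as (prefix, source address used when that route wins).
# Longest prefix wins, as on Windows and IOS alike.
ROUTES_SBS_NO_INTERNAL_GW = [
    ("172.16.1.0/24", INTERNAL_IP),   # on-link route of the internal NIC
    ("0.0.0.0/0", EXTERNAL_IP),       # default route exists only on the external NIC
]

# Same table plus a static route for the branch LAN via the internal NIC (illustrative).
ROUTES_SBS_WITH_BRANCH_ROUTE = ROUTES_SBS_NO_INTERNAL_GW + [
    ("192.168.3.0/24", INTERNAL_IP),
]

# A single-NIC client: everything leaves with its one LAN address.
ROUTES_CLIENT = [
    ("172.16.1.0/24", CLIENT_IP),
    ("0.0.0.0/0", CLIENT_IP),
]

# Crypto ACL / proxy identities the branch router is assumed to accept.
CRYPTO_ACL_LOCAL = ipaddress.ip_network("172.16.1.0/24")
CRYPTO_ACL_REMOTE = ipaddress.ip_network("192.168.3.0/24")


def select_source(routes, dst):
    """Return the source address a host would use for dst (longest-prefix match)."""
    dst = ipaddress.ip_address(dst)
    best_len, best_src = -1, None
    for prefix, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and net.prefixlen > best_len:
            best_len, best_src = net.prefixlen, src
    if best_src is None:
        raise ValueError(f"no route to {dst}")
    return best_src


def matches_crypto_acl(src, dst):
    """True if a src->dst packet falls inside the tunnel's proxy identities."""
    return (ipaddress.ip_address(src) in CRYPTO_ACL_LOCAL
            and ipaddress.ip_address(dst) in CRYPTO_ACL_REMOTE)


def diagnose(routes, dst):
    """Return (chosen source address, whether the peer's crypto ACL would accept it)."""
    src = select_source(routes, dst)
    return src, matches_crypto_acl(src, dst)


if __name__ == "__main__":
    branch_host = "192.168.3.10"   # constructed branch-office host
    for name, routes in [
        ("client on SBS LAN", ROUTES_CLIENT),
        ("SBS box, no internal gateway", ROUTES_SBS_NO_INTERNAL_GW),
        ("SBS box, with branch route", ROUTES_SBS_WITH_BRANCH_ROUTE),
    ]:
        src, ok = diagnose(routes, branch_host)
        print(f"{name}: source {src}, crypto ACL match: {ok}")
```

On the real SBS box the equivalent check is to compare the output of `route print` against the crypto ACL: whichever interface address the winning route for 192.168.3.0/24 belongs to is the source the peer will see in the proxy identity.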