Solved

ISA block VPN packet

Posted on 2003-03-24
Last Modified: 2008-02-01
I've been searching forever on this one. Your help would be generously appreciated.

We have got an I.S.A server in front of our organization.
I configured my system so that local users on my LAN can connect to our firewall server through a VPN connection. This part is working perfectly right.
I now need to configure the ISA server to allow remote users to gain access to our network through the internet.
I can monitor our router to see that port 1723 traffic is indeed routed to our I.S.A server machine; however, our I.S.A machine does not respond back to the client and an "Error 678: There was no answer" message appears.

Here is what I did so far with no luck:

1) In the "IP Packet Filter" section I created two additional rules that allow port 1723 and port 47 to be routed.
   Also in that section I right-clicked on "IP Packet Filter" and selected "Properties", then selected "Enabled packet filtering", "Enabled IP routing" and "Enabled intrusion detection" from the General tab.
   I also selected "PPTP through ISA firewall" from the PPTP tab.

2) I opened port 1723 and port 47 in the "Protocol rules" section.

3) I repeated step 2 also for the "access policy" and "Server publishing rules" sections.

Network structure (not sure if relevant)
----------------------------------------

* In front of our organization there is a router which redirects all relevant protocol traffic from the internet to the I.S.A server machine.

* Our I.S.A server machine has its own segment and it is working in workgroup mode outside our domain.

* Our I.S.A server has two network adapters: one for the in/out Internet-to-LAN connection and the other one just for inside-LAN traffic.

Question by:zeheb
23 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 8194263
>and port 47
It is not TCP port 47, it is PROTOCOL 47, GRE that you must permit
0
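An added illustration of the point in the comment above (not code from the thread or from ISA Server): a toy packet filter showing why rules written as "port 1723 and port 47" pass the PPTP control channel but never match the GRE tunnel, which is IP protocol 47 and has no ports. The helper names, the rule format and the constructed packets (documentation-range addresses) are assumptions made for this example.

```python
import struct

TCP, UDP, GRE = 6, 17, 47  # IANA IP protocol numbers

def ipv4(proto, payload):
    """Build a minimal constructed IPv4 packet (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0,
                      bytes([203, 0, 113, 10]),   # constructed source
                      bytes([192, 0, 2, 1]))      # constructed destination
    return hdr + payload

def tcp_syn(dport, sport=40000):
    """Minimal 20-byte TCP header with only SYN set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def classify(packet):
    """Return (ip_protocol, dest_port); dest_port is None unless TCP/UDP."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                     # IPv4 Protocol field
    if proto in (TCP, UDP) and len(packet) >= ihl + 4:
        return proto, struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, None

def allowed(packet, rules):
    """rules: list of (ip_protocol, dest_port); a port of None matches
    on the protocol number alone."""
    proto, dport = classify(packet)
    return any(p == proto and (port is None or port == dport)
               for p, port in rules)

# Constructed sample traffic for one PPTP session:
control = ipv4(TCP, tcp_syn(1723))        # control channel, TCP 1723
# Enhanced GRE header (version 1, protocol type 0x880B = PPP), no payload
tunnel = ipv4(GRE, struct.pack("!HHHHI", 0x3001, 0x880B, 0, 1, 0))

AS_POSTED = [(TCP, 1723), (TCP, 47)]      # "port 1723 and port 47"
CORRECTED = [(TCP, 1723), (GRE, None)]    # TCP 1723 plus IP protocol 47

def pptp_passes(rules):
    """Return (control_allowed, tunnel_allowed) for a rule set."""
    return allowed(control, rules), allowed(tunnel, rules)

if __name__ == "__main__":
    print("as posted:", pptp_passes(AS_POSTED))
    print("corrected:", pptp_passes(CORRECTED))
```
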
 
LVL 1

Author Comment

by:zeheb
ID: 8194325
>> It is not TCP port 47, it is PROTOCOL 47, GRE that you must permit

Do you know what port I must open that corresponds to the above protocol? How do I configure it?
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 8196054
ISA will not allow PPTP to connect inbound through the ISA.  That would require the ISA server to be able to publish GRE.  It cannot.  The only thing you can do is allow ISA to terminate the VPN, you cannot pass it through.
0

 
LVL 1

Author Comment

by:zeheb
ID: 8196146
You mean to tell me there is no way I can allow my remote users to use VPN to gain access to my network?
>> I also select "PPTP through ISA firewall" from the PPTP tab.

Then what does it mean?

How do other organizations allow VPN?
0
 
LVL 11

Accepted Solution

by:
geoffryn earned 2000 total points
ID: 8196264
That allows client systems to connect outbound to VPNs; it does not allow PPTP to traverse the ISA inbound. Other orgs terminate the VPN on the ISA server itself and allow access to hosts on the internal network from there. ISA has a set of configuration wizards to help you.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 8199835
Geoffryn is correct.  Terminate your VPN connection at the ISA server itself.

0
 
LVL 4

Expert Comment

by:huckey
ID: 8200301
geoffryn.

Check out ISAserver.org; it has a large number of VPN-related step-by-step guidelines.

There are too many of them to list here; however, they are extremely easy to find.

This site is a must-have for any ISA configs.
0
 
LVL 1

Author Comment

by:zeheb
ID: 8201164
>> Other orgs terminate the VPN on the ISA....

OK: how do I configure that?
I'm new to this field.
0
 
 
LVL 11

Expert Comment

by:geoffryn
ID: 8203609
Run the Local VPN wizard in ISA Management.
0
 
LVL 1

Author Comment

by:zeheb
ID: 8208967
Sorry for the delay.
I can't seem to find this wizard.
Where can I find it?
How can I trigger it?
I'm new to this field so take it easy please.
0
 
LVL 1

Author Comment

by:zeheb
ID: 8210978
I heard that ISA can work in a "client server" configuration.
This means, so I heard, that ISA should be installed on both the server and the workstation side (i.e. on the "win2k pro" and "win2k server" OS) in this configuration. Could it be that the ISA "Local VPN wizard" can be found only in the above configuration? I ask because I did some reading, and every tutorial I read insists that the "Local VPN wizard" should be triggered by right-clicking the "Network Configuration" node and choosing that wizard from the menu that appears.

I triple-checked it, however, and I'm positive that there is no such option in that menu in my case. Could it be because I'm not working with a "client server" configuration and the referred tutorial just assumes that I am? If so, how can I change that configuration?

Thank you

zeheb -)
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 8211229
In ISA Management, click Home, Configure Servers and Arrays, Configure Network Connection, then click the configure Local VPN.

 
0
 
LVL 1

Author Comment

by:zeheb
ID: 8217151
>>In ISA Management, click Home, Configure Servers and Arrays, Configure Network Connection, then click the configure Local VPN

But there is no such option in my case.
I don't know why. You can look at my ISA screenshot at:
http://www.bluebird-optical-mems.com/ISAScreenshot/ISAScreenshot.jpg
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 8218515
Lower right hand corner of the screen.  Click Home,  Configure Servers and Arrays, Configure Network Connection, then click the configure Local VPN.

0
 
LVL 1

Author Comment

by:zeheb
ID: 8404724
I very much appreciate your time and effort to help me.
I'm sorry for the long period of waiting time.

I'm afraid I have no "Configure Network Connection" section in my ISA. I don't know why. I just don't have it as shown in the site above. Is it OK with you if I just erase this question, since no one has been able to resolve this issue?
If so, how shall I do it? I couldn't find the link for this as well.
0
 

Expert Comment

by:CleanupPing
ID: 9152932
zeheb:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 5

Expert Comment

by:juliancrawford
ID: 10088595
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: geoffryn {http:#8196264}

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Julian Crawford
EE Cleanup Volunteer
0
