ISA block VPN packet

Posted on 2003-03-24
Last Modified: 2008-02-01
I've been searching forever on this one. Your help would be generously appreciated.

We got an I.S.A server in front of our organization.
I configured my system so that local users on my LAN can connect to our firewall server through a VPN connection. This part is working perfectly right.
I now need to configure the ISA server to allow remote users to gain access to our network through the Internet.
I can monitor our router to see that port 1723 traffic is indeed routed to our I.S.A server machine; however, our I.S.A machine does not respond back to the client and an "Error 678: There was no answer" message appears.

Here is what I did so far with no luck:

1) In the "IP Packet Filter" section I created two additional rules that allow port 1723 and port 47 to be routed.
   Also in that section I right-clicked on "IP Packet Filter" and selected "properties", then selected "Enabled packet filtering", "Enabled IP routing" and "Enabled intrusion detection" from the general tab.
I also selected "PPTP through ISA firewall" from the PPTP tab.

2) I opened port 1723 and port 47 in the "protocol rules" section.

3) I repeated step 2 for the "access policy" and "Server publishing rules" sections as well.

Network structure (not sure if relevant)
----------------------------------------

* In front of our organization there is a router which redirects all relevant protocol traffic from the Internet to the I.S.A server machine.

* Our I.S.A server machine has its own segment and it is working in workgroup mode outside our domain.

* Our I.S.A server has two network adapters: one for the in/out Internet-to-LAN connection and the other one for traffic inside the LAN only.

Question by:zeheb
22 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 8194263
>and port 47
It is not TCP port 47, it is PROTOCOL 47, GRE that you must permit
0
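Added example, not part of the original thread: a small Python classifier showing why a rule for "port 47" never matches PPTP data traffic. GRE is IP protocol 47 and has no ports, while the control channel is TCP 1723. The packets are constructed samples using documentation addresses, and the `(protocol, port)` rule model is a hypothetical simplification, not ISA Server's own rule format.

```python
import struct

IPPROTO_TCP, IPPROTO_GRE = 6, 47     # values of the IPv4 header "protocol" field
PPTP_CONTROL_PORT = 1723             # TCP port of the PPTP control channel
PPTP_GRE_TYPE = 0x880B               # protocol type in PPTP's enhanced GRE header (RFC 2637)

def ipv4(proto, payload, src=b"\xcb\x00\x71\x0a", dst=b"\xc6\x33\x64\x01"):
    """Constructed sample packet: minimal IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

def tcp_syn(dport, sport=40000):
    """Constructed 20-byte TCP SYN header (checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def parse(packet):
    """Return (ip_protocol, tcp_dst_port or None, gre (flags_version, type) or None)."""
    ihl = (packet[0] & 0x0F) * 4     # IPv4 header length in bytes
    proto, body = packet[9], packet[ihl:]
    dport = struct.unpack("!H", body[2:4])[0] if proto == IPPROTO_TCP else None
    gre = struct.unpack("!HH", body[:4]) if proto == IPPROTO_GRE else None
    return proto, dport, gre

def classify(packet):
    """Label a packet by IP protocol first; ports only exist inside TCP/UDP."""
    proto, dport, gre = parse(packet)
    if proto == IPPROTO_GRE:
        is_pptp = (gre[0] & 0x7) == 1 and gre[1] == PPTP_GRE_TYPE   # GRE version 1
        return "pptp-data-gre" if is_pptp else "gre-other"
    if proto == IPPROTO_TCP and dport == PPTP_CONTROL_PORT:
        return "pptp-control"
    if proto == IPPROTO_TCP and dport == 47:
        return "tcp-port-47-not-gre"
    return "other"

def permitted(packet, rules):
    """rules: set of (ip_protocol, dst_port) pairs; dst_port is None for portless protocols."""
    proto, dport, _ = parse(packet)
    return (proto, dport) in rules

# Constructed samples: control SYN, a PPTP GRE data packet (K bit set, version 1,
# payload length 0, call ID 1), and a TCP SYN to port 47.
CONTROL = ipv4(IPPROTO_TCP, tcp_syn(1723))
DATA = ipv4(IPPROTO_GRE, struct.pack("!HHHH", 0x2001, PPTP_GRE_TYPE, 0, 1))
TCP47 = ipv4(IPPROTO_TCP, tcp_syn(47))

PORT_ONLY_RULES = {(IPPROTO_TCP, 1723), (IPPROTO_TCP, 47)}    # "opened ports 1723 and 47"
CORRECT_RULES = {(IPPROTO_TCP, 1723), (IPPROTO_GRE, None)}    # TCP 1723 plus IP protocol 47
```

With `PORT_ONLY_RULES` the control connection is admitted but the GRE data packet is not, so the tunnel cannot carry data.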
 
LVL 1

Author Comment

by:zeheb
ID: 8194325
>> It is not TCP port 47, it is PROTOCOL 47, GRE that you must permit

Do you know what port I must open that corresponds to the above protocol? How do I configure it?
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 8196054
ISA will not allow PPTP to connect inbound through the ISA.  That would require the ISA server to be able to publish GRE.  It cannot.  The only thing you can do is allow ISA to terminate the VPN, you cannot pass it through.
0
 
LVL 1

Author Comment

by:zeheb
ID: 8196146
You mean to tell me there is no way I can allow my remote users to use VPN to gain access to my network?
>> I also selected "PPTP through ISA firewall" from the PPTP tab.

Then what does it mean?

How do other organizations allow VPN?
0
 
LVL 11

Accepted Solution

by:
geoffryn earned 2000 total points
ID: 8196264
That allows client systems to connect outbound to VPNs; it does not allow PPTP to traverse the ISA inbound.  Other orgs terminate the VPN on the ISA server itself and allow access to hosts on the internal network from there.   ISA has a set of configuration wizards to help you.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 8199835
Geoffryn is correct.  Terminate your VPN connection at the ISA server itself.

0
 
LVL 4

Expert Comment

by:huckey
ID: 8200301
geoffryn.

Check out ISAserver.org; it has a large number of VPN-related step-by-step guidelines.

There are too many of them to list here; however, they are extremely easy to find.

This site is a must-have for any ISA configs.
0
 
LVL 1

Author Comment

by:zeheb
ID: 8201164
>> Other orgs terminate the VPN on the ISA....

o.k: How do I config that?
I'm new to this field.
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 8203609
Run the Local VPN wizard in ISA Management.
0
 
LVL 1

Author Comment

by:zeheb
ID: 8208967
Sorry for the delay.
I can't seem to find this wizard.
Where can I find it?
How can I trigger it?
I'm new to this field so take it easy please.
0
 
LVL 1

Author Comment

by:zeheb
ID: 8210978
I heard that ISA can work in a "client server" configuration.
This means, so I heard, that ISA should be installed on both the server and the workstation side (i.e. on the "win2k pro" and "win2k server" OS) in this configuration. Could it be that the ISA "Local VPN wizard" can be found only in the above configuration? I did some reading, and every tutorial I read insists that the "Local VPN wizard" should be triggered by right-clicking the "Network Configuration" node and choosing that wizard from the menu that appears.

I triple-checked it, however, and I'm positive that there is no such option in that menu in my case. Could it be because I'm not working with a "client server" configuration and the referenced tutorial just assumes that I am? If so, how can I change that configuration?

Thank you

zeheb -)
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 8211229
In ISA Management, click Home, Configure Servers and Arrays, Configure Network Connection, then click the configure Local VPN.

 
0
 
LVL 1

Author Comment

by:zeheb
ID: 8217151
>>In ISA Management, click Home, Configure Servers and Arrays, Configure Network Connection, then click the configure Local VPN

But there is no such option in my case.
I don't know why. You can look at my ISA screenshot at:
http://www.bluebird-optical-mems.com/ISAScreenshot/ISAScreenshot.jpg
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 8218515
Lower right hand corner of the screen.  Click Home,  Configure Servers and Arrays, Configure Network Connection, then click the configure Local VPN.

0
 
LVL 1

Author Comment

by:zeheb
ID: 8404724
I appreciate very much your time and effort to help me.
I'm sorry for the long period of waiting time.

I'm afraid I get no "Configure Network Connection" section in my ISA. I don't know why. I just don't have it as shown in the site above. Is it OK with you if I just erase this question since no one has been able to resolve this issue?
If so, how shall I do it? I couldn't find the link for this as well.
0
 

Expert Comment

by:CleanupPing
ID: 9152932
zeheb:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 5

Expert Comment

by:juliancrawford
ID: 10088595
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: geoffryn {http:#8196264}

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Julian Crawford
EE Cleanup Volunteer
0
