Solved

ISA Server 2004 Site to Site VPN

Posted on 2006-06-05
Last Modified: 2013-11-16
To whoever reads this:

This is possibly the hardest question I have posted, and the solution has eluded me for the last three days; I am on the verge of giving up altogether on trying to get this to work.  The problem has probably arisen because I am attempting to make something work in what everyone else would think is an impossible scenario.  I applied logic to this problem and I think it should work, but it just doesn't.  Here goes:

I have two networks - they are separated by the Internet.  My main network at the HQ is set up as follows:

One Server - Two NICS
NIC One - Internal Network - Range 192.168.1.0 Mask 255.255.255.0
NIC Two - Perimeter Network - Range 10.0.10.0 Mask 255.255.255.0 Gateway 10.0.10.1

The Perimeter network is connected to my ADSL Router (10.0.10.1) which obviously services the Internet.  All incoming connections to my ADSL router are immediately forwarded to the Perimeter NIC.

My network at the Branch Office is set up as follows:

One Server - Two NICS
NIC One - Internal Network - Range 192.168.2.0 Mask 255.255.255.0
NIC Two - Perimeter Network - Range 10.0.11.0 Mask 255.255.255.0 Gateway 10.0.11.1

The Perimeter network is connected to my ADSL Router (10.0.11.1) which in turn is connected to an ADSL Modem.  The Router is a WAN router so I had to use a modem to do the modem-y bits.  The modem projects the External IP address onto the device connected to it, in this case the WAN port on my ADSL Router.  Consider the modem and router to be as one for argument's sake.  Internet connectivity is working fine with no problem.

My Main HQ network has its own static IP address and my Branch Office also has its own static IP address.  Both servers are part of the same domain.

I have installed ISA 2004 on both servers.  The HQ server is allowed to receive everything I think it needs.  The Branch Office server is allowed to pass any traffic through any card - it's got bugger all on it so I'm not fussed about security yet.  I have followed the ISA 2004 Book, Help File and every Internet document I can find as to how to correctly set up a Site to Site VPN.  I created a user account with the same name as the remote network entity, as the book states, in order for it to work.  I gave 5 addresses to each side as a static pool to issue to incoming connections.  I first of all used the 192.168.x.x range but that didn't work, so I tried using the 10.0.x.x range.  I can change this easily.

Obviously ISA 2004 has no way of actually initialising a connection.  If I try to ping an address from the Branch Office that lives on the Main HQ site I get no response.  The VPN tunnel doesn't even dial.  So I take a trip to Routing and Remote Access (from now on RRAS) and actually dial the connection myself.  First of all it says the username and password are invalid.  So I check the credentials, and I have to take out the .LOCAL bit of my domain name to leave just what we call the "NetBIOS" name; fill in the passwords and bang, it connects.  I get an IP address on my WAN PPP/SLIP connection from the other side and vice versa.  I try to ping anything and still no joy.

If anyone can help me I would be most appreciative.  I understand this might be a bit tricky without you actually seeing it.  I am willing to forward a Visio diagram if needs be to whoever wants to take a look.

If you need any extra info let me know!!

Rowan
Question by: Rowan_Insite
 

Expert Comment

by:Keith Alabaster
ID: 16833099
Hello Rowan. I'm a little busy but by all means send the diag.

Are you setting up a PPTP or an L2TP/IPsec tunnel?
Which book are you using as your guide?

keith_alabaster@experts-exchange.com

regards
keith
 

Author Comment

by:Rowan_Insite
ID: 16841058
Hi Keith

Sorry I haven't got back to you; the stupid thing didn't tell me there was a reply!!!  I have made some changes to the config and got another step closer.  It's just a simple PPTP tunnel I want.  Nothing too difficult!  I am using the ISA Server 2004 Administrators Consultant but also have used the ISA 2004 help file too.

Thanks Keith

Rowan
 

Expert Comment

by:Keith Alabaster
ID: 16844428
Have you looked at the ISA 2004 VPN kit?
 

Accepted Solution

by: Keith Alabaster (earned 2000 total points)
ID: 16846523
 

Author Comment

by:Rowan_Insite
ID: 16850261
Hi Keith

Thanks for that - it's worked a treat.  I have managed to get the two servers working perfectly and they can ping and do all sorts.  Now my next issue is getting workstations on either side to ping the other side.  So for example, I want my laptop to be able to RDP to the remote server.  What do I need to do to get that working?
 

Author Comment

by:Rowan_Insite
ID: 16850550
Keith

Halt everything - It all works!

I am now going to attempt to follow the Active Directory Domain Controller tutorial I found on ISAServer.org to get that bit in place.  But thanks for the articles they did the trick - I was pleasantly surprised.

Now I know where to come if I get stuck again!

Rowan
 

Expert Comment

by:Keith Alabaster
ID: 16850890
You are more than welcome. I am only up the road from you :). I am the Technical Architect at the CAA at Gatwick....

Regards

Keith
 

Author Comment

by:Rowan_Insite
ID: 16851784
Ah excellent - bet that's great fun!

I have it all working now apart from DNS - do you know of any reason why DNS wouldn't transfer zones across the VPN?
 

Expert Comment

by:Keith Alabaster
ID: 16853767
Have you added port 53 TCP (as it's zone transfers, not name resolution, which uses UDP port 53) to the rules?
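Keith's point above is the one that usually bites: ordinary lookups go over UDP/53, but a zone transfer (AXFR) runs over TCP/53, with every message prefixed by a 2-byte length so multi-kilobyte zones can be streamed. The following is an added example, not code from the thread or from ISA Server, that builds an AXFR request framed for TCP and parses the reply; the zone name hq.example.local, the host dc1 and the address 192.168.1.10 are constructed for illustration. Running axfr_over_tcp against the remote DC across the VPN and getting a connect timeout while nslookup still works is the signature of TCP/53 being blocked by the firewall rule, which is what the comment asks about.

```python
"""DNS AXFR over TCP: build the request, parse the reply, check completeness.

Added example, not part of the original thread.  Zone, host names, addresses
and the sample reply below are constructed for illustration.
"""
import socket
import struct

QTYPE_A, QTYPE_SOA, QTYPE_AXFR = 1, 6, 252
QCLASS_IN = 1


def encode_name(name):
    """Encode 'hq.example.local' as DNS labels: \\x02hq\\x07example\\x05local\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid):
    """Query header (QR=0, opcode 0, RD=0, one question) plus an AXFR question."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length.
    This framing (and the unbounded reply size) is why a zone transfer needs
    TCP/53 open between the DNS servers, not just UDP/53."""
    return struct.pack(">H", len(msg)) + msg


def decode_name(buf, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack(">H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # resume after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Parse one DNS reply into (rcode, [(name, rtype, ttl, rdata), ...])."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, records


def zone_transfer_complete(records):
    """An AXFR is complete when the opening SOA is repeated as the last record."""
    return (len(records) >= 2 and records[0][1] == QTYPE_SOA
            and records[-1][1] == QTYPE_SOA)


def recv_exact(sock, n):
    """Read exactly n bytes or raise; TCP gives a stream, not messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def axfr_over_tcp(server_ip, zone, timeout=5.0):
    """Run a real AXFR against server_ip on TCP/53 (needs network; not exercised
    by the tests).  A connect timeout here while UDP lookups still work is the
    classic symptom of TCP/53 missing from the firewall rules."""
    records = []
    with socket.create_connection((server_ip, 53), timeout=timeout) as s:
        s.sendall(frame_for_tcp(build_axfr_query(zone, 0x1234)))
        while True:                                    # reply may span several messages
            msg = recv_exact(s, struct.unpack(">H", recv_exact(s, 2))[0])
            rcode, recs = parse_response(msg)
            if rcode != 0:
                raise RuntimeError("AXFR refused, rcode %d" % rcode)
            records.extend(recs)
            if zone_transfer_complete(records):
                return records


def build_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack(">HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata


def sample_axfr_reply(txid=0x1234):
    """Constructed reply for offline use: SOA, one A record, closing SOA.
    The closing SOA uses a compression pointer (0xC00C) back to the question name."""
    zone = "hq.example.local"
    soa = (encode_name("dc1." + zone) + encode_name("hostmaster." + zone)
           + struct.pack(">IIIII", 2006060501, 900, 600, 86400, 3600))
    header = struct.pack(">HHHHHH", txid, 0x8400, 1, 3, 0, 0)       # QR=1, AA=1
    question = encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)
    closing = b"\xC0\x0C" + struct.pack(">HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(soa)) + soa
    return (header + question + build_rr(zone, QTYPE_SOA, 3600, soa)
            + build_rr("dc1." + zone, QTYPE_A, 3600, socket.inet_aton("192.168.1.10"))
            + closing)
```

The parser deliberately handles compression pointers, because real zone transfers from Windows DNS compress owner names heavily; a parser that only handles the uncompressed form will silently misread the records that follow the first pointer.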
 

Author Comment

by:Rowan_Insite
ID: 16859347
Yeah I have done that - the problem was that it was trying to obtain DNS updates with some other IP Address - So I have resolved this and it is all ready to go up to the branch office - thanks again for your help Keith!
 

Expert Comment

by:Keith Alabaster
ID: 16860804
OK. Neat :)