Solved

Trying to access network shares with Cisco EasyVPN through SBS2003 Prem box

Posted on 2007-07-28
Last Modified: 2008-11-17
Hi all!

We've got a very simple network layout:

Cisco VPN Client (192.168.3.1 - 192.168.3.10) -> Cisco 857 ADSL Router (inside: 192.168.2.1) --> MS SBS 2003 Prem (ext: 192.168.2.11, int: 192.168.1.11) -> LAN (192.168.1.x)

I've configured EasyVPN Server and it works great. I RDP to the SBS external interface IP, with ISA publishing RDP for the Server to the External network (plus ISA publishes different ports for internal machines I need RDP access to as well). Not the most efficient I know, but the point is, the VPN connectivity works.

The issue as it stands is, I'd like to now access Windows network shares directly from my VPN Client, but can't resolve / ping the internal server or the domain from my VPN client, nor access its shares via IP address. I'm guessing that ISA is blocking that traffic and I need to configure it in some way to allow DNS and other services through to the external network?

I can ping the router's internal interface (192.168.2.1) fine, but not the Server's external NIC (again, I can RDP to that external NIC though).

I'm not exactly sure how to set up DNS for the VPN tunnel (not sure if that's part of the issue) either. Which IP should be specified as the DNS server for the router (ip name-server) and for the VPN group? I'm assuming 192.168.2.11 for the latter, and once I deal to the ISA rules, that'll work fine?

Eventually I want to use IAS for authentication instead of the router users. I'd love to get that up and running now, but in the short term, simply accessing the network shares is the priority.

As an aside, a client's network is set up quite similarly - except they have SBS Standard (no ISA), so I'm guessing that will be straightforward in terms of accessing network shares once the VPN tunnel is established?

I'm far from an ISA or Cisco IOS expert - have "dabbling" experience in them both so would really appreciate any guidance anyone could give! I haven't played with the SBS2003 / ISA VPN, not sure if that's actually the best solution. I keep getting that nagging "but Cisco VPN will give you more security than ISA" feeling - not that I've based that on research or fact.

Thanks in advance!
Question by:slamit
9 Comments
 
LVL 5

Expert Comment

by:rolust
ID: 19587252
Hi

I think you have a little of both worlds here.
Either use an external FW and one NIC on SBS, or two NICs and ISA.
And why does the VPN client get IP addresses outside your LAN?

Take a look at MS Best Practices
http://www.microsoft.com/downloads/details.aspx?FamilyID=d9f63c79-6488-4058-bd90-94d46c82cd68&displaylang=en

Robert Lundqvist
Small Business Specialist
Sweden
0
 

Author Comment

by:slamit
ID: 19587266
Hey,

It seems to depend who you ask. Many people seem to swear by doubling up on security - external firewall and SBS with two NICs & ISA from what I've read. I guess if it's workable, it can never hurt to have more security, can it?

Is there an issue with VPN clients having addresses outside of the LAN range? I've always used / seen a different subnet for Cisco VPN clients in environments where the router is the firewall and servers have just one NIC and no ISA.

Thanks.
0
 
LVL 5

Expert Comment

by:rolust
ID: 19587291
Does the Cisco route to your internal net 192.168.1.x? or only to external?

Robert Lundqvist
Small Business Specialist
Sweden
0

 

Author Comment

by:slamit
ID: 19587298
Hey,

It just routes to the external 192.168.2.x network.

Thanks.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19587778
Your installation is fine so no sweat there.
No issue with having addresses outside of the lan range; in fact it is recommended.

On the vpn client, are you set to use the vpn default gateway?




0
 

Author Comment

by:slamit
ID: 19589043
Hi Keith,

I haven't added / changed the default gw for the VPN. An ipconfig /all from a connected client shows:

==========================================================
Ethernet adapter Local Area Connection 4:

        Connection-specific DNS Suffix  . : mydomain.local
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.3.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.3.1
        DNS Servers . . . . . . . . . . . : 192.168.2.11  // external IF of SBS server
        Primary WINS Server . . . . . . . : 192.168.2.11
==========================================================

I'm not sure why 3.1 is the default GW - it's one of the IPs in the range of that cisco pool - I can't ping it either. I manually added 2.1 while connected just in case, but still couldn't resolve any internal network hostnames.

I'm only guessing, but I still get the feeling it's actually ISA I need to give some TLC to, to resolve this?

Thanks.
0
 

Author Comment

by:slamit
ID: 19589385
The mystery deepens...

I just tried the same setup at another site. Except this is an SBS Standard Server with no ISA. Similar IP setup. I can make a VPN connection and can even telnet to the remote router, but I can't access the internal LAN.

I thought it may have been a Cisco ACL thing perhaps, so I gave the VPN IP range any access on the Dialer0 IF, but no joy.

So, I guess it's not ISA. Still not sure if it's Cisco ACL or the Windows Server though (the Standard does have a Firewall of sorts of course).

Hmmm...
0
 

Accepted Solution

by:
slamit earned 0 total points
ID: 19590863
I decided to bite the bullet and I'm implementing the SBS VPN with Cisco doing the passthrough.

I wouldn't mind knowing the solution to the above still as a just in case and out of interest if anyone knows?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19594351
It is the best way, I have to say with SBS but....
0
