jokergrafisk
asked on
VPN IPSec ISA 2006 --> Checkpoint Safe@office
Hi!
We have 2 offices that will share servers.
The sales office has a Checkpoint Safe@office and the server center has an ISA Server 2006 running on 2003 Server R2.
The VPN tunnel is up and I can ping all local addresses on the sales office from the ISA server gateway (console).
But when I try to ping from the other computers on the network it does not work!
What am I missing? It looks like there is no route or something?
ASKER
Hi!
Server center:
139.96.57.0/24
GW 139.96.57.1
Sales office:
192.9.110.0/24
GW 192.9.110.2
Rules on ISA server:
Allow all outbound traffic to the VPN net, and vice versa.
I added a route on the ISA server: Route add 192.9.110.0 MASK 255.255.255.0 GW192.9.110.2. Now it's working from the server center, but only one way.
I can now ping all hosts on 192.9.110.0 from 139.96.57.0 but not the other way.
Both those subnets are on public addresses - do you actually use public IP addressing for the internal networks?
The rule I would expect to see would be allow All protocols FROM internal & VPN net TO internal & VPN net (you can limit it afterwards to just what you want to pass).
Have you got the converse static route at the Checkpoint end?
Open the ISA GUI.
Select Monitoring - Logging - click Start Query.
Try the connection from the CP end - what do you see in the log?
ASKER
Hi!
Yes, we have some strange subnets ;)
I think the problem is the Safe@office.
It has to be something with routing.
Anyway, I give up.
Installing ISA server in the other location now.
What rules have you put in place to allow VPN to internal on the ISA server?
Can't help you with the Checkpoint end as I only use ISA/Cisco etc., but let's make sure this end is OK first.