Solved

Site-to-site connection is working, but client cannot reach other server on remote site

Posted on 2008-06-19
Last Modified: 2013-11-05
Hello,

I need help because I'm stuck.

I have set up a site-to-site connection between two offices (both running SBS 2003 R2 with ISA 2004). The connection is working fine. From both servers I can ping workstations on the remote site. On both sides workstations can ping the SBS server on the remote site, but not another server.

Site A:
Server: 172.16.123.3
DHCP scope 172.16.123.50 - 172.16.123.255

Site B:
Server: 172.16.1.1
DHCP scope 172.16.2.1 - 172.16.2.255

I've tried adding a route on the workstation
route add 172.16.1.0 mask 255.255.255.0 172.16.123.3
but I still get the same result.

What do I need in order to make this work? Do I need to setup Firewall rules, or something else?
Question by:Curbe
 
LVL 29

Expert Comment

by:Michael W
ID: 21823239
What is it you're trying to do? SBS cannot do trusts between two different domains, so that option isn't available.
LVL 1

Author Comment

by:Curbe
ID: 21824202
I'm just trying to reach the AS400 by IP on the remote site (each side has an AS400). Nothing more... the connection is there, but workstations cannot reach the (remote) AS400.
LVL 77

Expert Comment

by:Rob Williams
ID: 21824217
I agree with mwecomputers regarding trusts, but assuming they are different domains, you should be able to try to connect to a resource and be provided with a box requesting credentials. You would need to use a domain account from the local SBS. Obviously you are not at that point yet.

However... what do your workstations use as a gateway? It sounds like traffic is not routed through the SBS, and therefore it is likely ISA that is blocking the remote access.
LVL 1

Author Comment

by:Curbe
ID: 21824236
The workstations use the local SBS as gateway. Is there a way to open the ISA for remote connections? It seems to me that it is possible, because if I use a regular VPN connection I can reach all IP addresses on that side. I'm not using it for trusts or that sort of thing, just to communicate with an AS400.
LVL 1

Author Comment

by:Curbe
ID: 21824263
@RobWill:

On the workstations I can ping the remote SBS on its IP, but not a server that is behind the firewall. I tried setting up rules so that the VPN network is allowed to reach the local network, but it didn't change anything.
LVL 29

Expert Comment

by:Michael W
ID: 21824290
Are you trying to do something like port forwarding with the ISA environment?
LVL 1

Author Comment

by:Curbe
ID: 21824304
No, at least not that I'm aware of. It's just a plain simple installation...
LVL 29

Expert Comment

by:Michael W
ID: 21824338
How to set up port forwarding with ISA 2004 Server:
http://www.experts-exchange.com/Security/Firewalls/Q_21774081.html

LVL 77

Expert Comment

by:Rob Williams
ID: 21824389
If the PCs are pingable (if that is a word) and they are behind the SBS, it is very odd. How is the VPN established? Using ISA or another solution?
LVL 1

Author Comment

by:Curbe
ID: 21824430
VPN is established with ISA 2004 using Virtual Private Networks (Remote Sites). On both sides I use the same user and I have bi-directional data between servers.

If I'm on the server (say on site A) I can ping all IP addresses on site B. When I'm on a workstation on Site A I can ping the SBS server (which provides the VPN) on site B, but nothing else. Same goes the other way around.

I just set up some rules in ISA server which say that all outbound traffic from VPN to internal is allowed, and a rule which says the other way around (done on both servers), but still no result.
LVL 77

Expert Comment

by:Rob Williams
ID: 21824567
Rather than using ping (there may be a specific firewall rule blocking it; this is common), can you access a file using \\172.16.123.123\Sharename ?
By the way, same user names make no difference. Your actual user name is a combination of the domain name and user name: domain1\john NEQ domain2\john.
They are different domain names, are they not?
LVL 1

Author Comment

by:Curbe
ID: 21824599
They are different domains.

I'm unable to reach the server in the way you describe.
LVL 77

Expert Comment

by:Rob Williams
ID: 21824670
The server would have 2 IPs; are you trying to connect to the external or the internal one? Try the internal, the one on the same subnet as the workstations, if you have not done so already.
LVL 1

Author Comment

by:Curbe
ID: 21824684
The server(s) have two NICs, one for the internet and one for the internal network. The remote network comes in from the internet.
LVL 77

Expert Comment

by:Rob Williams
ID: 21824715
I am not terribly familiar with ISA; however, I am comfortable with VPNs.
I would assume ISA creates the tunnel LAN to LAN even though it is a WAN-to-WAN connection. There are automatic routes allowing all traffic between the LANs, which is why the PCs work. The external interface is on a different subnet and is likely protected, with file and print sharing and more disabled.

Try LAN IP.
LVL 1

Author Comment

by:Curbe
ID: 21826294
I'm not interested in file and print sharing... I just want to connect to my AS400 with a sort of terminal client. No more, no less...

I'm looking for the correct settings in this, I've the idea that the ISA is blocking the traffic but I can't seem to find the right rule to set.
LVL 77

Expert Comment

by:Rob Williams
ID: 21826444
I was asking about pinging. Can you ping the LAN IP of the server? I would think the VPN is configured to allow all traffic between the two LAN subnets, therefore the WAN IP may/should be blocked. As a rule all services are blocked on the WAN IP as that is exposed to the Internet; the VPN traffic is automatically passed through.

Is this correct, by the way?
Site B:
Server: 172.16.1.1
DHCP scope 172.16.2.1 - 172.16.2.255
or should it be
DHCP scope 172.16.1.1 - 172.16.1.255
                                ^
LVL 1

Author Comment

by:Curbe
ID: 21829162
Nope, the scope is correct; on site B the servers have a different range than the workstations.

I noticed one more strange thing

From a workstation on site A I can ping a workstation on site B (172.16.2.12), but not the AS400 on site B (172.16.1.2).
LVL 77

Expert Comment

by:Rob Williams
ID: 21839554
Can you possibly outline the physical configuration such as

172.16.2.x-LANA<=>?LAN-IP=ISA=WAN-IP<=>VPN<=>WAN-IP=ISA=LAN-IP<=>172.16.123.x
And where does the AS400 fit in?

The VPN should allow traffic by default from 172.16.2.0/24 to 172.16.123.0/24 but other subnets such as 172.16.1.x will require routes, and possibly access control permissions and firewall exceptions to allow access. These depend on the location of the servers.
LVL 1

Author Comment

by:Curbe
ID: 21839998
Server LAN A: 172.16.123.3
AS400 LAN A: 172.16.123.1
Workstation LAN A: 172.16.123.100-172.16.123.250
Remote Site: 172.16.123.116 (DHCP)

Server LAN B: 172.16.1.1
AS400 LAN B: 172.16.1.2
Workstations LAN B: 172.16.2.1-172.16.1.254
Remote Site: 172.16.2.9 (DHCP)

I'm trying to connect from
172.16.123.102 -> 172.16.123.116 -> 172.16.1.1 -> 172.16.1.2

Hopefully this is what you mean...
LVL 77

Expert Comment

by:Rob Williams
ID: 21841127
That helps, but what I am really looking for is how the AS400 at Site B is physically connected to the ISA server. Is it similar to the attached sketch? If so, the AS400 is on the protected side of the ISA server and is not accessible by the VPN. However, perhaps this is not the case and there is a router involved somewhere else. Or does the ISA server have 3 NICs?

[attachment: sample.gif]
LVL 1

Author Comment

by:Curbe
ID: 21841182
No, it's connected to the switch on the LAN B side.
LVL 77

Accepted Solution

by:Rob Williams (earned 500 total points)
ID: 21841203
Sorry I don't understand the physical configuration, as a result I cannot help with the routing. Perhaps someone else may not have as much difficulty in understanding.
LVL 1

Author Closing Comment

by:Curbe
ID: 31468831
No outcome, but for the great support I award the points.
LVL 77

Expert Comment

by:Rob Williams
ID: 21841234
Curbe, I don't think you should award me the points; I really have not been of any help. Configuring this, if the AS400 is on the LAN side of the ISA server, should not be difficult. You simply need a route at the LAN A site and a return route on the AS400. However, after 20+ posts I still do not understand the physical layout properly, and felt I was doing you a disservice by perpetuating that, when perhaps someone else could better understand from your configuration postings. I am obviously not asking the correct question. We need to know how many NICs the ISA at B has, what their IPs are, which is external and which is internal, and how a packet gets from the LAN side of the ISA to the AS400, i.e. is there a router in between? If the LAN uses 192.168.2.x and the AS400 192.168.1.x then there must be. However, I see there must be a typo in the following, which adds to the confusion:
Workstations LAN B: 172.16.2.1-172.16.1.254
                                             ^                ^
LVL 1

Author Comment

by:Curbe
ID: 21841537
I still give you the points because I have the solution...

All this time I was making a route to the ISA server on the same side. Now I make a route to the IP address the connection gets, and it works fine.

So if the connection gets IP 172.16.2.1, I make a route on a PC...
route add 172.16.123.0 mask 255.255.255.0 172.16.2.1
This makes all the addresses on the other side "pingable".
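As an added illustration (not part of the original thread, and not the poster's own script), the following Python models a site A workstation's routing table from the addresses posted above and resolves the next hop for the site B AS400 by longest-prefix match, which is how the Windows IP stack picks a route. It assumes that the site A VPN interface address is the posted "Remote Site: 172.16.123.116 (DHCP)" and that the method the poster finally used on site B (route via the address the connection obtained) applies the same way on site A; the table is constructed, not captured from a host.

```python
import ipaddress

# Site A addressing as posted in the thread (constructed table, not a capture):
#   workstation LAN  172.16.123.0/24, default gateway = SBS LAN IP 172.16.123.3
#   "Remote Site: 172.16.123.116 (DHCP)" = address the VPN interface drew from the scope
#   destination      = AS400 at site B, 172.16.1.2
LAN_A = ipaddress.ip_network("172.16.123.0/24")
SBS_A = ipaddress.ip_address("172.16.123.3")
VPN_IF_A = ipaddress.ip_address("172.16.123.116")  # assumption: the VPN interface's LAN-side address
AS400_B = ipaddress.ip_address("172.16.1.2")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# A route is (prefix, gateway); gateway None means the prefix is directly connected (on-link).
BASE_TABLE = [(LAN_A, None), (DEFAULT, SBS_A)]


def next_hop(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins.
    Returns (matched_prefix, next_hop); for an on-link prefix the next hop is dst itself."""
    dst = ipaddress.ip_address(str(dst))
    best = None
    for prefix, gw in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    prefix, gw = best
    return prefix, (dst if gw is None else gw)


def on_link(table, addr):
    """A gateway is only usable if it lies in a directly connected prefix (the host must ARP for it)."""
    return any(gw is None and addr in prefix for prefix, gw in table)


def with_route(cidr, gateway):
    """The table after `route add <net> mask <mask> <gateway>` on the workstation."""
    return BASE_TABLE + [(ipaddress.ip_network(cidr), ipaddress.ip_address(gateway))]


def diagnose(cidr, gateway, dst=AS400_B):
    """Report what a candidate static route actually changes for traffic to dst."""
    prefix, hop = next_hop(with_route(cidr, gateway), dst)
    _, default_hop = next_hop(BASE_TABLE, dst)
    return {
        "matched": str(prefix),
        "next_hop": str(hop),
        "hop_on_link": on_link(BASE_TABLE, hop),
        # same next hop as the default route already gave = the route is a no-op
        "changes_anything": hop != default_hop,
    }


if __name__ == "__main__":
    # The poster's first attempt: gateway is the SBS LAN IP, which is already the default gateway.
    print("via SBS LAN IP  :", diagnose("172.16.1.0/24", "172.16.123.3"))
    # The poster's working pattern: gateway is the address the VPN interface obtained.
    print("via VPN if addr :", diagnose("172.16.1.0/24", str(VPN_IF_A)))
```

The first call shows why `route add 172.16.1.0 mask 255.255.255.0 172.16.123.3` changed nothing: its gateway is the SBS LAN IP, which the default route already used, so packets to 172.16.1.2 took the same path before and after. The second shows the working pattern, a different on-link next hop. Two practical caveats: on Windows a plain `route add` does not survive a reboot (use `route -p add` to persist it), and a next hop that was handed out by DHCP can change when the connection is re-established, so a reservation or a static address for the VPN interface avoids a stale route on every workstation.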
LVL 77

Expert Comment

by:Rob Williams
ID: 21841584
Glad to hear you were able to resolve.
Thanks Curbe.
Cheers !
--Rob