Site-to-site connection is working, but client cannot reach other server on remote site

Hello,

I need help 'cause I'm stuck.

I have set up a site-to-site connection between two offices (both running SBS2003R2 with ISA2004). The connection is working fine. From both servers I can ping workstations on the remote site. On both sides, workstations can ping the SBS server on the remote site, but not another server.

Site A:
Server: 172.16.123.3
DHCP scope 172.16.123.50 - 172.16.123.255

Site B:
Server: 172.16.1.1
DHCP scope 172.16.2.1 - 172.16.2.255

I've tried adding a route on the workstation
route add 172.16.1.0 mask 255.255.255.0 172.16.123.3
but I still get the same result.

What do I need in order to make this work? Do I need to setup Firewall rules, or something else?
Curbe Asked:
 
Rob Williams Commented:
Sorry I don't understand the physical configuration, as a result I cannot help with the routing. Perhaps someone else may not have as much difficulty in understanding.
0
 
Michael Worsham (Infrastructure / Solutions Architect) Commented:
What is it you're trying to do? SBS cannot do trusts between two different domains, so that option isn't available.
0
 
Curbe (Author) Commented:
I'm just trying to reach the AS400 on IP basis on the remote site (each side has an AS400). Nothing more... the connection is there, but workstations cannot reach the AS400 (remote).
0
 
Rob Williams Commented:
I agree with mwecomputers regarding trusts, but assuming they are different domains, you should be able to try to connect to a resource and be provided with a box requesting credentials. You would need to use a domain account from the local SBS. Obviously you are not at that point yet.

However... what do your workstations use as a gateway? Sounds like traffic is not routed through the SBS, and therefore it is likely ISA that is blocking the remote access.
0
 
Curbe (Author) Commented:
The workstations use the local SBS as gateway. Is there a way to open the ISA for remote connection? Seems to me that it is possible, because if I use a regular VPN connection I can reach all IP addresses on that side. I'm not using it for trusts or that sort of thing, just to communicate with an AS400.
0
 
Curbe (Author) Commented:
@RobWill:

On the workstations I can ping the remote SBS on its IP, but not a server that is behind the firewall. I tried setting up rules that the VPN network is allowed to reach the local network, but it didn't change anything.
0
 
Michael Worsham (Infrastructure / Solutions Architect) Commented:
Are you trying to do something like port forwarding with the ISA environment?
0
 
Curbe (Author) Commented:
No, at least not that I'm aware of. It's just a plain simple installation...
0
 
Michael Worsham (Infrastructure / Solutions Architect) Commented:
How to set up port forwarding with ISA 2004 Server:
http://www.experts-exchange.com/Security/Firewalls/Q_21774081.html

0
 
Rob Williams Commented:
If the PCs are pingable (if that is a word) and they are behind the SBS, it is very odd. How is the VPN established? Using ISA or another solution?
0
 
Curbe (Author) Commented:
VPN is established with ISA 2004 using Virtual Private Networks (Remote Sites). On both sides I use the same user and I have bi-directional data between servers.

If I'm on the server (say on site A) I can ping all IP addresses on site B. When I'm on a workstation on Site A I can ping the SBS server (which provides the VPN) on site B, but nothing else. Same goes the other way around.

I just set up some rules in ISA Server which say that all outbound traffic from VPN to internal is allowed, and a rule which says the other way around (done on both servers), but still no result.
0
 
Rob Williams Commented:
Rather than using ping, as there may be a specific firewall rule (this is common), can you access a file using \\172.16.123.123\Sharename ?
By the way, the same user names make no difference. Your actual user name is a combination of the domain name and user name: domain1\john NEQ domain2\john.
They are different domain names, are they not?
0
 
Curbe (Author) Commented:
They are different domains.

I'm unable to reach the server in the way you describe.
0
 
Rob Williams Commented:
The server would have 2 IPs; are you trying to connect to the external or internal? Try the internal, the one on the same subnet as the workstations, if you have not done so already.
0
 
Curbe (Author) Commented:
The server(s) have two NICs, one for internet and one for the internal network. The remote network comes from the internet.
0
 
Rob Williams Commented:
I am not terribly familiar with ISA; however, I am comfortable with VPNs.
I would assume ISA creates the tunnel LAN to LAN even though it is a WAN to WAN connection. There are automatic routes allowing all traffic between the LANs, which is why the PCs work. The external interface is on a different subnet and likely protected, with file and print sharing and more disabled.

Try LAN IP.
0
 
Curbe (Author) Commented:
I'm not interested in file and print sharing... I just want to connect to my AS400 with a sort of terminal client. No more, no less...

I'm looking for the correct settings for this. I have the idea that the ISA is blocking the traffic, but I can't seem to find the right rule to set.
0
 
Rob Williams Commented:
I was asking about pinging. Can you ping the LAN IP of the server? I would think the VPN is configured to allow all traffic between the two LAN subnets; therefore the WAN IP may/should be blocked. As a rule all services are blocked on the WAN IP as that is exposed to the Internet; the VPN traffic is automatically passed through.

Is this correct, by the way:
Site B:
Server: 172.16.1.1
DHCP scope 172.16.2.1 - 172.16.2.255
or should it be
DHCP scope 172.16.1.1 - 172.16.1.255
                                ^
0
 
Curbe (Author) Commented:
Nope, the scope is correct; on site B the servers have a different range than the workstations.

I noticed one more strange thing:

I can ping from a workstation on site A a workstation on site B (172.16.2.12), but not the AS400 on site B (172.16.1.2).
0
 
Rob Williams Commented:
Can you possibly outline the physical configuration, such as:

172.16.2.x-LANA<=>?LAN-IP=ISA=WAN-IP<=>VPN<=>WAN-IP=ISA=LAN-IP<=>172.16.123.x
And where does the AS400 fit in?

The VPN should allow traffic by default from 172.16.2.0/24 to 172.16.123.0/24 but other subnets such as 172.16.1.x will require routes, and possibly access control permissions and firewall exceptions to allow access. These depend on the location of the servers.
0
 
Curbe (Author) Commented:
Server LAN A: 172.16.123.3
AS400 LAN A: 172.16.123.1
Workstation LAN A: 172.16.123.100-172.16.123.250
Remote Site: 172.16.123.116 (DHCP)

Server LAN B: 172.16.1.1
AS400 LAN B: 172.16.1.2
Workstations LAN B: 172.16.2.1-172.16.1.254
Remote Site: 172.16.2.9 (DHCP)

I'm trying to connect from
172.16.123.102 -> 172.16.123.116 -> 172.16.1.1 -> 172.16.1.2

Hopefully this is what you mean...
0
 
Rob Williams Commented:
That helps, but what I am really looking for is how the AS400 at Site B is physically connected to the ISA server. Is it similar to the attached sketch? If so, the AS400 is on the protected side of the ISA server and is not accessible by the VPN. However, perhaps this is not the case and there is a router involved somewhere else. Or does the ISA server have 3 NICs?
 
(attached sketch: sample.gif)
0
 
Curbe (Author) Commented:
No, it's connected to the switch on the LAN B side.
0
 
Curbe (Author) Commented:
No outcome, but for the great support I award the points.
0
 
Rob Williams Commented:
Curbe, I don't think you should award me the points; I really have not been of any help. Configuring this, if the AS400 is on the LAN side of the ISA server, should not be difficult. You simply need a route at the LAN A site and a return route on the AS400. However, after 20+ posts I still do not understand the physical layout properly, and felt I was doing you a disservice by perpetuating that, when perhaps someone else could better understand from your configuration postings. I am obviously not asking the correct question. We need to know how many NICs the ISA at B has, what their IPs are, which is external and which is internal, and how a packet gets from the LAN side of the ISA to the AS400, i.e. is there a router in between. If the LAN uses 192.168.2.x and the AS400 192.168.1.x then there must be. However, I see there must be a typo in the following, which adds to the confusion:
Workstations LAN B: 172.16.2.1-172.16.1.254
                                             ^                ^
0
 
Curbe (Author) Commented:
I still give you the points because I have the solution...

All this time I was making a route to the ISA server on the same side. Now I make a route to the IP address the connection gets, and it works fine.

So if the connection gets IP 172.16.2.1, I make a route on a PC...
route add 172.16.123.0 mask 255.255.255.0 172.16.2.1
This will make all the addresses on the other side "pingable".
0
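An added example, not code from the thread: a small Python model of a site A workstation's route lookup (longest-prefix match, as the OS does it) using the addresses posted above. The routing tables are constructed; the VPN-side address 172.16.123.116 is the one the asker listed for the remote site connection. It shows why the first route (next hop 172.16.123.3) changed nothing, since that is already the default gateway, while a route via the VPN-assigned address selects a different next hop.

```python
# Added example (not from the thread): model a workstation's routing table
# and show which next hop is chosen for the remote AS400 at 172.16.1.2.
from ipaddress import ip_address, ip_network

# Constructed table for a site A workstation (172.16.123.x).
# Each entry: (destination network, next hop). None means "on-link",
# i.e. deliver directly on the LAN without a gateway.
SITE_A_DEFAULT = [
    (ip_network("172.16.123.0/24"), None),                  # local LAN
    (ip_network("0.0.0.0/0"), ip_address("172.16.123.3")),  # SBS/ISA = default gw
]


def lookup(table, dst):
    """Return the next hop for dst using longest-prefix match.

    For an on-link route the next hop is the destination itself.
    Returns None only if no route (not even a default) matches.
    """
    dst = ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return None
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return dst if hop is None else hop


def with_route(table, network, gateway):
    """Copy of table after 'route add <network> mask <mask> <gateway>'."""
    return table + [(ip_network(network), ip_address(gateway))]


def gateway_on_link(table, gateway):
    """A next hop must be on a directly connected network to be usable."""
    gw = ip_address(gateway)
    return any(hop is None and gw in net for net, hop in table)


def next_hops_for_as400(dst="172.16.1.2"):
    """Next hop for the remote AS400 under the three tables discussed."""
    first_try = with_route(SITE_A_DEFAULT, "172.16.1.0/24", "172.16.123.3")
    final_fix = with_route(SITE_A_DEFAULT, "172.16.1.0/24", "172.16.123.116")
    return {
        "default table": str(lookup(SITE_A_DEFAULT, dst)),
        "route via local SBS": str(lookup(first_try, dst)),   # same as default
        "route via VPN address": str(lookup(final_fix, dst)),  # different hop
    }


if __name__ == "__main__":
    for label, hop in next_hops_for_as400().items():
        print(f"{label:24s} -> next hop {hop}")
```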
 
Rob Williams Commented:
Glad to hear you were able to resolve.
Thanks Curbe.
Cheers !
--Rob
0