Improve company productivity with a Business Account.Sign Up


Site to Site IPsec VPN between ISA 2004 and Netgear FVS318

Posted on 2008-09-29
Medium Priority
Last Modified: 2012-05-05
I currently have two ISA Server 2004 systems setup that I am trying to establish Site to site vpn connections with a Netgear FVS316 VPN router.  I am able to establish the connections but and I believe that the comminication is only one-way.  When I am connected to a machine that is behind the Netgear, I can ping any system that is behind either of the two ISA servers.  I can also ping any system that is behind the netgear from any machine that is behind either of the two ISA servers.  What I cannot do is ping any system behind the netgear if I am actually on either of the two ISA servers.  I believe that this a configuration issue within my ISA servers.  My Netgear indicates, in the VPN status dialog, that both of my connections are established.  So my question is, why can I not ping the Netgear or any machine that is behind it, when I am actually on either of the two ISA servers?  It would seem to me that if I can ping the systems on the Netgear from any machine that is behind the ISA servers that I should be able to ping directly from the ISA server itself.

Any help is appreciated!
Question by:xirtic
  • 3
  • 2

Accepted Solution

NutrientMS earned 750 total points
ID: 22600106

You should have a rule in ISA that allows traffic to flow between the networks (Internal) on your ISA to your VPN Site network.  What you may not have, is Localhost set as a FROM address.  Basically, this means you can have all clients behind the ISA server right to ping the netgear and everything behind it, but not the actual ISA server itself.

Post what this rule looks like if you have no joy reconfiguring it.

Author Comment

ID: 22600448
I am assuming you mean a firewall policy for the VPN connection that has localhost listed in the From dialog.  It is configured this way currently!

Expert Comment

ID: 22600711
On your isa server run a log where client ip = <ISA SERVER IP ADDRESS> and see what happens when you ping.  See if you get "DENIED - DEFAULT RULE" or what happens...

Author Comment

ID: 22601338
I ran a trace on the ISA server but could not get anything to come back.  One thing that I did notice was that when I tried to ping the Netgear box from the ISA server, it came back with "Negotiating IP Security" as opposed to "Response Timeout".  Not quite sure what this means.

Author Comment

ID: 23514603
I figured the problem

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
Arrow Electronics was searching for a KVM  (Keyboard/Video/Mouse) switch that could display on one single monitor the current status of all units being tested on the rack.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor ( Top Charts is a view in which you can set seve…

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question