Site to Site IPsec VPN between ISA 2004 and Netgear FVS318

I currently have two ISA Server 2004 systems setup that I am trying to establish Site to site vpn connections with a Netgear FVS316 VPN router.  I am able to establish the connections but and I believe that the comminication is only one-way.  When I am connected to a machine that is behind the Netgear, I can ping any system that is behind either of the two ISA servers.  I can also ping any system that is behind the netgear from any machine that is behind either of the two ISA servers.  What I cannot do is ping any system behind the netgear if I am actually on either of the two ISA servers.  I believe that this a configuration issue within my ISA servers.  My Netgear indicates, in the VPN status dialog, that both of my connections are established.  So my question is, why can I not ping the Netgear or any machine that is behind it, when I am actually on either of the two ISA servers?  It would seem to me that if I can ping the systems on the Netgear from any machine that is behind the ISA servers that I should be able to ping directly from the ISA server itself.

Any help is appreciated!
xirticAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
NutrientMSConnect With a Mentor Commented:
Hi,

You should have a rule in ISA that allows traffic to flow between the networks (Internal) on your ISA to your VPN Site network.  What you may not have, is Localhost set as a FROM address.  Basically, this means you can have all clients behind the ISA server right to ping the netgear and everything behind it, but not the actual ISA server itself.

Post what this rule looks like if you have no joy reconfiguring it.
0
 
xirticAuthor Commented:
I am assuming you mean a firewall policy for the VPN connection that has localhost listed in the From dialog.  It is configured this way currently!
0
 
NutrientMSCommented:
On your isa server run a log where client ip = <ISA SERVER IP ADDRESS> and see what happens when you ping.  See if you get "DENIED - DEFAULT RULE" or what happens...
0
 
xirticAuthor Commented:
I ran a trace on the ISA server but could not get anything to come back.  One thing that I did notice was that when I tried to ping the Netgear box from the ISA server, it came back with "Negotiating IP Security" as opposed to "Response Timeout".  Not quite sure what this means.
0
 
xirticAuthor Commented:
I figured the problem
0
All Courses

From novice to tech pro — start learning today.