Solved

Site to Site IPsec VPN between ISA 2004 and Netgear FVS318

Posted on 2008-09-29
5
649 Views
Last Modified: 2012-05-05
I currently have two ISA Server 2004 systems setup that I am trying to establish Site to site vpn connections with a Netgear FVS316 VPN router.  I am able to establish the connections but and I believe that the comminication is only one-way.  When I am connected to a machine that is behind the Netgear, I can ping any system that is behind either of the two ISA servers.  I can also ping any system that is behind the netgear from any machine that is behind either of the two ISA servers.  What I cannot do is ping any system behind the netgear if I am actually on either of the two ISA servers.  I believe that this a configuration issue within my ISA servers.  My Netgear indicates, in the VPN status dialog, that both of my connections are established.  So my question is, why can I not ping the Netgear or any machine that is behind it, when I am actually on either of the two ISA servers?  It would seem to me that if I can ping the systems on the Netgear from any machine that is behind the ISA servers that I should be able to ping directly from the ISA server itself.

Any help is appreciated!
0
Comment
Question by:xirtic
  • 3
  • 2
5 Comments
 
LVL 5

Accepted Solution

by:
NutrientMS earned 250 total points
ID: 22600106
Hi,

You should have a rule in ISA that allows traffic to flow between the networks (Internal) on your ISA to your VPN Site network.  What you may not have, is Localhost set as a FROM address.  Basically, this means you can have all clients behind the ISA server right to ping the netgear and everything behind it, but not the actual ISA server itself.

Post what this rule looks like if you have no joy reconfiguring it.
0
 

Author Comment

by:xirtic
ID: 22600448
I am assuming you mean a firewall policy for the VPN connection that has localhost listed in the From dialog.  It is configured this way currently!
0
 
LVL 5

Expert Comment

by:NutrientMS
ID: 22600711
On your isa server run a log where client ip = <ISA SERVER IP ADDRESS> and see what happens when you ping.  See if you get "DENIED - DEFAULT RULE" or what happens...
0
 

Author Comment

by:xirtic
ID: 22601338
I ran a trace on the ISA server but could not get anything to come back.  One thing that I did notice was that when I tried to ping the Netgear box from the ISA server, it came back with "Negotiating IP Security" as opposed to "Response Timeout".  Not quite sure what this means.
0
 

Author Comment

by:xirtic
ID: 23514603
I figured the problem
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now