Solved

pptp vpn clients are not able to open shared network drives on ISA server

Posted on 2009-05-04
Last Modified: 2012-05-06
Hi, we have the following:
LAN---ISA SERVER---LINKSYS RV042---INTERNET
We connect using PPTP VPN to the LINKSYS RV042 and from there we would like to run some SQL applications and also see some shared network drives on that ISA server. We created a rule on the ISA to allow access from the VPN clients into it; the rule was defined to treat the VPN client network as a trusted network, so all IP protocols (TCP and UDP) come in and go out from and to the VPN clients. However, we can run any application on any port except for the networking shared drives. Is there anything we can configure on that ISA so we can go to Run and type \\172.16.1.1 (actual IP address of the ISA SERVER WAN interface) and then see the shared drives? By default ISA does not allow Windows networking on its WAN unless you define the source IP as trusted, is what we thought, but it is still not working. TOPOLOGY change suggestions are welcome; however, we were unable to find the way to forward the ESP protocol to an inbound host on this Linksys RV042. Thanks
0
Question by:wirlan
6 Comments
 
LVL 35

Expert Comment

by:Bembi
ID: 24305944
If you use the router in front of ISA to establish VPN connections, ISA is not aware of the fact that this should be an internal user.

I would recommend using ISA as the VPN server. You can arrange that by setting your router to VPN pass-through (or by opening the associated ports, if there is no such setting). In that case, your VPN client is handled by ISA and therefore handled by the VPN client rules. As the client is on the internal network in that case, you can get full access to any internal resources.


0
 

Author Comment

by:wirlan
ID: 24306998
I understand the suggestion; however, I couldn't find the way to port forward the 1753 port and the ESP protocol. Linksys only allows port forwarding on TCP and UDP ports; it won't do forwarding for the ESP protocol itself, so that is why the PPTP VPNs are connecting to the router... We want to keep the router in front of the ISA server for security purposes. Thanks for the reply!
0
 

Author Comment

by:wirlan
ID: 24307183
Correction. GRE protocol I meant. NOT ESP. thanks
0
 
LVL 35

Accepted Solution

by:
Bembi earned 500 total points
ID: 24307515
ISA is a fully featured firewall solution. There is no reason to protect ISA itself (if set up correctly). Most routers have a (simple) firewall included. Your RV042 is not the cheapest one, so I would assume that it provides what is needed.

Most routers (also the cheap ones) provide a setting which is called VPN pass-through. This opens all ports (mostly for PPP or IPSEC / L2TP). You can also do this by hand, of course. Whether this also includes ESP depends on the router itself.

ESP is IP protocol number 50.
So you may have a look where you can enable this within your router. As this is on IP level, not on TCP level, it has nothing to do with port forwarding (which is on TCP level). Port forwarding for TCP ports is protocol type 6.

You may find either some direct configuration options for IP-based protocols or you may have to change the default firewall filters. Most routers are preset to allow everything outgoing and nothing incoming. And this may also block all kinds of protocol types, with the exception of the basic TCP / UDP protocol types, which are controlled by port forwarding.

Have a look here at what I found about Linksys:
http://www.astaro.org/astaro-gateway-products/vpn-site-site-remote-access/3497-open-port-ike-phase-2-a.html

The advantage of passing VPN through the router is that you have better control of your VPN clients using ISA. Otherwise you would have to drill some holes into the ISA. ISA directly supports all kinds of VPN clients and authentication types, including certificates and so on. Your client is inside the network. If the VPN connection ends at your router, you have to explicitly open all needed services one by one through ISA, as your client is outside the network.
0
 
LVL 35

Assisted Solution

by:Bembi
Bembi earned 500 total points
ID: 24307569
OK, GRE is usually a Cisco issue, mostly in combination with Cisco firmware and MS VPN clients as well as servers.

GRE is protocol type 47

Have a look here, if this helps:
http://forums.linksys.com/linksys/board/message?board.id=Wireless_Routers&message.id=112185
0
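Added example (not code from this thread or from any participant): a small model of a router that can only match TCP/UDP port-forward rules, showing why the PPTP control connection is forwarded while GRE (IP protocol 47) and ESP (50) never match such a rule. The packets are constructed samples; TCP 1723 is the standard PPTP control port, 172.16.1.1 is the ISA WAN address from the question, and the `proto_passthrough` set is a hypothetical stand-in for a router's VPN pass-through setting.

```python
import struct

IP_PROTO = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}

def build_packet(proto, dst_port=None):
    """Constructed sample: 20-byte IPv4 header (checksum left at 0) plus 4 bytes of payload."""
    if dst_port is not None:
        payload = struct.pack("!HH", 40000, dst_port)   # source port, destination port
    else:
        payload = b"\x00" * 4                           # GRE/ESP: no port fields at all
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes([203, 0, 113, 10]), bytes([198, 51, 100, 1]))
    return header + payload

def parse(packet):
    """Return (IP protocol number, destination port or None)."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                     # protocol field of the IPv4 header
    if proto in (6, 17):                  # only TCP and UDP carry port numbers
        return proto, struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, None

def router_decision(packet, port_forwards, proto_passthrough=frozenset()):
    """Decide what a port-forward-only router does with an inbound packet."""
    proto, port = parse(packet)
    name = IP_PROTO.get(proto, str(proto))
    if (proto, port) in port_forwards:
        return f"FORWARD {name}/{port} -> {port_forwards[(proto, port)]}"
    if proto in proto_passthrough:        # hypothetical pass-through switch
        return f"FORWARD {name} (IP protocol {proto}) via passthrough"
    if port is None:
        return f"DROP {name} (IP protocol {proto}, no port to match)"
    return f"DROP {name}/{port}"

# Port-forward table as a TCP/UDP-only router would hold it.
PORT_FORWARDS = {(6, 1723): "172.16.1.1"}

def demo():
    """PPTP control is forwarded; the GRE data channel needs pass-through."""
    return [
        router_decision(build_packet(6, 1723), PORT_FORWARDS),
        router_decision(build_packet(47), PORT_FORWARDS),
        router_decision(build_packet(47), PORT_FORWARDS, {47}),
        router_decision(build_packet(50), PORT_FORWARDS, {47}),
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```
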
 

Author Closing Comment

by:wirlan
ID: 31577866
thank you guys
0