Solved

ISA 2004 behind VPN router can't browse remote network

Posted on 2009-05-08
Last Modified: 2012-08-14
A client of mine has D-Link 804HV VPN routers in 5 locations.  The tunnels were established and working fine until we started adding ISA 2004 onto the servers at each location.  There is still a need for the users to browse the remote networks, mainly just to copy some files occasionally.

Each location has different subnets on the external NICs, i.e. the main branch has 2 NICs (192.168.2.x for WAN and 10.0.0.x for LAN).  The 192.168.2.x comes from the D-Link router. DHCP is not enabled on the D-Link... this is passed along from the DSL connection, rather than the public IP.  There is no apparent way to have the public IP directly entered onto the WAN NIC.  I believe this is the main cause of all the trouble, by the way.

One branch location has 192.168.7.x for WAN and again 10.0.0.x for LAN.  The idea would be for a user at main office to be able to browse to 192.168.7.10 (server IP).  Pings to any 192.168.7.x address from the main office don't ever go through.

RDP works fine thanks to some rule tweaking in ISA, but I can't seem to get network browsing functioning correctly.

Can anyone help me out here?  I'd rather keep the D-Links in place as added security.
Question by:ArthurSim
Accepted Solution by: Rob Williams (earned 500 total points)
2 issues as I see it.

The VPN handles routing between the two known subnets, for example 192.168.2.x and 192.168.7.x. By default packets are kept in the local network if they are destined for the same subnet, but if unknown, they are sent to the "Default" gateway, the VPN router. The router knows the location of the remote 192.168.x.x subnet and forwards packets destined for it, but it does not know the location of the 10.0.0.x subnet. A route needs to be added to the router from which the packet originated, or the generating PC, for example:
route add -p 10.0.0.0 mask 255.0.0.0 192.168.2.123
(where 192.168.2.123 is the WAN connection of the remote ISA server)
You also need a return route, but the ISA server is the default gateway for its LAN, and its VPN router is the gateway for the ISA server, so the route will be automatic as the last device, the ISA's VPN router, knows the route to the originating packet/remote subnet.

Second issue is you cannot use the same subnet at more than 2 sites. Sounds like you are using 10.0.0.x (10.0.0.0/8).  You could change and use something like 10.0.1.x, 10.0.2.x, etc. at each site (10.0.0.0/24). If two sites use the same subnet, even internally, how can the routing be configured to determine to which site to send the packet?
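The two points in the accepted answer (a static route per remote LAN via the remote ISA server's WAN address, and no duplicated LAN subnets across sites) can be checked before touching any router. The following is an added example, not code from the thread; the site plan, LAN subnets and ISA WAN addresses in it are constructed for illustration.

```python
import ipaddress

# Constructed site plan (not from the original thread): each site's LAN
# subnet and the WAN-side address of its ISA server, which is the next hop
# a remote site must route through to reach that LAN. The two 10.0.0.0/24
# entries reproduce the duplicated-subnet problem from the question.
SITES = {
    "main":    {"lan": "10.0.0.0/24", "isa_wan": "192.168.2.123"},
    "branch1": {"lan": "10.0.0.0/24", "isa_wan": "192.168.7.123"},
    "branch2": {"lan": "10.0.2.0/24", "isa_wan": "192.168.9.123"},
}


def overlapping_sites(sites):
    """Return (site_a, site_b) pairs whose LAN subnets overlap.

    Overlapping LANs cannot be reached across a site-to-site VPN: a router
    holding a route for 10.0.0.0/24 has no way to tell which site a packet
    for 10.0.0.10 belongs to.
    """
    names = sorted(sites)
    clashes = []
    for i, a in enumerate(names):
        net_a = ipaddress.ip_network(sites[a]["lan"])
        for b in names[i + 1:]:
            if net_a.overlaps(ipaddress.ip_network(sites[b]["lan"])):
                clashes.append((a, b))
    return clashes


def static_routes(sites, local):
    """Persistent Windows 'route add -p' commands a host at site `local`
    needs for every other site's LAN, using that site's ISA WAN address as
    the gateway. Refuses to emit anything while any subnets overlap, since
    such routes would silently black-hole one site's traffic."""
    if overlapping_sites(sites):
        raise ValueError("fix overlapping LAN subnets before adding routes")
    cmds = []
    for name, site in sorted(sites.items()):
        if name == local:
            continue
        net = ipaddress.ip_network(site["lan"])
        cmds.append(
            f"route add -p {net.network_address} mask {net.netmask} "
            f"{site['isa_wan']}"
        )
    return cmds
```

Renumbering branch1 to 10.0.1.0/24 clears the overlap, after which `static_routes(SITES, "main")` yields one route per remote site.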
