Solved

ISA 2004 behind VPN router can't browse remote network

Posted on 2009-05-08
Last Modified: 2012-08-14
A client of mine has D-Link 804HV VPN routers in 5 locations.  The tunnels were established and working fine until we started adding ISA 2004 onto the servers at each location.  There is still a need for the users to browse the remote networks, mainly just to copy some files occasionally.

Each location has different subnets on the external NICs, i.e. main branch has 2 NICs (192.168.2.x for WAN and 10.0.0.x for LAN).  The 192.168.2.x comes from the D-Link router. DHCP is not enabled on the D-Link; this is passed along from the DSL connection, rather than the public IP.  There is no apparent way to have the public IP directly entered onto the WAN NIC.  I believe this is the main cause of all the trouble, by the way.

One branch location has 192.168.7.x for WAN and again 10.0.0.x for LAN.  The idea would be for a user at main office to be able to browse to 192.168.7.10 (server IP).  Pings to any 192.168.7.x address from the main office don't ever go through.

RDP works fine thanks to some rule tweaking in ISA, but I can't seem to get network browsing functioning correctly.

Can anyone help me out here?  I'd rather keep the D-Links in place as added security.
Question by:ArthurSim

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 24335859
2 issues as I see it.

The VPN handles routing between the two known subnets, for example 192.168.2.x and 192.168.7.x. By default packets are kept in the local network if they are destined for the same subnet, but if unknown, they are sent to the "Default" gateway, the VPN router. The router knows the location of the remote 192.168.x.x subnet and forwards packets destined for it, but it does not know the location of the 10.0.0.x subnet. A route needs to be added to the router from which the packet originated, or the generating PC, for example:
route add -p 10.0.0.0 mask 255.0.0.0 192.168.2.123
(where 192.168.2.123 is the WAN connection of the remote ISA server)
You also need a return route, but the ISA server is the default gateway for its LAN, and its VPN router is the gateway for the ISA server, so the route will be automatic as the last device, the ISA's VPN router, knows the route to the originating packet/remote subnet.

Second issue is you cannot use the same subnet at more than 2 sites. Sounds like you are using 10.0.0.x (10.0.0.0/8).  You could change and use something like 10.0.1.x, 10.0.2.x, etc. at each site (10.0.0.0/24). If two sites use the same subnet, even internally, how can the routing be configured to determine to which site to send the packet?
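Added example, not part of the original thread: a short Python check for the overlapping-subnet problem described in the accepted answer. It flags networks that are reused across sites, shows why a destination address becomes ambiguous, and proposes distinct per-site LAN subnets in the 10.0.1.x, 10.0.2.x style the answer suggests. The site names, the masks and the renumbering pool are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed site plan based on the addresses in the thread; the masks
# (/24 on the WAN side, /8 on the LAN side) are assumptions.
SITES = {
    "main":   {"wan": "192.168.2.0/24", "lan": "10.0.0.0/8"},
    "branch": {"wan": "192.168.7.0/24", "lan": "10.0.0.0/8"},
}

def all_networks(sites):
    """Flatten the plan into (site, role, network) tuples."""
    return [(name, role, ipaddress.ip_network(cidr))
            for name, nets in sites.items()
            for role, cidr in nets.items()]

def find_overlaps(sites):
    """Return every pair of networks at different sites that overlap."""
    clashes = []
    for (s1, r1, n1), (s2, r2, n2) in combinations(all_networks(sites), 2):
        if s1 != s2 and n1.overlaps(n2):
            clashes.append((f"{s1}/{r1}", f"{s2}/{r2}", str(n1), str(n2)))
    return clashes

def sites_claiming(sites, address):
    """List the sites whose networks contain the address; more than one is ambiguous."""
    ip = ipaddress.ip_address(address)
    return sorted({name for name, _, net in all_networks(sites) if ip in net})

def renumber_lans(sites, pool="10.0.0.0/16", new_prefix=24, first_index=1):
    """Give each site its own LAN subnet from the pool (10.0.1.0/24, 10.0.2.0/24, ...)."""
    subnets = list(ipaddress.ip_network(pool).subnets(new_prefix=new_prefix))
    plan = {}
    for offset, (name, nets) in enumerate(sites.items()):
        plan[name] = dict(nets, lan=str(subnets[first_index + offset]))
    return plan

if __name__ == "__main__":
    print("before:", find_overlaps(SITES), sites_claiming(SITES, "10.0.0.25"))
    fixed = renumber_lans(SITES)
    print("after: ", fixed, find_overlaps(fixed), sites_claiming(fixed, "10.0.2.25"))
```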