Solved

ISA 2004 behind VPN router can't browse remote network

Posted on 2009-05-08
Last Modified: 2012-08-14
A client of mine has D-Link 804HV VPN routers in 5 locations.  The tunnels were established and working fine until we started adding ISA 2004 onto the servers at each location.  There is still a need for the users to browse the remote networks, mainly just to copy some files occasionally.

Each location has different subnets on the external NICs, i.e. main branch has 2 NICs (192.168.2.x for WAN and 10.0.0.x for LAN).  The 192.168.2.x comes from the D-Link router. DHCP is not enabled on the D-Link; this is passed along from the DSL connection, rather than the public IP.  There is no apparent way to have the public IP directly entered onto the WAN NIC.  I believe this is the main cause of all the trouble, by the way.

One branch location has 192.168.7.x for WAN and again 10.0.0.x for LAN.  The idea would be for a user at main office to be able to browse to 192.168.7.10 (server IP).  Pings to any 192.168.7.x address from the main office don't ever go through.

RDP works fine thanks to some rule tweaking in ISA, but I can't seem to get network browsing functioning correctly.

Can anyone help me out here?  I'd rather keep the D-Links in place as added security.
Question by:ArthurSim
2 Comments
 
Accepted Solution

by:
Rob Williams earned 500 total points
ID: 24335859
2 issues as I see it.

The VPN handles routing between the two known subnets, for example 192.168.2.x and 192.168.7.x. By default packets are kept in the local network if they are destined for the same subnet, but if unknown, they are sent to the "Default" gateway, the VPN router. The router knows the location of the remote 192.168.x.x subnet and forwards packets destined for it, but it does not know the location of the 10.0.0.x subnet. A route needs to be added to the router from which the packet originated, or the generating PC, for example:
route add -p 10.0.0.0 mask 255.0.0.0 192.168.2.123
(where 192.168.2.123 is the WAN connection of the remote ISA server)
You also need a return route, but the ISA server is the default gateway for its LAN, and its VPN router is the gateway for the ISA server, so the route will be automatic as the last device, the ISA's VPN router, knows the route to the originating packet/remote subnet.

Second issue is you cannot use the same subnet at more than 2 sites. Sounds like you are using 10.0.0.x (10.0.0.0/8).  You could change and use something like 10.0.1.x, 10.0.2.x, etc. at each site (10.0.0.0/24). If two sites use the same subnet, even internally, how can the routing be configured to determine to which site to send the packet?
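
Added example (not part of the original answer or written by its author): a Python check that flags sites whose LAN subnets overlap, renumbers them into per-site /24s as the answer suggests, and prints static routes in the same form as the answer's route line. The site names, the "isa_wan" key and the 10.0.0.0/16 pool are assumptions; the addresses are the ones used as examples in the thread.

```python
import ipaddress
from itertools import combinations

# Constructed addressing plan modelled on the thread. "isa_wan" is the ISA
# server's address on its VPN router's subnet (example values from the thread).
SITES = {
    "main":   {"isa_wan": "192.168.2.123", "lan": "10.0.0.0/8"},
    "branch": {"isa_wan": "192.168.7.10",  "lan": "10.0.0.0/8"},
}

def find_overlaps(sites):
    """Return (site_a, site_b) pairs whose LAN subnets overlap, even partially."""
    nets = {name: ipaddress.ip_network(s["lan"]) for name, s in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def renumber(sites, pool="10.0.0.0/16"):
    """Give each site its own /24 from the pool: 10.0.1.0/24, 10.0.2.0/24, ..."""
    subnets = list(ipaddress.ip_network(pool).subnets(new_prefix=24))[1:]
    if len(sites) > len(subnets):
        raise ValueError("pool too small for the number of sites")
    return {name: {**s, "lan": str(net)}
            for (name, s), net in zip(sites.items(), subnets)}

def route_commands(sites, local):
    """Build one 'route add' line per remote LAN, to be added at site `local`.

    The gateway is the remote ISA server's WAN-side address, as in the answer.
    Refuses to emit routes while any two LANs overlap, because the destination
    would then be ambiguous.
    """
    clashes = find_overlaps(sites)
    if clashes:
        raise ValueError(f"overlapping LAN subnets: {clashes}")
    cmds = []
    for name, s in sites.items():
        if name == local:
            continue
        net = ipaddress.ip_network(s["lan"])
        cmds.append(f"route add -p {net.network_address} mask {net.netmask} {s['isa_wan']}")
    return cmds

if __name__ == "__main__":
    print("overlaps in current plan:", find_overlaps(SITES))
    fixed = renumber(SITES)
    for site in fixed:
        print(site, fixed[site]["lan"], route_commands(fixed, site))
```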
Question has a verified solution.
