ISA 2004 behind VPN router can't browse remote network

A client of mine has D-Link 804HV VPN routers in 5 locations.  The tunnels were established and working fine until we started adding ISA 2004 onto the servers at each location.  There is still a need for the users to browse the remote networks, mainly just to copy some files occasionally.

Each location has different subnets on the external NICs, i.e. the main branch has 2 NICs (192.168.2.x for WAN and 10.0.0.x for LAN).  The 192.168.2.x comes from the D-Link router. DHCP is not enabled on the D-Link; this is passed along from the DSL connection, rather than the public IP.  There is no apparent way to have the public IP directly entered onto the WAN NIC.  I believe this is the main cause of all the trouble, by the way.

One branch location has 192.168.7.x for WAN and again 10.0.0.x for LAN.  The idea would be for a user at main office to be able to browse to 192.168.7.10 (server IP).  Pings to any 192.168.7.x address from the main office don't ever go through.

RDP works fine thanks to some rule tweaking in ISA, but I can't seem to get network browsing functioning correctly.

Can anyone help me out here?  I'd rather keep the D-Links in place as added security.

ArthurSim asked:

Rob Williams commented:
2 issues as I see it.

The VPN handles routing between the two known subnets, for example 192.168.2.x and 192.168.7.x. By default packets are kept in the local network if they are destined for the same subnet, but if unknown, they are sent to the "Default" gateway, the VPN router. The router knows the location of the remote 192.168.x.x subnet and forwards packets destined for it, but it does not know the location of the 10.0.0.x subnet. A route needs to be added to the router from which the packet originated, or the generating PC, for example:
route add -p 10.0.0.0 mask 255.0.0.0 192.168.2.123
(where 192.168.2.123 is the WAN connection of the remote ISA server)
You also need a return route, but the ISA server is the default gateway for its LAN, and its VPN router is the gateway for the ISA server, so the route will be automatic as the last device, the ISA's VPN router, knows the route to the originating packet/remote subnet.

Second issue is you cannot use the same subnet at more than 2 sites. Sounds like you are using 10.0.0.x (10.0.0.0/8).  You could change and use something like 10.0.1.x, 10.0.2.x, etc. at each site (10.0.0.0/24). If two sites use the same subnet, even internally, how can the routing be configured to determine to which site to send the packet?
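As an added example (not code from the thread or from either poster), here is a small Python check that applies both points of the answer to a constructed site table: it flags LAN subnets that overlap across sites, renumbers them into distinct /24s as suggested, and then emits the per-site persistent routes to each remote LAN via that remote site's ISA WAN address, the next hop the answer names. The ISA WAN addresses (192.168.2.123 and 192.168.7.123) are assumed values.

```python
import ipaddress
from itertools import combinations

# Constructed site table mirroring the thread: each site has the WAN subnet
# handed out by the D-Link, the LAN subnet behind ISA, and the ISA server's
# WAN-side address (the ISA addresses are assumed, not from the thread).
# Both LANs being 10.0.0.0/24 is the overlap the answer warns about.
SITES = {
    "main":   {"wan": "192.168.2.0/24", "lan": "10.0.0.0/24", "isa_wan": "192.168.2.123"},
    "branch": {"wan": "192.168.7.0/24", "lan": "10.0.0.0/24", "isa_wan": "192.168.7.123"},
}


def overlapping_lans(sites):
    """Site pairs whose LAN subnets overlap. A router cannot pick a site for a
    destination that exists at two sites (the answer's second issue)."""
    return [
        (a, b) for a, b in combinations(sorted(sites), 2)
        if ipaddress.ip_network(sites[a]["lan"]).overlaps(ipaddress.ip_network(sites[b]["lan"]))
    ]


def static_routes(sites):
    """Per site, the routes its VPN router (or originating PC) needs: each
    remote LAN reached via that remote site's ISA WAN address."""
    return {
        local: [(sites[r]["lan"], sites[r]["isa_wan"]) for r in sorted(sites) if r != local]
        for local in sorted(sites)
    }


def windows_route_commands(sites):
    """Render the routes as the persistent 'route add -p' lines used in the answer."""
    rendered = {}
    for site, entries in static_routes(sites).items():
        rendered[site] = []
        for dest, hop in entries:
            net = ipaddress.ip_network(dest)
            rendered[site].append(f"route add -p {net.network_address} mask {net.netmask} {hop}")
    return rendered


def renumber(sites):
    """Give each site its own /24 out of 10.0.0.0/8 (10.0.0.x, 10.0.1.x, ...),
    the fix the answer proposes, so the LANs stop overlapping."""
    return {name: dict(cfg, lan=f"10.0.{i}.0/24") for i, (name, cfg) in enumerate(sites.items())}


if __name__ == "__main__":
    print("overlaps before:", overlapping_lans(SITES))        # [('branch', 'main')]
    fixed = renumber(SITES)
    print("overlaps after:", overlapping_lans(fixed))         # []
    for site, cmds in windows_route_commands(fixed).items():
        print(site, cmds)
```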