Solved

Cannot SSH to server over PPTP from within ISA 2004 (SBS2k3) network using firewall client??

Posted on 2009-06-30
2
868 Views
Last Modified: 2012-05-07
I am on an SBS 2003 Network using ISA 2004 and my machine is using the Firewall Client.  

I recently got a virtual server at softlayer and I can open a vpn connection to the softlayer network and ping my server however I cannot connect using SSH with PuTTY.  

I can disable the firewall client temporarily and SSH to the server and then re-enable the firewall client and my SSH connection will stay up.

Does anyone have any ideas about why the firewall client / ISA Server is not allowing the SSH connection?  

Also, the ISA logs do not show any blocked connections.

Thanks in advance,

David
0
Comment
Question by:dtsmith1984
2 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
Comment Utility
It is not logging anything being block because it is not blocking it.  The problem is that this is a VPN and the IP Range on the Remote Network (SoftLayer) is not configured within ISA as being part of the Internal Network,...therefore the FWC interprets it as being a connection attempt to "External" and winging it out to the Internet where it fails.  So it isn't being denied,..it is being allowed,...it is just failing because it is being tossed down the wrong path.
Why does it work without the FWC?  Because without the FWC the local machine's regular "routing" takes over.  By the very nature of how VPN works,..the VPN is overriding the local machines Default Gateway with itself (the VPN becomes the new Default Gateway).  Since the target IP# is obviously not part of the local machine's local network the traffic gets "tossed" to the Default Gateway (which happens to be the VPN at the moment) and it works.
So....
Option #1
Find out the IP Range (or at least the one you are targeting) and add it to the Internal Network Definition.  This would be the IP Range inside the Tunnel,...not the outside of the Tunnel.  Then from a command prompt create a "blackhole" Static Route on the ISA machine for the same IP Range.  This route will never actually get used,...it is only there so that ISA has a route that corresponds to all the listed IP Ranges in the Internal Network Definition.  Without the Route it will probably whine and complain about it and give alerts that it sees address on the LAN that may be spoofed. In other words it will complain that is see addresses on the Internal Interface that have no corresponding route.
Option #2
Just disable/enable the FWC as needed as you are already doing and don't worry about it.
0
 

Author Closing Comment

by:dtsmith1984
Comment Utility
Thank you for the great explanation.  
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now