Solved

Cannot SSH to server over PPTP from within ISA 2004 (SBS2k3) network using firewall client??

Posted on 2009-06-30
2
878 Views
Last Modified: 2012-05-07
I am on an SBS 2003 Network using ISA 2004 and my machine is using the Firewall Client.  

I recently got a virtual server at softlayer and I can open a vpn connection to the softlayer network and ping my server however I cannot connect using SSH with PuTTY.  

I can disable the firewall client temporarily and SSH to the server and then re-enable the firewall client and my SSH connection will stay up.

Does anyone have any ideas about why the firewall client / ISA Server is not allowing the SSH connection?  

Also, the ISA logs do not show any blocked connections.

Thanks in advance,

David
0
Comment
Question by:dtsmith1984
2 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 24749725
It is not logging anything being block because it is not blocking it.  The problem is that this is a VPN and the IP Range on the Remote Network (SoftLayer) is not configured within ISA as being part of the Internal Network,...therefore the FWC interprets it as being a connection attempt to "External" and winging it out to the Internet where it fails.  So it isn't being denied,..it is being allowed,...it is just failing because it is being tossed down the wrong path.
Why does it work without the FWC?  Because without the FWC the local machine's regular "routing" takes over.  By the very nature of how VPN works,..the VPN is overriding the local machines Default Gateway with itself (the VPN becomes the new Default Gateway).  Since the target IP# is obviously not part of the local machine's local network the traffic gets "tossed" to the Default Gateway (which happens to be the VPN at the moment) and it works.
So....
Option #1
Find out the IP Range (or at least the one you are targeting) and add it to the Internal Network Definition.  This would be the IP Range inside the Tunnel,...not the outside of the Tunnel.  Then from a command prompt create a "blackhole" Static Route on the ISA machine for the same IP Range.  This route will never actually get used,...it is only there so that ISA has a route that corresponds to all the listed IP Ranges in the Internal Network Definition.  Without the Route it will probably whine and complain about it and give alerts that it sees address on the LAN that may be spoofed. In other words it will complain that is see addresses on the Internal Interface that have no corresponding route.
Option #2
Just disable/enable the FWC as needed as you are already doing and don't worry about it.
0
 

Author Closing Comment

by:dtsmith1984
ID: 31598519
Thank you for the great explanation.  
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question