• Status: Solved

Simple telnet from vpn client with ISA 2006 Standard

I am running ISA 2006 on Win2k3 Standard server. I use CMAK to create the VPN client that configures the DNS suffix and internal DNS servers.
ISA is handing out IP addresses. The VPN clients connect fine, but when they run a program called Accuterm, which just telnets to an internal server, they cannot connect. I also have a Cisco concentrator 3000 with VPN configured and it works just great. (The concentrator is old and needs to be retired.)

I have a rule in the ISA that allows telnet,DNS > VPN Clients > internal Server.

My internal lan ip address range is 192.168.1.x
The ISA VPN client IP address range is 192.168.60.x
The Cisco vpn Concentrator IP address range is 192.168.50.x

When the ISA VPN client connects, IPCONFIG shows

PPP adapter USER:

        Connection-specific DNS Suffix  . : domain.corp
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.60.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.60.2
        DNS Servers . . . . . . . . . . . : 192.168.1.x
                                            192.168.1.x

When the Cisco VPN Client connects IPCONFIG shows


Ethernet adapter Local Area Connection 3:

        Connection-specific DNS Suffix  . : ace.corp
        IP Address. . . . . . . . . . . . : 192.168.50.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

On a test network I have, which has an internal IP range of 10.10.10.x, it seems to work fine with the ISA client. So the only difference I can tell is that the VPN clients are in another state (Distance) and the internal network is on a 192.168.1.x (Spoofing)????

Any ideas on why ISA VPN users cannot telnet??
Asked by: clynch302

pwindell Commented:
The IPConfig looks just fine.

Watch the Monitoring Log in ISA. If it is blocking it, it will clearly say so. If it is not blocking it then you may have other non-ISA issues that are causing problems when ISA is used as the VPN Server.

CMAK
I never use CMAK to force DNS stuff to clients. I also never use Address Pools for that matter. ISA is perfectly capable of allowing the Clients to get those from DHCP. It always works perfectly that way. Yet people seem to always have problems when they use "address pools" and also have problems when they use CMAK. I have no explanation why.

In the Dialup Connection you must enable "Use gateway on remote network". If that is disabled you will fail to reach the DNS Servers and resolution will fail.
0
 
Keith Alabaster Commented:
I assume the vpn clients can ping the internal server OK just to ensure network comms are operating correctly? I'll also assume you have the ISA2006 service pack installed?
From the client, can they use the telnet command to access the internal server either by name or ip address  -
telnet aaa.bbb.ccc.ddd 23 - does this result in the same error?

On the ISA rules allowing vpn clients to internal, are you allowing all or selected protocols to pass through?

0
 
clynch302 (Author) Commented:
After further testing I am thinking it has to do with Spoofing. On my test network I have it configured as 192.168.3.x and the VPN works with telnet. If I change it to 192.168.1.x, the same as my local network, it does not allow telnet. I also do not see anything being blocked on the ISA logs.
0
Keith Alabaster Commented:
Have you added this network subnet into the LAT table so that ISA knows it is not an external range?
0
 
clynch302 (Author) Commented:
Please explain...I am new to ISA.
0
 
Keith Alabaster Commented:
When you change the ip subnet range, are you also changing it within the internal LAT - ISA gui - configuration - networks etc
0
 
clynch302 (Author) Commented:
What I am doing is changing the network range on the remote network.

Remote LAN - 192.168.1.x. When connected to the VPN it gets 192.168.60.x from the ISA server. Telnet will not work.

If I change the Remote LAN to 192.168.3.x it connects fine as well and telnet works.

The issue is that I would have to make all remote users change their IP range to something other than 192.168.1.x
0
 
clynch302 (Author) Commented:
Anything????

 I know it has to do with vpn clients being on the same subnet. Is there a way to configure ISA 2006 to allow vpn clients access to internal resources?
0
 
Keith Alabaster Commented:
No :(
0
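The subnet overlap the asker isolated, modelled as route selection on the VPN client (an added example, not part of the thread). It assumes standard IP route selection (longest prefix first, then lowest metric), "Use gateway on remote network" enabled, and constructed values: server 192.168.1.10, home gateways 192.168.1.1 / 192.168.3.1, and the metrics shown.

```python
import ipaddress

CORP_LAN = "192.168.1.0/24"   # internal LAN behind ISA (from the thread)
SERVER = "192.168.1.10"       # hypothetical telnet server address on that LAN


def pick_route(routes, dest):
    """Return the route used for dest: longest matching prefix, then lowest metric."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in routes if dest in ipaddress.ip_network(r["net"])]
    if not matches:
        return None
    return max(matches,
               key=lambda r: (ipaddress.ip_network(r["net"]).prefixlen, -r["metric"]))


def client_routes(home_lan, home_gw):
    """Constructed route table of a connected ISA VPN client (illustrative metrics)."""
    return [
        # Default route pushed by the VPN connection; lower metric than the home one.
        {"net": "0.0.0.0/0", "via": "192.168.60.2", "iface": "PPP (ISA VPN)", "metric": 1},
        {"net": "0.0.0.0/0", "via": home_gw, "iface": "home LAN", "metric": 21},
        # On-link route for the subnet the client is physically attached to.
        {"net": home_lan, "via": "on-link", "iface": "home LAN", "metric": 20},
        {"net": "192.168.60.2/32", "via": "on-link", "iface": "PPP (ISA VPN)", "metric": 50},
    ]


def overlaps(home_lan, corp_lan=CORP_LAN):
    """True when the client's home subnet collides with the internal LAN."""
    return ipaddress.ip_network(home_lan).overlaps(ipaddress.ip_network(corp_lan))


def telnet_path(home_lan, home_gw, server=SERVER):
    """Interface that traffic to the internal server would leave through."""
    return pick_route(client_routes(home_lan, home_gw), server)["iface"]


if __name__ == "__main__":
    for lan, gw in [("192.168.1.0/24", "192.168.1.1"), ("192.168.3.0/24", "192.168.3.1")]:
        print(f"home LAN {lan}: overlap={overlaps(lan)}, "
              f"telnet to {SERVER} leaves via {telnet_path(lan, gw)}")
```

In the overlapping case the more specific on-link route wins, so the traffic never enters the tunnel, which is consistent with nothing showing as blocked in the ISA log.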
