Simple telnet from vpn client with ISA 2006 Standard

I am running ISA 2006 on a Win2k3 Standard server. I use CMAK to create the VPN client that configures the DNS suffix and internal DNS servers.
ISA is handing out IP addresses. The VPN clients connect fine, but when they run a program called Accuterm, which just telnets to an internal server, they cannot connect. I also have a Cisco concentrator 3000 with VPN configured and it works just great. (The concentrator is old and needs to be retired.)

I have a rule in the ISA that allows telnet,DNS > VPN Clients > internal Server.

My internal lan ip address range is 192.168.1.x
The ISA VPN client IP address range is 192.168.60.x
The Cisco vpn Concentrator IP address range is 192.168.50.x

When the ISA VPN client connects, IPCONFIG shows

PPP adapter USER:

        Connection-specific DNS Suffix  . : domain.corp
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.60.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.60.2
        DNS Servers . . . . . . . . . . . : 192.168.1.x
                                            192.168.1.x

When the Cisco VPN Client connects IPCONFIG shows


Ethernet adapter Local Area Connection 3:

        Connection-specific DNS Suffix  . : ace.corp
        IP Address. . . . . . . . . . . . : 192.168.50.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

On a test network I have, which has an internal IP range of 10.10.10.x, it seems to work fine with the ISA client. So the only difference I can tell is that the VPN clients are in another state (Distance) and the internal network is on 192.168.1.x (Spoofing)????

Any ideas on why ISA VPN users cannot telnet??
clynch302 Asked:

Keith Alabaster (Enterprise Architect) Commented:
No :(

pwindell Commented:
The IPConfig looks just fine.

Watch the Monitoring Log in ISA. If it is blocking it, it will clearly say so. If it is not blocking it, then you may have other non-ISA issues that are causing problems when ISA is used as the VPN Server.

CMAK
I never use CMAK to force DNS stuff to clients. I also never use Address Pools for that matter. ISA is perfectly capable of allowing the Clients to get those from DHCP. It always works perfectly that way. Yet people seem to always have problems when they use "address pools" and also have problems when they use CMAK. I have no explanation why.

In the Dialup Connection you must enable "Use gateway on remote network". If that is disabled you will fail to reach the DNS Servers and resolution will fail.

Keith Alabaster (Enterprise Architect) Commented:
I assume the vpn clients can ping the internal server OK just to ensure network comms are operating correctly? I'll also assume you have the ISA2006 service pack installed?
From the client, can they use the telnet command to access the internal server either by name or ip address  -
telnet aaa.bbb.ccc.ddd 23 - does this result in the same error?

On the ISA rules allowing vpn clients to internal, are you allowing all or selected protocols to pass through?

clynch302 (Author) Commented:
After further testing I am thinking it has to do with Spoofing. On my test network I have it configured as 192.168.3.x and the VPN works with telnet. If I change it to 192.168.1.x, the same as my local network, it does not allow telnet. I also do not see anything being blocked in the ISA logs.

Keith Alabaster (Enterprise Architect) Commented:
Have you added this network subnet into the LAT table so that ISA knows it is not an external range?

clynch302 (Author) Commented:
Please explain...I am new to ISA.

Keith Alabaster (Enterprise Architect) Commented:
When you change the IP subnet range, are you also changing it within the internal LAT - ISA GUI - configuration - networks etc.?

clynch302 (Author) Commented:
What I am doing is changing the network range on the remote network.

Remote LAN - 192.168.1.x. When connected to the VPN it gets 192.168.60.x from the ISA server. Telnet will not work.

If I change the Remote LAN to 192.168.3.x it connects fine as well and telnet works.

The issue is that I would have to make all remote users change their IP range to something other than 192.168.1.x

clynch302 (Author) Commented:
Anything????

 I know it has to do with vpn clients being on the same subnet. Is there a way to configure ISA 2006 to allow vpn clients access to internal resources?
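
Added example (not posted by any participant in this thread): a simplified model of how a connected VPN client picks a route for the two remote-LAN cases tested above, using longest-prefix match. The server address 192.168.1.10, the interface names and the metrics are assumptions made for illustration.

```python
import ipaddress

# Constructed values based on the ranges quoted in the thread; the server
# address 192.168.1.10, interface names and metrics are assumptions.
CORP_LAN = ipaddress.ip_network("192.168.1.0/24")
VPN_CLIENT_IP = ipaddress.ip_address("192.168.60.2")
INTERNAL_SERVER = ipaddress.ip_address("192.168.1.10")


def client_routes(home_lan):
    """Simplified route table of a connected VPN client.

    Each entry is (destination network, interface, metric). The VPN default
    route models "Use gateway on remote network" being enabled.
    """
    home = ipaddress.ip_network(home_lan)
    return [
        (ipaddress.ip_network("0.0.0.0/0"), "vpn", 1),        # VPN default route
        (ipaddress.ip_network("0.0.0.0/0"), "home-lan", 20),  # original default
        (home, "home-lan", 20),                               # on-link home subnet
        (ipaddress.ip_network(f"{VPN_CLIENT_IP}/32"), "vpn", 1),
    ]


def pick_route(routes, dest):
    """Longest prefix wins; the lowest metric breaks ties."""
    candidates = [r for r in routes if dest in r[0]]
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))


def egress_interface(home_lan, dest=INTERNAL_SERVER):
    """Interface the client would use to reach dest."""
    return pick_route(client_routes(home_lan), dest)[1]


def overlaps_corp(home_lan):
    """True when the remote user's LAN overlaps the corporate LAN."""
    return ipaddress.ip_network(home_lan).overlaps(CORP_LAN)


if __name__ == "__main__":
    for home in ("192.168.1.0/24", "192.168.3.0/24"):
        print(home, "overlap:", overlaps_corp(home),
              "-> telnet to", INTERNAL_SERVER,
              "leaves via", egress_interface(home))
```

In this model the on-link /24 for a 192.168.1.x home LAN is more specific than the VPN default route, so traffic for the internal server never enters the tunnel, which would also be consistent with nothing appearing as blocked in the ISA log.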
Question has a verified solution.