silchester asked:
Outbound VPN calls through ISA Server 2004

We have a Small Business Server 2003 which has been running successfully for several years.
However, since we changed our router it does not allow us to create a VPN connection to external equipment.

Although it appears that the ISA server is inhibiting the tunnel, the only item we have changed is the router. The router is set up as a DMZ Host with the IP address set as the Server's IP address.
ewkelly

If the only thing you changed was the router, then that is where I would start.
I assume it has the same IP as the old router.
Are the interfaces set up the same as the old router? Does it have the same trunks and routes set up?
Do you get any errors on the router?
silchester (asker)

The router is different but I have now set it up similar to the router before. I utilise port forwarding and have specified PPTP.

However the VPN client is initiated from the PC on the SBS network so I do not see how I could have affected it?

The ISA Server is reporting the PPTP connection is blocked?

All very confusing.
If the vpn uses a different iP range, it will go through the router.
Make sure that port 1723 is open on the router. That is the port used by PPTP.
 
My network is 192.168.16.x, whereas the VPN is 192.168.1.x. So that is OK and has not changed.

Port 1723 is also open. At the moment the firewall has been disabled on the router.

I have set up the router to port forward to the server's IP address.


port-forward.bmp
Is that a two way route?
1723 is open to the server, but how about back to the 192.168.16 and 192.168.1 ranges?
 
All external traffic from the server is routed via its default gateway, which is the router's IP address.

Your screen shot shows the port open on one port, which I assume is the inbound port.
It does not show the port open on the outgoing port.
The server is telling you that the port is blocked outgoing.
 
On the router the Port Forward option is aimed at forwarding external (internet) traffic to an IP address on the internal network.

Our structure is a single router that connects to an ethernet card on the Server. The internal network is on a 2nd network card on the server.

Therefore the server is also acting as a firewall for the system.

Any outgoing network traffic from our PC goes via the Server (SBS2k3) and ISA server and then through the default gateway, which is the router's IP address. The router currently does not have the firewall enabled and as such I would expect it to pass through.

Am I not understanding something?
No, I wasn't.
I am out of ideas, sorry.
Only SecureNAT Clients can make outbound VPN connections.  
Web Proxy and Firewall Clients will not,...will never happen,...impossible.
Why? Because VPN requires GRE and the Web Proxy and Firewall Service are restricted to only TCP and UDP.

ISA is not going to report the connection as blocked if the ISA is not the one doing the blocking.

If the outer NAT Box is where the problem is, then the ISA will report the connection as failed,...not denied.   The exact words used in the ISA log are important.

The outer NAT box is either allowing PPTP outbound,...or it is not.  There is no "forwarding", reverse NATing or anything else.   Just PPTP outbound,...either is,..or is not.
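The distinction drawn above between ISA reporting a connection as "denied" (ISA's own policy blocked it) and as "failed" (ISA let it out but the upstream NAT box did not complete it) is the first thing to check in the firewall log. The following is an added example, not code from the thread: it classifies PPTP/GRE log events for one client and one VPN server. The tab-separated four-field layout, the sample lines and the VPN server address 203.0.113.5 are constructed assumptions (a real ISA 2004 W3C log has many more fields); only the client address 192.168.16.12 comes from the thread.

```python
import csv
import io
from collections import Counter

# Constructed sample in a simplified firewall-log layout (assumption for this example):
# client-ip <TAB> destination-ip <TAB> protocol <TAB> action
SAMPLE_LOG = """\
192.168.16.12\t203.0.113.5\tPPTP\tDenied Connection
192.168.16.12\t203.0.113.5\tGRE\tDenied Connection
192.168.16.12\t203.0.113.5\tPPTP\tFailed Connection Attempt
192.168.16.12\t203.0.113.6\tHTTP\tInitiated Connection
"""

# A PPTP tunnel needs both the TCP 1723 control channel (logged here as PPTP)
# and GRE (IP protocol 47), which Web Proxy / Firewall Clients cannot carry.
PPTP_PROTOCOLS = {"PPTP", "GRE"}


def classify_pptp_events(log_text, client_ip, vpn_server_ip):
    """Count how the firewall recorded each PPTP/GRE attempt from one client.

    'denied' -> the ISA policy blocked it (look at ISA rules and client type).
    'failed' -> ISA allowed it but it never completed (look at the outer NAT box).
    """
    counts = Counter()
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        src, dst, proto, action = row
        if src != client_ip or dst != vpn_server_ip or proto not in PPTP_PROTOCOLS:
            continue
        if action.startswith("Denied"):
            counts["denied"] += 1
        elif action.startswith("Failed"):
            counts["failed"] += 1
        else:
            counts["other"] += 1
    return dict(counts)


def where_to_look(counts):
    """Turn the counts into the place to investigate next."""
    if counts.get("denied"):
        return "isa"          # ISA itself is blocking: policy or client type
    if counts.get("failed"):
        return "upstream"     # ISA passed it; the router/NAT did not
    return "no-pptp-events"   # nothing logged: the client never reached ISA


if __name__ == "__main__":
    c = classify_pptp_events(SAMPLE_LOG, "192.168.16.12", "203.0.113.5")
    print(c, where_to_look(c))
```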
Many thanks for the comment.

I read what the ISA server is saying, but cannot understand why, as nothing has supposedly changed, only the router.

I tried connecting to the router directly and the VPN connection works fine, therefore I think it must be the ISA server.

I have attached a copy of the ISA XML export file and the log file for the firewall. The example of VPN is to IP address 217..36.222.13 from my client PC 192.168.16.12.
isa201010.xml
ASKER CERTIFIED SOLUTION
pwindell
Used another source external to experts-exchange to assist