ISA site to site VPN and non-ISA client traffic

Hi,
We have inherited an ISA 2004 SP2 to Draytek 2820 site-to-site VPN connection from another support company. The site-to-site link would appear to work fine and we can connect from the remote site back to the main site etc. The problem that we have is that we need to be able to access a network device at the remote site from the main site and it will not connect. I have tried my laptop from the remote site as well and it would seem that the main site will only ping computers in the remote site with the ISA client installed on them. If I connect my laptop I cannot ping it or browse shares on it or anything from any PC in the main site. However, my laptop will browse back from the remote site to the main server etc. Is this default ISA behaviour, in that it will only allow clients with the client installed on them to connect to each other, or something else? Any help much appreciated as we need to get the network device working ASAP (it is not a computer). Thanks in advance.
Asked by dazzercx

1 Solution

Suliman Abu Kharroub, IT Consultant, commented:
On the ISA side:
Do you have an access rule for VPN users?
What is the network relationship between VPN and internal, and vice versa?

dazzercx (Author) commented:
Hi,
We have rules to allow the traffic from the remote LAN subnet to the ISA subnet and vice versa, and as I say we can ping from the main site to remote computers with the ISA client installed, but nothing else. Thanks for the reply.

Suliman Abu Kharroub, IT Consultant, commented:
Please note that there is a built-in network in ISA Server for VPN clients, "VPN users".

You have 2 places to check; ISA and Draytek.

From the ISA side, do you have a network relation from VPN to Internal (the direction is essential)?

Could you post a snapshot of the ISA config (network and access rules)?

dazzercx (Author) commented:
How do I post you a snapshot? Sorry, this is my first post here.

Keith Alabaster commented:
First of all, ISA 2004 SP2 was the most bug-ridden version released, and SP3 has been out for years. Not only were there some good updates included, it also gave a HUGE boost to the real-time log monitor. That alone should be able to assist you with your enquiries.

The most common reasons that sites use the dreaded ISA firewall client are:
The installers had no clue about ISA Server and assumed they HAD to have the client installed for the product to work, OR
the default gateway of the site's workstations did NOT point to the ISA Server.

dazzercx (Author) commented:
Hi,
I have installed SP3 and can see in the logs that the ping request is opened with no errors, but I still get no reply from any PC or device without the firewall client installed. As I say, we have inherited this setup. Any more help much appreciated.

Keith Alabaster commented:
I take it the Draytek is the main site?

dazzercx (Author) commented:
Hi,
No the Draytek is the remote site.

Keith Alabaster commented:
OK, so you see the ping to the remote device go through ISA; do you see a corresponding request hit the Draytek log?

dazzercx (Author) commented:
I cannot see any ping requests in the logs of the Draytek, even the ones that are working. I have all logs enabled and am viewing them via the Syslog utility.

Keith Alabaster commented:
Then we need to go back to basics.
What is the device at the remote office that you are trying to contact? Is it a computer? A printer?
Can you ping it from the Draytek itself?

dazzercx (Author) commented:
I have tried my laptop; yes, I can ping that from the Draytek, but again not from the main site. The actual device we are trying to get working is a clocking-in machine; it has the correct gateway specified. Again, I can ping this fine from the Draytek. Thanks for your help on this.

Keith Alabaster commented:
Ah, OK.
Does the remote site have its own Internet connection or does all internet traffic come back to the ISA first and then use the main site's internet connection?

dazzercx (Author) commented:
It has its own Internet connection, and when I test my laptop on it I am using that connection, but all computers with the ISA client on go back to the ISA site and then out to the Internet. I can ping all devices FROM my laptop TO all the main site servers etc. when I am at the remote site.

Keith Alabaster commented:
That is going to be your issue, I expect: the device will send its responses to your pings back to its default gateway, which will then likely go out the remote Internet connection. As per my first response to you, this situation is often one where the firewall client is used to indicate an alternative gateway.

Assuming the Draytek is the default gateway of the remote office, does the Draytek have a static route for the local and remote subnets to support the VPN routes?

dazzercx (Author) commented:
I have tried adding a static route of 192.168.8.0 (the main site IP range) subnet mask 255.255.255.0 with the IP address of the external ISA server as the gateway for this on the router, but it rejects it.

Keith Alabaster commented:
You cannot use the external ISA interface; it does not exist (think about it) because you have built a tunnel between the two locations. Really the Draytek should be handling this itself. Can you capture and post the routing table from the Draytek please? Let's see what it thinks it is doing with the traffic.

dazzercx (Author) commented:
The routing table is as follows. I only tried the static route after looking at another post, but didn't think it looked right:

Key: C - connected, S - static, R - RIP, * - default, ~ - private
*             0.0.0.0/         0.0.0.0 via 77.107.X.X,   WAN1
*       77.107.X.X/ 255.255.255.255 via 77.107.X.X,   WAN1
S       77.107.X.X/ 255.255.255.255 via 77.107.X.X,   WAN1
S~        192.168.8.0/   255.255.255.0 via 78.32.X.X,    VPN
C~        192.168.1.0/   255.255.255.0 is directly connected,    LAN
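As an added example (not code from the thread or from Draytek), this parses the routing table posted above and does the longest-prefix match the router performs for a reply to a main-site address, showing the return-path check behind Keith's earlier point: with the 192.168.8.0/24 VPN route present the reply leaves via VPN, and without it the reply follows the default route out WAN1. The masked public addresses are replaced with RFC 5737 documentation addresses so the sample parses.

```python
import ipaddress

# Constructed copy of the Draytek routing table posted above; the masked
# public addresses (77.107.X.X, 78.32.X.X) are replaced with RFC 5737
# documentation addresses so the sample parses.
DRAYTEK_ROUTING_TABLE = """\
Key: C - connected, S - static, R - RIP, * - default, ~ - private
*             0.0.0.0/         0.0.0.0 via 198.51.100.1,   WAN1
*       198.51.100.2/ 255.255.255.255 via 198.51.100.2,   WAN1
S       203.0.113.10/ 255.255.255.255 via 198.51.100.1,   WAN1
S~        192.168.8.0/   255.255.255.0 via 203.0.113.10,    VPN
C~        192.168.1.0/   255.255.255.0 is directly connected,    LAN
"""

def parse_routes(text):
    """Return (network, next_hop, interface) tuples from Draytek-style output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("Key"):
            continue
        # columns: flags, "network/", "mask", then "via <gw>," or "is directly connected,"
        network = ipaddress.ip_network(f"{parts[1].rstrip('/')}/{parts[2]}", strict=False)
        next_hop = None
        if "via" in parts:
            next_hop = ipaddress.ip_address(parts[parts.index("via") + 1].rstrip(","))
        routes.append((network, next_hop, parts[-1]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the route the router picks for a packet to dst."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def reply_interface(text, main_site_client):
    """Interface a remote-LAN device's reply leaves on when the device sends
    it to its default gateway (the Draytek) to answer main_site_client."""
    route = lookup(parse_routes(text), main_site_client)
    return route[2] if route else None

def without_vpn_route(text):
    """The same table with the 192.168.8.0/24 VPN route missing: the
    asymmetric-routing failure where the reply goes out the remote Internet link."""
    return "\n".join(l for l in text.splitlines() if " VPN" not in l)

if __name__ == "__main__":
    print(reply_interface(DRAYTEK_ROUTING_TABLE, "192.168.8.20"))                     # VPN
    print(reply_interface(without_vpn_route(DRAYTEK_ROUTING_TABLE), "192.168.8.20"))  # WAN1
```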

Keith Alabaster commented:
So:
192.168.1.0 is your remote site.
192.168.8.0 is your main site, and the 192.168.1.0 network gets there via 78.32.x.y.
77.107.x.y is your remote office's external entry to the Internet etc.?

dazzercx (Author) commented:
Yes, that is correct.

dazzercx (Author) commented:
Does anyone else have any ideas on this at all?

dazzercx (Author) commented:
Had problems with the broadband dropping off with this as well; once these were solved the VPN works fine now with no other configuration changes. It must have been an odd routing issue with the broadband supplier or such. I have answered my own question in the end, so I am not sure how to close this case?

dazzercx (Author) commented:
External source was the issue.