Solved

ISA site to site VPN and non-ISA client traffic

Posted on 2011-03-03
Last Modified: 2012-05-11
Hi,
We have inherited an ISA 2004 SP2 to Draytek 2820 site-to-site VPN connection from another support company. The site-to-site would appear to work fine and we can connect from the remote site back to the main site etc. The problem we have is that we need to be able to access a network device at the remote site from the main site and it will not connect. I have tried my laptop from the remote site as well and it would seem that the main site will only ping computers in the remote site with the ISA client installed on them. If I connect my laptop I cannot ping it or browse shares on it or anything from any PC in the main site. However, my laptop will browse back from the remote site to the main server etc. Is this default ISA behaviour, in that it will only allow clients with the client installed on them to connect to each other, or is it something else? Any help much appreciated as we need to get the network device working ASAP (it is not a computer). Thanks in advance.
Question by:dazzercx
23 Comments
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35027350
In ISA side:
Do you have an access rule for VPN users?
What is the network relationship between VPN and Internal, and vice versa?

0
 

Author Comment

by:dazzercx
ID: 35027414
Hi,
We have rules to allow the traffic from the remote LAN subnet to the ISA subnet and vice versa, and, as I say, we can ping from the main site to remote computers with the ISA client installed, but nothing else. Thanks for the reply.
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35027623
Please note that there is a built-in network in ISA Server for VPN clients: "VPN users".

You have 2 places to check; ISA and Draytek.

From the ISA side, do you have a network relation from VPN to Internal (direction is essential)?

Could you post a snapshot of the ISA config (network and access rule)?
0
 

Author Comment

by:dazzercx
ID: 35027751
How do I post you a snapshot? Sorry, this is my first post here.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35027874
First of all, ISA 2004 SP2 was the most bug-ridden version released and SP3 has been out for years. Not only were there some good updates included, it also gave a HUGE boost to the real-time log monitor. That alone should be able to assist you with your enquiries.

The most common reasons that sites use the dreaded ISA firewall client are:
The installers had no clue about ISA Server and assumed they HAD to have the client installed for the product to work. OR
The default gateway of the sites workstations did NOT point to the ISA Server.
0
 

Author Comment

by:dazzercx
ID: 35034886
Hi,
I have installed SP3 and can see in the logs that the ping request is opened with no errors, but I still get no reply from any PC or device without the firewall client installed. As I say, we have inherited this setup. Any more help much appreciated.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35034927
I take it the Draytek is the main site?
0
 

Author Comment

by:dazzercx
ID: 35034938
Hi,
No the Draytek is the remote site.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35035029
OK - so you see the ping to the remote device go through ISA - do you see a corresponding request hit the Draytek log?
0
 

Author Comment

by:dazzercx
ID: 35035648
I cannot see any ping requests in the logs of the Draytek, even the ones that are working. I have all logs enabled and am viewing them via the Syslog utility.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35035671
Then we need to go to basics.
What is the device at the remote office that you are trying to contact? Is it a computer? A printer?
Can you ping it from the Draytek itself?
0
 

Author Comment

by:dazzercx
ID: 35035686
I have tried my laptop: yes, I can ping that from the Draytek, but again not from the main site. The actual device we are trying to get working is a clocking-in machine; it has the correct gateway specified. Again, I can ping this fine from the Draytek. Thanks for your help on this.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35035712
Ah - ok.
Does the remote site have its own Internet connection or does all internet traffic come back to the ISA first and then use the main site's internet connection?
0
 

Author Comment

by:dazzercx
ID: 35035727
It has its own Internet connection, and when I test my laptop on it I am using that connection, but all computers with the ISA client on go back to the ISA site and then out to the Internet. I can ping all devices FROM my laptop TO all the main site servers etc. when I am at the remote site.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35035761
That is going to be your issue, I expect - the device will send its responses to your pings back to its default gateway, which will then likely go out the remote Internet connection. As per my first response to you, this situation is often one where the firewall client is used to indicate an alternative gateway.

Assuming the Draytek is the default gateway of the remote office, does the Draytek have a static route for the local and remote subnets to support the VPN routes?
0
 

Author Comment

by:dazzercx
ID: 35035777
I have tried adding a static route of 192.168.8.0 (the main site IP range), subnet mask 255.255.255.0, with the IP address of the external ISA server as the gateway for this on the router, but it rejects it.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35035816
You cannot use the external ISA interface - it does not exist (think about it) because you have built a tunnel between the two locations. Really the Draytek should be handling this itself - can you capture and post the routing table from the Draytek please? Let's see what it thinks it is doing with the traffic.
0
 

Author Comment

by:dazzercx
ID: 35035850
The routing table is as follows. I only tried the static route thing after looking at another post, but didn't think it looked right:

Key: C - connected, S - static, R - RIP, * - default, ~ - private
*             0.0.0.0/         0.0.0.0 via 77.107.X.X,   WAN1
*       77.107.X.X/ 255.255.255.255 via 77.107.X.X,   WAN1
S       77.107.X.X/ 255.255.255.255 via 77.107.X.X,   WAN1
S~        192.168.8.0/   255.255.255.0 via 78.32.X.X,    VPN
C~        192.168.1.0/   255.255.255.0 is directly connected,    LAN
 
0
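The exchange above turns on two things the Draytek does with that table: pick the egress interface for a packet by longest-prefix match (so a reply from the clocking-in machine to 192.168.8.x should leave via the VPN entry, not the default route), and refuse a static route whose next hop is not on a directly connected subnet (why the route via the ISA external address was rejected). The following is an added example, not code from the thread or from Draytek: it parses a routing-table dump in the format dazzercx posted and walks it the way a router would. The public addresses are constructed RFC 5737 documentation addresses standing in for the masked 77.107.X.X and 78.32.X.X values, and the "next hop must be on a connected subnet" rule is a simplified model of the router's static-route validation, assumed here rather than taken from Draytek documentation.

```python
"""Walk a Draytek-style routing table the way the router does (longest prefix
match) to see which interface a packet leaves on, and model the gateway check
that rejects a static route whose next hop is not on a connected subnet."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the table posted in the thread. The masked
# public addresses (77.107.X.X / 78.32.X.X) are replaced with RFC 5737
# documentation addresses so the lines parse; these are assumptions, not data.
SAMPLE_TABLE = """\
Key: C - connected, S - static, R - RIP, * - default, ~ - private
*             0.0.0.0/         0.0.0.0 via 203.0.113.1,   WAN1
*       203.0.113.5/ 255.255.255.255 via 203.0.113.1,   WAN1
S       203.0.113.1/ 255.255.255.255 via 203.0.113.1,   WAN1
S~        192.168.8.0/   255.255.255.0 via 198.51.100.9,    VPN
C~        192.168.1.0/   255.255.255.0 is directly connected,    LAN
"""

# flags, "net/ mask", then either "via <gw>" or "is directly connected", then iface
ROUTE_RE = re.compile(
    r"^(?P<flags>[CSR*~]+)\s+(?P<net>[\d.]+)/\s*(?P<mask>[\d.]+)\s+"
    r"(?:via\s+(?P<via>[\d.]+)|is directly connected),\s+(?P<iface>\S+)\s*$"
)


@dataclass
class Route:
    flags: str
    network: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # None when directly connected
    iface: str

    @property
    def connected(self) -> bool:
        return "C" in self.flags


def parse_table(text: str) -> List[Route]:
    """Parse the dump; the 'Key:' header and anything unparseable is skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.IPv4Network((m["net"], m["mask"]), strict=False)
        via = ipaddress.IPv4Address(m["via"]) if m["via"] else None
        routes.append(Route(m["flags"], net, via, m["iface"]))
    return routes


def egress(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.network.prefixlen)


def gateway_is_reachable(routes: List[Route], gateway: str) -> bool:
    """Simplified static-route validation (assumption): the next hop must sit on
    a directly connected subnet. A tunnel peer's public address never does,
    which is why a route via the ISA external IP is rejected."""
    gw = ipaddress.IPv4Address(gateway)
    return any(r.connected and gw in r.network for r in routes)


def reply_check(routes: List[Route], main_host: str) -> dict:
    """Where does a remote device's reply to main_host go once it hands the
    packet to this router as its default gateway? If that is the same
    interface as the default route, the reply leaks out to the Internet."""
    default = next(r for r in routes if r.network.prefixlen == 0)
    back = egress(routes, main_host)
    return {
        "reply_iface": back.iface,
        "reply_via": str(back.via) if back.via else None,
        "leaks_to_internet": back.iface == default.iface,
    }


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for dst in ("192.168.8.10", "192.168.1.50", "8.8.8.8"):
        r = egress(table, dst)
        hop = "connected" if r.connected else f"via {r.via}"
        print(f"{dst:>14} -> {r.iface} ({hop})")
    print(reply_check(table, "192.168.8.10"))
    print("static 192.168.8.0/24 via ISA external accepted:",
          gateway_is_reachable(table, "198.51.100.9"))
```

Run against the posted table, the reply to a main-site host leaves via the VPN entry, not WAN1, so the table itself does not explain the missing replies; that is consistent with the thread's eventual conclusion that the fault lay with the broadband link rather than the routing configuration.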
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35036001
So:
192.168.1.0 is your remote site
192.168.8.0 is your main site and the 192.168.1.0 network gets there via 78.32.x.y
77.107.x.y is your remote office's external entry to the Internet etc.?
0
 

Author Comment

by:dazzercx
ID: 35036042
Yes, that is correct.
0
 

Author Comment

by:dazzercx
ID: 35058177
Does anyone else have any ideas on this at all?
0
 

Accepted Solution

by:dazzercx (earned 0 total points)
ID: 35166711
Had problems with the broadband dropping off with this as well; once these were solved the VPN works fine now with no other configuration changes. It must have been an odd routing issue with the broadband supplier or such. I have answered my own question in the end, so I'm not sure how to close this case?
0
 

Author Closing Comment

by:dazzercx
ID: 35196675
External source was the issue
0
