Solved

ISA site to site VPN and non-ISA client traffic

Posted on 2011-03-03
Last Modified: 2012-05-11
Hi,
We have inherited an ISA 2004 SP2 to Draytek 2820 site-to-site VPN connection from another support company. The site-to-site VPN would appear to work fine and we can connect from the remote site back to the main site, etc. The problem that we have is that we need to be able to access a network device at the remote site from the main site, and it will not connect. I have tried my laptop from the remote site as well, and it would seem that the main site will only ping computers in the remote site with the ISA client installed on them. If I connect my laptop I cannot ping it or browse shares on it or anything from any PC in the main site. However, my laptop will browse back from the remote site to the main server, etc. Is this default ISA behaviour, in that it will only allow clients with the client installed on them to connect to each other, or something else? Any help much appreciated as we need to get the network device working ASAP (it is not a computer). Thanks in advance.
Question by:dazzercx
23 Comments
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35027350
In ISA side:
Do you have an access rule for VPN users ?
What is the network relationship between VPN and Internal, and vice versa?
 

Author Comment

by:dazzercx
ID: 35027414
Hi,
We have rules to allow the traffic from the remote LAN subnet to the ISA subnet and vice versa, and as I say we can ping from the main site to remote computers with the ISA client installed, but nothing else. Thanks for the reply.
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 35027623
Please note that there is a built-in network in ISA Server for VPN clients, "VPN Clients".

You have 2 places to check: ISA and Draytek.

From the ISA side, do you have a network relationship from VPN to Internal (direction is essential)?

Could you post a snapshot of the ISA config (network and access rule)?
 

Author Comment

by:dazzercx
ID: 35027751
How do I post you a snapshot? sorry this is my first post here.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35027874
First of all, ISA 2004 SP2 was the most bug-ridden version released and SP3 has been out for years. Not only were there some good updates included, it also gave a HUGE boost to the real-time log monitor. That alone should be able to assist you with your enquiries.

The most common reasons that sites use the dreaded ISA firewall client are:
The installers had no clue about ISA Server and assumed they HAD to have the client installed for the product to work. OR
The default gateway of the site's workstations did NOT point to the ISA Server.
 

Author Comment

by:dazzercx
ID: 35034886
Hi,
I have installed SP3 and can see in the logs that the ping request is opened with no errors, but I still get no reply from any PC or device without the firewall client installed. As I say, we have inherited this setup. Any more help much appreciated.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35034927
I take it the Draytek is the main site?
 

Author Comment

by:dazzercx
ID: 35034938
Hi,
No the Draytek is the remote site.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35035029
OK - so you see the ping to the remote device go through ISA. Do you see a corresponding request hit the Draytek log?
 

Author Comment

by:dazzercx
ID: 35035648
I cannot see any ping requests in the logs of the Draytek, even the ones that are working. I have all logs enabled and am viewing them via the Syslog utility.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35035671
Then we need to go back to basics.
What is the device at the remote office that you are trying to contact? Is it a computer? A printer?
Can you ping it from the Draytek itself?
 

Author Comment

by:dazzercx
ID: 35035686
I have tried my laptop; yes, I can ping that from the Draytek, but again not from the main site. The actual device we are trying to get working is a clocking-in machine, and it has the correct gateway specified. Again, I can ping this fine from the Draytek. Thanks for your help on this.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35035712
Ah - ok.
Does the remote site have its own Internet connection or does all internet traffic come back to the ISA first and then use the main site's internet connection?
 

Author Comment

by:dazzercx
ID: 35035727
It has its own Internet connection, and when I test my laptop on it I am using that connection, but all computers with the ISA client on go back to the ISA site and then out to the Internet. I can ping all devices FROM my laptop TO all the main site servers, etc., when I am at the remote site.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35035761
That is going to be your issue, I expect: the device will send its responses to your pings back to its default gateway, which will then likely go out the remote Internet connection. As per my first response to you, this situation is often one where the firewall client is used to indicate an alternative gateway.

Assuming the Draytek is the default gateway of the remote office, does the Draytek have a static route for the local and remote subnets to support the VPN routes?
 

Author Comment

by:dazzercx
ID: 35035777
I have tried adding a static route of 192.168.8.0 (the main site IP range) subnet mask 255.255.255.0 with the IP address of the external ISA server as the gateway for this on the router, but it rejects it.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35035816
You cannot use the external ISA interface - it does not exist (think about it) because you have built a tunnel between the two locations. Really, the Draytek should be handling this itself. Can you capture and post the routing table from the Draytek, please? Let's see what it thinks it is doing with the traffic.
 

Author Comment

by:dazzercx
ID: 35035850
The routing table is as follows. I only tried the static route thing after looking at another post, but didn't think it looked right:

Key: C - connected, S - static, R - RIP, * - default, ~ - private
*     0.0.0.0/0.0.0.0                via 77.107.X.X,  WAN1
*     77.107.X.X/255.255.255.255     via 77.107.X.X,  WAN1
S     77.107.X.X/255.255.255.255     via 77.107.X.X,  WAN1
S~    192.168.8.0/255.255.255.0      via 78.32.X.X,   VPN
C~    192.168.1.0/255.255.255.0      is directly connected,  LAN
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35036001
So:
192.168.1.0 is your remote site.
192.168.8.0 is your main site, and the 192.168.1.0 network gets there via 78.32.x.y.
77.107.x.y is your remote office's external entry to the Internet, etc.?
 

Author Comment

by:dazzercx
ID: 35036042
Yes, that is correct.
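The two checks Keith Alabaster walks through above (does the remote device's reply to a main-site ping leave via the VPN or via the remote site's own WAN, and why a static route pointing at the ISA server's external address gets rejected) can be reproduced against the posted routing table. The following is an added example written for this page, not code from the thread or from Draytek. The public addresses in the posted table were redacted (77.107.X.X, 78.32.X.X), so RFC 5737 documentation addresses stand in for them in a constructed copy of the table; the "gateway must be on a directly connected network" rule is a stated assumption about how a router validates a hand-added static route, not Draytek's documented logic.

```python
"""Longest-prefix-match walk over a Draytek-style routing table.

Added example (not from the original thread). Models:
 1. which interface the remote-site router uses to forward a device's ICMP
    echo reply back to a main-site host (the asymmetric-routing check);
 2. why a static route whose gateway is the ISA server's external address
    is refused: the router has no directly connected network to reach it on.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the table posted in the thread. The redacted public
# addresses are replaced with RFC 5737 documentation ranges (203.0.113.0/24 for
# the remote office WAN, 198.51.100.9 for the ISA server's external address).
SAMPLE_TABLE = """\
Key: C - connected, S - static, R - RIP, * - default, ~ - private
*     0.0.0.0/0.0.0.0                via 203.0.113.1,  WAN1
*     203.0.113.20/255.255.255.255   via 203.0.113.1,  WAN1
S     203.0.113.20/255.255.255.255   via 203.0.113.1,  WAN1
S~    192.168.8.0/255.255.255.0      via 198.51.100.9, VPN
C~    192.168.1.0/255.255.255.0      is directly connected,  LAN
"""


@dataclass
class Route:
    flags: str
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for directly connected
    interface: str


def parse_table(text: str) -> List[Route]:
    """Parse the text form of the Draytek routing table shown above."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Key:":
            continue
        flags, prefix, iface = tokens[0], tokens[1], tokens[-1]
        net, mask = prefix.split("/")
        gateway = None
        if tokens[2] == "via":
            gateway = ipaddress.IPv4Address(tokens[3].rstrip(","))
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        routes.append(Route(flags, network, gateway, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching route wins, so the
    0.0.0.0/0 default only applies when nothing narrower covers dst."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen).interface


def reply_interface(routes: List[Route], main_site_host: str) -> Optional[str]:
    """Interface the remote router uses for a device's echo reply to a main-site
    host. 'VPN' means the reply goes back through the tunnel; 'WAN1' means it
    leaks out the remote site's own Internet link and the ping times out."""
    return lookup(routes, main_site_host)


def without_vpn_route(routes: List[Route]) -> List[Route]:
    """The broken configuration Keith suspected: no route for the main site."""
    return [r for r in routes if r.interface != "VPN"]


def static_route_accepted(routes: List[Route], gateway: str) -> bool:
    """Assumed validation rule: a hand-added static route needs a next hop the
    router can ARP for, i.e. inside a directly connected (C) network. The ISA
    server's external address sits behind the tunnel, not on any local segment."""
    gw = ipaddress.IPv4Address(gateway)
    return any(r.gateway is None and gw in r.network for r in routes)


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    print("reply to 192.168.8.10 with full table:", reply_interface(table, "192.168.8.10"))
    print("reply to 192.168.8.10 without VPN route:",
          reply_interface(without_vpn_route(table), "192.168.8.10"))
    print("static route via ISA external accepted:",
          static_route_accepted(table, "198.51.100.9"))
    print("static route via a LAN host accepted:",
          static_route_accepted(table, "192.168.1.254"))
```

With the table exactly as posted, the reply to a main-site host already selects the VPN interface, which is consistent with the thread's eventual finding that the routing was not at fault; removing the 192.168.8.0/24 route is what produces the WAN1 leak Keith described. The static-route check also shows why the attempt in the thread was refused: 198.51.100.9 (standing in for the ISA external address) is not inside the only connected network, 192.168.1.0/24.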
 

Author Comment

by:dazzercx
ID: 35058177
Does anyone else have any ideas on this at all?
 

Accepted Solution

by: dazzercx (earned 0 total points)
ID: 35166711
We had problems with the broadband dropping off with this as well; once these were solved, the VPN works fine now with no other configuration changes. It must have been an odd routing issue with the broadband supplier or suchlike. I have answered my own question in the end, so I am not sure how to close this case?
 

Author Closing Comment

by:dazzercx
ID: 35196675
External source was the issue
