dazzercx asked:
ISA site to site VPN and non-ISA client traffic

Hi,
We have inherited an ISA 2004 SP2 to Draytek 2820 site-to-site VPN connection from another support company. The site-to-site VPN would appear to work fine and we can connect from the remote site back to the main site etc. The problem that we have is that we need to be able to access a network device at the remote site from the main site and it will not connect. I have tried my laptop from the remote site as well and it would seem that the main site will only ping computers in the remote site with the ISA client installed on them. If I connect my laptop I cannot ping it or browse shares on it or anything from any PC in the main site. However, my laptop will browse back from the remote site to the main server etc. Is this default ISA behaviour, in that it will only allow clients with the client installed on them to connect to each other, or something else? Any help much appreciated as we need to get the network device working ASAP (it is not a computer). Thanks in advance.
Suliman Abu Kharroub

On the ISA side:
Do you have an access rule for VPN users?
What is the network relationship between VPN and Internal, and vice versa?

dazzercx (ASKER)
Hi,
We have rules to allow the traffic from the remote LAN subnet to the ISA subnet and vice versa and, as I say, we can ping from the main site to remote computers with the ISA client installed but nothing else. Thanks for the reply.
Please note that there is a built-in network in ISA Server for VPN clients, "VPN Users".

You have 2 places to check; ISA and Draytek.

From the ISA side, do you have a network relationship from VPN to Internal (direction is essential)?

Could you post a snapshot of the ISA config (network and access rule)?
How do I post you a snapshot? Sorry, this is my first post here.
First of all, ISA 2004 SP2 was the most bug-ridden version released and SP3 has been out for years. Not only were there some good updates included, it also gave a HUGE boost to the realtime log monitor. That alone should be able to assist you with your enquiries.

The most common reasons that sites use the dreaded ISA firewall client are:
The installers had no clue about ISA Server and assumed they HAD to have the client installed for the product to work. OR
The default gateway of the sites workstations did NOT point to the ISA Server.
Hi,
I have installed SP3 and can see in the logs that the ping request is opened with no errors, but I still get no reply from any PC or device without the firewall client installed. As I say, we have inherited this setup. Any more help much appreciated.
I take it the Draytek is the main site?
Hi,
No the Draytek is the remote site.
OK - so you see the ping to the remote device go through ISA - do you see a corresponding request hit the Draytek log?
I cannot see any ping requests in the logs of the Draytek, even the ones that are working. I have all logs enabled and am viewing them via the Syslog utility.
Then we need to go to basics.
What is the device at the remote office that you are trying to contact? Is it a computer? A printer?
Can you ping it from the Draytek itself?
I have tried my laptop, yes I can ping that from the Draytek, but again not from the main site. The actual device we are trying to get working is a clocking in machine, it has the correct gateway specified. Again I can ping this fine from the Draytek. Thanks for your help on this.
Ah - ok.
Does the remote site have its own Internet connection or does all internet traffic come back to the ISA first and then use the main site's internet connection?
It has its own Internet connection and when I test my laptop on it I am using that connection, but all computers with the ISA client on go back to the ISA site and then out to the Internet. I can ping all devices FROM my laptop TO all the main site servers etc. when I am at the remote site.
That is going to be your issue, I expect - the device will send its responses to your pings back to its default gateway, which will then likely go out the remote Internet connection. As per my first response to you, this situation is often one where the firewall client is used to indicate an alternative gateway.

Assuming the Draytek is the default gateway of the remote office, does the Draytek have a static route for the local and remote subnets to support the VPN routes?
I have tried adding a static route of 192.168.8.0 (the main site IP range) subnet mask 255.255.255.0 with the IP address of the external ISA server as the gateway for this on the router, but it rejects it.
You cannot use the external ISA interface - it does not exist (think about it) because you have built a tunnel between the two locations. Really the Draytek should be handling this itself - can you capture and post the routing table from the Draytek please? Let's see what it thinks it is doing with the traffic.
The routing table is as follows. I only tried the static route thing after looking at another post but didn't think it looked right:

Key: C - connected, S - static, R - RIP, * - default, ~ - private
*             0.0.0.0/         0.0.0.0 via 77.107.X.X,   WAN1
*       77.107.X.X/ 255.255.255.255 via 77.107.X.X,   WAN1
S       77.107.X.X/ 255.255.255.255 via 77.107.X.X,   WAN1
S~        192.168.8.0/   255.255.255.0 via 78.32.X.X,    VPN
C~        192.168.1.0/   255.255.255.0 is directly connected,    LAN
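A small route-lookup check, added here as an illustration and not part of any post in this thread: it parses the Draytek table exactly as posted above, performs a longest-prefix match the way the router would, and reports which interface a reply from the remote LAN to a main-site host would leave on. The parsing regex, the sample destination addresses and the `return_path_ok` helper are assumptions of this example; entries whose prefix the poster masked (77.107.X.X) cannot form a network and are skipped.

```python
import ipaddress
import re

# Draytek routing table as posted in the thread (public addresses masked by the poster).
ROUTING_TABLE = """\
*             0.0.0.0/         0.0.0.0 via 77.107.X.X,   WAN1
*       77.107.X.X/ 255.255.255.255 via 77.107.X.X,   WAN1
S       77.107.X.X/ 255.255.255.255 via 77.107.X.X,   WAN1
S~        192.168.8.0/   255.255.255.0 via 78.32.X.X,    VPN
C~        192.168.1.0/   255.255.255.0 is directly connected,    LAN
"""

# Assumed line layout: flags, network/mask, "via <gw>," or "is directly connected,", interface.
ROUTE_RE = re.compile(
    r"^(?P<flags>\S+)\s+(?P<net>\S+)/\s*(?P<mask>\S+)\s+"
    r"(?:via\s+(?P<via>\S+),|is directly connected,)\s+(?P<iface>\S+)$"
)


def parse_routes(text):
    """Return a list of (network, interface, flags) tuples.
    Host routes whose prefix is masked (77.107.X.X) raise ValueError and are dropped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        try:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        except ValueError:
            continue  # masked prefix; unusable for lookups
        routes.append((net, m["iface"], m["flags"]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins, the default (/0) last."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, flags in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, flags)
    return best


def return_path_ok(routes, main_site_subnet, expected_iface="VPN"):
    """True if a reply from the remote LAN to the main-site subnet would leave via the
    tunnel rather than the default route (the asymmetric-return-path case discussed above)."""
    net = ipaddress.ip_network(main_site_subnet)
    hit = lookup(routes, net.network_address + 1)
    return hit is not None and hit[1] == expected_iface


if __name__ == "__main__":
    routes = parse_routes(ROUTING_TABLE)
    for dst in ("192.168.8.10", "192.168.1.50", "8.8.8.8"):  # constructed sample destinations
        print(dst, "->", lookup(routes, dst)[1])
    print("main-site return path via VPN:", return_path_ok(routes, "192.168.8.0/24"))
```

With the table as posted, the main-site subnet does resolve to the VPN interface, so a device that uses the Draytek as its default gateway should return traffic through the tunnel; a device whose gateway is something else (or a table without that S~ entry) is where replies leak out the WAN1 default route.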
So
192.168.1.0 is your remote site
192.168.8.0 is your main site and the 192.168.1.0 network gets there via 78.32.x.y
77.107.x.y is your remote office external entry to the internet etc.?
yes that is correct
Does anyone else have any ideas on this at all?
ASKER CERTIFIED SOLUTION
dazzercx
External source was the issue